Alerts
Mass Injection Compromises More than Twenty-Thousand Web Sites
Date:05.29.2009
Threat Type: Malicious Web Site / Malicious Code
Websense Security Labs™ Threatseeker™ Network has detected that a large compromise of legitimate Web sites is currently taking place around the globe. Thousands of legitimate Web sites have been discovered to be injected with malicious JavaScript, obfuscated code that leads to an active exploit site. The active exploit site uses a name similar to the legitimate Google Analytics domain (google-analytics.com), which provides statistical services to Web sites.
This mass injection attack does not seem related to Gumblar. The location of the injection, as well as the decoded code itself, seem to indicate a new, unrelated, mass injection campaign.
Screenshot of injected code in an injected site:
The exploit site is laden with various attacks. After successful exploitation, a malicious file is run on the exploited computer. The executed malware file has a very low AV detection rate.
Websense® Messaging and Websense Web Security customers are protected against this attack.