PC-pwning infection hits 30,000 legit websites

A nasty infection that attempts to install a potent malware cocktail on the machines of end users has spread to about 30,000 websites run by businesses, government agencies and other organizations, researchers warned Friday. The infection sneaks malicious javascript onto the front page of websites, most likely by exploiting a …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Thumb Up

    Noscript ftw!

    Yet another attack that's preventable with noscript. If everyone used it properly (eg. not turning on scripts every time they see a blocked one), cyberspace would be a safer place.

  2. Pierre
    Linux

    Oh, you mean *Windows* PC then.

    Should we assume that the Linux, *BSD or Apple PCs are immune?

  3. Anonymous Coward
    Anonymous Coward

    Only Windows

    I am safe with my Amiga.

    If two more people use Amigas then we will equal the number of Mac users (only the Amiga has more software available).

  4. Anonymous Coward
    Happy

    I'm safe then.

    I block "Google Analytics" by default on all websites, regardless of whether I have them on my trusted "White" list.

    YEAH!! NOSCRIPT!!!!

  5. Apocalypse Later

    @Pierre

    That's a good idea. Assume that you are safe from all threats. Only Windows PCs use javascript after all.

  6. Big Al
    Coat

    I for one...

    ...welcome our new polymorphic obfusticating overlords. Got to be an improvement on Europe's current crop of politicians, whose morphing and obfustication leave much to be desired.

  7. Anonymous Coward
    Joke

    This is why we need....

    ...PHORM!

  8. Anonymous Coward
    Anonymous Coward

    NoScript is not a saviour

    NoScript only provides safety in the same way that turning your computer off provides safety. If you want to do anything which involves script type objects then you have to start allowing them. That means you have to start making judgement calls on what is safe to allow. The whole point of this is that you may have already made that call in order to have usable functionality from a trusted site. That trusted site may now be serving up this malware. NoScript is very useful but ultimately the user has to walk a line between risky objects and usable sites, and for the most part has no clear direction for where that line is.

  9. Matthew Anderson
    Happy

    @By Anonymous Coward 07:54 GMT

    Your comment made my afternoon ;-)

  10. Brian Whittle

    the key here is ...

    If your PC is up to date all you get is a popup. So keep your PC up to date, use Firefox with NoScript and you are sorted.

  11. Anonymous Coward
    Anonymous Coward

    Javascript is only half the story

    I'm sure the intended target for the "potent malware cocktail" is Windows though.....

    or perhaps it's scanning for GNU/Linux users who have unpatched vulns that are remote exploits &

    then trying to get them to install a (GNU/Linux) package containing "anti-virus" software. What do you think, Apocalypse Later?

  12. Anonymous Coward
    Thumb Down

    NoScript only half a solution

    NoScript is great if you don't want to do that much on the 'web.

    Sadly almost any website where you want or need to do anything interactive on it (I'm thinking shopping, online banking, library catalogues, you name it) requires scripts. So fuck it you either keep safe but fail to do what you need to, or you take a gamble and tentatively enable one of the domains blocked until you get enough functionality working to complete what you need to.

    We either need a new way of doing 'useful stuff' on websites that doesn't use scripts, or give up and go back to the old way of going to shops and banks, or calling them up using the phone :-\

  13. JC

    Noscript Still A Good Measure

    There are some easy choices that allow noscript to remain fairly effective. Even if you allowed a script from a trusted site because it was obvious the functionality of the site was missing without it, once you were redirected to the other site you have no reason to allow scripting there, no reason to allow scripting from another 3rd party site, nor a reason to install rogue anti-virus software from a popup window.

  14. Anonymous Coward
    Paris Hilton

    Loathsome as it is

    you got to admire the brilliance of the minds that can polymorph and obfuscate beyond reasonable detection.

    Now if only they got (or could get?) a proper job contributing positively...

  15. Joshua

    Another good reason I use a sandbox on my web browser when using windows

    C'mon, hasn't everyone seen Sandboxie yet? www.sandboxie.com

    I can browse any website with impunity... If something happens I don't like, I can terminate every process spawned by the browser and delete everything it's done since the last time I decided to empty the sandbox. Why would you risk exposing your whole computer to the world every time you open a webpage... sheesh!

  16. Alfazed
    Thumb Down

    No Script ?

    Luba kok antud lehel ?

    Yeah right !!!!!!!

    If this is familiar to anyone using No Script, perhaps they can translate it for the benefit of my teenage daughters and me.

    It could be ........... Serbian (?) Russian (?)

    Thanks No Script.

    I still use it every day, even though I don't know what it says.

    ALF

  17. John Smith Gold badge
    Unhappy

    Seen this on an academic website

    Next thing I knew I was looking at a map of my local drives and a message saying I got a virus detected. Killed the tab instantly.

    AVG site labelling reported the site was OK.

    But 30 000 web sites invaded. WTF

  18. Anonymous Coward
    Anonymous Coward

    Drop My Rights?

    Would DropMyRights be effective in such a scenario (for XP users)? I use it all the time anyway, along with NoScript and IsAdmin.

    http://news.cnet.com/8301-13554_3-9756656-33.html

  19. Bernie
    Linux

    Re: Chris

    "NoScript only provides safety in the same way that turning your computer off provides safety"

    I agree. I've used NoScript several times in the past and I found it a pain in the ass.

    Maybe you NoScripters visit the same selection of sites all the time but I visit new sites on a daily basis. Configuring NoScript every time in an attempt to make each new site half usable turned surfing the web into an ordeal. Did NoScript even stop me getting infected? I doubt it as I never got infected via my web browser before using NoScript. It was, therefore, a massive waste of time.

    Now I've switched to Linux and all I need to be secure is my common sense. You NoScripters really need to give it a try sometime if you actually care about security but I suspect many of you only use NoScript because you want the illusion of security.

  20. Anonymous Coward
    Anonymous Coward

    Sandboxie

    "I can browse any website with impunity."

    Such complacency will eventually see you picking up malware, the authors of which are already working on ways to modify behaviour when detected running in a virtual environment. You will hit exactly the same problem that NoScript users have - do I allow (or recover from sandbox) or not. Eventually you will recover something which appeared benign and it will get onto your main system. That's if increased vulnerability attacks on the likes of Sandboxie, and other virtualised environments, don't pick you off first.

  21. Lionel Baden

    used noscript

    got fucked off with stuff not working got rid of it !

    malwarebytes can be used if need be ..

  22. Jason Togneri
    Stop

    I thought El Reg was for people who knew something about IT

    @ Lionel Baden: good solution, let's wait until somebody steals our bank details or makes us part of a DDoSing botnet and *then* we'll start cleaning it up. Never heard the phrase "prevention is better than cure"?

    @ John Smith: you probably just fell for an old trick where your browser reflects your system environment variables back at you, and nobody else would see those details. That trick's been around since Windows 95 and has great shock value, but little else.

    @ NoScript haters: yes, it's not perfect, but neither is configuring a firewall to allow apps in/out every time I have a new app. Shall we just bother with firewalls either, because they're inconvenient? Oh god, heaven forbid we have a little bit of good old fashioned effort combined with a little bit of good old fashioned common sense, that would surely be too much. Let's just stick with one-click-idiot-level-simple and nice shiny websites that look pretty and deliver malware, than have to make even the slightest, most basic bit of effort. I, too, hated NoScript when I first used it. I've reinstalled it since and taken a little bit of time to figure out how it all works, and now I love it. Grow up and stop viewing the internet in terms of black and white.

  23. Fenstar

    Software

    Any idea of the software affected? I presume it was a CMS?

  24. Steven Burn

    Just a correction ....

    .... the fact it's obfuscated actually makes it easier to spot as obfuscated scripts are instantly analyzed when I come across them (specifically because I want to know what they're trying to hide from me)

  25. Anonymous Coward
    Anonymous Coward

    Fyi

    Blocking google analytics won't help because it's not being served by analytics, just something that looks like it.

    Noscript probably _will_ work because even if the initial render is being served by the trusted website it's still referencing external javascript, which will not be trusted by default by NoScript even if the rendering site is.

    If my wife can handle NoScript, I don't see why any reasonably computer literate person shouldn't be able to.

  26. Conrad Longmore
    Unhappy

    What's the effing point?

    What is the effing point of giving out scary advisories with useful information missing... such as the domain names we should be checking for in our log files?

  27. Gianni Straniero
    Boffin

    More details, please

    If I may interrupt the lusers boasting about Linux and Noscript for a moment, I'd like to know the details of this "common application" vulnerable to SQL injection. Some of us have to look after these web servers, you know.

  28. Chris Ovenden
    Thumb Up

    NoScript is changing web development

    The number of sites which absolutely require javascript is decreasing. Nowadays it is much easier to argue for a scriptless fallback to every bit of javascript functionality with clients and pointy-haired bosses, due in part to the rise of NoScript. Which in turn makes it more likely people will use NoScript, confident that sites they're using will still actually work.

    Half a million downloads per week is not to be sniffed at (although that probably only translates to about half a million active users, as it is very frequently updated).

    Also, I haven't studied this particular attack, but it would be unusual if the script is hosted on the same domain as the site, as that would require two separate modifications to the site's code. In which case the most common NoScript habit of only allowing scripts from the same domain would prevent it from running, assuming the site is in the user's whitelist or actually requires scripts to be enabled. IMO NoScript is "good enough" protection against script-borne attacks. Shame it requires a certain level of knowledge to use effectively.

  29. Ian McNee
    Linux

    So...it's better with Windows?

    This is interesting in light of Saturday's other article on El Reg about the M$/Asus puff-piece/FUD website www.itsbetterwithwindows.com for netbooks (http://www.theregister.co.uk/2009/05/30/its_better_with_windows/).

    Netbooks with Linux are one of the IT industry's best efforts at producing secure on-line appliances for Jo/Jill Public to use with relative confidence that they won't be pWn3d. All the more so with so many legit websites compromised in this way. Just a shame to see a decent company like Asus get muscled into M$'s monopolistic attempts to crush all that is Open Source.

  30. Steve

    Hmm

    Any of you guys noticed that annoying MSN Messenger one that's floating around also?

    The user keeps sending you daft messages..

    You then tell the user and they don't believe you lol

  31. Steve Taylor

    Re: Alfazed

    Luba kok antud lehel == Permission granted to No. page (using Google Estonian translation)

  32. Anonymous Coward
    Flame

    I could have put money on the first post.

    Now stop your cock waving.

  33. Cameron Colley

    RE: I could have put money on the first post.

    While it may be "cock waving" a little it's also a nice reminder to use said product. NoScript _seems_ to have prevented the malware downloading onto my PC so it's worth installing.

    One of the sites that host the code seems to be m-analytics.net -- theirs is the only other domain wanting to run scripts on my machine on a website I know to be infected.

  34. Anonymous Coward
    Anonymous Coward

    Isn't NoScript malware itself?

    Awful plugin, just turn off JavaScript in FF under.

    Edit->Preferences->Untick Enable Javascript

    If you don't want to use JavaScript.

    Though JavaScript is hardly ever the problem, normally an ActiveX object or Flash is at the end of it, and JavaScript if used is actually more likely to break the chain of compromise.

  35. John Smith Gold badge
    Happy

    @ Jason Togneri

    "you probably just fell for an old trick where your browser reflects your system environment variables back at you"

    That sounds about right. However my usual response is *never* to click on something offered as a "Solution." Just dump the page. On the up side from the article the attack failed to find any of the silent gaps it would have used otherwise.
