Nine-Ball Mass Injection Attack has Compromised 40,000 Websites to Date

by FireHost Evangelist on June 23rd, 2009

Websense Security Labs have been tracking the Nine-Ball mass compromise attack since early June. They report that, to date, over 40,000 legitimate Web sites have been compromised and are actively infected with an information-stealing trojan.

The Nine-Ball attack is deployed when a user visits a legitimate website that has been infected with the malicious code. From the legitimate website, unsuspecting users are redirected behind the scenes through a series of different sites owned by the Nine-Ball hackers.

The diagram below depicts a typical URL progression that happens behind the scenes during a Nine-Ball deployment.

Nine-Ball Progression


When an infected site is visited for the first time, the user is directed to the ninetoraq.in exploit payload site, where the visitor’s IP address is recorded and the trojan is downloaded and installed.

If a user on the same IP visits the legitimate website again, he or she is instead directed to the benign site ask.com. Security experts speculate that the Nine-Ball hackers are using a benign destination URL to throw cyber security investigators and cyber crime analysts off track.
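The redirect chain and the IP-keyed decoy behaviour described above are what a defender would look for in outbound web proxy logs. The following is an added example, not code from Websense or FireHost: it folds a client's requests into redirect chains and flags chains that reach the ninetoraq.in payload host, plus later chains through the same entry hop that end at the ask.com decoy (which a rule keyed only on the final URL would miss). The log format and the hop hostnames (`*-example.test`) are constructed for the example.

```python
from collections import defaultdict
from urllib.parse import urlparse

REDIRECT_STATUSES = {"301", "302", "303", "307", "308"}
# Constructed proxy log, not real traffic: time client_ip url status redirect_target ("-" if none).
# Hop hostnames are made up; ninetoraq.in and ask.com are the destinations the post names.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 http://legit-example.test/index.html 200 -
10:00:01 10.0.0.5 http://hop1-example.test/in.cgi 302 http://hop2-example.test/go
10:00:02 10.0.0.5 http://hop2-example.test/go 302 http://ninetoraq.in/exploit
10:00:02 10.0.0.5 http://ninetoraq.in/exploit 200 -
10:05:00 10.0.0.5 http://legit-example.test/index.html 200 -
10:05:00 10.0.0.5 http://hop1-example.test/in.cgi 302 http://ask.com/
10:05:01 10.0.0.5 http://ask.com/ 200 -
"""

def parse_log(text):
    per_client = defaultdict(list)  # client IP -> [(url, status, redirect_target)] in log order
    for line in text.splitlines():
        if line.strip():
            _ts, client, url, status, target = line.split()
            per_client[client].append((url, status, None if target == "-" else target))
    return per_client

def build_chains(requests):
    """Fold one client's requests into redirect chains (lists of hostnames): a request
    whose URL equals the previous response's Location target extends the current chain."""
    chains, current, expected = [], [], None
    for url, status, target in requests:
        if expected is None or url != expected:
            if current:
                chains.append(current)
            current = []
        current.append(urlparse(url).hostname)
        expected = target if status in REDIRECT_STATUSES else None
    if current:
        chains.append(current)
    return chains

def flag_nine_ball(log_text, exploit_hosts=("ninetoraq.in",), decoy_hosts=("ask.com",)):
    """Per client: chains that reach the payload host, and decoy chains sharing their entry hop."""
    report = {}
    for client, requests in parse_log(log_text).items():
        chains = build_chains(requests)
        hits = [c for c in chains if len(c) > 1 and c[-1] in exploit_hosts]
        entry_hops = {c[0] for c in hits}
        decoys = [c for c in chains if len(c) > 1 and c[-1] in decoy_hosts and c[0] in entry_hops]
        if hits or decoys:
            report[client] = {"exploit_chains": len(hits), "decoy_chains": len(decoys)}
    return report
```

Running `flag_nine_ball(SAMPLE_LOG)` reports one exploit chain and one decoy chain for 10.0.0.5; the second visit alone would look like an ordinary hop to ask.com.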

The scary part is that most antivirus applications will not detect Nine-Ball’s malicious code. Websense experts report that “the exploit is detected by only three of the 41 most commonly used AV programs.”

This entry was posted on Tuesday, June 23rd, 2009 at 9:00 am and is filed under Security.
