Approximately 230 UK websites have been infected with malware that is being delivered dynamically, according to security vendor ScanSafe.
The malware being delivered ranges from backdoor Trojans to rootkits, said ScanSafe researcher Mary Landesman.
The companies hosting the sites are being hit with dynamic modules of JavaScript that are proving very difficult to get rid of, according to Landesman.
"Even though the hosts are working diligently, their systems are being recompromised repeatedly," Landesman told ZDNet.co.uk on Thursday. "This is not just a matter of wipe and restore. The attack is extremely sophisticated."
The complexity lies in discovering how the hosting companies are being infected and reinfected, said Landesman, who declined to name the companies involved. ScanSafe is in the process of investigating the infection process, with security researchers from SecureWorks.
"The million-dollar question is how the [JavaScript] modules are getting onto the host server," said Landesman. "It's that initial entry we're still trying to figure out."
The researchers initially suspected reinfection to be the result of a rootkit-enabled Loadable Kernel Module planted on the host servers. However, Landesman said this is now looking less likely, as a number of the hosts rebuilt their Apache kernels, and suffered reinfection.
"There could be some underlying compromise, but a rootkit on the server is seeming less likely," said Landesman. "There could be a rootkit or backdoor on a managing workstation in the host."
Not only are the hosts being mysteriously reinfected, but the malware delivery process is itself dynamic, making detection via antivirus signatures difficult, said ScanSafe. When a user visits an infected site with JavaScript enabled on their browser, they are infected by JavaScript files with randomly assigned five-character names.
"Once they are in the door, the attackers are leveraging the promiscuous behaviour of modules on Apache servers to accept and run scripts — they're responsible for controlling the impact of malware we're seeing on the websites," said Landesman. "The scripts are randomly generated."
The JavaScript files can infect users with up to a dozen exploits, including an Apple QuickTime Real-Time Streaming Protocol vulnerability, an older Microsoft Data Access Components vulnerability, as well as sophisticated Trojans and rootkits, according to a post on the ScanSafe blog.
Read this
Feature: Cracking open the cybercrime economy
Hacking for fun has evolved into hacking for profit, and created a business model that is nearly as sophisticated as that of legal software
The randomly named and dynamically created JavaScript references and files are also randomly delivered, said ScanSafe. That delivery is not based on whether malware has been delivered to that user before; it will deliver the script to the same IP address multiple times.
Another piece of the puzzle is the high amount of traffic to infected sites, which ScanSafe describes as "unexpectedly high".
While 230 predominantly UK sites are known to be infected, exact numbers of infected sites and hosts are difficult to gauge, said Landesman.
Compromised sites in the past have predominantly had static iframe code pointing to malicious sites, served by a host. This makes it relatively easy to detect which hosts are infected, said ScanSafe, as a search on the contents of the HTML iframe results in a list of infected sites. However, in this attack the referenced JavaScript doesn't "exist" until the user accesses the page, and it doesn't persist on the site.
"We don't know how many hosts are infected," said Landesman. "An admin perusing the site looking for these rogue JavaScript files [on a host server] would not find any visible signs."
ScanSafe advised concerned businesses to inform users of the attack, and said that one possible workaround was to encourage users to disable JavaScript in web browsers, even though this would severely limit web functionality.
Another alternative is for users to scan search results using free tools such as ScanSafe's Scandoo beta, the company said.
