Researchers Discover New Mass Meshing Injection Attack

Published: 22/11/2024   Category: security




Emerging exploit is much more efficient than mass SQL injections, Armorize researchers say



There's a new type of malware attack in town, and it could infect websites -- and the users who visit them -- with surprising efficiency, according to researchers.
In a blog published yesterday, researchers at application security vendor Armorize offered details on a new large-scale drive-by download type of malware delivery called mass meshing injection.
Other broad-based attacks, such as mass SQL injection, use a shotgun approach and can be traced back to a relatively small number of malicious redirector URLs that can be easily blacklisted, notes Wayne Huang, CTO at Armorize. While they have proved to be an effective method for deploying malware, they also are relatively easy to defend against.
In mass meshing, however, every infected website contains a redirector script in the root directory; in this case it is sidename.js, Armorize states. This is an obfuscated script that will dynamically generate an iframe to the exploit server.
Under the new exploit, every infected website is injected, in its pages, with a tag pointing to another random infected website's sidename.js, Armorize says.
The end result is, aside from the infected webpages, there is no more statically injected malicious redirector that security vendors can detect, Armorize warns. Every redirector is itself an infected domain, which means blacklisting becomes more difficult and prone to false alerts. So far, the name of the redirector file is still fixed, sidename.js, making it possible to recognize as a signature, the researchers note.
If, in the future, this changes to a dynamically generated name, detection will be made even more difficult, Armorize says.
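A defender-side check for the pattern described above, added here as an example and not code from Armorize or Dark Reading: it flags pages that load /sidename.js from a different domain (the cross-site meshing signature) and maps the dependency mesh across a crawl sample. The .example host names and page contents are constructed for the demonstration.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

REDIRECTOR_NAME = "sidename.js"  # fixed redirector file name reported by Armorize

class _ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.srcs += [v for k, v in attrs if k == "src" and v]

def find_meshing_redirectors(page_url, html):
    """Return the external hosts whose /sidename.js this page loads."""
    parser = _ScriptSrcParser()
    parser.feed(html)
    own_host = urlparse(page_url).netloc.lower()
    hits = set()
    for src in parser.srcs:
        u = urlparse(src)
        if u.path.rsplit("/", 1)[-1].lower() != REDIRECTOR_NAME:
            continue
        host = u.netloc.lower()
        if host and host != own_host:  # cross-site load is the meshing signature
            hits.add(host)
    return sorted(hits)

def build_mesh(pages):
    """pages: {url: html}. Returns (mesh, hubs): mesh maps each infected host
    to the hosts it pulls the redirector from; hubs are hosts that both load
    it and are referenced by others, so they must host sidename.js too."""
    edges = defaultdict(set)
    for url, html in pages.items():
        for dst in find_meshing_redirectors(url, html):
            edges[urlparse(url).netloc.lower()].add(dst)
    referenced = {d for ds in edges.values() for d in ds}
    return {h: sorted(ds) for h, ds in edges.items()}, sorted(referenced & set(edges))

SAMPLE_PAGES = {  # constructed sample crawl; .example hosts are placeholders
    "http://site-a.example/index.html":
        '<html><script src="http://site-b.example/sidename.js"></script>'
        '<script src="/js/app.js"></script></html>',
    "http://site-b.example/news.html":
        '<script type="text/javascript" src="http://site-c.example/sidename.js"></script>',
    "http://site-c.example/": '<script src="http://site-a.example/sidename.js"></script>',
    "http://clean.example/": '<script src="https://cdn.example/lib.js"></script>',
}
```

The hub list is the actionable output: those hosts both serve and depend on the redirector, so cleaning them breaks the drive-by chain for every site that points at them.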
The Sidename attack is interesting in that it shares some characteristics in common with the Gumblar attack that infected over 80,000 websites in April 2009, says Neil Daswani, CTO of Dasient, a malware monitoring service provider. But Sidename improves upon Gumblar.
Like Gumblar, Sidename spreads via FTP and injects dynamically generated malicious code into new websites that it infects, Daswani observes. Improving upon Gumblar, Sidename uses legitimate sites that have been infected to host malicious code that helps serve drive-by downloads on other sites. A legitimate site infected by Sidename then also becomes dependent upon other infected, legitimate websites to serve its drive-by downloads. When some of the websites get cleaned up, the drive-by downloads will stop working on other infected sites.
Huang recommends that enterprises defend themselves by using malware-monitoring tools, upgrading their third-party applications (particularly open-source apps) to the most current version, and using encrypted protocols on the Web and in FTP.
