This post is co-authored with Levi Gundert and Andrew Tsonchev.
Update 2014-03-21: For clarity, the old kernel is a common indicator on the compromised hosts. We are still investigating the vulnerability, and do not yet know what the initial vector is, only that the compromised hosts are similarly ‘old’.
Update 2014-03-22: This post’s focus relates to a malicious redirection campaign driven by unauthorized access to thousands of websites. The observation of affected hosts running Linux kernel 2.6 is anecdotal and in no way reflects a universal condition among all of the compromised websites. Accordingly, we have adjusted the title for clarity. We have not identified the initial exploit vector for the stage zero URIs. It was not our intention to conflate our anecdotal observations with the technical facts provided in the listed URIs or other demonstrable data, and the strikethrough annotations below reflect that. We also want to thank the community for the timely feedback.
All of the affected web servers that we have examined use the Linux 2.6 kernel. Many of the affected servers are using Linux kernel versions first released in 2007 or earlier. It is possible that attackers have identified a vulnerability on the platform and have been able to take advantage of the fact that these are older systems that may not be continuously patched by administrators.
The line appended to the .js files takes the form of:
Many of the affected hosts have been identified as compromised and cleaned.
An example response message from a cleaned tier one host.
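The modification described above is a single line appended to otherwise legitimate .js files. The following is an added defender-side check, not code from the original post or from Cisco: given a baseline of SHA-256 digests taken from known-good .js files, it reports files that match the baseline except for one trailing line, and returns that line for triage. The file paths and contents are constructed sample data, and the injected line is a labelled placeholder rather than the real campaign payload.

```python
import hashlib
from typing import Dict, List, Optional, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record the SHA-256 of each known-good .js file (path -> digest)."""
    return {path: sha256(content) for path, content in files.items()}


def appended_line(baseline_digest: str, current: bytes) -> Optional[bytes]:
    """Return the trailing line if `current` is the baselined content plus one appended line."""
    body = current.rstrip(b"\r\n")
    idx = body.rfind(b"\n")
    if idx == -1:
        return None
    head, tail = body[: idx + 1], body[idx + 1 :]
    # The original file may or may not have ended with a newline; accept both forms.
    for candidate in (head, head.rstrip(b"\r\n")):
        if sha256(candidate) == baseline_digest:
            return tail
    return None


def check_js_files(baseline: Dict[str, str], current: Dict[str, bytes]) -> List[Tuple[str, str, bytes]]:
    """Classify each current .js file as 'new', 'appended' or 'modified'; unchanged files are skipped."""
    findings: List[Tuple[str, str, bytes]] = []
    for path, content in current.items():
        expected = baseline.get(path)
        if expected is None:
            findings.append((path, "new", b""))
        elif sha256(content) != expected:
            tail = appended_line(expected, content)
            findings.append((path, "appended", tail) if tail is not None else (path, "modified", b""))
    return findings


# Constructed sample data (hypothetical paths; the appended line is a placeholder, not the real payload).
BASELINE_FILES = {
    "/var/www/html/js/site.js": b"function init() {\n  console.log('ready');\n}\n",
    "/var/www/html/js/menu.js": b"var menu = [];\n",
}
CURRENT_FILES = {
    "/var/www/html/js/site.js": BASELINE_FILES["/var/www/html/js/site.js"]
    + b"/* PLACEHOLDER-APPENDED-LINE */\n",
    "/var/www/html/js/menu.js": b"var menu = [];\n",
}

if __name__ == "__main__":
    for path, verdict, tail in check_js_files(build_baseline(BASELINE_FILES), CURRENT_FILES):
        print(path, verdict, tail.decode(errors="replace"))
```

In practice the baseline would be taken from the deployment artefacts or version control rather than from the live web root, since a host that is already compromised cannot vouch for its own files.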
The attack has spread rapidly, with almost 400 distinct hosts affected per day on March 17 and 18.
At the time of writing, we have identified in excess of 2700 URLs that have been utilised in this attack. The attackers have subverted existing, legitimate websites to affect unsuspecting users. Security awareness campaigns that train users to be wary of unknown websites may not be effective against trusted websites that become compromised to serve malware. Although users of Cisco’s Cloud Web Security solution are protected from this attack, we observe that approximately 1 in 15 of our clients have had at least one user who has been intercepted attempting to request an affected URL.
The servers affected by the attack are distributed throughout the world, with a particularly high incidence in Germany and USA.
This large scale compromise of an aging operating system highlights the risks posed by leaving such systems in operation. Systems that are unmaintained or unsupported are no longer patched with security updates. When attackers discover a vulnerability in the system, they can exploit it at their whim without fear that it will be remedied. In April 2014, Windows XP will become unsupported. Organisations urgently need to review their use of unsupported systems in operation. Such systems need to be upgraded where possible, or regularly monitored to detect compromise. Organisations should consider their exposure to risks from the use of unsupported systems by partners and suppliers, in addition to the dangers of user interaction with such systems over the internet. Large numbers of vulnerable unpatched systems on the internet are tempting targets for attackers. Such systems can be used as disposable one-shot platforms for launching attacks. This makes it all the more important that aging systems are properly maintained and protected.
Identified tier 0 and tier 1 affected websites.