Researchers Discover New 'Mass Meshing Injection' Attack

There's a new type of malware attack in town, and it could infect websites -- and the users who visit them -- with surprising efficiency, according to researchers.

In a blogpublished yesterday, researchers at application security vendor Armorize offered details on a new large-scale drive-by download type of malware delivery called "mass meshing injection."

Other broad-based attacks, such as mass SQL injection, use a "shotgun" approach and can be traced back to a relatively small number of malicious "redirector" URLs that can be easily blacklisted, notes Wayne Huang, CTO at Armorize. While they have proved to be an effective method for deploying malware, they also are relatively easy to defend.

In mass meshing, however, "every infected website contains a redirector script in the root directory; in this case it is sidename.js," Armorize states. "This is an obfuscated script that will dynamically generate an iframe to the exploit server.

Under the new exploit, every infected website is injected, in its pages, with a tag pointing to another random infected website's sidename.js, Armorize says.

"The end result is, aside from the infected webpages, there is no more statically injected 'malicious redirector' that security vendors can detect," Armorize warns. "Every redirector is itself an infected domain, which means blacklisting becomes more difficult and prone to false alerts." So far, the name of the redirector file is still fixed--sidename.js--making it possible to recognize as a signature, the researchers note.

"If in the future, this changes to a dynamically generated name, detection will be made even more difficult," Armorize says.

"The Sidename attack is interesting in that it shares some characteristics in common with the Gumblar attack that infected over 80,000 websites in April 2009," says Neil Daswani, CTO of Dasient, a malware monitoring service provider. "But Sidename improves upon Gumblar.

"Like Gumblar, Sidename spreads via FTP and injects dynamically generated malicious code into new websites that it infects," Daswani observes. "Improving upon Gumblar, Sidename uses legitimate sites that have been infected to host malicious code that helps serve drive-by downloads on other sites. A legitimate site infected by Sidename then also becomes dependent upon other infected, legitimate websites to serve its drive-by-downloads. When some of the websites get cleaned up, the drive-by-downloads will stop working on other infected sites."

Huang recommends that enterprises defend themselves by using malware-monitoring tools, upgrading their third-party applications (particularly open-source apps) to the most current version, and using encrypted protocols on the Web and in FTP.

Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.