zveloLABS™ has been tracking a rapidly growing pattern in website exploits over the last 24 hours. Since Thursday, Aug 20 zvelo has seen over 6,000 compromised URLs with a similar pattern.
And the numbers are growing at a rate of several hundred per hour. A google search for inurl:050609wareza shows around 30,000 such compromised sites.
The compromised sites typically have nonsense text and a series of pictures of pills with links to more compromised sites and dangerous scripts that trigger well known exploits including a recent exploit of the ActiveX streaming video control.
In some cases, such as when zvelo researchers tried navigating to a compromised site using Firefox on Windows, a redirection to files express occurs:
In testing, when the exploit is successful, it seems to be an information stealing Trojan, though the payload has varied. As the payloads seem to have weak coverage by AV companies and seem to be changing frequently, blocking the offending websites is the best solution for preventing infection.
zveloLABS™ notes that around 1/3 of the compromised sites include a webalizer directory, which may indicate a correlation with a recently published webalizer exploit. This exploit allows an attacker to execute arbitrary code, often with elevated privileges. More information on this exploit can be located below. It is recommended that administrators configure webalizer to not do reverse DNS lookups until a patch is released.
zvelo will continue to cover this threat and continue to protect customers from these websites by flagging them as Compromised. At the start of research, Google had very few of these sites flagged as malicious, but it seems that increasing numbers are being identified by their cloud security as well. Other security engines tested including Web of Trust, Norman, and Mcafee SiteAdvisor have very poor detection of these sites at this time.