Major Sites Fall Victim to Web Hijack

Security company Finjan today reported it has found more than 1,000 sites infected by an attack toolkit called "Asprox," which exploits discovered flaws in a vulnerable site's programming to add hidden attack code.  The attack code in turn searches for flaws on a browser's PC, and if any such holes are found it will download malware onto the computer.

I wasn't struck by the number - these days, 1,000 sites unfortunately isn't that many - so much as by the list of sites that Finjan says were hacked.  My own city's site, which I've visited many times to pay parking tickets and the like, was nailed (though it's now clean).  Snapple took a hit, as did the National Health Service in the UK and a wide range of other sites.

As with a previous SQL injection round I wrote about in May, you can check to see if your site has been infected by running a Google search.  Before you do, let me repeat a warning I wrote then:

IMPORTANT:  DO NOT visit the domain named in the following test, or any sites that show up on a Web search as having this domain listed in their pages' code (including cached pages). Doing so could infect your PC with malware.

This time around, you'll need to run these three different searches, as the attack is inserting different code into different sites.  In each case, substitute your site's domain (ie. Pcworld.com) for "domain."

site:yourdomain "b.js"

site:yourdomain "ngg.js"

site:yourdomain "fgg.js"

When I ran those searches just now I turned up plenty of still-infected sites, so again, be extremely careful about visiting any of them. If your site turns up in search results, contact your IT department or hosting provider immediately.

Whether or not your site turns up, it's also a good idea to run the free Scrawlr tool  from HP, which can check your site for the kind of vulnerabilities exploited by a SQL injection attack.  It's quick and easy to download and run.

Also, for your own computer's safety, it's critical to keep all your software - not just the browsers and the OS - up-to-date with patches. Finjan writes that this attack kit goes after flaws in QuickTime and the AOL SuperBuddy as well as Windows.

For more on the assault, see Finjan's blog posting.