Massive Malware Hits Media Web Sites

Security researchers estimate that roughly 7,000 Web pages were compromised in a SQL injection attack this week, including pages on the sites of The Wall Street Journal and the Jerusalem Post.

Mathew Schwartz

June 10, 2010


"Every time I load Jpost site, I get nasty red virus notice from my anti-virus program. Anyone else?" tweeted "fayg29" on Tuesday, referring to the Jerusalem Post's website.

Sure enough, the Web sites of the Jerusalem Post, as well as the Wall Street Journal, Servicewomen.org, Intljobs.org, and the Association of Christian Schools International, among other sites, were hacked on Tuesday, resulting in those sites serving malware to viewers.

Security researchers estimated that roughly 7,000 Web pages in total were compromised, likely via a SQL injection attack against the Web sites' databases. "What do all these sites have in common? They are all hosted on IIS servers and using ASP.net," said David Dede, head of malware research at Sucuri Security, on the company's blog. He said the attack "looks like a SQL injection attack against a third-party ad management script."

SophosLabs virus and spam researcher Paul O Baccas, however, thought it might have been a more direct attack, at least against the Jerusalem Post. "I suspected that the malware was loaded via a compromised advert stream or one of the pop-ups from the site. However, upon further investigation there were the tell-tale signs of hackers at work on the main site."

The attack uses a script that points to "www.robint.us/u.js" and, according to Sophos, first attempts to install two other malicious scripts (Mal/JSShell-B and Troj/ExpJS-N), and then to run an executable file (Mal/Behav-290), which can access the Internet and communicate with a remote server.

Still, the relatively small scope of the attack -- just 7,000 pages -- is actually good news, according to ScanSafe's Mary Landesman. "When SQL injection attacks first went mainstream a few years back, it wasn't uncommon to see a million-plus pages compromised in a single attack," she said on the company's blog. "On the downside, attacks like robint.us are just one of over a thousand unique attacks carried out via the Web each month."
