Comparisons between two mass Javascript injection attacks suggest they may be related, according to a security company. The latest attack has compromised various sites including one United Nations and several UK government sites with links to malicious servers.
On Tuesday Websense reported seeing distinct similarities between attacks staged earlier this month and over the weekend. Specifically, they cite the use of the same tool to execute the attack being resident on the malicious server. Last summer various groups used the MPACK toolkit to propagate a similar series of Javascript injections.
Javascript injections are browser attacks and require no more effort than appending a script tag to the end of the URL. If a legitimate site is vulnerable to script injection, an attacker can add a script tag to the Web-facing page of the site so that subsequent views will automatically download whatever content is within the script tag. Often the script tag contains calls out to a malicious server.
A user need only stumble upon a compromised site to become infected. In this case, when viewing a compromised site, the injected Javascript loads a file named 1,js. The file is located on a malicious server, which then attempts to execute eight different exploits targeting Microsoft applications.
As of Tuesday, two other files named McAfee.htm and Yahoo,php were no longer active.
A quick review by CNET News.com found that travel and academic sites continue to host the injected Javascript code.
(Copyright by CNET Networks, Inc.)