Beladen Loads Hacked Web Sites With Badness

At least 40,000 Web sites recently were hacked and retrofitted with instructions that silently attempt to infest visitor PCs with malicious software, security experts warn.

Internet security firm Websense has dubbed this series of attacks "Beladen," because the infected sites divert visitors to a site called beladen.net -- one of at least two exploit domains implicated in this attack (this domain actively serves malicious software, so please do not visit it).

Stephan Chenette, a senior security researcher at Websense, said the company is not sure how the attackers are breaking into the hacked sites, and that it is still in the process of determining what the malware installed on victim's PCs actually does. However, each hacked Web page shares the same blob of obfuscated Javascript code, which is appended to the bottom of the hacked page's HTML.

Each hacked site redirects to Web sites that bombard the visitor's PC with about 20 different Web browser vulnerabilities and browser plug-in attacks, targeting older, insecure versions of several third-party applications like QuickTime and Winzip. In fact, the word "Beladen" translates to "loaded" in German.

"That's appropriate because these hacked sites are absolutely loaded with almost every single exploit you can find publicly available right now," Chenette said.

This latest mass Web site hack is thought to be separate from a similar recent incident referred to as "Gumblar," so named because an estimated 60,000 domains hijacked over several weeks redirected visitors to a malware-serving Web site named Gumblar.cn, among others.

If you were to visit one of these sites hacked with the Beladen code, you probably wouldn't notice anything amiss. In the background, though, malicious code inserted into the site would force your browser to invisibly contact google-analyt1cs.net (please don't visit this site either), which checks the name of the referring Web site, records the date and time stamp of the visit, and then forwards the victim on to the Beladen site, which then silently attempts to exploit a series of browser vulnerabilities.

Most people are familiar with the term "botnet," used to describe a large collection of hacked PCs typically used to relay junk e-mail. This type of attack is probably best thought of in those terms: "a botnet of compromised Web sites," to quote Mary Landesman from ScanSafe.

Chenette said the fake google-analytics site implicated in the attack was previously hosted in the stable of Internet addresses once controlled by the Russian Business Network, an infamous Web hosting group out of St. Petersburg, Russia, that was dispersed after media attention in late 2007.

"Some people are under the belief now that the RBN might be back at work and may be the group responsible for this particular mass injection attack," Chenette said.

If you operate a Web site and notice some funny code on your site -- it probably looks a lot like the code in the screen shot below (from a confirmed, hacked site) your site has in all likelihood been hacked. The code from this attack appears to have been inserted after the closing tag.

It may not be enough to just remove the offending code. If previous, similar attacks -- like the Gumblar mass compromise -- are any indicator, the attackers may have added the code or other malicious code to multiple scripts and pages for each hacked site. It's a good idea to restore your site with known good backups to be safe. Also, there is a decent likelihood that the vector for this attack was compromised FTP credentials, so if your site was hacked you may also want to change your FTP password from a known, clean computer.

There probably are other important, useful details about this attack or cleanup tips that I've left out. Please feel free to let us all know in the comments section below.

By Brian Krebs | June 2, 2009; 8:04 AM ET
Categories: Fraud , Latest Warnings , Safety Tips , Web Fraud 2.0 | Tags: beladen, gumblar, websense
Save & Share: Previous: Microsoft Warns of Attacks on Unpatched Windows Flaw
Next: Security Updates for iTunes, QuickTime

Comments

Good to know about that stuff and those tips are valid.

Separately, this got me thinking about the various services that "validate" that a site is secure, malware-free, etc. Are their "certifications" worth their logos' pixels on my screen? If so, how do they go about validating or, better yet, guaranteeing that their client's site won't try any funny business with my browser, plug-ins or OS of choice?

Posted by: CB12 | June 2, 2009 10:42 AM | Report abuse

CB12,

A "certified" logo is worthless, if the server or packages installed on the server have been compromised by malicious individual(s). A logo isn't going to stop weak passwords or an exploit from being abused.

Think of it this way - putting stickers on your car, doesn't make your car safer.

This attack uses javascript - browse with Firefox/NoScript enabled.

Posted by: redaudit | June 2, 2009 5:52 PM | Report abuse

Can I visit these sites without risking infection if I use a limited user account on Mac OS 10.4.11?

Posted by: Garak | June 4, 2009 2:18 PM | Report abuse

It's June 4, 2009 and yes this is happening. I have two websites hosted at www.pappashop.com and they have about 24 servers. Not sure how many of the servers got hacked but my two sites as well as the blogs on those sites got hacked. I browsed other sites that are hosted with them and found many more showing trouble. It has been several hours now and my guess is they will be working all night long trying to get things fixed. The code is appearing on the sites but I haven't found any sites that are redirecting anywhere else.

Posted by: dgorenflo | June 5, 2009 2:24 AM | Report abuse

beladen.net WAS what I term a DNSWCD (DNS WildCard Domain). Example: MalwareDomainList had the following name in their block lists:

2b0a74.beladen.net

The first six characters are actually a hexadecimal value that was used to track where you were coming from. Since it was a DNSWCD though, it was easy to just change your six hexadecimal code if somebody blocked them in a hosts file and they would be back in business. They have about 16 million to choose from. Since even a DNS lookup of blah.beladen.net would yield an IP address I WAS going to add the domain in our PAC filter which would have blocked all of them, known and unknown. But they seemed to have vanished. Well, they no longer use that domain name. But just blocking the known names doesn't work very well. For these our PAC filter or an additional rule in AdBlockPlus in Firefox work well. I wonder what new domain NAMES they are using? Thanks for the tip - I will be looking for their JavaScript code since it is very distinctive. I suspect that they actually have more than one domain now to handle stuff.

Oh, Garak you are perfectly safe from an infection by Windows malware on Mac OS-X. Now there are those toolbars that when you uninstall them leave their resident JavaScript code chit-chatting with their servers about where you go and what you do as long as the browser is running. Yes, they tell you that it will do that. They also leave a very messed up prefs.js file in Firefox. So backup your $HOME browser data folders. If they ever get hosed, remove the altered ones and replace them with your old safe backup. Every so often make a new safe backup. That is usually all you ever need to do with Unix or Unix-like systems to undo the damage. But in time there will be exploits that put machine specific binaries in place since your browser is very helpful in indicating what you have. If they can do it by just running the binaries as you as opposed to the system they will do that as long as it works - out of sight out of mind. The question is - is it worth their time? They do this to make money.

Posted by: hhhobbit | June 5, 2009 2:40 AM | Report abuse

The comments to this entry are closed.

Network News

Beladen Loads Hacked Web Sites With Badness