Beladen Loads Hacked Web Sites With Badness
At least 40,000 Web sites recently were hacked and retrofitted with instructions that silently attempt to infest visitor PCs with malicious software, security experts warn.
Internet security firm Websense has dubbed this series of attacks "Beladen," because the infected sites divert visitors to a site called beladen.net -- one of at least two exploit domains implicated in this attack (this domain actively serves malicious software, so please do not visit it).
Each hacked site redirects to Web sites that bombard the visitor's PC with about 20 different Web browser vulnerabilities and browser plug-in attacks, targeting older, insecure versions of several third-party applications like QuickTime and Winzip. In fact, the word "Beladen" translates to "loaded" in German.
"That's appropriate because these hacked sites are absolutely loaded with almost every single exploit you can find publicly available right now," Chenette said.
This latest mass Web site hack is thought to be separate from a similar recent incident referred to as "Gumblar," so named because an estimated 60,000 domains hijacked over several weeks redirected visitors to a malware-serving Web site named Gumblar.cn, among others.
If you were to visit one of these sites hacked with the Beladen code, you probably wouldn't notice anything amiss. In the background, though, malicious code inserted into the site would force your browser to invisibly contact google-analyt1cs.net (please don't visit this site either), which checks the name of the referring Web site, records the date and time stamp of the visit, and then forwards the victim on to the Beladen site, which then silently attempts to exploit a series of browser vulnerabilities.
Most people are familiar with the term "botnet," used to describe a large collection of hacked PCs typically used to relay junk e-mail. This type of attack is probably best thought of in those terms: "a botnet of compromised Web sites," to quote Mary Landesman from ScanSafe.
Chenette said the fake google-analytics site implicated in the attack was previously hosted in the stable of Internet addresses once controlled by the Russian Business Network, an infamous Web hosting group out of St. Petersburg, Russia, that was dispersed after media attention in late 2007.
"Some people are under the belief now that the RBN might be back at work and may be the group responsible for this particular mass injection attack," Chenette said.
If you operate a Web site and notice some funny code on your site -- it probably looks a lot like the code in the screen shot below (from a confirmed hacked site) -- your site has in all likelihood been hacked. The code from this attack appears to have been inserted after the closing