January 14, 2008, 3:22 PM — A sophisticated hacking scheme seen early last year is affecting an increasing
number of Web servers, including one owned by a major online advertising company,
the chief technology officer of Finjan
Software said Monday.
It appears that a single gang is behind the attacks, since the malicious software
it spreads is storing login and password details on one server in Spain, said
Yuval Ben-Itzhak. Finjan is trying to get the ISP (Internet service provider)
to shut it down, he said.
A Web server of an online advertising company that serves 14 million banner
ads to other Web sites has also been hacked, Ben-Itzhak said. That means that
the PC of anyone who visits a legitimate site hosting a malicious banner ad
could potentially be infected if their computer isn't patched, he said.
"You can imagine the magnitude," Ben-Itzhak said.
Ben-Itzhak declined to identify the company, but said Finjan contacted it last
week about the problem. At least 10,000 other Web sites were serving up malicious
code in December, although Finjan stopped counting, Ben-Itzhak said.
The latest problems show that the power of this particular hacking gang appears
to be growing since it was identified early last year. At that time, Finjan
said it found a number of Web servers that had been hacked in order to serve
malicious code to visitors. The attackers used several methods to hide their
tracks and infect a maximum number of PCs.
served up once to a PC, which helps avoid repeated tests by security scanning
Further, hackers also record the IP (Internet Protocol) addresses of crawlers
used by search engines and reputation services, which evaluate the risk in visiting
certain Web sites. Those page requests are then served with legitimate content.
it more difficult to detect with security software, Finjan said. Once hacked,
a Web server hosting hundreds of Web sites will serve up the attack code.
The code looks for at least 13 software vulnerabilities in order to place a
Trojan horse program on the PC.
The hackers also regularly change the vulnerabilities that the attack looks
for in order to increase the chances a computer can become infected, Ben-Itzhak
said. After the PC is infected, the malware can start collecting data on the
machine, such as documents and passwords. Finjan has dubbed the attack "random