Mass infection as hackers strike

Verashni Pillay & Ilse Arendse

Johannesburg - Web developers all over the world have been scrambling to protect their sites from one of the biggest hacking attempts from one source to date, an information security expert said.

A mysterious hacker group, with an IP address registered in Shanghai, China, hacked up to 354 000 sites on Friday afternoon according to an index by Google, but the number could be a lot higher, said Deloitte security and privacy consultant, Dominic White.

Other media reports said that up to 500 000 websites were affected.

"Google can take up to a week to re-index a site, and they're doing it all the time, so the picture may look very different in a day from now," said White.

The hacking began in early April with an attack on several thousand websites using SQL injection, a technique that exploits a security vulnerability occurring in the database layer of an application.

This has resulted in those websites attempting to infect any visitors to the site with malicious software.

According to White this software, or Trojan, can pilfer credit card information as well as install spyware.

Risk of attack going unnoticed

ICT security expert Dino Covotsos, MD of Telspace, a Johannesburg-based company specialising in managed security services, confirmed the attack.

Covotsos said the attack was prominent, also in South Africa, where a lot of sites were defaced.

He said they got calls from companies saying they were affected, but some didn't even know that they were hit.

Abroad, the UK and US government sites were infected as well as several US university sites.

Anyone visiting a hacked web page will in turn have their computer infected with malicious software due to flaws in older versions of iTunes, Microsoft Windows, AIM or RealPlayer.

When the hacking began early in April several thousand sites were infected. However, it has since restarted again in earnest from a new origin point.

"This software has a very effective strategy, and targets weaknesses in several components of the user's computer," said White.

Army of infected computers

"Once infected, passwords are looked for and sent back to a central computer, additionally these machines are co-opted into an army of infected computers (called a botnet), which the controlling group can use to perform large distributed attacks."

This controlling group is entirely unknown at this stage. While the hacker's IP address is registered in China, White said this doesn't mean they are from there.

"In the last couple of days, these guys have re-grouped and launched a far more ambitious attack which has successfully infected several hundred thousand websites putting any visitors to those websites (a multiple of several hundred thousand) at risk," said White.

Some anti-virus products provide protection, and White said it is important that users update their anti-virus software daily if possible, and download the latest versions of software like iTunes and RealPlayer and apply security patches to their Windows operating system "to ensure the latest protection against rapidly evolving threats such as these, are enabled".

For now the situation seems to be under control - the one website where the malicious code was coming from was blocked, Covotsos told News24.

He added that the worm wasn't written too well because they could see where it was going and what it was doing.

However, Covotsos cautioned that another more potent worm could be unleashed in a few weeks time and that companies should secure their code and fix their servers.

- News24