BusinessWeek gets hit


Johannesburg, 19 Sep 2008

The BusinessWeek Web site has been attacked by hackers in an attempt to infect its readership with malware, experts at IT security and control firm Sophos have discovered.

Hundreds of Web pages in a section of BusinessWeek's Web site, which offers information about where MBA students might find future employers, have been affected. According to Sophos, hackers used an SQL injection attack - where a vulnerability is exploited in order to insert malicious code into the site's underlying database - to pepper pages with code that tries to download malware from a Russian Web server.
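To make the mechanism concrete, the following is an added example written for this article, not code from Sophos, BusinessWeek or the affected site. It assumes a hypothetical employer-listing table with constructed rows and constructed `.example` domains. It shows the defect that lets an attacker's input change the structure of a query, the parameterised form that prevents it, and a scan a site owner can run over stored page content to spot off-site script references of the kind injected here.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Constructed sample data: an in-memory table standing in for a site's
# content database. Schema and rows are hypothetical.
SAMPLE_ROWS = [
    (1, "Acme Corp", "<p>Acme hires MBA graduates every spring.</p>"),
    (2, "Globex", "<p>Globex runs a rotational leadership programme.</p>"),
]


def make_db():
    """Build the constructed employer table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employers (id INTEGER PRIMARY KEY, name TEXT, body TEXT)"
    )
    conn.executemany("INSERT INTO employers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_employer_vulnerable(conn, name):
    """The defect: user input is spliced into the SQL text, so quote
    characters in the input become part of the statement itself."""
    sql = "SELECT id, name FROM employers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_employer_safe(conn, name):
    """The fix: a parameterised query. The driver passes the value
    separately from the statement, so it is only ever compared as data."""
    sql = "SELECT id, name FROM employers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Matches <script ... src="http(s)://host/..."> and captures the URL.
SCRIPT_SRC = re.compile(
    r"<script[^>]*\bsrc\s*=\s*[\"']?(https?://[^\"'\s>]+)", re.IGNORECASE
)


def find_injected_scripts(conn, trusted_hosts):
    """Scan stored page bodies and return (row id, URL) for every script
    tag whose src host is not in the site's own trusted host list."""
    hits = []
    for row_id, body in conn.execute("SELECT id, body FROM employers"):
        for url in SCRIPT_SRC.findall(body):
            host = urlparse(url).hostname or ""
            if host not in trusted_hosts:
                hits.append((row_id, url))
    return hits


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # quote-bearing input that alters the query
    print("vulnerable:", find_employer_vulnerable(db, probe))  # both rows
    print("safe:      ", find_employer_safe(db, probe))        # no rows
    print("clean scan:", find_injected_scripts(db, {"www.example"}))
```

The scan is the part worth scheduling: the article notes that sites that clean up their database are often reinfected within hours, so a periodic pass over stored content for off-site script references (with a tight list of the site's own hosts) gives early warning that the underlying injection flaw has not actually been closed.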

"While it is concerning when any site suffers a malicious SQL injection attack, the stakes are even higher when it is one of the 1 000 busiest Web sites on the Internet," says Brett Myroff, CEO of regional Sophos distributor, Sophos South Africa.

"A potentially large number of people visiting the site and accessing information may be putting their finances or personal data at risk if they are not properly protected."

Down but not out

At the time of writing, the code injected into BusinessWeek's Web site points to a Russian Web site that is currently down and not delivering further malicious code. However, it could be revived at any time, infecting hundreds of MBA students looking for high-earning jobs. Sophos informed BusinessWeek of the infection last week, although at the time of writing, the hackers' scripts are still present and active on their site.

"Companies hit by SQL injection attacks need to move fast to not only remove the malicious scripts, but also to ensure they do not get infected again. Companies with Web sites that have been struck by such an attack often clean up their database, only to be infected again a few hours later," says Myroff.

Anyone who browses the Web needs to ensure the pages they visit are being scanned for dangerous code, as more and more sites are being discovered each day hosting malware.

Other threats

This week's line-up of low to medium prevalence threats includes Mal/Basine-A, which is demonstrating malicious behaviour on Windows machines. It installs itself in the registry.

Troj/Scrods-Gen, a family of Trojans for the Windows platform, has also been noted.

Members of Troj/Scrods-Gen usually attempt to download and execute files from remote locations, and may attempt to copy themselves to the Windows folder, often with the filename csrss.scr. The family sets a number of registry entries and is also detected under the alias TR/Crypt.FKM.Gen.

The Troj/Delf-FBD Trojan is currently affecting Windows users, and has a number of aliases, including:

* Win32/TrojanDownloader.Delf.OGZ
* Generic Downloader.x
* Trojan.Win32.Small.xut

It installs itself in the registry and includes functionality to access the Internet and communicate with a remote server via HTTP. When first run, Troj/Delf-FBD copies itself to <User>\Application Data\Adobe\Manager.exe.

Troj/FakeAle-HL, another Windows-based Trojan, drops more malware and installs itself in the registry. It has functionality to access the Internet and communicate with a remote server via HTTP.

The W32/Autoit-V Worm has also been detected.

"The latest BusinessWeek attack should alert all businesses to the importance of ensuring their Web sites are fully protected against attacks, and that all vulnerabilities are patched," Myroff adds.
