Digg Facebook Connect Join Digg About
See the original image at networkworld.com

Nine Ball attack strikes 40,000 Web sites

networkworld.com More than 40,000 Web sites have been hit by a mass-compromise attack dubbed Nine Ball that injects malware into pages and redirects victims to a site that will then try to download Trojans and keylogger code, Websense said today.

Who dugg this? Made popular Jun 17, 2009

Digg DudeWhat is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

61 Comments

show profanity settings
expand all
  • inactive, on 06/17/2009, -4/+45Ya know, one of these days you hackers are gonna piss of the wrong wealthy owner of one of these sites and he is gonna pay some mercs to come and remove your GD fingers. That happens a few times and you get to see one of your hacker buddies that now has a paddle instead of a hand and maybe you will learn about accountability you hide from behind the internet now.

    Don't fool yourselves. If 20/20 can find you, a rich pissed off guy can as well.
  • Swrv, on 06/17/2009, -0/+25I'd chip in a couple of bucks, anybody else?
  • gnixon70, on 06/17/2009, -0/+21Wasn't some Russian spammer gunned down a few years ago? Different situation I know, but still..
  • knohr, on 06/17/2009, -0/+16What website software was compromised?
    I hate these /nearly/ useless articles.
  • Relentl3ss, on 06/17/2009, -5/+21Yes, 'cus obviously all of those 40k websites that were compromised were running windows.

  • Mockylock, on 06/17/2009, -1/+16As opposed to the "2 ball" attack that leaves your chin chaffed.
  • asshankie, on 06/17/2009, -2/+17Buried for BN Mafia spam.
  • JoeHague, on 06/17/2009, -1/+15Because you're not getting redirected to www.nine2rack.in/
  • DirtyVicar, on 06/17/2009, -0/+14mass_media_virus_story.template.doc

    [Virus attack du jour] strikes [number] Web sites

    More than [number] Web sites have been hit by [virus du jour] that injects malware into pages and redirects victims to [a site], [source] said today.

    According to [source], which has tracked [virus du jour] for [some amount of time], the compromised Web site, loaded with malware, will [do some sort of nebulous browser attack].

    “[Blah blah blah,” says [person], manager of security research at [some source]. This type of [nebulous browser attack] is becoming commonplace in Web attacks, he points out.

    [After nebulous browser attack], the victim lands at [site URL], which may sound like a site in [source], but is in Ukraine / Baltimore / China / Russia <--- (pick one), [source] believes. The URL inspired [source] to name the attack method [virus du jour].

  • ubernoggin, on 06/17/2009, -3/+16How do we know Digg isn't one of them?
  • ultraseamus, on 06/17/2009, -0/+12If I made such a virus, and it started getting media attention, my very next target will be any and all sites covering the story. The worse the virus became, the faster it would grow.
  • inactive, on 06/17/2009, -1/+12sounds like money well spent..
  • strictnein, on 06/17/2009, -4/+11I'm really asking this as an honest question: Don't you have anything better to do?
  • ticookie, on 06/17/2009, -6/+13Yeah...I'm on a Mac...that means I can't download any working programs, including this malware...
  • techdever, on 06/17/2009, -3/+10the midget porn 4chan page is down, so he's trolling digg now
  • uknowwhoibe, on 06/17/2009, -0/+6I like the way you think.
  • koan, on 06/17/2009, -0/+5Here is the actual details of the compromise, rather than the Websense advert (albeit this link is at websense!)

    http://securitylabs.websense.com/content/Alerts/34 ...

    It isn't new, it is just another MDAC compromise of a three year old vulnerability.
  • linuxeventually, on 06/17/2009, -0/+5It's based on user reviews -- and these viruses compromise legit sites, so unless someone reports it for you, then you are SOL.
  • Ranzera, on 06/17/2009, -1/+5Presumably the malware from the infected websites would primarily affect windows machines.
  • xelerated, on 06/17/2009, -0/+4No, most of them dont pick it up yet. Plus it morphs. So id recommend winpooch or coreforce, they will
    let you know when your browser is trying to execute something "drive by" style.

  • DirtyVicar, on 06/17/2009, -0/+4Honestly I am astonished that spammer/hack attacks don't cause widespread revenge violence. I'm not sure where the sociological nugget of insight is here, but I'm thinking it's along the lines of the average person having an incredible store of patience when they're victims of a non-personal attack from a nebulous source.
  • InfiniteNothing, on 06/17/2009, -1/+5Because they're not trying to get us to install a widget?
  • gordigor, on 06/17/2009, -2/+5yeah for you!
  • MtheoryX, on 06/18/2009, -0/+3I'm behind 7 proxies!!
  • alwilson, on 06/17/2009, -1/+4These GDMF's are a waste of everyones time and resources.
  • gordigor, on 06/17/2009, -0/+3If these hacks always redirect to some page, can't anyone figure out who 'owns' that page.
  • JoeHague, on 06/17/2009, -0/+3You're not allowed to comment after you read the article/
  • xslick, on 06/17/2009, -1/+4It's not that easy to find who actually owns a domain name, even if the IP address of who ever registered the domain is known. This is especially true for sophisticated hackers or those who just know their way around the internet. The best that happens is this site's url gets around to IT's so it's blacklisted and eventually shut down.
  • thePTS, on 06/17/2009, -1/+3botnet/backdoor proxies should work pretty well for anonymity.
  • dazparkour, on 06/17/2009, -0/+2I got a security alert! HONEST I DIDN'T READ THE ARTICL[No Carrier]
  • wmcewa01, on 06/18/2009, -0/+2Best
    Comment
    Ever
  • vbullinger, on 06/17/2009, -0/+2I had something that this site mentioned a few months back that might provide insight.

    You have to figure out what it's doing to your system. Anti-virus software would scrub it, but then it would replicate itself right away anyway. I figured out what it did, ran anti-virus software, recreated what it did in a non-malicious manner, deleted all the registry keys and was set.

    I know it made an executable or a dll or something. After the anti-virus software deleted it, I copied like IE or something into that directory, renamed it whatever that virus was calling it and then marked it as read-only so it couldn't be overwritten. Stopped the virus dead in its tracks. I did eventually get a trial version of something that did delete all the remnants and worked by itself for someone else that got the same thing a week later.

    Can't remember how I got it to stop hijacking my Google searches, though. Sorry I can't help you with that one. My hard drive crashed recently (died) so I don't have that anti-virus software on my machine anymore so I can't help you with what it's called.
  • johnkemp, on 06/18/2009, -0/+1It'd be god damn hilarious if they were running IIS tho. ***** coming and going.
  • pixelriffic, on 06/17/2009, -1/+2Sorry if this is a duplicate comment, but I use Firefox exclusively now with Noscript to block third party site scripting. I believe it's the safest way to deal with this sort of issue. I guess the advertisers don't care for it, but it's by far the safest (albeit annoying) way to handle it.
  • Sivaram, on 06/18/2009, -0/+1guys is there a way to find that a site is infected or not thru some online scan ? just like a AV scan for PC ?
  • inactive, on 06/17/2009, -0/+1Turkish hacker pwns you
  • dazparkour, on 06/17/2009, -0/+1The amount I am here, I would get sent to ask.com
  • bradleyland, on 06/17/2009, -2/+3Yeah, proxies. That's the answer.
  • Denominator88, on 06/17/2009, -0/+1One of our IT Consulting firm's clients got hit was this this week, as well as a similar attack this week. We have no access to the webserver it resides on, but are changing that as soon as we can (as well as moving them over).
  • inactive, on 06/18/2009, -0/+1porntube.com
  • mikedoth, on 06/17/2009, -2/+3Give it time, they'll hit the Macs soon enough.
  • inactive, on 06/18/2009, -0/+1 it does indeed...They can't get me either.(Linux user.)
  • inactive, on 06/18/2009, -0/+1I did.

    A clients website had been blocked by google.

    I found the script and flowed the redir to a folder on another website.
    The website was in America paid for by a stolen CC number.
    The melware was downloaded and I let it run using VM.
    The url for the trace located the main server back in Russia.
    The server was one of several ran by the russian dicks.
    It used a key logger and a back door. I presume to steal CC and make the computer a drone for anyone who pays the fee.
  • shinkou, on 06/18/2009, -0/+1"You've got balls?"
  • inactive, on 06/18/2009, -0/+1sif
  • ABreeman, on 06/18/2009, -0/+0That's a stupid comparison. He said EXPERIMENT computer so there is nothing important on it. Bunch of know it all morons.
  • inactive, on 06/18/2009, -1/+1 I'm not missing out. Linux has tons of cool software too.
  • Fetching more discussions...
    Show 51 - 64 of 64 discussions

  • Add a Comment

    Login or register to comment!
    Or, sign-in super fast with your Facebook account ...