Websites Slow to Clean Up Malware Infection

Security company Finjan recently proclaimed that it detected over 1,000 different Website domains had been compromised during the first two weeks of June by a known malware toolkit, "Asprox," which has been around for over a year (according to Symantec). 

"… a new round of mass Web attacks has started during May 2008. Hackers successfully compromised a large number of government and top businesses websites worldwide to infect visitors with malware. The attack toolkit being used (which is aliased as "Asprox") has been around for [a] few years; however, during the last year we have noticed a rise in the number of attacks using it. The attack toolkits is designed to first search Google for webpages with the file extension [.asp] and then launch SQL injection attacks to append a reference to the malware file using the SCRIPT tag."

Finjan states that the compromised domains reference back to over 160 domains that serve the malware, and that the number of these "malware serving domains increases every day." According to Finjin, compromised sites included (San Francisco's official site), (the U.K.'s National Health Service), (Snapple's official site), (University of California's official site), and (the Baltimore Times).

Credit: Finjan (click on the image above to see a larger version of the image)

According to Finjan, at least some of these sites have finally been rid of the malware as of the last few days. Although, oddly, as we were writing this story, we discovered that the Baltmore Times site ( was down. We are uncertain if this is related to the malware infection or just a coincidence.

Finjan is not necessarily trying to alert the online world that that this malware toolkit it out there potentially compromising servers and systems--word started to spread about Asprox's resurgence back in May. The alarm bell that Finjan is ringing is that even though this has been known about since May, there are still infected sites out there that haven't been cleaned up yet.

In addition to predominant Websites being compromised, Finjan also found that ad networks were serving infected ads:

"Among the many websites that were compromised, we also found various advertisement networks that were also used to direct users to compromised advertisements. One of the advertisement networks that we found was, which Microsoft plans to acquire as part of Microsoft's Advertiser and Publisher Solutions Group."

Security company SecureWorks describes Asprox as a component of a Trojan called "Danmec":

"Danmec is a password-stealing trojan which has been around for a couple of years, but in the last year new components have been introduced by the author, turning it into a more complete crimeware family. One of these components (developed last year) is the Asprox trojan, which is designed to create a spam botnet which appears to be solely dedicated to sending phishing emails."

Interestingly, Symantec classifies both Danmec and Asprox as "Risk Level 1: Very Low." Symantec reports that Danmec was was first discovered in November 2005, and Asprox was discovered in June 2007.

It appears that there is no consensus on exactly how dangerous Asprox is. But if you are like us, no matter how benign a piece of malware may be, we still don't want it on our systems. As users, we can try to take precautions on our computers, such as running security software with the latest definition updates and patches. But when Website managers don't take the necessary precautions themselves to keep their servers from getting infected--even after knowing about the issue for a month--then they have no excuse. 
Tags:  Malware, Websites, Web, Website, ECT, bsi, EA, AR