Whilst looking for something completely different I came across our old friend ASPROX (see the previous diary from Marc).
It seems that a lot of the domains used by this are still, or again, active, typically using fast flux. The script that is being injected tends to be ngg.js, fgg.js, b.js or js.js. This links to an IP address (still up) where a CGI script starts the road of pain.
Doing a quick search using our friend Google, I ended up with 1,470,000 sites that are currently infected. Now about 591,000 or so are b.js, which seems to point to inactive domains, so these are unlikely to do damage. The rest is a mixture of active and inactive links.
The high number of infected sites points to a couple of issues.
- Sites are compromised and nobody notices
- Sites that are infected are not cleaned up.
Now the number of infected sites is high, but the sky is not falling. However, if you have a spare few minutes, do the following Google search, replacing yoursite with your domain, e.g. sans.org (just cut and paste the whole search).
site:yoursite "script src=http://*/""ngg.js"|"js.js"|"b.js"
If the search returns results, you have some cleaning to do.
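The Google search above tells you what has already been indexed; a check you can run against your own pages right now is to look for the same injected script references directly in the HTML. The following is an added example (not from the diary): it scans a page for external script tags whose src ends in one of the file names named above, skips references to hosts you own, and notes when the script is pulled straight from a bare IP address, which is the pattern the diary describes. The sample HTML and the hosts in it (192.0.2.10, www.example.com, fastflux.example.invalid) are constructed for illustration.

```python
import ipaddress
import re
from typing import Dict, Iterable, List
from urllib.parse import urlparse

# Script file names the diary reports as the injected payload.
ASPROX_SCRIPT_NAMES = ("ngg.js", "fgg.js", "b.js", "js.js")

# A script tag whose src is an absolute http(s) URL ending in one of the names above.
# The src value may be double-quoted, single-quoted or unquoted; matching is case-insensitive.
_INJECTED_RE = re.compile(
    r'<script[^>]*\bsrc\s*=\s*["\']?(?P<src>https?://[^"\'\s>]+/(?P<name>'
    + "|".join(re.escape(n) for n in ASPROX_SCRIPT_NAMES)
    + r'))["\']?[^>]*>',
    re.IGNORECASE,
)


def _is_ip_host(host: str) -> bool:
    """True when the host part of the URL is a literal IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_injected_scripts(html: str, own_hosts: Iterable[str] = ()) -> List[Dict[str, object]]:
    """Return one record per suspicious external script reference in html.

    own_hosts lists hostnames you legitimately serve scripts from; references to
    those are skipped so a site's own b.js or js.js does not raise a false alarm.
    Each record carries the line number, the full src URL, the matched file name
    and whether the script is fetched from a bare IP address.
    """
    own = {h.lower() for h in own_hosts}
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(html.splitlines(), start=1):
        for m in _INJECTED_RE.finditer(line):
            src = m.group("src")
            host = urlparse(src).hostname or ""
            if host in own:
                continue
            hits.append({
                "line": lineno,
                "src": src,
                "name": m.group("name").lower(),
                "host_is_ip": _is_ip_host(host),
            })
    return hits


def is_compromised(html: str, own_hosts: Iterable[str] = ()) -> bool:
    """Convenience wrapper: True if any suspicious external script reference is present."""
    return bool(find_injected_scripts(html, own_hosts))


# Constructed sample page: one local script, one injected tag fetching from a bare IP,
# one legitimate absolute reference to the site's own host, and one injected tag from a
# placeholder fast-flux hostname.
SAMPLE_HTML = """<html><head>
<title>Constructed test page</title>
<script src="/assets/js.js"></script>
<script src=http://192.0.2.10/ngg.js></script>
<script src="http://www.example.com/js/b.js"></script>
</head><body>
<p>hello</p><script src='http://fastflux.example.invalid/cgi/js.js'></script>
</body></html>"""


if __name__ == "__main__":
    for hit in find_injected_scripts(SAMPLE_HTML, own_hosts=("www.example.com",)):
        print(f"line {hit['line']}: {hit['name']} from {hit['src']} (ip host: {hit['host_is_ip']})")
```

Run it over saved copies of your own pages (or the output of a crawl of your site); any hit that points off-site, and in particular to a bare IP, deserves the same clean-up the diary calls for. Pass your own hostnames in own_hosts so legitimate absolute references do not show up as hits.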
I did a quick breakdown of infected sites:
Government domains:
.gov - 238
.gov.au - 927
.gov.uk - 2,930
.gov.cn - 34K
.gov.za - 424
.gov.br - 263
Other domains:
.com - 474K
.org - 79.9K
.com.au - 19.5K
.co.uk - 19.3K
.ca - 13.1K
I'll let you know next week if things are getting better or worse.