So another reason to keep the NoScript visors up, and another reason to thank Giorgio Maone for developing this Firefox extension.
The number of websites that have been hacked in the "Beladen" attack
re:
http://securitylabs.websense.com/conten ... /3408.aspx &
http://blog.scansafe.com/journal/2009/6 ... et-qa.html
now has risen from 20,000 to 40,000.
This according to security vendor Websense.
More than likely, attackers found access to websites through stolen FTP passwords;
SQL-injected brute-force attacks on web servers are also an option, re:
http://bt.uptime.cz/apache/apache_attack_EN.pdf
According to Websense's Carl Leonard, mainly vulnerabilities in both Internet Explorer and
Firefox browsers were being exploited, but attacks against Adobe Reader, QuickTime and WinZip are also being launched, re:
http://www.computerworld.com/action/art ... src=kc_top
Despite the recent growth in numbers, the Beladen attacks are rather small compared to the ongoing Gumblar attacks. According to ScanSafe, the number of Beladen-hacked sites would only total a couple of thousand sites:
http://www.scmagazineuk.com/Claims-made ... le/137904/
Re: '"Beladen" new attack on the block'
« Reply #7 on: June 04, 2009, 01:07:23 PM »
Here is some further info:
block *.beladen.net
Mass compromises are certainly nothing new. They regularly take place,
because attackers commonly use server-side vulnerabilities in an automated way
to infiltrate legitimate Web sites and inject them with malicious code.
The challenge in these kinds of attacks, from a security firm perspective,
is to recognize malicious patterns in legitimate Web sites (they're usually obfuscated),
and then research the exploit sites those attacks lead to. Read more here:
Beladen.net is full of various attacks and after a successful exploitation,
a malicious file will be run on the infected computer.
The exploit also uses the ‘typo-squatter’ domain with a similar name to
the legitimate Google Analytics domain (google-analytics.com),
redirecting users to beladen.net.
Beladen also had a low anti-virus detection rate.
At the time the attack was first reported,
only four out of 40 anti-virus vendors had reported the threat.
Also now known as Cruzer.D
He also said that if an exploit didn't work on a machine,
the attack would also try to download rogue anti-virus software,
in order to dupe users into downloading a Trojan.
securitylabs.websense.com/content/Blogs/3408.aspx
Due to some manipulation of the DNS process, beladen.net creates
new subdomains and referral DNS servers every time.
Trying to block each of them can't be done.
So look at these examples and just block anything connected to it
[EDITED by luntrus for security reasons]:
When the problem comes up you're redirected to 7914421.beladen.n*t,
and after that you're redirected to hxtp://scan4top.com/22/?uid=keyin, which is disguised like ...
wxw.vbulletin.com/forum/showthread.php?p=1735111 - 97k -
I spotted this last night, e.g.: h x t p://0e6047.beladen.net/t/m1002z188371.html
appeared down left and redirecting to h x t p://scan4note.com/22/?uid= ...
wxw.hondenforum.nl/phpBB2/viewtopic.php?p=3378096&sid=
Próba wlamania do mojego komputera podjeta przez tzvx.beladen.n*t
Tried to connect to my computer etc.:
(91.207.61.40,80) 30.04.2009 00:08:16 zostala zablokowana. ... (was blocked)
f*lieton102.bloog.pl/kat,0,m,4,r,2009,index.html
luntrus
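An added example (not from the post, nor from NoScript or Websense) of the "block the zone, not each subdomain" approach luntrus describes: a Python checker that refangs the obfuscated URLs quoted above (the hxtp / h x t p / wxw / n*t conventions are assumed) and matches the host against a blocklist on label boundaries, so every rotating subdomain of beladen.net is caught while unrelated look-alike names are not.

```python
import re
from urllib.parse import urlsplit

# Constructed blocklist: each zone is blocked together with all its subdomains,
# which is what the post recommends for the rotating *.beladen.net hosts.
BLOCKED_ZONES = ("beladen.net", "scan4top.com", "scan4note.com")

# Defanging conventions assumed from the post: "hxtp://", "h x t p://",
# "hxxp://", "wxw." and ".n*t".
_DEFANG_SCHEME = re.compile(r"^h\s*x\s*[tx]\s*p(s?)\s*:\s*//", re.IGNORECASE)
_DEFANG_SUBS = (("wxw.", "www."), (".n*t", ".net"), ("[.]", "."))


def refang(url: str) -> str:
    """Turn a defanged URL back into one urlsplit() can parse."""
    url = _DEFANG_SCHEME.sub(lambda m: "http" + m.group(1) + "://", url.strip())
    if "://" not in url:
        url = "http://" + url           # bare host/path without a scheme
    for bad, good in _DEFANG_SUBS:
        url = url.replace(bad, good, 1)
    return url


def host_of(url: str) -> str:
    """Lower-cased hostname of a (possibly defanged) URL, '' if none."""
    return (urlsplit(refang(url)).hostname or "").lower().rstrip(".")


def blocked_zone(host: str, zones=BLOCKED_ZONES):
    """Return the zone covering host (exact match or any subdomain), else None.

    The check is anchored on a label boundary, so 'notbeladen.net' is NOT
    matched by the 'beladen.net' entry.
    """
    for zone in zones:
        if host == zone or host.endswith("." + zone):
            return zone
    return None


def check_urls(urls, zones=BLOCKED_ZONES):
    """Map each URL to the blocked zone it resolves to, or None."""
    return {u: blocked_zone(host_of(u), zones) for u in urls}


SAMPLE_URLS = [  # constructed from the defanged URLs quoted in the post
    "7914421.beladen.n*t",
    "hxtp://scan4top.com/22/?uid=keyin",
    "h x t p://0e6047.beladen.net/t/m1002z188371.html",
    "h x t p://scan4note.com/22/?uid=",
    "wxw.vbulletin.com/forum/showthread.php?p=1735111",
    "http://notbeladen.net/",             # look-alike that must stay unblocked
]

if __name__ == "__main__":
    for url, zone in check_urls(SAMPLE_URLS).items():
        print(f"{'BLOCK' if zone else 'allow':5}  {url}  ({zone})")
```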