
Cisco: Outdated Linux Kernels Used in Recent Malware Attack

Source: Tom's IT Pro

Web servers, possibly running an outdated version of the Linux kernel, have been identified as the target of a malicious redirection campaign that, according to a Cisco blog post, continues to compromise websites and plague the Internet.

According to Martin Lee, the technical lead of Threat Intelligence for Cisco, the redirection campaign has been "speedy", affecting hundreds of websites. The attackers are compromising legitimate websites by inserting JavaScript code that redirects visitors to other compromised websites, Lee said. The scale has been dramatic: Lee estimates that about 400 distinct hosts were affected on each of March 17 and March 18.

"At the time of writing, we have identified in excess of 2700 URLs that have been utilised in this attack. The attackers have subverted existing, legitimate websites to affect unsuspecting users. Security awareness campaigns that train users to be wary of unknown websites may not be effective against trusted websites that become compromised to serve malware. Although users of Cisco's Cloud Web Security solution are protected from this attack, we observe that approximately 1 in 15 of our clients have had at least one user who has been intercepted attempting to request an affected URL," Lee wrote.

The attacks are global, with a high incidence in Germany and the USA, he added.

The attack happens in multiple stages, according to Lee. When a user visits a compromised site, a line of JavaScript that has been inserted into the page runs and causes the visitor's browser to load multiple advertisements that generate revenue for the attacker. Lee also indicated that there was some evidence that, as a final step, visitors could be infected with Trojan malware.
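As an added example that is not from the Cisco post or the Tom's IT Pro article: a check a site owner can run over their own pages to flag the kind of injected inline JavaScript redirect described above. The sample page, the host names and the `find_external_redirects` helper are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assignments to location-like properties, or location.replace()/assign() calls,
# followed by a quoted absolute URL. A heuristic, not a JavaScript parser.
REDIRECT_RE = re.compile(
    r"""(?:window|document|top|self)?\.?location(?:\.href)?\s*"""
    r"""(?:=|\.replace\(|\.assign\()\s*['"](https?://[^'"]+)['"]""",
    re.IGNORECASE,
)

class _ScriptCollector(HTMLParser):
    """Collects the text of every inline <script> element on a page."""
    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

def find_external_redirects(html, site_host):
    """Return URLs that inline scripts send the visitor to on another host."""
    collector = _ScriptCollector()
    collector.feed(html)
    # Same-host redirects are normal; anything pointing elsewhere deserves a look.
    return [url for script in collector.scripts
            for url in REDIRECT_RE.findall(script)
            if urlparse(url).hostname != site_host]

# Constructed sample page: one legitimate same-site redirect, one injected one.
SAMPLE_PAGE = """<html><head>
<script>window.location.href = "https://www.example-shop.test/home";</script>
</head><body><p>Welcome</p>
<script>document.location="http://ads.compromised-host.test/r.php?id=1";</script></body></html>"""

if __name__ == "__main__":
    for url in find_external_redirects(SAMPLE_PAGE, "www.example-shop.test"):
        print("suspicious redirect:", url)
```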

"AV products may detect the JavaScript redirect as being similar to that previously used in the Blackhole exploit kit. However, we have no evidence to suggest that this campaign is related to Blackhole rather than an example of code reuse," wrote Lee.

The blog entry by Lee has been modified to indicate that some of the compromised hosts were running Linux kernel 2.6, but that the initial exploit vector has not been identified, so it cannot be stated with any certainty that Linux kernel 2.6 is the root cause of the problem. What was known as of Saturday was that the problem continues.

Although the authors of the blog took some heat from the community, the advice Lee provided is still sound. Unsupported systems should at least be monitored or upgraded where possible to avoid exposure to security exploits that will never be fixed.