Criminals spread Windows exploit via Web host

Attackers exploited the zero-day VML vulnerability on Windows-based machines by targeting a separate hole in cpanel, an application that's popular with Web hosting services.

The attack, which lasted from late Thursday to Saturday afternoon, used a zero-day vulnerability in cpanel to access the servers of HostGator, a Boca Raton, Florida, company that hosts about 600,000 domain addresses, and three other Web hosting companies, according to Brent Oxley, the owner of HostGator. The attackers then planted an iframe script in Web sites that directed some visitors to malicious addresses that would infect them.

The VML hole, and other zero-day vulnerabilities like it, represent a golden opportunity for criminals by allowing them to install spyware and other malware of their choosing on large number of machines. But finding a way to lure victims to sites carrying the infected payload remains a key challenge. Criminals involved in this weekend's attack solved that problem by using a previously unknown vulnerability in cpanel, the leading software used to manage large numbers of Web sites, to gain access to hundreds or thousands of servers that dish up Web pages.

"That speaks to a significant degree of planning," said Roger Thompson, CTO of Exploit Prevention Labs. "The significant thing is that it was a mass hack with a zero day that worked."

Oxley agreed.

"The person or group that did this is very intelligent, and obviously knows how to plan a big attack," Oxley wrote in a support forum on HostGator's Web site. "Since this exploit could have worked on anyone running cpanel, it had nothing to do with how secure we were." The perpetrators of the attack were most likely operating out of China or Russia, Oxley said in an interview.

Dave Koston, an operations manager at cpanel Inc., said the company patched the hole within an hour of learning about it. An update has been pushed to the vast majority of servers that use cpanel. He said attackers had to have a valid account with each Web host to be able to exploit the vulnerability.

About 200 HostGator servers were accessed, said Oxley, who was unable to estimate the number of Web sites that were affected. Three other Web hosts, including one that is a larger competitor to HostGator, were also attacked, Oxley said, declining to name them.

The attack demonstrates the growing discipline and sophistication of computer attackers. According to Oxley, the attackers used the cpanel flaw to gain entry to HostGator servers more than a month ago, and then lay quietly in wait until last week.

The iframe script also took pains not to call attention to itself, redirecting only visitors using Internet Explorer, the only browser susceptible to the VML vulnerability. Visitors using Mozilla Firefox or other browsers witnessed nothing unusual.

The attack came four days after the discovery of the VML vulnerability, which allows malicious Web sites to gain complete control of Windows-based machines that access the site using IE. About 20,000 sites are attempting to exploit the flaw, according to Eric Sites, vice president of Sunbelt Software, the company that first spotted the vulnerability. One such site installs about 50 pieces of malware, including a password stealer, a backdoor, spam zombies, and commercial adware, he said.