Websense’Security Alert
June 2009 by Websense
Websense® Security Labs ThreatSeeker Network has detected that a large compromise of legitimate Web sites is currently taking place around the globe. Thousands of legitimate Web sites have been discovered to be injected with malicious Javascript, obfuscated code that leads to an active exploit site. The active exploit site uses a name similar to the legitimate Google Analytics domain (google-analytics.com), which provides statistical services to Web sites.
This mass injection attack does not seem related to Gumblar. The location of the injection, as well as the decoded code itself, seem to indicate a new, unrelated, mass injection campaign.
The exploit site is laden with vaious attacks. After successful exploitation, a malicious file is run on the exploited computer. The executed malware file has a very low AV detection rate.
Websense® Messaging and Websense Web Security customers are protected against this attack.