Friday, June 26, 2009

NINE BALL in the pocket...

June 2009

“Nine-Ball” mass injection attack compromised 40,000 sites. A new threat dubbed “Nine-Ball” has compromised up to 40,000 legitimate Web sites, which are, in turn, infecting users with an information-stealing trojan, according to security vendor Websense. The attack is called “Nine-Ball” because of the name of the final, malicious landing page, which is loaded with drive-by exploits and to which unsuspecting users are automatically redirected if they visit one of the compromised sites.

Ninetoraq.in, the exploit site, contains malicious code that looks for already-patched vulnerabilities in Acrobat Reader, QuickTime, Microsoft Data Access Components (MDAC) and AOL SuperBuddy, which it then attempts to exploit, the manager of security research at Websense told SCMagazineUS.com on June 17. The flaws have all been patched; some date back to 2006, the manager said. But the Reader and QuickTime vulnerabilities are newer, making it less likely that users are patched for them. If the malicious code finds an unpatched vulnerability to exploit, it drops either a malicious PDF file or a trojan designed to steal user information, the manager said. All of the exploits currently have low detection rates, he added.

The 40,000 legitimate but compromised Web sites were “sleeping” up until June 15, the manager said. Before then, a user who visited one of them was redirected to Ask.com. On June 15, though, the attack was updated and users started being redirected to the ninetoraq malicious site.
