Nine Ball is a recent multi-layered Web browser attack that has already infected approximately 40,000 sites. Nine Ball targets legitimate websites to redirect users to malicious sites owned by the attacker, infects PCs through a number of exploits, including ones for Adobe Reader and QuickTime, and then tries to download Trojans and keylogger code without the user's consent or knowledge. Once a PC is infected, anything the victim types, such as credit card numbers and passwords, can be monitored and used to commit identity theft.
According to Websense, the compromised website, loaded with malware, will first try to identify a visitor by IP address to discover if it’s a repeat visitor. To evade security researchers and investigators who would likely be among any repeat visitors, the Web page will dump a repeat visitor onto Ask.com.
If a web visitor is new, the victim is pushed through a few more redirections to land at the site www.nine2rack.in (sometimes a .cn domain), which may sound like a site in India but is hosted in Ukraine.
The final stop for a Web victim is a drive-by download attempt, made after the malware checks for vulnerabilities in the browser, Adobe or QuickTime software on the user's desktop. If it succeeds, the attack downloads a Trojan with a keylogger component that many anti-virus packages do not yet identify, according to Websense.
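The two behaviours described above, a multi-hop redirect chain from a legitimate site to an unrelated external domain, and IP-based cloaking where a repeat visitor is sent somewhere else, both leave traces in ordinary web-proxy logs. The following detection script is an added example, not part of the original article or of Websense's research; its log format (client IP, timestamp, URL, status, Location) and the hop domains `hop1.example`/`hop2.example` are constructed.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log: client_ip time url status location ("-" if none).
# Client 10.0.0.5 visits twice: first visit is funnelled to the exploit site,
# the repeat visit is dumped on a search engine (the cloaking the article describes).
SAMPLE_LOG = """\
10.0.0.5 1001 http://legit-shop.example/index.html 302 http://hop1.example/r
10.0.0.5 1002 http://hop1.example/r 302 http://hop2.example/x
10.0.0.5 1003 http://hop2.example/x 302 http://www.nine2rack.in/in.php
10.0.0.5 1004 http://www.nine2rack.in/in.php 200 -
10.0.0.5 2001 http://legit-shop.example/index.html 302 http://www.ask.com/
10.0.0.5 2002 http://www.ask.com/ 200 -
10.0.0.9 3001 http://legit-shop.example/index.html 200 -
"""

def parse_log(text):
    """Group log lines per client IP as (time, url, status, location), sorted by time."""
    by_client = defaultdict(list)
    for line in filter(str.strip, text.splitlines()):
        ip, ts, url, status, loc = line.split()
        by_client[ip].append((int(ts), url, int(status), loc))
    for events in by_client.values():
        events.sort()
    return by_client

def redirect_chains(events):
    """Follow 30x Location hops that the same client actually fetched next."""
    chains, i = [], 0
    while i < len(events):
        _, url, status, loc = events[i]
        if not 300 <= status < 400:
            i += 1
            continue
        hops = [url]
        while 300 <= status < 400:
            hops.append(loc)
            i += 1
            if i >= len(events) or events[i][1] != loc:
                break  # client never fetched the Location target; chain ends here
            _, url, status, loc = events[i]
        chains.append(hops)
    return chains

def domain(url):
    return urlparse(url).hostname or ""

def analyse(text, min_hops=3):
    """Return (long external redirect chains, cloaked start URLs with differing finals)."""
    long_chains, finals = [], defaultdict(set)
    for ip, events in parse_log(text).items():
        for hops in redirect_chains(events):
            start, final = hops[0], hops[-1]
            finals[(ip, start)].add(domain(final))
            if len(hops) - 1 >= min_hops and domain(final) != domain(start):
                long_chains.append((ip, start, final))
    cloaked = [(ip, s, sorted(d)) for (ip, s), d in finals.items() if len(d) > 1]
    return long_chains, cloaked
```

Run `analyse(SAMPLE_LOG)` to see the first visit flagged as a three-hop chain ending on www.nine2rack.in and the same client's two visits to the same page flagged as cloaked because their final domains differ.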
A number of security failures help Nine Ball compromise so many Web sites, including SQL-injection attacks on susceptible websites and bots that steal the logins and passwords of website administrators.