Neowin web site compromised - visitors at risk from malware infection via iframe attack
If you have visited Neowin over the past couple of days and are running IE6 or earlier without antivirus or antispyware protection, or if your antivirus or antispyware protection is out of date, or you are running your Web browser (any version) with lowered security settings, I strongly advise that you check your system for possible infection by malware.
I was surprised to see an email a short while ago on a private anti-spyware mailing list from Mike Burgess of MVP HOSTS FILE fame, asking whether anybody on the list had direct contacts at Neowin.net. He had discovered that the Neowin site had been hacked and that an iframe exploit had been embedded in Neowin pages, which tried to infect visitors with a new Java ByteVerify exploit and/or a generic Java trojan downloader.
Here is what Mike saw when he visited the forum index page; it was his first warning that something was amiss:
I couldn't reproduce the problem at the time of writing this article, so hopefully the site has been cleaned up, but I did find a couple of discussion threads confirming Mike's findings: that pages at Neowin had been compromised and that attempts were being made to infect visitors' machines using an iframe:
FAO Moderators - Virus warning
From what I can see in the threads discussing the problem, the hacking may have been restricted to pages displayed using the default blue theme, and the injected code was there for quite a few hours.
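As an added example (not from the original post or from Neowin), here is the kind of check a site operator could run over served page source to catch an injection like the one described above: it flags iframes that are invisible (zero or one-pixel dimensions, or hidden via style) or that pull content from a host other than the site's own. The hostnames and the sample HTML are constructed placeholders.

```python
"""Flag iframes in served HTML that look like drive-by injections (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles commonly used to keep an injected frame out of sight.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        # A legitimate embed has a visible size; 0x0 or 1x1 frames do not.
        for dim in ("width", "height"):
            val = a.get(dim, "").strip().rstrip("px")
            if val.isdigit() and int(val) <= 1:
                reasons.append(f"{dim}={val}")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden via style")
        # Frames loading from a third-party host deserve a look on a forum page.
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if host and host != self.site_host and not host.endswith("." + self.site_host):
            reasons.append(f"off-site src {host}")
        if reasons:
            self.findings.append((a.get("src", ""), reasons))


def scan_html(html, site_host):
    """Return [(src, reasons)] for every suspicious iframe in `html`."""
    scanner = IframeScanner(site_host)
    scanner.feed(html)
    return scanner.findings


# Constructed sample: one legitimate banner embed and one injected, invisible
# frame pointing at a placeholder attacker host (not a real indicator).
SAMPLE = """<html><body>
<h1>Forum index</h1>
<iframe src="https://www.example-forum.test/ads/banner" width="468" height="60"></iframe>
<p>Latest threads...</p>
<iframe src="http://attacker.invalid/counter.php" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in scan_html(SAMPLE, "www.example-forum.test"):
        print(f"suspicious iframe {src!r}: {', '.join(reasons)}")
```

Running it against the site's own served pages, rather than a browser's rendered view, matters here because only the blue-theme templates appear to have carried the injection.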
When I popped over to Neowin to check out the current situation, and to see if I should try to get hold of the guys behind the forum, there were nearly 1600 visitors viewing the site at that moment. I shudder to think how many visitors passed through the site while it was a danger. And yes, after reading through the threads above, it was obvious that the forum owners and moderators knew of the hacking and were fighting it.
We have no way of knowing how many users were potentially exposed to malware, or how many systems were infected, and Neowin is certainly not the first site to be compromised, nor will it be the last. It wasn't that long ago we had a site shut down because the site owners did not act fast enough to clean up their network (http://msmvps.com/blogs/spywaresucks/archive/2006/10/22/196321.aspx).
My personal belief is that when a Web site hacking is discovered and visitors have been at risk of infection, the site should be taken down immediately. After the site has been cleaned up and allowed back on the air, an alert should be posted on all entry pages to that site, warning about what has happened and advising users to have their systems checked for infection. This is because victims are no longer facing just the embarrassment of their PC sending a "please open this attachment" virus to everybody in their address book; the stakes are far higher.
Just some of the end results for infected systems: they can be hijacked and used to send hundreds of thousands of spam messages, they can be added to botnets and used for internet-based attacks, and personal, private and financially sensitive information can potentially be put at risk. If the computer you are using is in a work environment, or you are around kids, I have just two words for you: "Julie Amero". If the bad guys get into your system thanks to malware and use it to store p0rn, upload a p0rn site on to it, use your machine to distribute p0rn or other illegal content, or use your machine to infect even more systems, and you find yourself faced with a visit from the local police force, you will be in a hell of a lot of trouble. The same applies if your system is compromised and used as a phishing host or a mule site host.
So, in short, if you know your site has been hacked, please do all you can to warn all visitors to the site. Yes, it is embarrassing, but a short-term embarrassment is far better than leaving your visitors to discover for themselves that they have been infected.
The problem of hacked Web sites is becoming so widespread that strong action is required when infection is discovered. The owners must act fast, and if not the owners, the ISPs that host the sites. Sadly, though, some site owners and ISPs are not responsive when told of problems, and some now say that a "name and shame" campaign along the lines of "do not go to these Web sites because they have been hacked" and "do not go to sites hosted by this ISP because they refuse to assist with cleanups when hacked sites they host are reported" is needed.
Remember, it is no longer enough to say "I never go to p0rn or warez sites, and I never download freeware, therefore I am safe". You are no longer safe if you stick to "safe" sites. We all believed Neowin was a safe site, yes? We all believed sites owned by Circuit City, HP, Asus, spreadfirefox, msblog and debian, and sites owned by Capital City Bank, Wakulla Bank and Premier Bank, were safe, and that the Google Video email group and myspace were safe (well, maybe not myspace). All of them have put visitors at risk, whether from hacked pages with hostile code injected, from downloads infected with viruses, or by hiding a security incident behind a veil of secrecy, making it impossible for visitors to judge what risk they may or may not have been exposed to. Better to acknowledge a security incident, reassure your visitors and let *them* decide what checks they want to make, than to try to hide the fact that an incident occurred; keep people in the dark and they're gonna assume the worst.
You can never be sure that a site you are visiting is "safe". Therefore, please: if you are using IE, upgrade to IE7 if possible. If you are using Firefox, Opera or any other browser of choice, please check for security patches and install the latest version of your browser. And if you have been to Neowin in the past day or so, check your system carefully for signs of infection.