Another Major Web Threat: Nine-Ball Compromises More Than 40,000 Legitimate Websites

Posted on June 21, 2009. Filed under: News, Security, Web

Just as we were getting ready to declare victory over Conficker (and settling in for a long battle with Gumblar), along comes Nine-Ball, another difficult-to-defeat offensive that hijacks Web sites and tries to load malware onto a user’s PC. The worm has a trick up its sleeve: repeat visitors to infected sites are dumped to, a sneaky move that prevents security experts and investigators from being able to discover too much about the host of the malware.

What is Nine-Ball?

Nine-Ball is a multi-layered Web browser attack targeting legitimate Web sites to redirect users to malicious sites owned by the attacker. The downloaded malware attempts to infect the user’s computer through a number of exploits, including ones for Adobe Reader, QuickTime, Microsoft Data Access Components (MDAC) and AOL SuperBuddy.

The attack name "Nine Ball" refers to the name of the final landing page, which is full of malicious drive-by exploits that are automatically downloaded to computers without the user’s consent or knowledge. Once infected, anything the victim types could be monitored and used to commit identity theft, such as stealing credit card numbers, passwords or other sensitive data.

How does the threat work?

1. Victim visits legitimate infected site.

2. Victim is redirected to a series of different sites owned by attacker.

3. The final redirect is to a malicious drive-by download site, which attempts to download malware to the victim’s computer through a number of exploits, including MDAC, AOL SuperBuddy, Adobe Reader, and QuickTime exploits.

4. The malicious programs typically attempt to steal information from the victim via a keystroke logger.


5. Once a user has already visited the malicious web page, these repeat visitors are redirected to the search engine site. We assume this design is a technique to evade investigation.
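One way a defender could look for the repeat-visitor behaviour from step 5 in web proxy logs, as an added example that is not part of the original post: it rebuilds redirect chains per client and flags a site whose first visit ran through several hosts while a later visit ended somewhere else. The record layout, the host names and the `min_hops` threshold are assumptions, and the sample records are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample proxy records: (client, requested URL, status, Location header).
# Every host is a placeholder under a reserved example domain.
SAMPLE_LOG = [
    ("10.0.0.5", "http://shop.example.com/", 302, "http://hop1.example.net/in"),
    ("10.0.0.5", "http://hop1.example.net/in", 302, "http://hop2.example.org/go"),
    ("10.0.0.5", "http://hop2.example.org/go", 302, "http://landing.example.net/"),
    ("10.0.0.5", "http://landing.example.net/", 200, None),
    ("10.0.0.9", "http://news.example.com/", 200, None),
    ("10.0.0.5", "http://shop.example.com/", 302, "http://search.example.org/"),
    ("10.0.0.5", "http://search.example.org/", 200, None),
]

def redirect_chains(records):
    """Rebuild chains per client: a 3xx is linked to the client's next request for its Location."""
    chains, pending = [], {}
    for client, url, status, location in records:
        chain = pending.pop(client, None)
        if chain and chain["expect"] != url:
            chains.append(chain)          # redirect was not followed; close it as-is
            chain = None
        if chain is None:
            chain = {"client": client, "hops": []}
        chain["hops"].append(urlsplit(url).hostname)
        if 300 <= status < 400 and location:
            chain["expect"] = location    # wait for the follow-up request
            pending[client] = chain
        else:
            chains.append(chain)
    return chains + list(pending.values())

def cloaked_entries(records, min_hops=3):
    """Flag (client, entry host) pairs whose first visit crossed at least min_hops
    distinct hosts and whose later visit from the same entry ended on a different host."""
    first_seen, flagged = {}, []
    for chain in redirect_chains(records):
        key = (chain["client"], chain["hops"][0])
        final = chain["hops"][-1]
        first = first_seen.setdefault(key, {"final": final, "hosts": len(set(chain["hops"]))})
        if first["hosts"] >= min_hops and first["final"] != final:
            flagged.append({"client": key[0], "entry": key[1],
                            "first_final": first["final"], "repeat_final": final})
    return flagged

if __name__ == "__main__":
    print(cloaked_entries(SAMPLE_LOG))
```

A hit is a lead for review, not proof of compromise: load balancers and login flows also change redirect targets between visits.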

According to Internet security firm Websense, Nine Ball has already compromised over 40,000 Web sites.

There is currently no sure-fire way to protect yourself from or clean up an infection by Nine-Ball (except reinstalling Windows). All you can do is to make sure that all your software packages, including those targeted by the attack, are up to date, and to install the appropriate security software.
