Nine Ball - Security Threat

This text is taken from the Zone Alarm folks so of course they will push to buy or upgrade their products.  A good router and up to date security software are a must, but still may not be enough to stop every threat.  I recently worked on a system that had the Gumblar threat on it and the only recourse was to wipe out the system and start over from scratch. Nine Ball.

Nine Ball
What is it?
Nine Ball is a multi-layered Web browser attack targeting legitimate Web sites to redirect users to malicious sites owned by the attacker. The downloaded malware attempts to infect user's computer through a number of exploits including Adobe Reader, QuickTime, Microsoft Data Access Components (MDAC) and AOL SuperBuddy.
The attack name "Nine Ball" refers to the name of the final landing page which is full of malicious drive-by exploits that are automatically downloaded to computers without user's consent or knowledge. Once infected, anything the victim types could be monitored and used to commit identity theft, such as stealing credit card numbers, passwords or other sensitive data.
How does the threat work?
  1. Victim visits legitimate infected site.
  2. Victim is redirected to a series of different sites owned by attacker.
  3. The final redirect is to a malicious drive-by download site, which attempts to download malware to victim's computer through a number of exploits including MDAC, AOL SuperBuddy, Adobe Reader, and QuickTime exploits.
  4. The malicious programs typically attempt to steal information from the victim via a keystroke logger.
  5. Once a user has already visited the malicious web page, these repeat visitors are re-directed to the search engine site We assume this design is a technique to evade investigation.
Associated effects & implications of attack:
  • Over 40,000 legitimate web sites have been compromised.
  • Multi-level redirection attack---victims are redirected to a series of different sites owned by attacker. Final site contains the malicious drive-by download and records visitors IP address.
  • Detection by antivirus/antispyware programs is very low because attack uses random number generation to determine which malware to download, evading an obvious pattern that can be picked up by signature-based antivirus detection systems.
  • Malicious programs typically attempt to steal information from victim via a keystroke logger. This information could potentially be used for financial or identity theft.
Are there other variances of this vulnerability/threat?
Yes, in the sense that the malware downloaded at the final redirect site varies. It appears that among other malware, a waledac variant is delivered at the final redirect URL.