In the previous month the World Wide Web was subject to one of the heaviest attacks since it first came into existence. Thousands of legitimate websites were attacked by the Trojan horses JS:Redirector-H and JS:Redirector-J, the aim of which was to infect millions of unsuspecting users. avast! was the first antivirus program to detect the infection right at the start and all users of avast! were protected throughout the duration of the attack. Now, more than a month after the attack was first detected, it is possible to assess the attack.
The timeline of the attack can be divided into three phases:
- (28.4.2009-5.5.2009) - This phase begins on the day the infection was seen for the first time. In this phase, only the basic variant (JS:Redirector-H) was seen on the compromised websites. However, we also started to block gumblar.cn.
- (5.5.2009-19.5.2009) – The first phase ended with the appearance of modified variants (JS: Redirector-H2-9). All of these new variants again redirected users to gumblar.cn. The biggest increase in the number of newly infected domains occurred during this phase.
- (19.5.2009-31.5.2009-now) – The third and last phase began with the arrival of the newly modified variants which directed users to a new address – martuz.cn. All these variants are detected under the names JS:Redirector-J and JS:Redirector-J1-6. This phase continues until now (Article Publication). The new infection has so far failed to achieve the same success as was achieved in the previous phases.
The following graph presents the number of visits to infected websites. All these approaches have been blocked and users are therefore protected from large-scale infection. The highest number of these attempts was recorded on 14.5.2009 – more than 600,000 visits to infected websites.
The number of hits presented in the previous chart is enormous, but this reveals nothing about the number of infected domains. For this reason I present below a second graph. This shows the process of the infection in terms of domains – the number of newly infected domains per day (counting only the first occurrence of the infection for each single domain).
Finally, the total numbers (from 28.4.2009 to 31.5.2009):
- number of attempts made by avast! users: 11,023,680 (all of them were blocked/protected)
- number of infected domains: 47,603