
Nine Ball

At the time of this writing the Nine Ball attack is believed to have infected over 40,000 legitimate websites. It works by compromising a legitimate website so that it redirects visitors to sites owned by the attacker. The attacker's site then downloads malicious programs onto the victim's computer. These programs can be used to log keystrokes, including passwords.

Details

Nine Ball uses the following multi-level attack method:

  1. Victim visits legitimate infected site.
  2. Victim is redirected to one of a number of malicious sites owned by attacker.
  3. The malicious drive-by download site attempts to download malware onto the user's computer by exploiting a number of vulnerabilities in common applications, including MDAC, AOL SuperBuddy, Adobe Reader, and QuickTime.
  4. The malware is generally a keystroke logger which is then used to steal information from the victim.

If a user has previously visited the malicious website, they are instead redirected to the benign site ask.com. Check Point believes this design is intended to hinder investigation.
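The four-step chain above, and the repeat-visitor redirect to ask.com, both leave a recognisable shape in web proxy logs: a request to a trusted site is followed by a hop to a host the organisation does not know, then by an executable download from that chain; on a later visit from the same client the same hop lands on ask.com instead, which is why an analyst who re-fetches the page from an already-exposed machine may see only benign content. The script below is an added example written for this page, not Check Point's code, and it does not touch any of the exploits named in step 3. It parses constructed proxy log lines and flags both patterns per client; the log format, the hostnames, the client addresses and the KNOWN_HOSTS allowlist are all assumptions made for the example.

```python
"""Flag the Nine Ball-style redirect chain and the ask.com cloaking pattern in
constructed proxy log lines. Hosts, IPs and the log format are assumptions."""
from collections import defaultdict
from urllib.parse import urlparse

# Hosts the organisation already trusts (constructed allowlist; in practice this
# would also hold known CDNs and ad networks to keep the noise down).
KNOWN_HOSTS = {"legit-news.example", "ask.com", "www.ask.com"}

# Content types under which a drive-by download typically delivers its payload.
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}

# Constructed proxy log: client, sequence no., HTTP status, URL, referer
# ('-' when absent) and response content type. Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 1 200 http://legit-news.example/index.html - text/html
10.0.0.5 2 200 http://redir-host.example/go.php http://legit-news.example/index.html text/html
10.0.0.5 3 200 http://payload-host.example/load.exe http://redir-host.example/go.php application/octet-stream
10.0.0.5 4 200 http://legit-news.example/index.html - text/html
10.0.0.5 5 302 http://redir-host.example/go.php http://legit-news.example/index.html text/html
10.0.0.5 6 200 http://www.ask.com/ http://redir-host.example/go.php text/html
10.0.0.9 1 200 http://legit-news.example/index.html - text/html
10.0.0.9 2 200 http://legit-news.example/style.css http://legit-news.example/index.html text/css
"""


def parse_line(line):
    """Split one constructed log line into a record with parsed hostnames."""
    client, seq, status, url, referer, ctype = line.split()
    return {
        "client": client,
        "seq": int(seq),
        "status": int(status),
        "url": url,
        "host": urlparse(url).hostname,
        "ref_host": urlparse(referer).hostname if referer != "-" else None,
        "ctype": ctype,
    }


def is_ask_com(host):
    """True for ask.com itself or any of its subdomains (not e.g. notask.com)."""
    return host is not None and (host == "ask.com" or host.endswith(".ask.com"))


def analyse(log_text):
    """Return (client, finding, trusted_origin, url) tuples for each client whose
    traffic shows a trusted-site -> unknown-host -> binary chain (steps 1-3) or a
    hop from that same unknown host to ask.com (the repeat-visitor redirect)."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_client[rec["client"]].append(rec)

    findings = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["seq"])

        # Steps 1-2: a trusted page refers the browser to a host we do not know.
        redirect_hosts = {}  # unknown host -> trusted origin that led there
        for r in recs:
            if r["ref_host"] in KNOWN_HOSTS and r["host"] not in KNOWN_HOSTS:
                redirect_hosts[r["host"]] = r["ref_host"]
        if not redirect_hosts:
            continue  # nothing left the allowlist; no chain to follow

        # Step 3: a binary served by, or referred from, one of those hosts.
        for r in recs:
            chain_host = r["host"] if r["host"] in redirect_hosts else r["ref_host"]
            if r["ctype"] in BINARY_TYPES and chain_host in redirect_hosts:
                findings.append((client, "drive_by_download",
                                 redirect_hosts[chain_host], r["url"]))

        # Cloaking: a later hop from the same unknown host lands on ask.com,
        # so a re-fetch from this client would no longer show the payload.
        for r in recs:
            if r["ref_host"] in redirect_hosts and is_ask_com(r["host"]):
                findings.append((client, "cloaked_repeat_visit",
                                 redirect_hosts[r["ref_host"]], r["url"]))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Run as-is, the script reports one drive-by download and one cloaked repeat visit for client 10.0.0.5 and nothing for 10.0.0.9, whose traffic never leaves the allowlist. A finding of the second kind is the cue to re-examine the compromised site from a vantage point that has not visited it before, rather than from the affected endpoint, since that endpoint will only be shown ask.com.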

Protection

Check Point’s Endpoint Security protects enterprise endpoints against the malicious programs downloaded by this attack through its Antivirus feature. The Antivirus feature is able to remove the malicious programs that are currently delivered by the Nine Ball attack. Customers are urged to download the latest virus signature updates.

Consumer Protection is provided through Check Point’s ZoneAlarm products.

ZoneAlarm ForceField and ZoneAlarm Extreme Security (with ForceField virtualization enabled) stop Nine Ball-infected sites from redirecting the browser to other sites or downloading malicious programs onto your computer.

The antivirus protection in ZoneAlarm Antivirus, ZoneAlarm Security Suite, and ZoneAlarm Extreme Security detects and removes known Nine Ball malware. Customers are urged to download the latest virus signature updates.