Network World

ScanSafe labels Nine-Ball attack as 'hype'

Accuses rival of misleading exaggeration.
By John E. Dunn, TechWorld
June 22, 2009 11:26 AM ET

Security vendor Websense has been blasted for allegedly hyping up the so-called 'Nine-Ball' mass website compromise it made public earlier this week.

According to arch-rival ScanSafe, the claim that the attack had hit 40,000 websites was a massive exaggeration, and in fact Nine-Ball "barely exists".

The Websense alert described how the attack attempted to hit users with Trojans and keyloggers, inspecting their IP addresses to work out whether to redirect them to drive-by malware. It first rejects repeat visitors on the basis that they might be security researchers.

Forty thousand websites is a serious scale of web compromise, but ScanSafe claims it is mystified by the figure.

"Naturally we were a bit surprised that such an allegedly massive attack could bypass our sentries. After we did take a look, it became apparent why this one didn't trip our alert sensors - this attack is almost non-existent and might be more aptly named 'scratch ball'," said Mary Landesman of ScanSafe in a scathing blog on the subject.

"It is such a low number attack that it's not the type of thing we'd normally spend our time investigating. From June 15th onwards, the total number of requests to sites involved in the attacks is 333," she said.

Using ScanSafe's figures, the total number of compromised websites is actually an unremarkable 62.

Furthermore, says Landesman in her blog, only one of the compromised domains features in Alexa's ranking of the top 10,000 sites on the Internet, with the other 61 featuring very low down that list. This means that the traffic to these sites would also be very low.

"From our unique perspective, 333 requests involving 62 compromised websites is certainly not something we would brand a 'massive injection.'"

So where did the Websense figure of 40,000 websites come from? Security companies rarely bother to query each other's alerts or figures, so Landesman's broadside at Websense is unusual territory.

When interviewed, Landesman suggested that the explanation might lie in the way the two companies collected data, with ScanSafe using information taken from proxied traffic to and from real computers and servers. It was possible that Websense had gathered its figure from web crawling, an inherently inaccurate method that might also involve extrapolating from a narrow sample to the Internet as a whole.

"Real-time scanning is about the reality and not the theory," said Landesman. "Our job is to understand the level of threat. No-one is served by hyping attacks."

Websense was unable to comment on this at the time of going to press.
