For the last couple of weeks, I have been watching a series of new, related web attack sites surfacing. All follow a similar modus operandi, with an attack site exploiting a bundle of client-side vulnerabilities, some of which are pretty old:
- MDAC (MS06-014)
- NCTAudioFile2.AudioFile ActiveX control (CVE-2007-0018)
- Snapshot Viewer (MS08-041)
- MSDDS (MS05-052)
- Visual Studio MSMask32 (CVE-2008-3704)
- Adobe Acrobat Reader (CVE-2007-5659)
Nothing hugely interesting or novel then, just another batch of attack sites popping up, most likely thanks to the creation and sale of some new attack toolkit. At this point I have not identified the specific kit that has been used to construct the attack sites we are seeing. There is a pretty diverse range of malware being installed from these sites, ranging from banking Trojans to stealthing backdoors (including Troj/Agent-IAT, Troj/Ambler-F and Mal/EncPk-BU). An example attack is illustrated below (click to view larger image with details):
In this example attack:
- various legitimate sites have been compromised (with malicious scripts detected as Mal/ObfJS-H) in order to redirect victims to the attack site. (In other attacks, legitimate sites have been compromised with Troj/Unif-B.)
- In all cases encountered thus far, the attack sites hit the victim with multiple malicious scripts, in an attempt to exploit the vulnerabilities listed above.
- The scripts used on the attack site are heavily obfuscated, and make a simplistic attempt to defeat common script emulation methods (presumably to break auto-analysis and/or generic detection).
- Additionally, the attack site loads a malicious PDF file, which attempts to exploit an Adobe Reader vulnerability in order to infect the victim with the same payload.
The availability and ease of use of toolkits has driven a large increase in the volume and frequency of malicious web attacks. However, as we have seen several times before, their homogeneity often presents something of an Achilles heel. In this case, the malicious scripts used by the attack sites constructed with this latest toolkit are all proactively detected as Mal/ObfJS-BF and the malicious PDF files used are also proactively detected, as Mal/PDFEx-B.