Malware distributors make the extra effort of checking browser version

Jan 26, 2009 13:00 GMT

Security researchers from anti-virus vendor AVG have announced that a new botnet spams websites that push different exploits depending on the visitor's browser version. If the exploits execute successfully, a rootkit component is installed on the system.

Few VXers (virus writers) have, over the years, displayed a high level of elegance when writing code, be it malicious or otherwise. A recent notable example is the infamous Conficker worm, whose source code suggests that the programmer behind it is not only experienced and skilled, but also innovative.

However, malware developers are generally opportunists who want to capitalize on new vulnerabilities as soon as possible, which results in their creations being very “unpolished.” Therefore, it is not every day that one sees a malware distributor going to the extra length of performing such browser checks in order to better target their attacks.

According to Roger Thompson, AVG's chief research officer, this is a fast-flux botnet that triggers different types of exploits for Internet Explorer, Firefox, Opera, Chrome and Safari. Mr. Thompson credits “a security guy at the IRS” with discovering the botnet, and security consultant Nick FitzGerald with investigating it.

According to Mr. FitzGerald's findings, if an Internet Explorer user visits the malicious website used to propagate this trojan, several exploits for various IE vulnerabilities are executed. Thompson believes that these particular exploits have been copied from the Neosploit toolkit, a web-based exploit framework.

Visiting the website with Firefox or Opera also triggers exploits for corresponding vulnerabilities in those browsers. Safari and Chrome users are instead bombarded with malicious PDF files that exploit vulnerabilities in Adobe Acrobat and Reader. “The encryption technique is new, and a bit cute in the way that it is hooked into the html, presumably to try to avoid decryption emulators,” the AVG security researcher also notes.
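The delivery pattern described above leaves a footprint a defender can hunt for: one URL that hands different payloads (HTML to Internet Explorer and Firefox, a PDF to Chrome or Safari) to different browser families. The following is an added example, not code from the article or from AVG; the proxy log format, hostnames and body hashes are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the article). Fields: time,
# client, method, URL, status, content-type, body hash, quoted User-Agent.
SAMPLE_LOG = """\
2009-01-26T12:01:03Z 10.0.0.5 GET http://landing.example.invalid/go.php 200 text/html 7c1a "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
2009-01-26T12:01:09Z 10.0.0.8 GET http://landing.example.invalid/go.php 200 text/html 9b42 "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
2009-01-26T12:01:15Z 10.0.0.9 GET http://landing.example.invalid/go.php 200 application/pdf e0f3 "Mozilla/5.0 (Windows; U; Windows NT 5.1) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.43 Safari/525.19"
2009-01-26T12:02:40Z 10.0.0.5 GET http://news.example.invalid/index.html 200 text/html 11aa "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
2009-01-26T12:02:41Z 10.0.0.8 GET http://news.example.invalid/index.html 200 text/html 11aa "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+) (\S+) "([^"]*)"$')

def browser_family(user_agent: str) -> str:
    """Coarse family from a User-Agent; order matters (Chrome also says 'Safari')."""
    for token, family in (("Opera", "opera"), ("MSIE", "ie"), ("Firefox", "firefox"),
                          ("Chrome", "chrome"), ("Safari", "safari")):
        if token in user_agent:
            return family
    return "other"

def parse_log(text: str) -> list[dict]:
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append({"url": m.group(4), "ctype": m.group(6),
                            "hash": m.group(7), "ua": m.group(8)})
    return records

def find_browser_conditional_urls(records: list[dict]) -> dict[str, dict]:
    """Flag URLs whose served payload differs by browser family. A content-type
    split (HTML to IE, PDF to Chrome) is rated 'high'; differing HTML alone is
    'low', because legitimate sites also vary markup per browser."""
    by_url = defaultdict(lambda: defaultdict(set))
    for r in records:
        by_url[r["url"]][browser_family(r["ua"])].add((r["ctype"], r["hash"]))
    flagged = {}
    for url, fams in by_url.items():
        payloads = set().union(*fams.values())
        if len(fams) < 2 or len(payloads) < 2:
            continue  # one browser seen, or every browser got the same body
        types = {ctype for ctype, _ in payloads}
        flagged[url] = {"severity": "high" if len(types) > 1 else "low",
                        "by_browser": {f: sorted(p) for f, p in fams.items()}}
    return flagged
```

Hits are leads for analyst review rather than verdicts; the 'low' tier in particular will include sites that legitimately tailor their HTML to the visiting browser.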

According to the analysis, the attack appears to originate in Russia, and the rootkit installed on the victims' computers is also relatively new. AVG detects this threat as an Agent variant, Thompson advises. He also praises the security community for making such discoveries and helping to spread the word about new threats.

A similarly targeted attack has recently been disclosed by researchers from the security consultancy firm Trusteer. Dubbed “in-session phishing,” it involves checking which websites the user is currently, or has previously been, authenticated to before launching the attack. This is possible due to a vulnerability in the JavaScript implementation of all major browsers, and it can significantly improve the success rate of such schemes.