April 18th, 2011, 07:57 GMT · By

Drive-By Download Attack Launched from UK Human Rights Website

UK human rights website infected with Flash exploit
A drive-by download attack launched from the compromised UK website of an international human rights organization exploited the latest Flash Player zero-day vulnerability to infect visitors.

According to security researchers from Armorize, the attack uses a technique dubbed drive-by caching to deliver the malware and execute it.

In a typical drive-by download attack, the user opens an infected page that loads an exploit; the exploit runs shellcode, and the shellcode downloads the final malware payload from a remote server and runs it.

In a drive-by cache attack, however, the order is reversed: after the user opens the infected page, the browser is first tricked into fetching and caching the payload as if it were a normal page resource; only then is the exploit loaded, and its shellcode executes the malware already stored in the browser cache, with no separate download stage.

In the case of this recent attack, the infected page contains a rogue <script src=newsvine.jp2></script> element. This causes the browser to fetch and cache newsvine.jp2 and then attempt to run it as JavaScript code.

The caching succeeds, but the file cannot be executed as JavaScript because it is actually a renamed malicious Windows executable, a backdoor from the Pincav family. The failed script execution does not matter to the attackers; what matters is that the binary now sits in the browser's cache.

Another rogue script element found on the infected page is <script src="/includes/googlead.js"></script>, which, unlike most drive-by download attacks, loads a .js file hosted on the compromised site itself rather than on an attacker-controlled domain.

The JavaScript code in googlead.js creates an iframe that loads the SWF exploit from a domain controlled by the attackers.

It's worth pointing out that even though the CVE-2011-0611 Adobe Flash vulnerability was patched last Friday, the infection on the UK human rights website dates from April 13, when it still had 0-day status.

The exploit's shellcode then locates the newsvine.jp2 binary in the browser's cache and executes it, installing the backdoor, which starts communicating with a command and control server.

This attack is an interesting development, because it was previously believed that the latest Flash 0-day vulnerability was only being exploited in email-based attacks that distributed Word documents with malicious SWF files embedded in them.

The fact that it targeted human rights activists is another aspect worth taking into consideration, especially since it follows a similar attack against a different branch of the same organization that took place in November 2010.

Update 19 April, 2011: The name of the affected organization has been edited out at the request of Armorize.

READER COMMENTS:


Comment #1 by: DS on 19 Apr 2011, 11:48 UTC

"Update 19 April, 2011: The name of the affected organization has been edited out at the request of Armorize."

However the URL still states: '...Drive-By-Download-Attack-Launched-from-Amnesty-International-UK-Website-195507.shtml'
