Apr 18, 2011 07:57 GMT  ·  By

A drive-by download attack launched from the compromised UK website of an international human rights organization exploited the latest Flash Player zero-day vulnerability to infect visitors.

According to security researchers from Armorize, the attack uses a technique dubbed drive-by caching to deliver the malware and execute it.

In a typical drive-by download attack, the user opens an infected page that loads an exploit; the exploit runs shellcode, and the shellcode downloads and runs the final malware payload.

In a drive-by cache attack, however, after the user opens the infected page, the browser is tricked into caching the payload, then the exploit is loaded and the shellcode executes the already stored malware.

In the case of this recent attack, the infected page contains a rogue <script src=newsvine.jp2></script> element. This tricks the browser into caching and executing newsvine.jp2 as JavaScript code.

The caching is successful, but the file cannot be executed as JavaScript because it is actually a renamed malicious executable corresponding to a backdoor from the pincav family.
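As an added illustration (not Armorize's or the article's own code), a small checker that flags script references of the kind described above: a src that is not a .js file, or a fetched body that starts with the PE "MZ" header. The sample page and the cache contents are constructed for this example.

```python
from html.parser import HTMLParser

# Constructed sample page modelled on the two rogue script elements the article
# describes, plus one benign script for contrast.
SAMPLE_HTML = """<html><body>
<script src=newsvine.jp2></script>
<script src="/includes/googlead.js"></script>
<script src="/js/site.js"></script>
</body></html>"""

# Constructed response bodies as a browser cache would hold them, keyed by src.
SAMPLE_CACHE = {
    "newsvine.jp2": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56 + b"PE\x00\x00",
    "/includes/googlead.js": b"var f=document.createElement('iframe');",
    "/js/site.js": b"function init(){}",
}

PE_MAGIC = b"MZ"  # DOS header signature at the start of every Windows executable

class ScriptSrcCollector(HTMLParser):
    """Collect src attributes of <script> elements, quoted or unquoted."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)

def find_script_srcs(html):
    parser = ScriptSrcCollector()
    parser.feed(html)
    return parser.srcs

def classify_script(src, body):
    """Return the reasons a script reference looks like a drive-by cache staging step."""
    reasons = []
    if not src.lower().endswith(".js"):
        reasons.append("non-js extension")
    if body[:2] == PE_MAGIC:
        reasons.append("PE executable body")
    return reasons

def find_drive_by_cache_candidates(html, cache):
    """Map each suspicious script src to its reasons; clean scripts are omitted."""
    findings = {}
    for src in find_script_srcs(html):
        reasons = classify_script(src, cache.get(src, b""))
        if reasons:
            findings[src] = reasons
    return findings
```

Run over a proxy or sandbox capture, the same two checks separate a renamed executable staged through a script element from ordinary third-party scripts.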

Another rogue script element found on the infected page is <script src="/includes/googlead.js"></script>, which, unlike most drive-by download attacks, loads a local .js file.

The JavaScript code in googlead.js creates an iframe that executes the SWF exploit from a domain controlled by the attackers.

It's worth pointing out that even though the CVE-2011-0611 Adobe Flash vulnerability was patched last Friday, the infection on the UK human rights website dates from April 13, when it still had 0-day status.

The exploit's shellcode executes the newsvine.jp2 binary from the browser's cache, thereby installing the backdoor, which then starts communicating with a command and control server.

This attack is an interesting development, because it was previously believed the latest Flash 0-day vulnerability was only exploited via email-based attacks that distributed Word documents rigged with malicious SWF.

The fact that it targeted human rights activists is another aspect worth taking into consideration, especially since it follows a similar attack against a different branch of the same organization that took place in November 2010.

Update 19 April, 2011: The name of the affected organization has been edited out at the request of Armorize.