Softpedia
 


November 2nd, 2010, 15:55 GMT

Japanese Users Targeted in Java-Based Drive-By Download Attack

Antivirus vendor Trend Micro warns that a new drive-by download, which relies on Java exploits, has compromised computers on the networks of over one hundred Japanese companies.

Researchers from Trend Micro Japan investigated the threat after receiving numerous support calls from the company's corporate clients, who reported similar symptoms. The calls began on October 14.

The attack starts with users visiting a legitimate site that was compromised and had rogue JavaScript code injected into its Web pages.

The code is heavily obfuscated and, when parsed, generates a hidden iframe that calls a .php file from an external domain.

In turn, this script checks the user's operating system and loads one of several Java exploits targeting different vulnerabilities in outdated versions of the platform.

Successful exploitation results in a cascade of malicious components being dropped and executed on the target computer.

"TROJ_DLOAD.SMAB is downloaded, which downloads TROJ_DLOAD.SMAD, which in turn downloads TROJ_DROPPER.OMJ. TROJ_DROPPER.OMJ drops TROJ_EXEDOT.SMA.

"TROJ_EXEDOT.SMA checks and reports to certain URLs if certain processes are running on the system. It also attempts to download and execute more malicious files," explains Takeshi Sato, security specialist at Trend.

TROJ_DLOAD.SMAD operates as a file named mstmp, while TROJ_EXEDOT.SMA uses lib.dll as cover.

Searching for these two file names together on Google returns results predominantly from Japanese websites, suggesting that this might be a targeted attack.
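For responders who want to check a host for the two file names reported above, the following is an added example and not code from Trend Micro or the original article. The case-insensitive matching and the triage grades are assumptions of the example, and the directory tree it sweeps in `demo()` is constructed sample data.

```python
"""Sweep a directory tree for the two file names reported in the article."""
import os
import tempfile
from pathlib import Path

# Names from the article: TROJ_DLOAD.SMAD runs as "mstmp",
# TROJ_EXEDOT.SMA hides behind "lib.dll".
REPORTED_NAMES = {"mstmp": "TROJ_DLOAD.SMAD", "lib.dll": "TROJ_EXEDOT.SMA"}


def sweep(root):
    """Return {reported_name: [paths]} for files found under root."""
    hits = {name: [] for name in REPORTED_NAMES}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            key = fname.lower()  # case-insensitive match (assumption)
            if key in hits:
                hits[key].append(str(Path(dirpath) / fname))
    return hits


def triage(hits):
    """Grade a sweep result. The scale is an assumption of this example:
    lib.dll alone is a generic name, the pair together is not."""
    found = {name for name, paths in hits.items() if paths}
    if found == set(REPORTED_NAMES):
        return "investigate-now"
    if "mstmp" in found:
        return "investigate"
    if found:
        return "weak-signal"
    return "clean"


def demo():
    """Build a constructed directory tree and sweep it (sample data only)."""
    with tempfile.TemporaryDirectory() as root:
        temp_dir = Path(root, "Users", "alice", "Temp")
        temp_dir.mkdir(parents=True)
        (temp_dir / "MSTMP").write_bytes(b"constructed placeholder")
        (temp_dir / "lib.dll").write_bytes(b"constructed placeholder")
        (Path(root, "Users") / "notes.txt").write_text("benign")
        hits = sweep(root)
        return triage(hits), {name: len(p) for name, p in hits.items()}


if __name__ == "__main__":
    print(demo())
```

A file-name match is only a lead: the article notes that the dropped malware varies with the Java exploit used, so a clean sweep does not rule out infection.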

The Trend Micro researcher also notes that the dropped malware can vary depending on the Java exploit used and that in some cases it's a known fake antivirus program called Security Tool.

"Because we have not yet found the final payload, we cannot yet tell what the actual intent of this attack is. However, we can say that Web threats are becoming more sophisticated, increasing the threat to users," concludes Mr. Sato.

It's no surprise that attackers opted to use Java exploits, given that recent reports from Microsoft and others revealed an unprecedented surge in attacks targeting the platform.
