Dec 28, 2010 10:56 GMT  ·  By

Security researchers warn that a new mass injection attack is underway directing the visitors of hundreds of websites to a malicious Java applet which downloads a trojan.

According to Denis Sinegubko, the creator of the Unmask Parasites Web scanner, the malicious code is added at the end of HTML pages on compromised websites and takes the form of an obfuscated JavaScript function.

When parsed by the browser, this function adds a rogue IFrame to the HTML document, which loads a new.htm page from aubreyserr.com, medien-verlag.de or yennicq.be.

According to statistics from Google's Safe Browsing service, around 2,000 websites link to these domains, giving a rough estimation of the attack's impact so far.

The page called by the IFrame loads a Hidden.jar applet deceptively titled "Java Update." This is a Java OpenConnection-type downloader whose only purpose is to download and execute a file called host.exe.

The three domains serving the malware are actually legitimate, but their corresponding websites have been compromised.

This behavior is consistent with recent trends where attackers use compromised websites for multiple purposes, including both doorway and landing pages.

According to recent report from Kaspersky Lab, the number of malicious Java applets using the OpenConnection method has spiked during the past two months.

For example, Trojan-Downloader.Java.OpenConnection.bu was the most prominent threat in November for all malware categories.

The benefit of using Java is that the technology is cross-platform. At the end of October, a Java trojan dubbed Boonana contained different payloads for Windows and Mac systems.

Java applets can also prove to be efficient attack vectors because they are relatively rare and users are not used with them. History has shown that when confronted with an unfamiliar dialog, users tend to click yes so they can carry on with their business, which is obviously a very bad idea.