Jan 3, 2011 16:53 GMT  ·  By

Security researchers from Websense have come across an exploit kit which rendered itself inactive on January 1, 2011, as an unintended side effect of its obfuscation.

The code on the kit's attack page, which makes use of a Java exploit, is highly obfuscated. However, it turns out that the obfuscation routine depends on the system date.

"When you look at the [...] script, you can see that the Date() object is used to get the current date from the client JavaScript engine.

"Later, we see that the object iilq, which is where the date is assigned, uses the getFullYear() method and subtracts 1 from the current year," explains Chris Astacio, a security researcher at Websense.

The end result is a variable called e2009al, which is further unmasked via a .replace("2009","v") function. This evaluation is critical in the script's logic.

The problem is that starting with January 1, 2011, the variable became e2010al, so the replace function, which looks for the substring "2009", no longer has the desired effect.
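The date-dependent unmasking step described above, reconstructed as an added analysis example (not code from the kit or from Websense). The function names, the fixed-date sweep and the detection regex are my own; only the iilq variable, the getFullYear() minus 1 step and the "2009" to "v" replace come from the article. The example shows why an analyst should pin the clock when evaluating such a script: the routine yields "eval" only for dates in 2010.

```javascript
// Added example: reproduces the name-building step the article describes so
// its dependence on the host clock is visible. No payload is loaded or run.

// Mirror of the kit's logic: take the year from a Date, subtract 1, splice it
// into "e<year>al", then swap the literal "2009" for "v".
function buildCallName(now) {
  const iilq = now;                       // the kit's date object (name from the article)
  const year = iilq.getFullYear() - 1;
  const masked = "e" + year + "al";       // "e2009al" only while the clock says 2010
  return masked.replace("2009", "v");     // intended result: "eval"
}

// Analysts should not trust the host date: evaluate the routine under a
// simulated date and check whether it actually unmasks.
function resolvesToEval(now) {
  return buildCallName(now) === "eval";
}

// Sweep January 1 of each year to see exactly when the routine works.
function sweepYears(startYear, endYear) {
  const out = {};
  for (let y = startYear; y <= endYear; y++) {
    out[y] = buildCallName(new Date(y, 0, 1));
  }
  return out;
}

// Detection angle (hypothetical rule): the literal "eval" never appears in
// the source, but a year-literal replace combined with getFullYear() is a
// usable signature for this family of date-keyed obfuscation.
const UNMASK_PATTERN = /\.replace\(\s*["']\d{4}["']\s*,\s*["']v["']\s*\)/;

function hasDateKeyedUnmask(src) {
  return UNMASK_PATTERN.test(src) && /getFullYear\(\)/.test(src);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(sweepYears(2009, 2012));
  // { '2009': 'e2008al', '2010': 'eval', '2011': 'e2010al', '2012': 'e2011al' }
}
```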

"In conclusion, we can only assume that this was an unintended mistake by the exploit kit writers and that it will probably be fixed.

"However, I'm sure they were unaware of this mistake, as the obfuscation of their attacks is probably contracted out, or they use off-the-shelf software to obfuscate their kits," Mr. Astacio concludes.

It's good to see the cybercriminals failing at their own game, but unfortunately, the real impact of this particular flaw is rather insignificant when considering the whole picture.

Compromised legitimate websites have been the primary method of malware infection for a while now. Most of them are used to direct visitors to attack pages that try to exploit vulnerabilities in outdated applications like Java, Flash Player, Adobe Reader or the browser.

This kind of attack is known as a drive-by download and is usually transparent to the victim. More often than not, attackers use commercial exploit kits sold on the underground market.