Blog Zscaler

Recevez les dernières mises à jour du blog de Zscaler dans votre boîte de réception

S'abonner
Security Research

Spam SEO: Use Of Java/Flash Leads To More Dangerous Exploits

image
JULIEN SOBRIER
juin 02, 2010 - 3 Min de lecture

Most malicious sites behind spam Search Engine Optimization (SEO) poisoning attacks lead to fake antivirus pages. The malicious sites rely on social engineering, tricking users into thinking their computer is infected and require user interaction to execute and install the malicious file, which is disguised as an anti-virus program.

Well hidden exploits

Over the past 3 days, we've seen some even more dangerous websites using Java exploits and Flash vulnerabilities. These malicious pages do not require any user interaction to infect users. They are also very difficult to detect - the exploits are hidden behind several layers of Javascript redirects and use obfuscation. Also, the attackers allow each IP address to receive the malicious page one time only. After a user or a security tool accesses the malicious domain, any subsequent requests coming from the same IP address get redirected to different, harmless pages. This makes post-infection analysis, and the use of security tools almost useless. You have to make sure that you hit the right page, the right way (correct headers, referer header, form data, etc.) the first time or the exploit will not be revealed. Popular online security scanners like JSunpack or Wepawet cannot be used since all requests to the malicious sites are done from the same IP address.
 

Image
Spam SEO Page leading to a Flash exploit


Java exploit

Mike reported a 300 percent increase of Java exploits last month. These new pages are very similar to what we saw before. A malicious JAR file is launched automatically through a Java ActiveX control vulnerability on Internet Explorer, or through the Java Quick Starter, which is installed silently on Firefox with a recent Java Plugin update. The malicious JAR files are not flagged by most antivirus vendors.

Like all spam SEO, the attack starts with legitimate sites being hacked. New pages are added to target popular search terms, in order to appear in the first few pages of a Google search. When a user clicks on spam SEO links, he actually gets redirected to a different URL such as hxxp://www.hutriken.com/nvu_y/hqpa_b_.php. This page checks to determine if the browser supports Java, and if so, sends the following form with automatically:

 

 

Image

 

 

Detection of Java capabilities


The next page (the 4th HTTP request) contains both inline obfuscated Javascript, and an external script (obfuscated as well). Once deobfuscated, the exploit is very simple - it invokes the ActiveX control or the Java Quick Starter with the URL of the malicious JAR file.

 

 

Image

 

 

Deobfuscated java exploit code


If the user, or the security tool, fails at any stage to have the appropriate prerequisites (lacking certain browser capabilities, multiple requests to same page, etc.), it gets redirected to http://google.com/.

Flash exploit

The flash exploit is not as well hidden as the Java exploit, and it is found on fewer links. It consists of a single page with obfuscated Javascript.

 

 

Image

 

 

 

 

Obfuscated Flash exploit

 


The exploit uses a heap spray technique via ActionScript. We've posted an extended analysis of this type of exploit back in December. Like the Java exploit, no user interaction is needed for the exploit to run.

 

 

 

 

 

 

Image

 

 

 

Deobfuscated exploit

 

 

 

 


-- Julien

 

 

 

 

form submtited
Merci d'avoir lu l'article

Cet article a-t-il été utile ?

Recevez les dernières mises à jour du blog de Zscaler dans votre boîte de réception

En envoyant le formulaire, vous acceptez notre politique de confidentialité.