
    Archive for June 4th, 2013




    When it comes to cybercriminal targets, it truly is a popularity contest. Multiple sites were found compromised, including several popular with Japanese users. Using feedback provided by Trend Micro Deep Discovery, 40 compromised domains were identified; since yesterday almost 60,000 hits have been recorded on these sites.

    One of the compromised sites contains an obfuscated JavaScript (detected as JS_BLACOLE.SMTT) designed to insert a hidden iframe that loads in the background of the user’s browser.


    Figure 1. Encrypted JavaScript inserted onto compromised site


    Figure 2. Decrypted JavaScript that could lead users to malicious sites

    Figure 1 shows the obfuscated JavaScript (JS_BLACOLE.SMTT) found on the compromised site. Figure 2 shows the decrypted JavaScript, which redirects users to further malicious sites.

    The hidden iframe loads a .PHP file (detected as JS_BLACOLE.MT) that checks which software is installed on the user’s computer and then loads the exploits appropriate to it. These lead to the download of malicious PDF files that exploit an old vulnerability (CVE-2010-0188) in Adobe Reader and Acrobat. Other software targeted for exploitation includes Java and Flash. This behavior indicates that the attacker used the Blackhole Exploit Kit in these attacks.
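    As an added example (not Trend Micro’s code), the following Python scans a page’s HTML for the two injection artifacts described above: an iframe hidden from the user (zero or one-pixel size, or hidden by its style) and a script block that rebuilds its payload through unescape/eval/document.write. The HTML sample is constructed, and the domain in it is a placeholder.

```python
# Added example: flag hidden iframes and decoder-heavy script blocks in HTML.
# Uses only the standard library so it can be run offline against saved pages.
import re
from html.parser import HTMLParser

# CSS tricks commonly used to keep an injected iframe out of sight.
HIDING = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:left|top)\s*:\s*-\d{3,}|(?:width|height)\s*:\s*[01]px", re.I)
# Functions an obfuscated loader uses to reconstruct and inject its payload.
DECODERS = re.compile(r"\b(eval|unescape|fromCharCode|document\.write)\b")

class InjectionScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # list of (kind, detail) tuples
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            tiny = a.get("width", "").strip() in ("0", "1") or \
                   a.get("height", "").strip() in ("0", "1")
            if tiny or HIDING.search(a.get("style", "")):
                self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Two or more decoder calls plus a long hex/percent-encoded blob.
        if self._in_script and len(DECODERS.findall(data)) >= 2 \
                and re.search(r"[0-9a-f%\\]{40,}", data, re.I):
            self.findings.append(("obfuscated_script", data[:40]))

def scan_html(html):
    """Return the list of suspicious findings for one HTML document."""
    scanner = InjectionScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample page: one injected loader, one hidden iframe, one benign iframe.
SAMPLE = """<html><body><h1>Welcome</h1>
<script>var s="%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%68%74%74%70";document.write(unescape(s));</script>
<iframe src="http://example.invalid/x.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="https://www.example.org/video" width="560" height="315"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE):
        print(kind, detail)
```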

    Users should remember that cybercriminals keep pace with the digital landscape. They will take advantage of any online activity—no matter how mundane—to gain more victims. They are also not selective: one of the compromised sites caters to both students and businesses.

    End users should ensure that their installed software is patched, as this prevents attacks that rely on old exploits – like this one – from succeeding. Site owners should exercise similar precautions with their installed server software – particularly content management systems – and ensure that their own passwords are sufficiently random and difficult for attackers to guess. Inputs should be sanitized as well, to prevent SQL injection attacks.

    Trend Micro provides protection by blocking related malicious sites and detecting the malware.

    With additional inputs from Threat Researcher Rhena Inocencio and Threats Analyst Yoshikawa Takashi.

    Update as of June 5, 2:15 AM PDT

    The malicious PDF files noted earlier in this post are detected as TROJ_PIDIEF.MT. The files downloaded by this malware are saved with legitimate filenames; however, despite their .EXE extension they are non-executable and non-malicious. These files could easily be replaced by malware, so it is possible that this attack was still being tested when it was released into the wild.
