TrendLabs researchers recently received a report on malvertisements that appeared while a user was browsing through a popular Web-based email service.
At first glance, the ads may seem like the typical Web browser nuisance. However, random ads were proven to be vectors for downloading malware onto users’ systems. In one instance, an ad pointed to a URL containing exploits that download and execute several files on affected systems. The downloaded files include a malicious Java file (detected by Trend Micro as JS_BYTEVER.BG) and .PDF files (detected as TROJ_PIDIEF.GBA and TROJ_PIDIEF.GBB), among others.
Trend Micro™ Smart Protection Network™ protects product users from this threat by detecting and preventing the execution of the malicious files via the file reputation service. It also protects customers by blocking user access to malicious websites.
Non-Trend Micro product users can also stay protected from such threats via free tools like Web Protection Add-On, which prevents user access to potential malicious websites.
Update as of March 17, 2010, 4:23 p.m. (GMT +8:00):
Senior threat response engineer Vincent Cabuag adds that this relatively new encryption technique renders standard analysis tools useless in detecting the malicious script inside the .PDF file. The malicious script is obfuscated in a way that requires the use of certain APIs to decrypt. Thus, it would require manual analysis to be able to emulate the embedded script.
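As an added illustration of the analysis problem described above (example code written for this page, not Trend Micro's tooling; the PDF and the script it scans are constructed here): a small scanner that resolves hex-escaped PDF name tokens and inflates FlateDecode streams before looking for script indicators, since a plain keyword grep misses both. The Acrobat JavaScript API names it flags (app., util.printf, this.getField) are assumed indicators, not the specific APIs the post refers to.

```python
import re
import zlib

# PDF name tokens may hex-escape characters (/J#61vaScript is /JavaScript), and
# script bodies usually sit in compressed streams; a plain keyword grep misses both.
_NAME_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\s*endstream", re.S)
INDICATORS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")
# Assumed indicators: common Acrobat JavaScript API entry points, not the
# specific APIs the post refers to.
_API_CALLS = re.compile(rb"\bapp\.|\butil\.printf|\bthis\.getField")

def normalise_names(data: bytes) -> bytes:
    """Resolve #xx escapes so obfuscated name tokens match their plain form."""
    return _NAME_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> bytes:
    """Concatenate every stream body, inflating those that decode as Flate."""
    out = []
    for m in _STREAM.finditer(data):
        try:
            # decompressobj tolerates trailing bytes left by a sloppy delimiter
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            out.append(m.group(1))  # not Flate: keep the raw bytes for matching
    return b"\n".join(out)

def scan_pdf(data: bytes) -> dict:
    """Count script-related indicators in object dictionaries and stream contents."""
    inflated = inflate_streams(data)
    objects = normalise_names(_STREAM.sub(b"", data))  # dictionaries, stream bodies removed
    haystack = objects + b"\n" + inflated
    hits = {k.decode(): haystack.count(k) for k in INDICATORS}
    hits["api_calls"] = len(_API_CALLS.findall(haystack))
    return {k: v for k, v in hits.items() if v}

def build_sample() -> bytes:
    """Constructed minimal PDF: JavaScript action with an escaped name and a Flate body."""
    script = zlib.compress(b"var s = util.printf('%s', app.viewerVersion); eval(s);")
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /J#61vaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << /Length " + str(len(script)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + script + b"\nendstream\nendobj\n"
            b"%%EOF\n")

if __name__ == "__main__":
    print(scan_pdf(build_sample()))
```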
Update as of March 18, 2010, 7:54 p.m. (GMT +8:00):
According to further research by Baltazar, the attack used the “Liberty Exploit Kit,” which exploits known vulnerabilities found in Internet Explorer (IE) like MS06-014 (MDAC) and MS DirectShow. The exploit kit also includes exploits targeting Flash 9 (the most probable vector for malicious ads) and the above-mentioned PDF exploits.
Thus, no user intervention is necessary for an attack to be successful. Users must keep their Flash, Adobe Reader, and IE browsers updated with the latest security patches in order to stay protected from this attack.