Recent reports noted the spread of malware targeting multiple computing platforms. In a recent incident, Macs appear to have been specifically hit with a new variant of the KOOBFACE worm family. (KOOBFACE is a notorious family of malware that primarily spreads via social networking sites like Facebook.)
These incidents are not isolated attacks, however. They are only the visible part of a broader set of attacks involving compromised and malicious sites, in which cybercriminals are increasingly making browser and OS detection part of their standard toolkit.
The malicious sites, payloads, and redirection chains change on a daily basis. Let’s look at one of the malicious sites we recently saw:
The code itself is reasonably simple: it checks which browser and operating system the visitor is running and redirects them to different malicious sites accordingly. In this particular attack, Internet Explorer and Firefox users received FAKEAV variants similar to those seen in earlier attacks, as documented in “FAKEAV Update: Java Vulnerabilities and Improved Fake Alerts.”
Mac and Linux users were sent to the RSS feed of a site scraper. This site appears to periodically capture high-ranking keywords from Google Trends and use one of them as the subject of a new blog post. Each “post” contains, among other things, top results from a Google Images search for the captured keyword. It is possible that the site has simply been “parked” while no malware is being delivered.
Users who fell into none of these categories proceeded along “standard” FAKEAV redirection chains.
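To make the branching described above concrete, here is an added example (not code from the original post or from the malicious page itself) that reconstructs the kind of User-Agent based routing a site like this performs, together with a small analyst harness that replays several User-Agent strings through it. The destination URLs, the precedence of OS checks over browser checks, and the sample User-Agent strings are all assumptions constructed for illustration, not values observed in the incident.

```javascript
// Added example: reconstruction of browser/OS-based redirection logic of the
// kind described in the post, plus a harness for replaying User-Agents.
// All URLs below are hypothetical placeholders, not observed infrastructure.
const DESTINATIONS = {
  fakeav_browser: "http://fakeav-chain.example/ie-firefox", // hypothetical
  scraper_rss:    "http://scraper.example/feed",            // hypothetical
  fakeav_default: "http://fakeav-chain.example/standard",   // hypothetical
};

// Classify a visitor from its User-Agent string.
// Assumption: OS checks take precedence, so a Mac or Linux visitor is
// diverted to the scraper feed no matter which browser it runs.
function classifyVisitor(userAgent) {
  const ua = String(userAgent);
  if (/Macintosh|Mac OS X/.test(ua)) return "mac";
  if (/Linux/.test(ua) && !/Android/.test(ua)) return "linux";
  // Browser checks for everyone else (in practice, Windows visitors).
  if (/MSIE \d|Trident\//.test(ua)) return "ie";
  if (/Firefox\//.test(ua)) return "firefox";
  return "other";
}

// Map the visitor class to the redirection target, mirroring the three
// outcomes described in the post: FAKEAV for IE/Firefox, the scraper's RSS
// feed for Mac/Linux, and the "standard" FAKEAV chain for everyone else.
function pickDestination(userAgent) {
  switch (classifyVisitor(userAgent)) {
    case "ie":
    case "firefox": return DESTINATIONS.fakeav_browser;
    case "mac":
    case "linux":   return DESTINATIONS.scraper_rss;
    default:        return DESTINATIONS.fakeav_default;
  }
}

// Analyst harness: replay a set of User-Agents and group them by the
// destination they would be sent to. A single fetch from one machine only
// ever reveals one branch, which is why multiple UAs are needed.
function probeDestinations(userAgents) {
  const seen = new Map();
  for (const ua of userAgents) {
    const dest = pickDestination(ua);
    if (!seen.has(dest)) seen.set(dest, []);
    seen.get(dest).push(classifyVisitor(ua));
  }
  return seen;
}

// Constructed sample User-Agent strings (not captured from the incident).
const SAMPLE_UAS = [
  "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
  "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0",
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
  "Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0",
  "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1",
];

for (const [dest, kinds] of probeDestinations(SAMPLE_UAS)) {
  console.log(`${dest}  <-  ${kinds.join(", ")}`);
}
```

The practical lesson for anyone investigating such a site is in the harness: because the server or script branches on the visitor's platform, a page that looks benign from one browser and OS can still serve FAKEAV to another, so a suspicious URL should be fetched with several User-Agent strings (and ideally from several source addresses) before it is declared clean.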
While this particular attack involved only FAKEAV, the sites used change on a daily basis, so other malware can be served to other users just as easily. This same technique was used to spread KOOBFACE to Mac users last week. We have also seen it used to deliver other malware families such as:
While the vast majority of attacks delivered this way still use FAKEAV, the fact that malware families belonging to the traditional botnet business model have adopted these “customized” attacks is troubling and points to more widespread exploitation down the road.
Users have to be cautious, as these “customized” attacks mean malicious sites can more easily resemble legitimate ones, and distinguishing the two by eye will be a challenge. Web blocking will become more important for protecting users, since customized attacks allow an even larger variety of malicious files to be served. This is an emerging trend in Web threats that we will be watching closely in order to protect users against it.