There has been recent discussion within the security industry about the increasing use of Java vulnerabilities by attackers. Last week, security blogger Brian Krebs noted how Java exploits were being bundled into exploit packs. Earlier this week, Microsoft also reported what they called an “unprecedented wave” of Java exploits.
This is something we’ve been seeing as well. FAKEAV doorway pages (a concept previously discussed in “Doorway Pages and Other FAKEAV Stealth Tactics”) are increasingly using Java vulnerabilities. Where the Java vulnerabilities cannot be exploited on a given system, PDF exploits are served instead. We detect these Java and PDF exploits as JAVA_LOADER.HLL and TROJ_PIDIEF.HLL, respectively.
Two vulnerabilities in particular that we have seen heavily exploited in this manner are:
Given how widespread the FAKEAV problem is, it shouldn’t be a surprise that it’s showing up on everyone’s radar. There are so many FAKEAV pages that if even a modest percentage of them start using Java vulnerabilities, the increase in Java exploitation will not go unnoticed.
This isn’t the only way FAKEAV has recently evolved, however. While browser-specific payloads and pages are not new, the pages being served up are more polished than before. Here are samples of two browser-specific pages we saw—one is for Internet Explorer while the other is for Firefox.
Both pages very closely mimic the actual interfaces of the aforementioned browsers. In Firefox’s case, the page not only mimics Mozilla’s site design but also detects which version of Firefox the visitor is running. This kind of specific, well-polished behavior can easily lead users to believe that the alerts they see are legitimate.
As for the fake virus alerts themselves, we’ve seen two developments. Online FAKEAV variants now heavily obfuscate their code and additionally encrypt it with AES. Meanwhile, local FAKEAV variants now use audio alerts as part of their behavior. Though the main interface has not really changed, a new “pill” icon has been seen in use.
Taken together, all of this indicates that those behind rogue antivirus software propagation are still honing their techniques even if they’ve somewhat fallen out of the limelight. Trend Micro continuously works to protect users from these threats using the capabilities of the Smart Protection Network™.
Update as of October 20, 2010, 8:26 AM (UTC – 7)
Our continuous monitoring of FAKEAV-related doorway pages reveals that the malicious URLs hosting these payloads (the Java and PDF exploits) use either the Seo Sploit Pack or the Phoenix Exploit Pack. Furthermore, the actual payload is not hosted on the doorway pages themselves.
The final malicious URL is reached through a series of redirections that begin at the doorway page. Because these redirections change frequently, predicting where the next payload URL will be located is a challenging task.
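As an added example (not code from the original post or from Trend Micro's own tooling), the following Python script shows how such a chain can be followed mechanically, treating the doorway page as the starting point. It handles the three redirection mechanisms commonly seen in such chains: HTTP 3xx `Location` headers, `<meta http-equiv="refresh">` tags, and simple JavaScript `location` assignments. It records every hop, resolves relative URLs against the current page, stops on loops, and caps the number of hops. All hostnames, paths, and response bodies in `SAMPLE_RESPONSES` are constructed for illustration; the `live_fetch` helper (which sends a chosen User-Agent, since doorway pages serve browser-specific content) is included for use against a sandboxed network and is not exercised by the sample run.

```python
"""Trace a doorway-page redirection chain hop by hop (added example, not from the original post)."""
import re
import urllib.error
import urllib.request
from html import unescape
from urllib.parse import urljoin

# Constructed sample: what each URL in a hypothetical doorway -> exploit-kit chain returns.
# Format: url -> (status, headers, body). Hosts, paths and bodies are made up for illustration.
SAMPLE_RESPONSES = {
    "http://doorway.example/seo-page.html": (
        200, {}, '<html><head><meta http-equiv="refresh" content="0;url=http://hop1.example/go.php?id=7"></head></html>'),
    "http://hop1.example/go.php?id=7": (302, {"Location": "/in.cgi?3"}, ""),
    "http://hop1.example/in.cgi?3": (
        200, {}, '<script>window.location.href = "http://kit.example/index.php?s=abc";</script>'),
    "http://kit.example/index.php?s=abc": (
        200, {}, '<html><body><applet code="x.class" archive="x.jar"></applet></body></html>'),
}

META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.I)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+))', re.I)
REFRESH_URL_RE = re.compile(r'url\s*=\s*["\']?([^"\';\s>]+)', re.I)
# Matches: location = "u", location.href = "u", location.replace("u"), location.assign("u")
JS_LOCATION_RE = re.compile(r'location(?:\.href\s*=|\s*=|\.(?:replace|assign)\()\s*["\']([^"\']+)["\']', re.I)


def extract_next_hop(status, headers, body):
    """Return the raw URL a browser would be sent to next, or None if this page does not redirect."""
    if 300 <= status < 400:
        for name, value in headers.items():
            if name.lower() == "location":
                return value
        return None
    for tag in META_TAG_RE.findall(body):
        attrs = {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
                 for m in ATTR_RE.finditer(tag)}
        if attrs.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_URL_RE.search(attrs.get("content", ""))
            if m:
                return m.group(1)
    m = JS_LOCATION_RE.search(body)
    return m.group(1) if m else None


def trace_chain(start_url, fetch, max_hops=10):
    """Follow redirections from start_url using fetch(url) -> (status, headers, body).

    Returns (chain, reason) where chain lists every URL visited in order and reason is
    "final" (page does not redirect), "loop", "max_hops", or "http_<code>" for a 4xx/5xx hop.
    """
    chain, seen, url = [start_url], {start_url}, start_url
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        if status >= 400:
            return chain, f"http_{status}"
        nxt = extract_next_hop(status, headers, body)
        if nxt is None:
            return chain, "final"
        nxt = urljoin(url, unescape(nxt).strip())  # resolve relative Location/url values
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
        url = nxt
    return chain, "max_hops"


def sample_fetch(url):
    """Offline fetch against the constructed sample; unknown URLs look like a dead hop."""
    return SAMPLE_RESPONSES.get(url, (404, {}, ""))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 3xx responses instead of following them


def live_fetch(url, user_agent="Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6", timeout=10):
    """Fetch one URL without following redirects. Run only from an isolated analysis network."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read(65536).decode("latin-1")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read(65536).decode("latin-1")


if __name__ == "__main__":
    hops, why = trace_chain("http://doorway.example/seo-page.html", sample_fetch)
    for i, hop in enumerate(hops):
        print(f"[{i}] {hop}")
    print("stopped:", why)
```

Because doorway pages pick their content by browser, a trace run with the wrong User-Agent may end at a benign page; pass the `user_agent` the kit is targeting to `live_fetch` and rerun. The hop list, not just the final URL, is what to record, since the intermediate redirectors tend to be the stable part of the infrastructure while the payload URL rotates.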