TrendLabs researchers recently received a report on malvertisements that appeared while a user was browsing through a popular Web-based email service.
At first glance, the ads may seem like the typical Web browser nuisance. However, random ads were proven to be vectors for downloading malware onto users’ systems. In one instance, an ad pointed to a URL containing exploits that download and execute several files on affected systems. The downloaded files include a malicious Java file (detected by Trend Micro as JS_BYTEVER.BG) and .PDF files (detected as TROJ_PIDIEF.GBA and TROJ_PIDIEF.GBB), among others.
According to advanced threats researcher Jonell Baltazar, these .PDF files exploit known vulnerabilities found in Adobe Reader (Collab.collectEmailInfo, Collab.getIcon, and util.printf) to download a file if the user’s application remains unpatched. Furthermore, Baltazar explains, the malicious .PDF files use getPageNumWords() and getPageNthWords() Adobe JavaScript application programming interfaces (APIs). The files also used the app.info.Author field of the .PDF document to store the encoded payload URL, which enables them to defeat automated PDF and JavaScript analysis tools.
 |
 |
As discussed in the 2010 Threat Predictions by Trend Micro CTO Raimund Genes, drive-by infections are the norm and one Web visit is enough to get infected. Users are thus advised to disable JavaScript on their Web browsers and to practice vigilance, verify URLs, and update browsers to avoid being redirected to malicious URLs.
Trend Micro™ Smart Protection Network™ protects product users from this threat by detecting and preventing the execution of the malicious files via the file reputation service. It also protects customers by blocking user access to malicious websites.
Non-Trend Micro product users can also stay protected from such threats via free tools like Web Protection Add-On, which prevents user access to potential malicious websites.
Update as of March 17, 2010, 4:23 p.m. (GMT +8:00):
Senior threat response engineer Vincent Cabuag adds that this relatively new encryption technique renders standard analysis tools useless in detecting the malicious script inside the .PDF file. The malicious script is obfuscated in a way that requires the use of certain APIs to decrypt. Thus, it would require manual analysis to be able to emulate the embedded script.
Update as of March 18, 2010, 7:54 p.m. (GMT +8:00):
According to further research by Baltazar, the attack used the “Liberty Exploit Kit,” which exploits known vulnerabilities found in Internet Explorer (IE) like MS06-014 (MDAC) and MS DirectShow. The exploit kit also includes exploits targeting Flash 9 (the most probable vector for malicious ads) and the above-mentioned PDF exploits.
Thus, no user intervention is necessary for an attack to be successful. Users must keep their Flash, Adobe Reader, and IE browsers updated with the latest security patches in order to stay protected from this attack.
