Driveby downloads delivered...

2010-03-24, 13:29

Driveby downloads delivered from ".sys" directories
- http://isc.sans.org/diary.html?storyid=8482
Last Updated: 2010-03-24 02:42:35 UTC - "... observed malware being delivered from the ".sys" directory of various web sites. The URL follows the scheme:
http ://evilexample .com/.sys/?action=... link being delivered via Facebook which of course makes the message more plausible and it is likely that users install the software thinking it came from a "Friend"... In response to clicking on the link, the user is asked to install the software... a specific block for ".sys".. web filter caught about 60% of these exploits. Once a user follows the link, additional exe files are downloaded from ".sys" directories. The file names... observed are p.exe, go.exe and v2captcha21.exe."
Comments: ... Mar 24 2010, 15:24
"... a bit more digging did show the Koobface connection..."


2010-08-23, 13:16

Java exploit in the wild - Unruy downloader uses CVE-2010-0094* Java vuln
- http://blogs.technet.com/b/mmpc/archive/2010/08/17/unruy-downloader-uses-cve-2010-0094-java-vulnerability.aspx
17 Aug 2010 - "... Infection can occur when a user visits a webpage that hosts a malicious Java applet. If the user’s browser runs a vulnerable version of the Java Runtime Environment (up to version 6 update 18), exploitation may be successful and malware may be installed. We are currently detecting malicious applets that exploit this vulnerability..."

* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0094
Last revised: 08/21/2010 ... Java SE and Java for Business 6 Update 18 and 5.0 Update 23 and previous versions...
CVSS v2 Base Score: 7.5 (HIGH)

Latest version: Java JRE 6 Update 21
- http://java.sun.com/javase/downloads/index.jsp
- http://java.com/en/download/manual.jsp
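Added example (mine, not code from the Microsoft MMPC post or the NVD entry): a small audit helper that decides, from a `java -version` string, whether a JRE falls in the range the NVD text above names (6 Update 18, 5.0 Update 23 and previous versions) and so should be moved to the 6 Update 21 release linked above. The host names and version output are constructed sample data; the assumption that families newer than 6 are not covered by this advisory is mine.

```python
import re

# From the NVD entry quoted above: "Java SE and Java for Business 6 Update 18
# and 5.0 Update 23 and previous versions" are affected.
LAST_VULNERABLE_UPDATE = {6: 18, 5: 23}
FIXED_RELEASE = "1.6.0_21"   # JRE 6 Update 21, the latest version named in the post

# Matches the version token in '1.6.0_18', '1.6.0_21-b07' or a full
# 'java version "1.5.0_23"' line. Pre-Java-9 strings always start with "1.".
_JAVA_VERSION_RE = re.compile(r"1\.(\d+)\.\d+(?:_(\d+))?")

def parse_java_version(text):
    """Return (family, update) from a version string; update is 0 if absent."""
    m = _JAVA_VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Java 1.x version found in {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)

def vulnerable_to_cve_2010_0094(text):
    """True if the JRE described by `text` is inside the affected range."""
    family, update = parse_java_version(text)
    if family in LAST_VULNERABLE_UPDATE:
        return update <= LAST_VULNERABLE_UPDATE[family]
    # "and previous versions": anything older than the 5.0 line is affected.
    # Families newer than 6 are not named in the advisory (assumption: treat as not covered).
    return family < min(LAST_VULNERABLE_UPDATE)

# Constructed 'java -version' output for a few hosts (sample data, not real hosts).
SAMPLE_HOSTS = {
    "ws01": 'java version "1.6.0_18"\nJava(TM) SE Runtime Environment (build 1.6.0_18-b07)',
    "ws02": 'java version "1.6.0_21"\nJava(TM) SE Runtime Environment (build 1.6.0_21-b06)',
    "ws03": 'java version "1.5.0_22"\nJava(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_22-b03)',
    "ws04": 'java version "1.6.0_19"',
}

def hosts_needing_update(hosts=SAMPLE_HOSTS):
    """Sorted list of hosts whose reported JRE is in the affected range."""
    return sorted(h for h, out in hosts.items() if vulnerable_to_cve_2010_0094(out))

if __name__ == "__main__":
    for host in hosts_needing_update():
        print(f"{host}: vulnerable JRE, update to {FIXED_RELEASE}")
```

One caveat when using this for real: a machine can carry more than one JRE (a 5.0 install next to a 6 install, for instance), and the browser plug-in does not necessarily use the one that `java -version` on the PATH reports, so check every installed runtime, not just the first one found.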


2010-09-15, 21:12

Q2-2010 - 1.3M infected sites ...
- http://blog.dasient.com/2010/09/continued-growth-in-web-based-malware_9357.html
September 14, 2010 - "... our infection library has catalogued almost 200,000 different infections - up 58,000 from the previous quarter... In Q2 2010, we estimate that 1.3 million web sites were infected, based on data from our telemetry systems. Q2 was the first quarter in history for which we believe that over one million web sites were infected in a three month time period. As we have now been tracking web-based malware statistics for four quarters, we have plotted the estimated number of infected web sites over that time period below. While there was a slight dip in Q4 ’09... the growth over the past couple quarters has been significant - growth by a factor of two over the past year... When attackers send drive-by-downloads, they seem to like to choose one letter file names and innocent looking names like updates.exe and file.exe. Sometimes the file name starts with MS to imitate Microsoft processes. There are also a class of attacks that choose a random file name with fixed number of characters... Temp and application data folders are the favorite choice of folders in which to store malicious executables. However, executables are sometimes copied to system directory after their initial storage, and run from there... Overall, three out of four drive-by-downloads have one letter filenames and are written to the User’s Application Data directory..."
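Added example (mine, not code from the ISC diary of 2010-03-24 or the Dasient post above): two checks that turn the observations in those two posts into something you can run over your own data. The first covers the ISC post: a proxy-log filter for URLs whose path contains a ".sys" directory, with the observed follow-on names p.exe, go.exe and v2captcha21.exe as an extra tag. The second covers the Dasient post: a triage score for newly written executables based on the naming patterns (one-letter names, updates.exe / file.exe, an "MS" prefix, random fixed-length names) and locations (Temp, Application Data, later the system directory) it describes. Every log line, URL and path below is constructed; the scoring weights, the 8-character threshold for "random-looking" names and the directory regexes are my assumptions.

```python
import re
from urllib.parse import urlsplit

# ---- proxy-log side: the ".sys" URL scheme (ISC diary) ---------------------

SYS_PAYLOAD_NAMES = {"p.exe", "go.exe", "v2captcha21.exe"}   # names ISC observed

def sys_dir_indicator(url):
    """Flag a URL whose path contains a '.sys' directory component."""
    segments = [s for s in urlsplit(url).path.split("/") if s]
    in_sys_dir = ".sys" in segments            # a directory, not a .sys extension
    last = segments[-1].lower() if segments else ""
    return {
        "sys_dir": in_sys_dir,
        "known_payload": in_sys_dir and last in SYS_PAYLOAD_NAMES,
        "block": in_sys_dir,                   # the diary's web-filter rule
    }

# Constructed proxy log: "<epoch> <client> <method> <url>"
SAMPLE_PROXY_LOG = [
    "1269432540 10.0.0.5 GET http://evilexample.com/.sys/?action=view",
    "1269432547 10.0.0.5 GET http://evilexample.com/.sys/go.exe",
    "1269432600 10.0.0.7 GET http://example.com/static/app.sys",
    "1269432610 10.0.0.8 GET http://example.com/sys/p.exe",
]

def blocked_requests(log_lines):
    """Return (client, url, known_payload) for every request the rule blocks."""
    hits = []
    for line in log_lines:
        _ts, client, _method, url = line.split(maxsplit=3)
        verdict = sys_dir_indicator(url)
        if verdict["block"]:
            hits.append((client, url, verdict["known_payload"]))
    return hits

# ---- host side: dropped-file name and location heuristics (Dasient) --------

_TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.I)
_APPDATA_RE = re.compile(r"\\(application data|appdata)\\", re.I)
_SYSTEM_RE = re.compile(r"\\windows\\(system32|syswow64|system)\\", re.I)
# Assumed definition of "random-looking": 8+ alphanumerics mixing letters and digits.
_RANDOM_RE = re.compile(r"(?=.*[a-z])(?=.*\d)[a-z\d]{8,}")

def dropped_file_score(path):
    """Score a newly written path: a name trait counts 2, a location trait 1."""
    score, reasons = 0, []
    name = path.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    if not dot or ext.lower() != "exe":
        return 0, reasons
    stem_l = stem.lower()
    name_trait = None
    if len(stem_l) == 1:
        name_trait = "one-letter filename"
    elif stem_l in {"updates", "file"}:
        name_trait = "generic filename"
    elif stem_l.startswith("ms"):
        name_trait = "MS-prefixed filename"
    elif _RANDOM_RE.fullmatch(stem_l):
        name_trait = "random-looking filename"
    if name_trait:
        score, reasons = score + 2, reasons + [name_trait]
    location = None
    if _TEMP_RE.search(path):
        location = "Temp directory"
    elif _APPDATA_RE.search(path):
        location = "Application Data directory"
    elif _SYSTEM_RE.search(path):
        location = "system directory"
    if location:
        score, reasons = score + 1, reasons + [location]
    return score, reasons

# Constructed file-creation events (paths only; not from any real host)
SAMPLE_FILE_EVENTS = [
    r"C:\Documents and Settings\alice\Application Data\a.exe",
    r"C:\Users\bob\AppData\Local\Temp\updates.exe",
    r"C:\Users\bob\AppData\Roaming\msupdate.exe",
    r"C:\Users\bob\AppData\Local\Temp\x7f3k9q2.exe",
    r"C:\Program Files\Vendor\setup.exe",
    r"C:\Users\bob\Downloads\report.pdf",
    r"C:\Windows\System32\notepad.exe",
]

def triage(events, threshold=3):
    """Paths that combine a suspicious name with a suspicious location."""
    return [p for p in events if dropped_file_score(p)[0] >= threshold]

if __name__ == "__main__":
    for client, url, payload in blocked_requests(SAMPLE_PROXY_LOG):
        print("BLOCK", client, url, "(known payload name)" if payload else "")
    for path in triage(SAMPLE_FILE_EVENTS):
        print("TRIAGE", path, dropped_file_score(path)[1])
```

Two points about the design. The URL check keys on ".sys" as a path segment rather than as a substring, so a legitimate download of `app.sys` is not blocked, and the payload names alone are deliberately not a blocking condition (go.exe and p.exe turn up in benign places). On the host side, the score needs both a name trait and a location trait before a path is surfaced: System32 is full of legitimate binaries that start with "ms", so the prefix alone is only a weak signal, and a known-good hash list is still needed before acting on anything this surfaces.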


2010-11-22, 22:47

Web-based malware infections double...
- http://blog.dasient.com/2010/11/normal.html
November 22, 2010 - "In Q3 Dasient continued to monitor millions of sites on the Internet for web-based malware infections and malvertisements. Based on the data gathered, we estimate that in Q3 over 1.2 million web sites across the Internet were infected, which is double our estimate from exactly one year ago... The web malware problem continues to grow dramatically as an increasing number of legitimate sites are getting infected. Looking at the major modes of communication used on the Internet, email was one of the first such major mode of communication, and we saw attackers take advantage of it by distributing viruses as email attachments. Over time, we saw that email became web-based with services such as Hotmail, Yahoo! Mail, and Gmail, and such services had to incorporate anti-virus software on their servers to scan email attachments for malware. As web page views continued to increase and web pages themselves became more and more interactive via Web 2.0 trends, cybercriminals took advantage of the advent of drive-by-download techniques to infect users without requiring the opening of attachments, thereby allowing them to exploit web pages as an increasingly pervasive malware distribution platform. While attackers continue to grow their use of almost every tool at their disposal (including spreading viruses via email attachment) and as the cybercriminal economy continues to thrive, our research indicates that the use of drive-by-downloads and rogue anti-virus schemes eclipse other modes of malware distribution..."
(Multiple charts and more detail available at the URL above.)


2010-11-30, 15:07

Drive-by ransomware ...
- http://nakedsecurity.sophos.com/2010/11/26/drive-by-ransomware-attack-demands-120/
November 26, 2010 - "... new ransomware attack that appears to have hit computer users via a drive-by vulnerability on compromised websites. Malicious hackers are spreading the ransomware, which encrypts media and Office files on victims' computers, in an attempt to extort $120... The attack, which Sophos detects as Troj/Ransom-U*, changes your Windows desktop wallpaper to deliver the first part of the ransom message... Users have reported to us that they have received the attack via a malicious PDF which downloads and installs the ransomware. Sophos detects the PDF as Troj/PDFJS-ML**..."
* http://www.sophos.com/security/analyses/viruses-and-spyware/trojransomu.html

** http://www.sophos.com/security/analyses/viruses-and-spyware/trojpdfjsml.html

- http://www.theregister.co.uk/2010/11/30/ransomware_trojan_returns/
30 November 2010

MBR Ransomware
- http://www.securelist.com/en/blog/208188032/And_Now_an_MBR_Ransomware
November 29, 2010 - "... just discovered a malware which overwrites the master boot record (MBR) and demands a ransom...
UPD2: Do not use 'fixmbr' utility in case you are infected with this trojan because it will not restore your partition table and you won't be able to boot your OS. If you are infected and passwords are invalid, plug in your hard drive to a working computer and use this free tool* which will restore your MBR."
* http://support.kaspersky.com/viruses/avptool2010?level=2

Oficla downloads MBR Ransomware
- http://techblog.avira.com/2010/12/01/oficla-downloads-ransomware/en/
December 1, 2010 - "... victims which are infected can use the password “aaaaaaciip” which will restore the original MBR and Windows will start again. Avira detects the malware as TR/Ransom.Seftad.A. The malicious boot sector is detected as “BOO/Seftad.A”..."
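Added example (mine, not code from the Securelist or Avira posts): a small MBR parser that makes the Kaspersky warning above concrete, namely why a boot-code-only repair such as `fixmbr` is not the same as putting back a sector you backed up before infection. The layout assumed is the standard one: 446 bytes of boot code, a 64-byte table of four 16-byte partition entries, and the 0x55AA signature. The "infected" sector is constructed and models the trojan overwriting the whole sector, partition table included; that is my assumption, chosen to be consistent with the warning that `fixmbr` "will not restore your partition table". The boot-code bytes are stand-ins, not real boot code.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"

def build_mbr(boot_code, entries):
    """Assemble a 512-byte MBR from boot code and up to four partition dicts."""
    if len(boot_code) > BOOT_CODE_LEN or len(entries) > 4:
        raise ValueError("boot code too long or too many partitions")
    table = b"".join(
        struct.pack("<B3sB3sII",
                    0x80 if e["bootable"] else 0x00,
                    b"\xff\xff\xff",            # CHS start (unused with LBA)
                    e["type"],
                    b"\xff\xff\xff",            # CHS end
                    e["lba_start"], e["sectors"])
        for e in entries)
    table = table.ljust(4 * PART_ENTRY_LEN, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + SIGNATURE

def parse_mbr(mbr):
    """Boot-code hash, the non-empty partition entries and the signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
        "signature_ok": mbr[MBR_SIZE - 2:] == SIGNATURE,
    }

def has_active_partition(mbr):
    """Can normal boot code hand off to an OS? Needs a signature and an active entry."""
    info = parse_mbr(mbr)
    return info["signature_ok"] and any(p["bootable"] for p in info["partitions"])

def rewrite_boot_code_only(current, known_good):
    """fixmbr-style repair: fresh boot code, partition table left as found on disk."""
    return known_good[:BOOT_CODE_LEN] + current[BOOT_CODE_LEN:]

def restore_from_backup(backup):
    """Full-sector restore from an image taken before infection."""
    if len(backup) != MBR_SIZE or backup[MBR_SIZE - 2:] != SIGNATURE:
        raise ValueError("backup is not a valid MBR image")
    return bytes(backup)

# Constructed sectors. CLEAN_MBR plays the pre-infection backup; INFECTED_MBR
# models the trojan having overwritten the whole sector (assumption, see lead-in).
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c",
                      [{"bootable": True, "type": 0x07, "lba_start": 2048, "sectors": 204800}])
INFECTED_MBR = build_mbr(b"RANSOM-STUB", [])

def demonstrate():
    """Compare the two repair strategies on the constructed infected sector."""
    after_fixmbr = rewrite_boot_code_only(INFECTED_MBR, CLEAN_MBR)
    after_backup = restore_from_backup(CLEAN_MBR)
    clean_hash = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
    return {
        "clean": has_active_partition(CLEAN_MBR),
        "infected": has_active_partition(INFECTED_MBR),
        "fixmbr": has_active_partition(after_fixmbr),
        "backup": has_active_partition(after_backup),
        "fixmbr_restored_boot_code": parse_mbr(after_fixmbr)["boot_code_sha256"] == clean_hash,
    }

if __name__ == "__main__":
    for k, v in demonstrate().items():
        print(f"{k:>26}: {v}")
```

The result is the point of the Kaspersky note: after the `fixmbr`-style repair the boot code hashes clean again, but there is still no active partition for it to jump to, so the machine does not boot. A full-sector backup taken beforehand restores both. On Linux `dd if=/dev/sda of=mbr.bin bs=512 count=1` captures that sector; `parse_mbr` can then be pointed at the file to confirm the table looks right before anything is written back.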


2010-12-11, 13:28

Malware on ad networks at Google, MS...
DoubleClick ADShufffle drive-by download malvertising
- http://www.pcworld.com/businesscenter/article/213336/google_microsoft_ad_networks_briefly_hit_by_with_malware.html
12.10.2010 10:00 pm - "... cybercriminals managed to infect Google's and Microsoft's online ad networks with malicious advertisements that attacked users' PCs, according to security consultancy Armorize*. The attacks started around Dec. 5 and lasted a few days, sending victims who clicked on the ads to malicious Web pages..."
* http://blog.armorize.com/2010/12/hdd-plus-malware-spread-through.html
12.10.2010 - "... Over the past few days, we saw the quick spread of HDD Plus** - a malware that (somehow) gets installed on victim computers, and holds the computer hostage by displaying threatening message (that the system is failing), asking you to purchase a license so HDD Plus will fix the problems... one of the means for HDD Plus to spread, was via drive-by download malvertising through (at least) DoubleClick and rad.msn .com, which are both the world's largest ad serving platforms...
Known sites affected: Sites that incorporate DoubleClick or rad.msn .com banners, including for example Scout .com (using DoubleClick), realestate.msn .com, msnbc .com (using both), and mail.live .com. We'd like to note here it's very possible that multiple exchanges, besides those listed here, have been serving the fake ADShufffle's ads...
Malware installed: Over the past week, ADShufffle kept on changing the malware. Besides HDD Plus, other types of malware, such as backdoors, have been served...
Exploit packs used: Primarily a modified version of Eleonore. Neosploit was also used. With neosploit, malicious binaries are obfuscated on-the-fly before being served..."
(More detail and flow chart available at the blog.armorize.com URL above.)

** http://www.bleepingcomputer.com/virus-removal/remove-hdd-plus

Q3'10... Web-Based Malware
- http://blog.dasient.com/2010_11_01_archive.html
November 22, 2010
Q1'10... Web-Based Malware
- http://blog.dasient.com/2010_05_01_archive.html
May 10, 2010

- http://news.cnet.com/8301-27080_3-20000898-245.html
March 22, 2010

- http://blog.avast.com/2010/02/18/ads-poisoning-%E2%80%93-jsprontexi/
February 18, 2010
- http://blog.avast.com/wp-content/uploads/2010/02/js_prontexi_chart.png