View Full Version : Driveby downloads - archive

2010-05-11, 17:41

TorrentReactor.net - drive-by-download - leads to exploit
- http://blogs.paretologic.com/malwarediaries/index.php/2010/05/10/torrentreactor-net-leads-to-exploit/
May 10, 2010 - "The popular website torrentreactor .net is home of a drive-by download. I tested it this morning and the exploit is still live, so please be careful... Wepawet report* indicates “Multiple Adobe Reader and Acrobat buffer overflows”... What’s happening is probably a third party advertisement site that promotes on TorrentReactor has been compromised... The malicious PDF is detected by 6/40 vendors on VirusTotal**..."
* http://wepawet.iseclab.org/view.php?hash=1698072b7a5718dae7b1049ffe4aab2a&t=1273513777&type=js
** http://www.virustotal.com/analisis/8c2137d9f0775373c88046f6474b3859010a8598a67722670f9e5f8488390a1b-1273512771
File 9E5F92DB78287D690C62AD9DBD6CAA64 received on 2010.05.10 17:32:51 (UTC)
Result: 6/40 (15.00%)

- http://ddanchev.blogspot.com/2010/05/torrentreactornet-serving-crimeware.html
May 11, 2010 - "...appears to be taking place through a malicious ad serving exploits using the NeoSploit kit, which ultimately drops a ZeuS crimeware sample hosted within a fast-flux botnet..."

- http://google.com/safebrowsing/diagnostic?site=TorrentReactor.net/
"... last time Google visited this site was on 2010-05-15, and the last time suspicious content was found on this site was on 2010-05-13. Malicious software includes 13 trojan(s), 10 exploit(s). Successful infection resulted in an average of 1 new process(es) on the target machine. Malicious software is hosted on 16 domain(s), including netping.dyndns.dk/, endroiturlredirect.com/, burgsiutrehosa.com/. 13 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including fulldls.com/, shtraff.ignorelist.com/, yieldmanager.com/..."


2010-08-31, 14:59

* >> http://forums.spybot.info/showpost.php?p=383566&postcount=7
QuickTime 7.6.8 released - September 15, 2010

QuickTime QTPlugin.ocx input validation vuln...
- http://secunia.com/advisories/41213/
Last Update: 2010-09-16
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution: Update to version 7.6.8*...

- http://community.websense.com/blogs/securitylabs/archive/2010/09/07/quicktime-0-day-actively-used-in-the-wild.aspx
07 Sep 2010 - "... Websense... has discovered exploitation of this vulnerability in the wild..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1818
Last revised: 09/01/2010
CVSS v2 Base Score: 9.3 (HIGH)

- http://securitytracker.com/alerts/2010/Aug/1024376.html
Aug 31 2010

- http://www.symantec.com/security_response/threatconlearn.jsp
Aug. 31, 2010 - "... Users may wish to disable the QuickTime plugin until a patch is available; this can be achieved by setting the killbit for the affected control (02BF25D5-8C17-4B23-BC80-D3488ABDDC6B) -or- renaming the plugin (QTPlugin.OCX)..."

- http://www.theregister.co.uk/2010/08/30/apple_quicktime_critical_vuln/
30 August 2010 - "... exploit... works only against those who have Microsoft's Windows Live Messenger installed..."

- http://isc.sans.edu/diary.html?storyid=9472
Last Updated: 2010-08-30 23:24:53 UTC
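The kill-bit workaround quoted from Symantec above, as an added example (not code from the original post, Symantec or Apple): a PowerShell script that sets the Internet Explorer ActiveX kill bit for the QTPlugin.ocx control, using the CLSID 02BF25D5-8C17-4B23-BC80-D3488ABDDC6B given in the post. The registry location and the 0x400 "Compatibility Flags" value are Microsoft's documented kill-bit mechanism (KB240797); the Wow6432Node path is where 32-bit IE on 64-bit Windows reads the same setting. Run from an elevated prompt.

```powershell
# Added example: set the IE ActiveX kill bit for the QuickTime QTPlugin.ocx control.
# CLSID is taken from the Symantec note quoted above; registry path and the 0x400
# flag are the documented kill-bit mechanism (Microsoft KB240797). Requires an
# elevated (Administrator) PowerShell session.

$clsid = '{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}'
$paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
)
# 32-bit IE on 64-bit Windows consults the Wow6432Node view of the same key.
if ([Environment]::Is64BitOperatingSystem) {
    $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
}

foreach ($path in $paths) {
    if (-not (Test-Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    # 0x400 = kill bit ("never instantiate this control"). OR it into any flags
    # already present rather than overwriting them.
    $existing = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $flags = [int]$existing -bor 0x400
    Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $flags -Type DWord
}

# Verify: each path should now report a value with bit 0x400 set.
foreach ($path in $paths) {
    $v = (Get-ItemProperty -Path $path -Name 'Compatibility Flags').'Compatibility Flags'
    $state = if ($v -band 0x400) { 'set' } else { 'NOT set' }
    '{0}: Compatibility Flags = 0x{1:X8} (kill bit {2})' -f $path, $v, $state
}
```

Two caveats a practitioner should keep in mind: the kill bit only stops Internet Explorer and other ActiveX hosts from loading the control, so it does not cover browsers that use the separate QuickTime NPAPI plugin; and the bit is not cleared by installing the 7.6.8 update, so the control stays disabled until the value is deliberately removed.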


2010-11-11, 16:12

IE 0-day hosted on Amnesty International site
- http://community.websense.com/blogs/securitylabs/archive/2010/11/10/Amnesty-International-Hong-Kong-Website-Injected-With-Latest-Internet-Explorer-0_2D00_day-.aspx
10 Nov 2010 - "Websense... has detected that the Hong Kong Website of human rights organization Amnesty International has been compromised by multiple exploits, including the most recent Microsoft Internet Explorer 0-day. In one attack, an iframe has been injected into the index page, resulting in a quiet redirection of any visitor to an exploit server controlled by the cyber criminals... The injected code resides at hxxp: //www .amnesty.org.hk/schi/[removed]ox.html."

> http://forums.spybot.info/showpost.php?p=388081&postcount=70

Drive-By Downloads: Malware's Most Popular Distribution Method
- http://www.darkreading.com/taxonomy/index/printarticle/id/228200810
Nov 12, 2010