CNET's Clientside developer blog serving Adobe Flash exploits

Summary:Yesterday, Websense Labs issued an alert regarding a compromised CNET blog, namely the Clientside developer blog which has been embedded with a malicious javascript code attempting to exploit the visitors through a well known vulnerability in Adobe Flash's player. Websense's alert :"Websense Security Labs ThreatSeeker Network has discovered that a CNET Networks site has been compromised.

Yesterday, Websense Labs issued an alert regarding a compromised CNET blog, namely the Clientside developer blog

CNET Websense
which has been embedded with a malicious javascript code attempting to exploit the visitors through a well known vulnerability in Adobe Flash's player. Websense's alert :

"Websense Security Labs ThreatSeeker Network has discovered that a CNET Networks site has been compromised. The main page of the CNET Clientside Developer Blog contains malicious JavaScript code that de-obfuscates into an iframe that loads its primary malicious payload from a different host. The malicious code is observed to exploit a known integer overflow vulnerability in Adobe Flash (CVE-2007-0071). At the time of this alert, the site is still hosting the malicious code. Visitors who are not patched against this vulnerability will be infected without any user interaction."

Interestingly, the second javascript obfuscation that they analyzed in the time of detection is different than the one I managed to obtain from a copy of the blog on the 2nd of August. And while it remains unknown for how long has the blog beed embedded with the javascript with the, this malware attack, and the rotating javascripts indicate a compromise compared to the massive SQL injections we're seeing on daily basis. The embedded javascript code appears to have been removed. Deobfuscating the obfuscated javascript code, attempts to access the live exploit URL from a .info domain that is now down. Historically, the same domain has been used in blackhat search engine optimization campaigns - yet another example of underground multitasking, namely, abusing a single domain for several different fraudulent purposes.

Blog javascript obfuscation
This malware attack should not be treated as an isolated event, it's the result of today's major risk-forwarding process, where legitimate sites are starting to serve malware and exploits with an unprecedented growth. Multiple vendors are confirming the trends, for instance, in its latest report, ScanSafe reports 407 percent increase in compromise of legitimate websites,  followed by Sophos, according to which a full 79% of malware-hosting Web sites are legitimate ones, and with Websense stating that more than 75 percent of the Web sites it classified as malicious were actually legitimate ones.

Slowly, but inevitably, the "do no visit unknown and potentially harmful sites" security tip is starting to lose its charm.

Topics: Security

About

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.