Exploit packs get intelligent -- Attacks launched based on victim's browser

Exploit packs get intelligent -- Attacks launched based on victim's browser

Summary: Virus hunters at Symantec have stumbled upon a malicious server using an attack framework that intelligently chooses exploits based on the client's browser.This is the first sign of the type of reconnaissance attacks predicted by by white hat researchers (See: Do you know what's leaking out of your browser?

SHARE:
TOPICS: Security, Browser
6

Virus hunters at Symantec have stumbled upon a malicious server using an attack framework that intelligently chooses exploits based on the client's browser.

This is the first sign of the type of reconnaissance attacks predicted by by white hat researchers (See: Do you know what's leaking out of your browser?) and signals a new level of sophistication in the exploit packs powering drive-by malware downloads.

Symantec virus analyst Darren Kemp said the malicious server (which is currently up and running) was discovered by one of the company's DeepSight Honeypot. The server is hosting exploits for several several high-profile vulnerabilities, including the Windows animated cursor (.ani) flaw patched by Microsoft earlier this year.

Here's the blow-by-blow of the attack:

> Upon connecting to the malicious site, an immediate attempt is made to exploit the moldy old MDAC RDS.Dataspace ActiveX control vulnerability.

> If that exploit fails, the framework uses a JavaScript function to perform rudimentary browser detection. If Internet Explorer is detected, the target is redirected to a page hosting an animated cursor exploit.

> If Mozilla Firefox is detected, the victim is redirected to a separate page hosting an embedded Apple QuickTime exploit.

The QuickTime exploit takes aim at the TRSP URI remote buffer overflow vulnerability that was first discussed on the MoAB (Month of Apple Bugs) project in January, 2007.

"Interestingly, no obfuscation tricks are used to try to bypass IDS/IPS systems. This is particularly unusual for these types of attacks," Kemp said. However, he noted that some of the exploits are using encoded payloads.

The reconnaissance element of this attack -- which is different from the MPack drive-bys earlier this month -- increases the reliability of these drive-by downloads which typically fire exploits at victims, regardless of whether a vulnerability exists.

In this case, the exploit framework is deliberate about firing attacks with a higher success rate.

In addition to the MDAC, .ani and QuickTime vulnerabilities, the framework includes exploits for a Sun Java RunTime Environment GIF images buffer overflow.

Kemp also notes that the exploit framework is still a work-in-progress:

The code contains references to class identifiers for IncrediMail and Yahoo! Instant Messenger ActiveX controls for which high-profile exploits were released recently. Additionally, a commented-out line of code contains a list of keywords associated with recent vulnerabilities and various anti-virus products.

Although these parts are not fully implemented, the presence of this information suggests that this framework is undergoing continuous development. Exploits for these issues will likely be added in the near future.

The standard advice to avoid these drive-bys apply: Make sure your Windows machine is fully updated with patches -- from Microsoft and applicable application vendors. A good place to start is the Secunia Software Inspector, a tool that scans and pinpoints weak spots on a Windows computer.

Topics: Security, Browser

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

6 comments
Log in or register to join the discussion
  • What does it try if you are using Opera?

    Hopefully it doesn't know / care about Opera due to its relatively small market share!
    Scrat
    • Java

      Java exploits don't care what browser you're running.
      toadlife
    • Opera?

      It seems to me that Opera (a nice browser) uses Explorer for it's engine. Any corrections on this?
      aussiedawg
      • IT uses both the . . .

        Explorer engine and the Gecko engine to browse with, from my understanding. It can mask itself as IE for those Websites that are set up to only deal with it, otherwise it relies on the gecko engine (I may be wrong on this, it's been a while since I seen the info about it). You should be able to find out more at Opera's website . . .
        JLHenry
        • My mistake . . .

          I was thinking about the Netscape browser from a couple of years ago . . .
          JLHenry
  • Every time I think I know everything...

    I get introduced to another tool, thanks so much for mentioning that Inspector tool, it will come in real handy when optimizing other people's machines.

    Time for a Flash and Java update myself...
    BillyG_n_SC