Virus hunters at Symantec have stumbled upon a malicious server using an attack framework that intelligently chooses exploits based on the client’s browser.
This is the first sign of the type of reconnaissance attacks predicted by by white hat researchers (See: Do you know what’s leaking out of your browser?) and signals a new level of sophistication in the exploit packs powering drive-by malware downloads.
Symantec virus analyst Darren Kemp said the malicious server (which is currently up and running) was discovered by one of the company’s DeepSight Honeypot. The server is hosting exploits for several several high-profile vulnerabilities, including the Windows animated cursor (.ani) flaw patched by Microsoft earlier this year.
Here’s the blow-by-blow of the attack:
> Upon connecting to the malicious site, an immediate attempt is made to exploit the moldy old MDAC RDS.Dataspace ActiveX control vulnerability.
> If that exploit fails, the framework uses a JavaScript function to perform rudimentary browser detection. If Internet Explorer is detected, the target is redirected to a page hosting an animated cursor exploit.
> If Mozilla Firefox is detected, the victim is redirected to a separate page hosting an embedded Apple QuickTime exploit.
The QuickTime exploit takes aim at the TRSP URI remote buffer overflow vulnerability that was first discussed on the MoAB (Month of Apple Bugs) project in January, 2007.
“Interestingly, no obfuscation tricks are used to try to bypass IDS/IPS systems. This is particularly unusual for these types of attacks,” Kemp said. However, he noted that some of the exploits are using encoded payloads.
The reconnaissance element of this attack — which is different from the MPack drive-bys earlier this month — increases the reliability of these drive-by downloads which typically fire exploits at victims, regardless of whether a vulnerability exists.
In this case, the exploit framework is deliberate about firing attacks with a higher success rate.
In addition to the MDAC, .ani and QuickTime vulnerabilities, the framework includes exploits for a Sun Java RunTime Environment GIF images buffer overflow.
Kemp also notes that the exploit framework is still a work-in-progress:
The code contains references to class identifiers for IncrediMail and Yahoo! Instant Messenger ActiveX controls for which high-profile exploits were released recently. Additionally, a commented-out line of code contains a list of keywords associated with recent vulnerabilities and various anti-virus products.
Although these parts are not fully implemented, the presence of this information suggests that this framework is undergoing continuous development. Exploits for these issues will likely be added in the near future.
The standard advice to avoid these drive-bys apply: Make sure your Windows machine is fully updated with patches — from Microsoft and applicable application vendors. A good place to start is the Secunia Software Inspector, a tool that scans and pinpoints weak spots on a Windows computer.
