Unfortunately, it was only a matter of time. Until today the latest Adobe 0-day vulnerability (CVE-2010-1297) had only been used in targeted attacks. That changed a few hours ago, when we started seeing mass injections adding the following URL to thousands of pages around the world:
hxxp://26[REMOVED].in/y[REMOVED]o.js
As in the targeted attack scenario we blogged about two days ago, our customers are protected by our Websense ACE technology, whereas the AV community still has not caught up. The attack itself uses five different files (detection figures are the number of AV engines flagging each file out of those tested):
y[REMOVED]o.js - the initial loader injected into the compromised pages; it writes an invisible iframe pointing to i[REMOVED].html, detection 0/41 (0.00%). It also loads a statistics script that is not malicious.
i[REMOVED].html - the landing page; it loads l[REMOVED]g.txt and a[REMOVED]ey.swf to launch the exploit, detection 3/40 (7.50%)
l[REMOVED]g.txt - contains the shellcode the exploit needs in order to work, detection 0/40 (0.00%)
a[REMOVED]ey.swf - the Flash file carrying the exploit for CVE-2010-1297, detection 2/41 (4.88%)
l[REMOVED]g.exe - the actual malware that the shellcode downloads and runs, detection 24/41 (58.54%)
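The chain above leaves two things a site owner can look for without any malware signature: a remote script tag from a host that is not their own (typically appended after the closing tag, where a templating engine would never put it), and an iframe sized or styled to be invisible. The scanner below is an added example, not code from the Websense post or from Websense; the hosts `store.example`, `injected.example`, `ads.example` and `partner.example` are placeholders, and the two sample pages are constructed to mirror the described injection, not copies of a real compromised site. The script check is meant for the HTML of a possibly compromised page; the iframe check is meant for a saved DOM dump or for the intermediate page the loader pulls in, since the loader creates the iframe at run time rather than in the static HTML.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a first-party page with a remote script appended after
# </html>, the shape of the injection described above. "store.example" and
# "injected.example" are placeholder hosts, not the redacted domain in the post.
INJECTED_PAGE = """<html><head><title>Store</title>
<script src="http://store.example/Scripts/jquery.js"></script>
<script src="/Scripts/site.js"></script>
</head><body><h1>Welcome</h1></body></html>
<script src="http://injected.example/y.js"></script>"""

# Constructed sample of what a loader script writes into the DOM: a zero-size
# iframe and a display:none iframe, next to a normal-sized one that is benign.
LANDING_PAGE = """<html><body>
<iframe src="http://injected.example/i.html" width="0" height="0"></iframe>
<iframe src="http://ads.example/x.html" style="display:none"></iframe>
<iframe src="http://partner.example/w.html" width="300" height="250"></iframe>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY_SIZES = {"0", "1", "0px", "1px"}


class InjectionScanner(HTMLParser):
    """Flags remote <script src> tags whose host is not first-party and
    <iframe> tags that are sized or styled to be invisible."""

    def __init__(self, first_party_hosts):
        super().__init__()
        self.first_party = {h.lower() for h in first_party_hosts}
        self.findings = []            # (kind, url, where)
        self.after_html_close = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # HTMLParser lower-cases names
        if tag == "script" and a.get("src"):
            host = (urlparse(a["src"]).hostname or "").lower()
            # A relative src has no host and is first-party by definition.
            if host and host not in self.first_party:
                where = "after </html>" if self.after_html_close else "in document"
                self.findings.append(("third-party script", a["src"], where))
        elif tag == "iframe":
            hidden = (
                a.get("width", "").strip().lower() in TINY_SIZES
                or a.get("height", "").strip().lower() in TINY_SIZES
                or HIDDEN_STYLE.search(a.get("style", "")) is not None
            )
            if hidden:
                self.findings.append(("hidden iframe", a.get("src", ""), "in document"))

    def handle_endtag(self, tag):
        if tag == "html":
            self.after_html_close = True


def scan(html, first_party_hosts):
    """Return the list of (kind, url, where) findings for one page."""
    scanner = InjectionScanner(first_party_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for name, page in (("injected page", INJECTED_PAGE), ("landing page", LANDING_PAGE)):
        for kind, url, where in scan(page, ["store.example"]):
            print(f"{name}: {kind} {url} ({where})")
```

Run it over a crawl of your own site with your real hostnames in the allow-list; a script tag that appears after `</html>` on many pages at once is the mass-injection signature this post describes, and a hit there is worth treating as a compromise even when every AV engine still reports the file clean.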
The attack is closely related to the hxxp://ww.robint.us/[REMOVED].js attack earlier this week that our friends at Sucuri blogged about, where the common theme was that all of the compromised Web sites were running on Microsoft IIS with ASP.NET. In fact, the majority of sites compromised by the new mass injection attack still have the robint.us code present. Below is a video of how the attack works and what happens on a user's computer.
Adobe released a patch for this vulnerability yesterday, and we advise all users to install it immediately. Remember, if you use both Internet Explorer and another browser you have to do this twice: Internet Explorer uses the ActiveX version of Flash Player, while all other browsers use the separately installed plugin version, so each one has to be updated on its own.