« BBC’s ‘Click’ breaks the law or does it?
The Return of the Hijacked Desktop »

Iframes, PDF exploits and RBN

March 18th, 2009

 Our honeypot caught several legit sites that were infected and pushing the same drive-by download. I decided to take a closer look.

Upon visiting the site, a PDF file will open (and crash) trying to run an executable exploiting an Acrobat Reader vulnerability.

costa11

 I dug into the source code of the infected page. Strangely the malicious (and obfuscated) javascript code appears twice. The first occurrence was being commented out (did the web admin try to fix it?) but the second one was still active and in clear text.

costa3

I took a closer look at the JavaScript… It’s all gibberish, so you have to use tools to make it readable. I used the free program Malzilla which revealed the culprit:

costa2

An ugly Iframe!!!

I checked this IP address and it is listed as part of the RBN (Russian Business Network). If you visit that IP, you will see even more obfuscation:

malzilla1 

Anyway, the PDF exploit can be opened with Notepad to reveal the malicious Javascript code: 

costa4

Most AV vendors already detect it:

costa5 

Jerome

RSS feed to this site Twitter Linkedin YouTube Channel

 

RSS feed to this site Jerome Segura is a Security Analyst working at ParetoLogic.

You can contact him at:
MalwareDiaries Email

 

Pages




Security Software




Malware Top 10




Archives




Categories
 
 
 

© 2009 ParetoLogic Inc.