New vulnerabilities in the Oracle’s Java Runtime Environment (JRE) have been recently discovered in the wild (first vulnerability originally reported by Fireeye, the second described by Esteban Guillardoy). The vulnerabilities targets newest version of JRE (1.7) and even with the latest update (JRE 1.7 update 6) your machine is in danger and easily exploitable. According to the Oracle’s patching cycle the patch is out of sight. So scary and Java again! But it is even worse!
The most successful exploit kit has quickly adopted these bugs which was predicted by the Brian Krebs earlier. So, all the current Blackhole campaigns use these exploits in order to infect victims. In addition, the exploitation is confirmed to work using Internet Explorer, Firefox, Opera, Google Chrome and also Safari on multiple platforms including Windows, Linux and MacOS.
Do you really think this can’t be worse? Oracle knew about these (and also other) vulnerabilities since April according to the Adam Gowdiak, the founder and CEO of Polish security firm Security Explorations.
A new method of producing malicious PDF files has been discovered by the avast! Virus Lab team. The new method is more than a specific, patchable vulnerability; it is a trick that enables the makers of malicious PDF files to slide them past almost all AV scanners.
Overall, PDF specifications allow many different filters (such as ASCII85Decode, RunLengthDecode, ASCIIHexDecode, FlateDecode, …) to be used on raw data. In addition, there is no limit on the number of the filters used for a single data entry. Anyone can create valid PDF files where the data uses, for example, five different filters or five layers of the same filter. All of these features are based on extremely liberal specifications, a fact which allows bad guys to utilize malicious files in a way that does not allow antivirus scanners access to the real payload.
The new trick is based just on one filter, so it doesn’t sound exciting, does it? So what’s the reason for posting this blog post?
The filter used to encrypt text data is meant to be used only for black and white images. And apart from avast!, probably no other AV scanner is currently able to decode the payload because no other AV can detect those PDF files.
Various exploit packs are getting very popular these days. Using them is easy way to infect thousands computers around the world. Each exploit package is composed of several exploits (mostly actual vulnerabilities). Sometimes it is single file which contains all the exploits. More often, each exploit is represented by a different file. This technique seems to be more successful for attack, because antivirus software may detect only part of the exploit pack. The rest of the pack which is still undetected may serve new malware to users. This article describes the structure and activities of one of the more complex exploit pack.
Infections inserted into valid websites are often an iframe/script tag itself, sometimes the simple encryption functions are used and sometimes very complex algorithms are used to hide the redirection process. But all these methods have the same objective – to redirect users to malware distribution websites hosting various exploit packs. There are also infections that are trying to imitate well-known and often used services – mostly Google related services – with Google Analytics being number one. It started with small changes in the urls used by these services, for example “analytics” -> “analitics” and so on. In this article I will describe two new infections that imitate well-known Google service in more complex manner, which at first look seem to be legitimate.
A new type of malware has been found today which uses the Google search engine database for hosting. Werner Klier (virus researcher from GData) pointed us to one very puzzling result of Google search. This result was detected as malware with avast! from the beginning. It is however a very interesting approach from malware creators – using Google to host their malware. Here I’ll describe how this infection works (virus researchers from GData, Ralf Benzmüller and Armin Büscher, reached the same conclusion).
In the previous month the World Wide Web was subject to one of the heaviest attacks since it first came into existence. Thousands of legitimate websites were attacked by the Trojan horses JS:Redirector-H and JS:Redirector-J, the aim of which was to infect millions of unsuspecting users. avast! was the first antivirus program to detect the infection right at the start and all users of avast! were protected throughout the duration of the attack. Now, more than a month after the attack was first detected, it is possible to assess the attack.