Members
  • Total Members: 12816
  • Latest: t114563
Stats
  • Total Posts: 28525
  • Total Topics: 8240
  • Online Today: 825
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)












Author Topic: Attacks spread malware with AppleInsider (ask5.eu, lawyer.com, news.com.au)  (Read 2927 times)

0 Members and 1 Guest are viewing this topic.

Samker

  • SCF Administrator
  • *****
  • Posts: 7206
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum


Malware purveyors are exploiting web vulnerabilities in appleinsider.com, lawyer.com, news.com.au and a dozen other sites to foist rogue anti-virus on unsuspecting netizens.

The ongoing attacks are notable because they use exploits based on XSS, or cross-site scripting, to hide malware links inside the URLs of trusted sites. That's something application security expert Mike Geide doesn't see often. As a result, people who expect to visit sites they know and trust are connected to a page that tries to trick them into thinking their computer is infected.

"What's interesting ... is the fact that it's embedding iframes to redirect people," Geide, who is a senior security researcher at Zscaler, told The Register. "Typically, cross-site scripting is just that - it embeds script tags so it will embed javascript to run."

The malicious links are blasted out on web forums and typically look something like:

Code: [Select]
hxxp://lawyers.com/find_a_lawyer/content_search/results.php?sCHRISTINA%AGUILERA%20ANOREXIC%20PICS%3C%2F%74%69%74%6C%65%3E%3C%69%66%72%61%6D%65%20%73%72%63%3D%2F%2F%61%73%6B%35%2E%65%75%3E


The last chunk of test is hexadecimal-encoded HTML that redirects users to ask5 .eu (a space has been added for your protection). A series of redirect links ultimately leads to a site that looks similar to a Microsoft Windows screen with a popup claiming the PC is overrun with malware. The user is prompted to download rogue anti-virus to fix the imaginary problem.

While it's not the most convincing attack we've ever seen, there's nothing to stop attackers from using the same technique to push web-based exploits, say the Adobe Reader zero-day attack that's now circulating in the wild.

The links work because appleinsider.com and the rest of the sites being abused fail to filter out harmful characters used in XSS attacks.

More about the attack is available from the Zscaler blog here: http://research.zscaler.com/2009/12/xss-embedded-iframes.html

(Register)

Samker's Computer Forum - SCforum.info





 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.scforum.info:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising