Most malicious sites behind spam Search Engine Optimization (SEO) poisoning attacks lead to fake antivirus pages. These sites rely on social engineering: they trick users into thinking their computer is infected, and they require user interaction to execute and install the malicious file, which is disguised as an antivirus program.

Well hidden exploits
Over the past three days, we've seen some even more dangerous websites using Java exploits. After a user or a security tool accesses the malicious domain, any subsequent requests coming from the same IP address are redirected to different, harmless pages. This makes post-infection analysis, and the use of security tools, almost useless: you have to hit the right page, the right way (correct headers, Referer header, form data, etc.) the first time, or the exploit will not be revealed. Popular online security scanners like JSunpack cannot be used, since all of their requests to the malicious sites come from the same IP address.
Spam SEO page leading to a Flash exploit

Java exploit
Mike reported a 300 percent increase in Java exploits last month. These new pages are very similar to what we saw before. A malicious JAR file is launched automatically, either through a Java ActiveX control vulnerability in Internet Explorer, or through the Java Quick Starter, which a recent Java plugin update silently installed in Firefox. The malicious JAR files are not flagged by most antivirus vendors.
Like all spam SEO, the attack starts with legitimate sites being hacked. New pages are added that target popular search terms, in order to appear in the first few pages of a Google search. When a user clicks on a spam SEO link, he is actually redirected to a different URL, such as hxxp://www.hutriken.com/nvu_y/hqpa_b_.php. This page checks whether the browser supports Java and, if so, automatically submits the following form:
Detection of Java capabilities
Deobfuscated java exploit code
If the user, or the security tool, fails any of the prerequisite checks at any stage (lacking certain browser capabilities, multiple requests to the same page, etc.), it gets redirected to http://google.com/.
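The single-serve behaviour described above (one chance per IP address, correct headers and form data, and a harmless google.com redirect for anything that fails a check) dictates how a sample has to be captured. The following Python script is an added example, not code from the original post: it sends exactly one GET to a landing page with a Google-search Referer and an Internet Explorer User-Agent, refuses to follow redirects, extracts the auto-submitted form from the response, submits it exactly once with the landing page as Referer (as a browser would), and writes every response to disk before classifying it. The User-Agent string, the host landing.example, the output file names and the embedded SAMPLE_LANDING page are constructed assumptions; the decoy check treats any redirect to google.com as the harmless page the post describes.

```python
"""One-shot capture of a single-serve exploit chain.
Added example, not code from the original post. The landing URL, search term,
User-Agent string and SAMPLE_LANDING below are constructed for illustration."""
import sys
import urllib.error
import urllib.request
from html.parser import HTMLParser
from urllib.parse import quote_plus, urlencode, urljoin, urlparse

# Constructed stand-in for a landing page that probes Java and auto-submits a form.
SAMPLE_LANDING = """<html><body>
<form name="f" action="/nvu_y/go.php" method="post">
<input type="hidden" name="j" value="1">
<input type="hidden" name="v" value="1.6.0_15">
</form>
<script>document.f.submit();</script>
</body></html>"""


def make_request_headers(referer):
    """Headers a victim browser would send: IE arriving from a search result.
    The User-Agent string is an assumption, not taken from the post."""
    return {
        "User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
        "Referer": referer,
        "Accept": "text/html,application/xhtml+xml,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
    }


class AutoSubmitFormParser(HTMLParser):
    """Collects the first <form> on the page and its named <input> fields."""

    def __init__(self):
        super().__init__()
        self.action, self.method, self.fields = None, "GET", {}
        self._in_form = self._done = False

    def handle_starttag(self, tag, attrs):
        if self._done:
            return
        a = dict(attrs)
        if tag == "form" and not self._in_form:
            self._in_form = True
            self.action = a.get("action") or ""
            self.method = (a.get("method") or "GET").upper()
        elif tag == "input" and self._in_form and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form" and self._in_form:
            self._in_form, self._done = False, True


def extract_autosubmit_form(html, base_url):
    """Return (method, absolute action URL, fields), or None if no form is present."""
    p = AutoSubmitFormParser()
    p.feed(html)
    if p.action is None:
        return None
    return p.method, urljoin(base_url, p.action), p.fields


def classify_response(status, headers):
    """'decoy' for the harmless google.com redirect, 'redirect' for any other 3xx,
    'candidate' for a body worth keeping and analysing offline."""
    if not 300 <= status < 400:
        return "candidate"
    loc = headers.get("Location") or headers.get("location") or ""
    host = (urlparse(loc).hostname or "").lower()
    if host == "google.com" or host.endswith(".google.com"):
        return "decoy"
    return "redirect"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # A redirect is a result to record, never something to follow automatically.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_once(url, referer, data=None):
    """Exactly one request: no retries, no redirect following."""
    body = urlencode(data).encode() if data else None
    req = urllib.request.Request(url, data=body, headers=make_request_headers(referer))
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=20) as resp:
            return resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as e:  # 3xx lands here because we refuse to follow it
        return e.code, e.headers, e.read()


def capture_chain(landing_url, search_term):
    """GET the landing page once, then submit its auto-submitted form once."""
    referer = "http://www.google.com/search?q=" + quote_plus(search_term)
    status, hdrs, body = fetch_once(landing_url, referer)
    open("step1_landing.html", "wb").write(body)  # save before deciding anything
    verdict = classify_response(status, hdrs)
    if verdict != "candidate":
        return ["landing:" + verdict]
    form = extract_autosubmit_form(body.decode("latin-1"), landing_url)
    if form is None:
        return ["landing:candidate", "form:none"]
    method, action, fields = form
    if method == "POST":  # the browser would send the landing page as Referer
        status, hdrs, body = fetch_once(action, landing_url, fields)
    else:
        status, hdrs, body = fetch_once(action + "?" + urlencode(fields), landing_url)
    open("step2_exploit.bin", "wb").write(body)
    return ["landing:candidate", "form:" + classify_response(status, hdrs)]


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: capture.py <landing_url> <search term>
        print(capture_chain(sys.argv[1], sys.argv[2]))
    else:  # offline demonstration on the constructed sample page
        print(extract_autosubmit_form(SAMPLE_LANDING, "http://landing.example/nvu_y/hqpa_b_.php"))
        print(classify_response(302, {"Location": "http://google.com/"}))
```

Run it from a throwaway network vantage point, since the first request from an IP address is the only one that will ever see the exploit; if step two comes back as `decoy` or `redirect`, the headers or form data were not what the gate expected and a second attempt from the same address will not help.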
Obfuscated Flash exploit
The exploit uses a heap spray technique via ActionScript. We posted an extended analysis of this type of exploit back in December. As with the Java exploit, no user interaction is needed for the exploit to run.