The most common type of malware seen in Blackhat spam SEO is the fake antivirus. But I also see other types of exploits from time to time. This week, the same malicious page came up on different domains: 4rukel.cz.cc, 4lofs.tk, 1polidsf.co.cc, 1barede.co.cc, 3timesto.tk, 4greaix.cz.cc, 4krudi.cz.cc, etc.
This page is interesting because it uses exploits rather than social engineering to install the malicious code. Below are the details of the exploits / malicious code.
[Image: Original malicious code]
HTML tag. It is retrieved and executed later with code like this:
Like many malicious pages, several exploits are included on this page:
- 2 malicious Java applets, using different techniques for Internet Explorer and Firefox
- PDF exploit
- Quicktime '_Marshaled_pUnk' Remote Code Execution Vulnerability
- Heap spray attack
- Internet Explorer MDAC exploit
- Internet Explorer "iepeers.dll" exploit
- 3 Flash exploits
[Image: Part of the code for the Java exploit]
I believe these exploits come from different sources because the coding style of the various functions varies greatly.
This malicious page tries the different exploits until one is successful. Users need to make sure they keep both their browser and their plugins up to date.
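As an added example (not code from the original post, and not the malicious page's own code), the script below scans an HTML page for the two traits described above: a payload stashed in a hidden HTML tag that a script later reads back and executes, and a cluster of plugin-targeting elements (Java applet, Flash, PDF, QuickTime) on one page. The sample pages, the hidden-element and base64-charset heuristics, and the scoring rule are all constructed for illustration; the exploit page in the post is not reproduced here.

```python
import re
from html.parser import HTMLParser

# Constructed sample landing page: a hidden <div> carries a base64-looking blob,
# a script reads it back via innerHTML and passes it to eval(), and four
# plugin-targeting elements sit on the same page (Java, Flash, PDF, QuickTime).
SAMPLE_HTML = """
<html><body>
<div id="d1" style="display:none">ZG9jdW1lbnQud3JpdGUoJ2NvbnN0cnVjdGVkIHNhbXBsZScpOw==</div>
<script>
var s = document.getElementById('d1').innerHTML;
eval(unescape(s));
</script>
<applet code="Ex.class" archive="ex.jar" width="1" height="1"></applet>
<object type="application/x-shockwave-flash" data="a.swf"><param name="movie" value="a.swf"></object>
<embed src="file.pdf" type="application/pdf" width="1" height="1">
<embed src="m.mov" type="video/quicktime">
</body></html>
"""

# Constructed benign page: reads the DOM but never feeds it to an execution sink.
BENIGN_HTML = ("<html><body><script>var x = document.getElementById('a').value;"
               "console.log(x);</script>"
               "<embed src='v.swf' type='application/x-shockwave-flash'></body></html>")

# Heuristic patterns (assumptions, tuned for the constructed samples).
DOM_READ = re.compile(r"innerHTML|innerText|textContent|getAttribute\s*\(|\.value\b")
EXEC_SINK = re.compile(r"\beval\s*\(|\bFunction\s*\(|document\.write\s*\(|execScript\s*\(")
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/=]{40,}$")
VOID_TAGS = {"embed", "param", "img", "br", "hr", "input", "meta", "link", "area",
             "base", "col", "source", "track", "wbr"}
PLUGIN_HINTS = {
    "java": ("application/x-java", ".jar", ".class"),
    "flash": ("shockwave-flash", ".swf"),
    "pdf": ("application/pdf", ".pdf"),
    "quicktime": ("video/quicktime", ".mov"),
}


class LandingPageScanner(HTMLParser):
    """Collects script bodies, hidden text blobs and plugin-targeting elements."""

    def __init__(self):
        super().__init__()
        self.scripts = []          # text of every <script> block
        self.hidden_blobs = []     # base64-looking text found inside hidden elements
        self.plugin_targets = set()
        self._open = []            # stack of (tag, is_hidden) for non-void elements
        self._in_script = False
        self._buf = []

    def _is_hidden(self):
        return any(hidden for _, hidden in self._open)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        if tag == "script":
            self._in_script = True
            self._buf = []
        if tag in ("applet", "object", "embed", "param"):
            self._note_plugin(tag, a)
        if tag not in VOID_TAGS:
            self._open.append((tag, hidden))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            self.scripts.append("".join(self._buf))
        # Pop the stack back to the matching open tag (tolerates sloppy nesting).
        for i in range(len(self._open) - 1, -1, -1):
            if self._open[i][0] == tag:
                del self._open[i:]
                break

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)
        elif self._is_hidden() and BASE64_BLOB.match(data.strip()):
            self.hidden_blobs.append(data.strip())

    def _note_plugin(self, tag, a):
        if tag == "applet":
            self.plugin_targets.add("java")
        blob = " ".join(a.get(k, "") for k in
                        ("type", "src", "data", "archive", "code", "value")).lower()
        for family, hints in PLUGIN_HINTS.items():
            if any(h in blob for h in hints):
                self.plugin_targets.add(family)


def analyze(html):
    """Return the findings for one page; 'suspicious' combines the two traits."""
    scanner = LandingPageScanner()
    scanner.feed(html)
    scanner.close()
    stash_and_eval = any(DOM_READ.search(s) and EXEC_SINK.search(s) for s in scanner.scripts)
    findings = {
        "stash_and_eval": stash_and_eval,
        "hidden_payloads": len(scanner.hidden_blobs),
        "plugin_targets": sorted(scanner.plugin_targets),
    }
    findings["suspicious"] = stash_and_eval and (
        findings["hidden_payloads"] > 0 or len(scanner.plugin_targets) >= 2)
    return findings


if __name__ == "__main__":
    print(analyze(SAMPLE_HTML))
    print(analyze(BENIGN_HTML))
```

The DOM-read plus execution-sink pairing is what distinguishes the stash-and-execute pattern from ordinary scripts that merely read page content; a page that also wires in several plugin families at once is the multi-exploit shape the post describes. Both rules are coarse and are meant as a triage signal for a web proxy or crawler, not as a verdict.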