Most malicious sites behind spam Search Engine Optimization (SEO) poisoning attacks lead to fake antivirus pages. The malicious sites rely on social engineering, tricking users into thinking their computer is infected and require user interaction to execute and install the malicious file, which is disguised as an anti-virus program.
Well hidden exploits
Over the past 3 days, we've seen some even more dangerous websites using Java exploits and Flash vulnerabilities. These malicious pages do not require any user interaction to infect users. They are also very difficult to detect - the exploits are hidden behind several layers of Javascript redirects and use obfuscation. Also, the attackers allow each IP address to receive the malicious page one time only. After a user or a security tool accesses the malicious domain, any subsequent requests coming from the same IP address get redirected to different, harmless pages. This makes post-infection analysis, and the use of security tools almost useless. You have to make sure that you hit the right page, the right way (correct headers, referer header, form data, etc.) the first time or the exploit will not be revealed. Popular online security scanners like JSunpack or Wepawet cannot be used since all requests to the malicious sites are done from the same IP address.
Java exploit
Mike reported a 300 percent increase of Java exploits last month. These new pages are very similar to what we saw before. A malicious JAR file is launched automatically through a Java ActiveX control vulnerability on Internet Explorer, or through the Java Quick Starter, which is installed silently on Firefox with a recent Java Plugin update. The malicious JAR files are not flagged by most antivirus vendors.
Like all spam SEO, the attack starts with legitimate sites being hacked. New pages are added to target popular search terms, in order to appear in the first few pages of a Google search. When a user clicks on spam SEO links, he actually gets redirected to a different URL such as hxxp://www.hutriken.com/nvu_y/hqpa_b_.php. This page checks to determine if the browser supports Java, and if so, sends the following form with automatically:
The next page (the 4th HTTP request) contains both inline obfuscated Javascript, and an external script (obfuscated as well). Once deobfuscated, the exploit is very simple - it invokes the ActiveX control or the Java Quick Starter with the URL of the malicious JAR file.
If the user, or the security tool, fails at any stage to have the appropriate prerequisites (lacking certain browser capabilities, multiple requests to same page, etc.), it gets redirected to http://google.com/.
Flash exploit
The flash exploit is not as well hidden as the Java exploit, and it is found on fewer links. It consists of a single page with obfuscated Javascript.
The exploit uses a heap spray technique via ActionScript. We've posted an extended analysis of this type of exploit back in December. Like the Java exploit, no user interaction is needed for the exploit to run.
-- Julien
