Out of Band Patch and Prevalent Client Side Exploitation

As out-of-band patches are released today, we are not yet seeing memory corruption attacks targeting these newly patched vulnerabilities that effect Internet Explorer 6,7, and 8. Nonetheless, be sure to visit the Microsoft updates site and patch your system soon.

Instead, ThreatFire continues to prevent prevalent attacks from malicious pages like those currently hosted on cxim-way. cn, where javascript identifies third party plugins on the system and attacks the user’s system accordingly. Pseudocode here:

while name = navigator.plugins[i].name

if((name.indexOf(“Adobe Acrobat”) != -1) || (name.indexOf(“Adobe PDF”) != -1))
then iframe src=”cache/readme.pdf
if(name.indexOf(“Foxit Reader”) != -1) then iframe src=”cache/update.pdf
if(name.indexOf(“Flash”) != -1) then iframe src=”cache/flash.swf

The resulting malicious payload is prevented by ThreatFire. “Load.exe” is pulled down from the site on a successfully compromised system, renamed to “pdfupd.exe”, and run. This malicious downloader/dropper currently evades most AV scanners. It drops a couple of drivers, and possibly may be a rustock bot variant, which we are looking further into:

ThreatFire users are protected from multiple layers of the attacks. In addition to patching your system, install a behavioral-based layer of protection on your system.

This entry was posted in The Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>