Does Kik Messenger Pose a Danger to Your Kids?

With more than 50 million users, and reportedly growing by 20,000 every day, Kik has become one of the most popular messaging apps on the market. It is widely used as a messaging portal between those who want to connect privately away from other social media (Facebook, Twitter, and Instagram). But more importantly, it has become Read more…

Have you Drilled the “3Ws” Into Your Kids’ Heads?

At least once a week I see an otherwise intelligent teenager posting online that he or she is “psyched” about getting some “me time” alone at home. Sometimes it’s a photo on Instagram or a seemingly harmless little tweet on Twitter that says: “me and my bestie are chillin’ at home alone. I love my Read more…

How the Proliferation of Mobile Devices is Impacting Consumer Security

Mobile technology is the new frontier for fraudsters. Most of us don’t protect our smartphones or tablets—and the private information they contain—anywhere near as well as we do our wallets and PCs (even though most of us would rather lose our wallets than our smartphones). Even the simple safeguard of a four-digit password is too much Read more…

Rendering the Web Red with Redkit

On June 26, we observed an exploit kit attack on the Segway website. Symantec has notified Segway about the attack and Segway has since taken steps to ensure their website is no longer compromised. This blog will look at the details of an attack using the Redkit exploit kit.

Attack details

Code is injected into a jQuery script.


Figure 1. jQuery script with code injection

The malicious code is present in the jquery.min.js JavaScript.


Figure 2. Malicious code in jquery.min.js

The injected JavaScript decodes to a malicious iframe, which redirects to a landing page. This also sets up a cookie after the redirection so that users are not compromised more than once.

Figure 3. JavaScript decodes to a malicious iframe (encoded script shown first, followed by its decoded form)

The iframe redirects to a Redkit landing page:

  • [REMOVED]. [REMOVED].co.uk/abcd.html

The landing page loads the Java Network Launch Protocol (JNLP) to call the malicious JAR files. On successful exploitation, the JAR files use “Open Connection” and receive the URL from “param value=” in an obfuscated form.


Figure 4. Obfuscated URL received from “param value=”

The encoded string resolves to:

  • http://[REMOVED]. [REMOVED].co.uk/19.html

The JNLP script is used to deploy the malicious JAR files on the user’s computer.


Figure 5. JNLP script used to deploy malicious JAR files

The URI for the JAR files:

  • http://[REMOVED]. [REMOVED].co.uk/8o.jar

Current JAR file names are two characters long, such as 80.jar, sj.jar, and 7t.jar. These JAR files download an encrypted payload and employ cipher schemes to decrypt it.

The JAR files used in this attack exploit a Java type confusion vulnerability (CVE-2012-1723).


Figure 6. Java type confusion being exploited

The cipher scheme used to decode the URL, which is passed as a param through JNLP, is a simple character substitution.


Figure 7. Cipher scheme used to decode URL
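As an added illustration of the JNLP-to-JAR hand-off and the character-substitution decoding described above (example code written for this page, not Symantec's tooling or the kit's own code): the substitution table, the hostnames and the JNLP document are all constructed here, since the real table exists only in Figure 7.

```python
import string
import xml.etree.ElementTree as ET

# Constructed substitution table (assumption: the real table is in Figure 7 and is
# not reproduced here). Every plaintext character maps to one cipher character, so
# decoding is just the inverse lookup; no key or secret is involved.
PLAIN = string.ascii_lowercase + string.ascii_uppercase + string.digits + ":/.-_"
CIPHER = PLAIN[17:] + PLAIN[:17]          # a fixed permutation of the same alphabet
ENCODE = str.maketrans(PLAIN, CIPHER)
DECODE = str.maketrans(CIPHER, PLAIN)     # inverse table used by the analyst

def obfuscate(url: str) -> str:
    """Forward substitution; used only to build the constructed sample below."""
    return url.translate(ENCODE)

def deobfuscate(value: str) -> str:
    """Reverse the substitution; characters outside the table pass through unchanged."""
    return value.translate(DECODE)

# Constructed JNLP modelled on the pattern the post describes: a two-character JAR is
# launched and an obfuscated URL is handed to it through <param value=...>.
PAYLOAD_URL = "http://landing.example.invalid/19.html"      # placeholder host
SAMPLE_JNLP = f"""<jnlp spec="1.0" codebase="http://landing.example.invalid/">
  <information><title>x</title><vendor>x</vendor></information>
  <resources>
    <j2se version="1.6+"/>
    <jar href="8o.jar" main="true"/>
  </resources>
  <applet-desc name="x" main-class="x" width="1" height="1">
    <param name="v" value="{obfuscate(PAYLOAD_URL)}"/>
  </applet-desc>
</jnlp>"""

def jar_hrefs(jnlp_text: str) -> list[str]:
    """List the JAR files a JNLP document would pull (short names are a Redkit trait)."""
    root = ET.fromstring(jnlp_text)
    return [j.get("href") for j in root.iter("jar")]

def recover_param_urls(jnlp_text: str) -> dict[str, str]:
    """Return {param name: decoded value} for every <param> the JNLP passes to the applet."""
    root = ET.fromstring(jnlp_text)
    return {p.get("name"): deobfuscate(p.get("value", "")) for p in root.iter("param")}
```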

Several pieces of malware are dropped in this attack:


Figure 8. Attack scenario

Conclusion

Redkit has been available since early 2012 and still propagates in the same way: compromised sites carrying a malicious iframe redirect to the exploit kit landing page, as observed in this case, and plugin-detection scripts then fingerprint the victim’s browser, just as other exploit kits do.

Recently, we have observed landing pages with the following URI patterns:

  • [REMOVED]. [REMOVED]/hfiv.htm
  • [REMOVED]. [REMOVED]/hmtg.htm
  • [REMOVED].[REMOVED]/hmtg.htm

Redkit has started deploying JAR files by using a JNLP script as the plugin that loads them. The dropped JAR files have numbered names such as 11.jar or 123.jar. The JAR files are obfuscated and exploit the latest Java vulnerabilities. The payload for these files is encrypted.
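The landing-page, JNLP and JAR naming patterns listed above lend themselves to a proxy-log check. The following is an added example (not from the post or Symantec) that flags a client only when the full chain, landing page then JNLP then short-name JAR, is seen on one host; the log lines and hostnames are constructed.

```python
import re
from collections import defaultdict

# Constructed proxy log (not from the post): "client host path content_type" per line.
SAMPLE_LOG = """\
10.0.0.5 www.example.invalid /index.html text/html
10.0.0.5 www.example.invalid /js/jquery.min.js application/javascript
10.0.0.5 lp.example.invalid /hmtg.htm text/html
10.0.0.5 lp.example.invalid /launch.jnlp application/x-java-jnlp-file
10.0.0.5 lp.example.invalid /8o.jar application/java-archive
10.0.0.7 cdn.example.invalid /lib/commons-io.jar application/java-archive
10.0.0.9 lp.example.invalid /hfiv.htm text/html
"""

# Patterns taken from the post: hfiv.htm / hmtg.htm / abcd.html landing pages,
# two-character JARs (8o.jar, sj.jar, 7t.jar) and numbered JARs (11.jar, 123.jar).
LANDING = re.compile(r"^/(?:[a-z]{4}\.htm|abcd\.html)$")
JAR_NAME = re.compile(r"^/(?:[a-z0-9]{2}|\d+)\.jar$")
JNLP_TYPE = "application/x-java-jnlp-file"

def parse(log_text):
    """Yield (client, host, path, content_type) tuples from the constructed format."""
    for line in log_text.splitlines():
        client, host, path, ctype = line.split()
        yield client, host, path, ctype

def find_redkit_chains(log_text):
    """Return (client, host, jar_path) for each client that walks the whole chain.

    Requiring all three stages on the same host keeps a lone four-letter .htm or a
    legitimate JNLP launch from firing on its own; single stages are too noisy alone.
    """
    stage = defaultdict(dict)   # client -> {host: 1=landing seen, 2=JNLP seen, 3=JAR seen}
    hits = []
    for client, host, path, ctype in parse(log_text):
        seen = stage[client].get(host, 0)
        if seen == 0 and LANDING.match(path):
            stage[client][host] = 1
        elif seen == 1 and (ctype == JNLP_TYPE or path.endswith(".jnlp")):
            stage[client][host] = 2
        elif seen == 2 and JAR_NAME.match(path):
            stage[client][host] = 3
            hits.append((client, host, path))
    return hits
```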

Redkit exploits several Java vulnerabilities:

Redkit is known to drop:

Symantec blocked approximately 150,000 Redkit attacks last month.


Figure 9. Geographical distribution of attacks

North American, European, and USSR regions are the most affected geographical areas. The motive for these attacks is generally to compromise users for monetary gain. Recently, these attacks have also targeted organizations in order to steal intellectual property.

Protection

The good news is that Symantec provides comprehensive protection for Redkit attacks, and customers with updated intrusion prevention and antivirus signatures are protected. Intrusion Prevention scans all the network traffic that enters and exits your computer and compares this information against a set of attack signatures, protecting users against the most common Internet attacks.

Symantec has the following protection in place to protect customers from this attack:

Intrusion prevention:

Antivirus:

Shady practices of free download servers

Many internet users employ simple tricks when they want to find some interesting software or computer game. They type the desired program’s name into the search bar, add the word “download” and hit enter. In most cases, the first few results from the search engine usually belong to free download servers. I recently followed some […]

Microsoft Security Advisory (2755801): Update for Vulnerabilities in Adobe Flash Player in Internet Explorer – Version: 14.0

Revision Note: V14.0 (July 9, 2013): Added the 2857645 update to the Current Update section.
Summary: Microsoft is aware of vulnerabilities in Adobe Flash Player in Internet Explorer on all supported editions of Windows 8, Wind…

Dissecting Operation Troy: Cyberespionage in South Korea

Today we announce the McAfee Labs report Dissecting Operation Troy: Cyberespionage in South Korea, the results of a four-month investigation into the events surrounding the cyberattack Dark Seoul, which occurred on March 20. The group behind Dark Seoul was involved in more than what previous reports have covered: DDoS attacks dating from 2009 and the Read more…

Cyber Beauty Pageants – #Shocking

A new trend in Instagram is user generated beauty contests and it has to be one of the most concerning trends of 2013. Within a short space of time, Instagram has become so much more than a platform for sharing harmless snapshots of pets and holidays. Now there are online beauty contests that encourage teen Read more…

Security tips from AVAST Forum Evangelists

The AVAST forum is one of our largest and most active communities, with more than 300,000 users. The most active people on the forum are called Evangelists. They spend a great deal of their free time answering user questions and helping to sort out issues of all kinds. You can meet them on the AVAST […]

Rise of the Java Remote Access Tools

We recently came across an attack campaign which looked quite unusual compared to the standard attacks normally seen in the wild. This campaign is targeting government agencies by sending phishing emails with a malicious attachment. Nothing new so far,…