Sundown ?????????????????????? Internet Explorer ?????????
Sundown 悪用ツールキットは、CVE 2015-2444 の脆弱性に対する悪用コードをいち早く統合し、最近の水飲み場型攻撃に利用しています。
Read More
Sundown 悪用ツールキットは、CVE 2015-2444 の脆弱性に対する悪用コードをいち早く統合し、最近の水飲み場型攻撃に利用しています。
Read More
The Sundown exploit kit has been the first to integrate an exploit for the CVE 2015-2444 bug, using it in a recent watering-hole attack.Read More
Hacking Team で起きたデータ漏えいの余波が、一般ユーザーのオンラインでの安全性についても深刻な影響を及ぼしています。
Read More
Fallout from Hacking Team breach has serious online safety implications for the public.Read More
Adobe Flash Player で見つかった未確認のゼロデイ脆弱性が、Angler 悪用キットによってマルウェアをインストールするために悪用されています。
Read More
Esta vulnerabilidad está siendo utilizada por el Kit exploit Angler para instalar software malicioso.
Read More
Uma vulnerabilidade de dia zero não confirmada no Adobe Flash Player está sendo usada pelo kit de exploração Angler para instalar malware.
Read More
Adobe사가 아직 존재 여부를 확정하지 않은 Adobe Flash Player 제로데이 취약점이 Angler 익스플로잇 킷에 이용되어 악성 코드 설치
Read More
An unconfirmed zero-day vulnerability in Adobe Flash Player is being used by the Angler exploit kit to install malware.Read More
On October 27, while tracking exploit kits (EKs) and infected domains, Symantec discovered that the popular music news and reviews website spin.com was redirecting visitors to the Rig exploit kit. This exploit kit was discovered earlier this year and is known to be the successor of another once popular EK, Redkit. The Rig EK takes advantage of vulnerabilities in Internet Explorer, Java, Adobe Flash, and Silverlight and was also one of the EKs associated with the askmen.com compromise back in June.
At the time of writing, the spin.com website was no longer compromised. However, spin.com is a popular site in the US, according to Alexa, so the attackers could have potentially infected a substantial amount of users’ computers with malware during the time the site was compromised. The number of potential victims could grow substantially depending on the length of time the website was redirecting visitors to the EK prior to our discovery. Our data shows that the attack campaign mainly affected spin.com visitors located in the US.
Figure 1. Symantec telemetry shows visitors based in the US were most affected by spin.com compromise
How the attack worked
The attackers injected an iframe into the spin.com website, which redirected users to the highly obfuscated landing page of the Rig EK.
Figure 2. Injected iframe on compromised spin.com website
When the user arrives on the landing page, the Rig EK checks the user’s computer for driver files associated with particular security software products. To avoid detection, the EK avoids dropping any exploits if the security software driver files are present.
Figure 3. Rig EK searches for driver files used by security software products
The EK then looks for particular installed plugins and will attempt to exploit them accordingly. In the recent compromise, the Rig EK took advantage of the following vulnerabilities:
Upon successfully exploiting any of these vulnerabilities, a XOR-encrypted payload is downloaded onto the user’s computer. The Rig EK may then drop a range of malicious payloads such as downloaders and information stealers including banking Trojan Infostealer.Dyranges, and the infamous Trojan.Zbot (Zeus).
Symantec protection
Symantec has detections in place to protect against the Rig EK and the vulnerabilities exploited by it, so customers with updated intrusion prevention and antivirus signatures were protected against this attack. Users should also ensure that they update their software regularly to prevent attackers from exploiting known vulnerabilities. Symantec provides the following comprehensive protection to help users stay protected against the Rig EK and the malware delivered by it in this recent website compromise:
Intrusion prevention
Antivirus