Owned! How the heck!?@!, hrmmm Oh now I see.

August 6, 2008


An attack vector that is currently in vogue is exploiting legitimate websites such as www.cnn.com via SQL injection to plant hostile IFrames into the site's pages, sometimes all of them. The IFrames are invisible because their dimensions are set to 0x0. Their content is highly obfuscated JavaScript that bounces to other IFrames over and over and finally lands on a site hosting a malicious web page built to identify the user agent (i.e. which browser you are using) and then run a version-, product-, platform- and geographic-region-specific series of exploits against the user's system, which has unpatched vulnerabilities either in the OS/browser or, as is now the trend, in ancillary applications such as browser helper ActiveX objects and file parsers for Flash, JPEG and QuickTime.
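As an added example (not part of the original post), here is a small Python check a site operator could run over their own served pages to flag the invisible IFrames described above: frames sized 0x0 through attributes, or hidden through inline CSS. The sample HTML and the hostnames in it are constructed for the example.

```python
"""Flag iframes that are invisible (0x0 or hidden via inline CSS).

Added example, not code from the original post. Defender-side check for
the injected-IFrame symptom described above: a legitimate page that
suddenly carries an IFrame sized 0x0. The sample HTML below is constructed.
"""
import re
from html.parser import HTMLParser

# Constructed sample page: one normal iframe plus two hidden ones.
# The ".invalid" hosts are placeholders, not real indicators.
SAMPLE_HTML = """
<html><body>
<h1>Breaking news</h1>
<iframe src="https://video.example/player" width="640" height="360"></iframe>
<p>Story text...</p>
<iframe src="http://injected.invalid/x.php" width="0" height="0"></iframe>
<iframe src="http://injected.invalid/y.php" style="display:none;width:0px;height:0px"></iframe>
</body></html>
"""

# Matches "0", "00", "0px", "0%" with optional whitespace.
_ZERO = re.compile(r"^\s*0+(px|%)?\s*$", re.IGNORECASE)


def _is_zero(value):
    """True if an attribute or CSS value denotes a zero dimension."""
    return value is not None and bool(_ZERO.match(value))


def _style_hides(style):
    """True if inline CSS makes the frame invisible (zero size or hidden)."""
    if not style:
        return False
    props = {}
    for decl in style.split(";"):
        if ":" in decl:
            key, val = decl.split(":", 1)
            props[key.strip().lower()] = val.strip().lower()
    if props.get("display") == "none" or props.get("visibility") == "hidden":
        return True
    return _is_zero(props.get("width")) and _is_zero(props.get("height"))


class HiddenIframeFinder(HTMLParser):
    """Collects (src, reason) for every iframe that would not be visible."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): v for k, v in attrs}
        src = a.get("src", "")
        if _is_zero(a.get("width")) and _is_zero(a.get("height")):
            self.hits.append((src, "width/height attributes are 0"))
        elif _style_hides(a.get("style")):
            self.hits.append((src, "hidden via inline style"))


def find_hidden_iframes(html):
    """Return a list of (src, reason) tuples for hidden iframes in `html`."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE_HTML):
        print(f"suspicious iframe: {src!r} ({why})")
```

Run it against rendered pages pulled from your own site (or against the database columns that feed them) and treat any hit whose `src` is not a domain you own as something to investigate; the check is deliberately narrow so that it produces few false positives on legitimately sized frames.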

Sometimes it takes a whole organization to set this up, but there are entire packages that enable this crimeware to work and even report back to the operator, enterprise-reporting style, via digital dashboards. Fortunately there is a lot of competition now, and access to these kits is getting easier. They typically rely on PHP and other scripting languages with a typical database backend.

When this whole enchilada works, however, you basically have organizations PWNing their own customers and facilitating the theft of their information. Each victim that visits the site gets a nasty little downloaded piece of malware, most likely packed to get around their antivirus, injected into their explorer.exe process to evade firewalls, and instructed via shellcode to open a reverse shell out of their organization or drop additional modular capabilities. All in all, it's an ugly day.

Some of these obfuscators are even commercial, sold under the guise of intellectual property protection.
