Malware authors always seem to closely monitor trends in Web security development in order to create a variety of browser-based attacks. Just to name a few, techniques such as code obfuscation, plug-in detection and affiliate management are often used.
This is why we, at M86 Security, weren’t surprised to see a malicious site which loads parts of its attack using AJAX (Asynchronous JavaScript and XML), a method for client-side code to asynchronously exchange data with web servers. The following attack was observed on a currently running server located in China, which is serving malware. So how does this work?
First, there’s a web-page, containing JavaScript code that fetches the other parts of the attack:
This code is very similar to code commonly used in so many web pages nowadays. The main difference is the extra parameters it accepts, which are used to “cut” certain parts from the accepted content, so it could be processed and executed as code later on.
Next, the returned code is used by the exploit. In this case, the code is shellcode:
It’s simple. Using the exact same technique, this web page can load various browser or plugin exploit attempts. In this specific case, the page loads a SWF file exploiting CVE-2010-1297. Other pages on this server are exploiting CVE-2010-0806 and CVE-2010-0249.
The main reason that malware authors use AJAX is the ability to write generic attack pages which look benign and become malicious only once the dynamic content is loaded. This provides an advantage which is also very useful for evading AV detection, since tiny bits of the attack can be loaded one at a time, thus making it very difficult to provide a signature.
Needless to say, M86 SWG customers are protected from such exploitation attempts.
Leave a reply
