Trojan Distributed in New Mass Injection Attack via Java Downloader

[Malcontent]

http://news.softpedia.com/news/Troja...r-174971.shtml

Quote:

Security researchers warn that a new mass injection attack is underway directing the visitors of hundreds of websites to a malicious Java applet which downloads a trojan.

According to Denis Sinegubko, the creator of the Unmask Parasites Web scanner, the malicious code is added at the end of HTML pages on compromised websites and takes the form of an obfuscated JavaScript function.

When parsed by the browser, this function adds a rogue IFrame to the HTML document, which loads a new.htm page from aubreyserr.com, medien-verlag.de or yennicq.be.

According to statistics from Google's Safe Browsing service, around 2,000 websites link to these domains, giving a rough estimation of the attack's impact so far.

The page called by the IFrame loads a Hidden.jar applet deceptively titled "Java Update." This is a Java OpenConnection-type downloader whose only purpose is to download and execute a file called host.exe.

The three domains serving the malware are actually legitimate, but their corresponding websites have been compromised.

[Searching_ _ _]

Quote:

A-ha! If you don't have any zero-days, you can always go back to exploiting the human! This is independent of the JRE version used - with JRE default settings, even on JRE1.6-23, all the user has to do is click "Run" to get owned. The one small improvement is that the latest JREs show "Publisher: (NOT VERIFIED) Java Sun" in the pop-up, but I guess that users who read past the two exclamation marks will be bound to click "Run" anyway ...

http://isc.sans.edu/diary.html?storyid=10168