Amnesty International Site Serving Java Exploit

Discussion in 'malware problems & news' started by ronjor, Dec 23, 2011.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,910
    Location:
    Texas
    ronjor, Dec 23, 2011
    #1
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I checked out the site in Opera, and a Fraud Warning popped up:

    opera-fraud2.gif

    Using IE8, no exploit is triggered, and there is no longer an i-frame in the code, so it apparently has been cleaned up.

    The blog title includes "site serving java exploit."

    And the first paragraph states,

    But the second paragraph has,

    So, which site serves up the java exploit/malware?

    This brings up an old complaint of mine. Years ago, "serving up an exploit" referred to a server compromised to load the malware directly. This could be done by compromised FTP, or by an insider placing the malware on the server, the latter being fairly common at universities and colleges in years past.

    Now, this phrase includes any code compromise, such as SQL injection or [in this case] i-frame, which redirects to a site that actually serves up the malware payload.

    I wish for the former distinction - it's clearer in its analysis, and keeps things tidy!


    ----
    rich
     
    Rmus, Dec 23, 2011
    #2
  3. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,076
    Location:
    UK
    Sorry for going slightly off-topic but just wondering why I get this when trying to go to ronjor's link
     

    Attached Files:

    stapp, Dec 23, 2011
    #3
  4. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    This just looks like a parsing error from I assume Opera. The site you are connected to is indeed https://krebsonsecurity.com and the certificate is a valid SSL Server Certificate.
     
    stackz, Dec 24, 2011
    #4
  5. wat0114

    wat0114 Guest

    IE9 displays an error as well...
     

    Attached Files:

    wat0114, Dec 26, 2011
    #5
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Could it be because the content of the website isn't fully secured? I get a red padlock when visiting it, because it includes content in http.
     
    m00nbl00d, Dec 26, 2011
    #6
  7. wat0114

    wat0114 Guest

    No I don't think so. In my case the first warning I get is "Only secure content is displayed". The certificate error warning is another, different warning. The site is a mix of secured and unsecured content, thus the first warning, but the certificate warning is covered by a different policy check.
     
    wat0114, Dec 26, 2011
    #7
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I think you are correct.

    Looking at the krebs site in IE8 I get several messages:

    krebs.gif

    If I click Yes to display only secured stuff, then I get the certificate error:

    krebs2.gif

    If I allow, secured content is displayed. Missing are the RSS feed subscribe message, and many images, including this one:

    http://krebsonsecurity.com/wp-content/uploads/2011/12/ai.png


    Reloading the page in IE8, if I select to view all content, then everything including the images loads.


    ----
    rich
     
    Rmus, Dec 26, 2011
    #8
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...