Amnesty International Site Serving Java Exploit

Discussion in 'malware problems & news' started by ronjor, Dec 23, 2011.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,727
    Location:
    Texas
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I checked out the site in Opera, and a Fraud Warning popped up:

    opera-fraud2.gif

    Using IE8, no exploit is triggered, and there is no longer an i-frame in the code, so it apparently has been cleaned up.

    The blog title includes "site serving java exploit."

    And the first paragraph states,

    But the second paragraph has,

    So, which site serves up the java exploit/malware?

    This brings up an old complaint of mine. Years ago, "serving up an exploit" referred to a server compromised to load the malware directly. This could be done by compromised FTP, or by an insider placing the malware on the server, the latter being fairly common at universities and colleges in years past.

    Now, this phrase includes any code compromise, such as SQL injection or [in this case] i-frame, which redirects to a site that actually serves up the malware payload.

    I wish for the former distinction - it's clearer in its analysis, and keeps things tidy!


    ----
    rich
     
  3. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,267
    Location:
    England
    Sorry for going slightly off-topic, but just wondering why I get this when trying to go to ronjor's link.
     

    Attached Files:

  4. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    619
    Location:
    Sydney Australia
    This just looks like a parsing error from, I assume, Opera. The site you are connected to is indeed https://krebsonsecurity.com and the certificate is a valid SSL Server Certificate.
     
  5. wat0114

    wat0114 Guest

    IE9 displays an error as well...
     

    Attached Files:

  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Could it be because the content of the website isn't fully secured? I get a red padlock when visiting it, because it includes content in http.
     
  7. wat0114

    wat0114 Guest

    No, I don't think so. In my case the first warning I get is "Only secure content is displayed". The certificate error warning is another, different warning. The site is a mix of secured and unsecured content, thus the first warning, but the certificate warning is covered by a different policy check.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I think you are correct.

    Looking at the krebs site in IE8 I get several messages:

    krebs.gif

    If I click Yes to display only secured stuff, then I get the certificate error:

    krebs2.gif

    If I allow, secured content is displayed. Missing are the RSS feed subscribe message, and many images, including this one:

    http://krebsonsecurity.com/wp-content/uploads/2011/12/ai.png


    Reloading the page in IE8, if I select to view all content, then everything including the images loads.


    ----
    rich
     