SpeedTest.net Pushed Java Exploit

Discussion in 'other security issues & news' started by EncryptedBytes, Feb 5, 2013.

Thread Status:
Not open for further replies.
  1. EncryptedBytes

    EncryptedBytes Registered Member

    SpeedTest.net, a free service that tests the performance of broadband connections, was compromised and made to serve malware, according to security vendor Invincea. Good write-up:

    http://www.invincea.com/2013/02/pop...mised-by-exploitdrive-by-stopped-by-invincea/

     
  2. Rmus

    Rmus Exploit Analyst

    I've used SpeedTest.net and so I was curious as to what would have happened had I connected to this site during the period in which it hosted the malicious code. From the article:

    "As with most exploits, the legitimate site does not host the malware executables; rather, the site is compromised with code to redirect the user."

    OK, the exploit would fail at this point. Although SpeedTest.net doesn't require the Java Plug-in, even if it did and I had that site whitelisted for Java, upon redirection to a different site not whitelisted, the code exploiting Java would not run.

    I'll pretend the Plug-in was enabled to see what else might happen.

    I've tested in the past that the firewall can alert to any attempt by unauthorized programs (java.exe or javaw.exe) to connect out:

    [Image]


    I've also tested in the past that if executables already installed are whitelisted, no others can install/run (or be loaded, in this case):

    [Image]

    Very true indeed.


    ----
    rich
     
  3. Dark Shadow

    Dark Shadow Registered Member

    I just did this test sometime last week with no problem; it must have been compromised very recently, but I don't have Java - ever.
     
  4. SweX

    SweX Registered Member

    I did a test 2 days ago. But I don't have Java installed.
    Even if the site claims that it requires Java to be installed, the test went just fine. IDK if it used the Flash plugin instead to function properly. :doubt:
     
  5. Rmus

    Rmus Exploit Analyst

    The site requires both Javascript and the Flash Plug-in to work. If one or both are disabled, an error message appears:

    [Image: speedtest.jpg]

    Here is where whitelisting Javascript either within the browser, or using NoScript, lets me down.

    Looking at the exploit analysis in the article, the exploit code injected to the site uses Javascript.

    If I have Javascript disabled, I need to enable it to use the site. When I do that, it also lets the exploit code run and redirects me to the site with the code that exploits the Java plug-in.

    What happens after that depends on several things, as I showed in my first post.


    ----
    rich
     
    Last edited: Feb 6, 2013
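
The post above notes that per-site script whitelisting cannot tell a site's own JavaScript from code injected into it. The following is an added example, not part of the thread or the Invincea article: a site-side audit that lists content loaders on a page pointing at hosts outside an expected set. The page, host names and allowlist are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that make the browser fetch or run remote content, per tag.
LOADER_ATTRS = {"script": ["src"], "iframe": ["src"], "embed": ["src"],
                "object": ["data", "codebase"], "applet": ["archive", "codebase"]}
# Absolute URLs written literally inside inline scripts (obfuscated ones are not caught).
URL_IN_SCRIPT = re.compile(r"""https?://[^\s'"<>)]+""", re.I)

class OffSiteLoaderAudit(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []          # (where, host) in document order
        self._in_script = False

    def _check(self, where, url):
        host = (urlparse(url).hostname or "").lower()   # relative URLs have no host
        if host and host not in self.allowed:
            self.findings.append((where, host))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in LOADER_ATTRS.get(tag, []):
            if attrs.get(name):
                self._check(tag, attrs[name])
        self._in_script = tag == "script" and not attrs.get("src")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for url in URL_IN_SCRIPT.findall(data):
                self._check("inline-script", url)

def audit(html, allowed_hosts):
    parser = OffSiteLoaderAudit(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed page: two expected loaders plus one injected inline redirect.
SAMPLE_PAGE = """<html><head>
<script src="/js/speedtest.js"></script>
<script src="//cdn.speed.example/flash-detect.js"></script>
<script>var f=document.createElement("iframe");f.src="http://redirector.invalid/in.php";document.body.appendChild(f);</script>
</head><body><iframe src="http://ads.partner.example/slot1"></iframe></body></html>"""
ALLOWED = {"cdn.speed.example", "ads.partner.example"}   # hypothetical allowlist
```

Calling `audit(SAMPLE_PAGE, ALLOWED)` returns only the injected redirect target; run against a known-good copy of the page first to build the allowlist.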
  6. niki

    niki Registered Member

    I visited SpeedTest.net just yesterday without any problems. I do have Adobe's Shockwave Flash and NoScript, the latter of which I disabled for the test.

    Luckily the site was fixed as per the above-mentioned article.
     
  7. elapsed

    elapsed Registered Member

    Last I checked it uses Java to try and test line quality, an entirely optional procedure.
     
  8. Noob

    Noob Registered Member

    I used the website a couple days ago also, did not notice anything weird. :D
     
  9. safeguy

    safeguy Registered Member

    Seems like even if you push Javascript and Flash white-listing aside, most folks would be 'saved' by not having Java plug-in enabled within the browser...
     
  10. SweX

    SweX Registered Member

    Ah I see, that's why the actual speed test went fine, but it skipped testing the line quality, which is fine by me as long as I don't need to be bothered with Java.
     