August 7th, 2008

CNET’s Clientside developer blog serving Adobe Flash exploits

Posted by Dancho Danchev @ 2:57 pm

Categories: Hackers, Browsers, Adobe, Flash, Arbitrary Code Execution, Anti Virus, Malware

Tags: Security, Cybercrime, CNET, Websense, Drive by Malware, Dancho Danchev

Yesterday, Websense Labs issued an alert regarding a compromised CNET blog, namely the Clientside developer blog which has been embedded with a malicious javascript code attempting to exploit the visitors through a well known vulnerability in Adobe Flash’s player. Websense’s alert :

“Websense Security Labs ThreatSeeker Network has discovered that a CNET Networks site has been compromised. The main page of the CNET Clientside Developer Blog contains malicious JavaScript code that de-obfuscates into an iframe that loads its primary malicious payload from a different host. The malicious code is observed to exploit a known integer overflow vulnerability in Adobe Flash (CVE-2007-0071). At the time of this alert, the site is still hosting the malicious code. Visitors who are not patched against this vulnerability will be infected without any user interaction.”

Interestingly, the second javascript obfuscation that they analyzed in the time of detection is different than the one I managed to obtain from a copy of the blog on the 2nd of August. And while it remains unknown for how long has the blog beed embedded with the javascript with the, this malware attack, and the rotating javascripts indicate a compromise compared to the massive SQL injections we’re seeing on daily basis. The embedded javascript code appears to have been removed. Deobfuscating the obfuscated javascript code, attempts to access the live exploit URL from a .info domain that is now down. Historically, the same domain has been used in blackhat search engine optimization campaigns - yet another example of underground multitasking, namely, abusing a single domain for several different fraudulent purposes.

This malware attack should not be treated as an isolated event, it’s the result of today’s major risk-forwarding process, where legitimate sites are starting to serve malware and exploits with an unprecedented growth. Multiple vendors are confirming the trends, for instance, in its latest report, ScanSafe reports 407 percent increase in compromise of legitimate websites,  followed by Sophos, according to which a full 79% of malware-hosting Web sites are legitimate ones, and with Websense stating that more than 75 percent of the Web sites it classified as malicious were actually legitimate ones.

Slowly, but inevitably, the “do no visit unknown and potentially harmful sites” security tip is starting to lose its charm.