Zscalerのブログ

Zscalerの最新ブログ情報を受信

購読する
Latest Victim Of An Exploit Kit - Lenovo, India
Security Research

Latest Victim Of An Exploit Kit - Lenovo, India

image
THREATLABZ
May 03, 2011 - 2 分で読了
Security Insights

コンテンツ

  1. Article
  2. おすすめのブログ
 
 
 
Update 05/04/11 @ 7.49pm IST: Thanks to feedback from an Anonymous blog poster, I've done some further investigation and this attack actually appears to be tied to the Incognito Exploit kit as opposed to the Blackhole Exploit kit.
 
Back in February, I posted a blog about the rising prevalence of attacks involving Blackhole exploit kits. We received numerous comments and emails about the same threat being found on various websites from our blog readers. The toolkit has been linked to from numerous compromised websites, which in turn have victimized a number of their visitors. Attackers are injecting malicious iframes into the legitimate sites, which in turn redirect to malicious websites hosting the Blackhole Incognito exploit kit. We have observed and identified such compromised sites due to Zscaler’s advanced security features in our solution. The latest victim is Lenovo, India whose website for product warranties has been compromised, redirecting visitors silently to the Blackhole Incognito exploit kit. Here is the screenshot of the home page of the compromised Lenovo site:
 
Image
 
One of the pages on the site, http://www.lenovowarranty.co.in/regspacks2.asp, is infected with a malicious iframe. Here is the screenshot of that page:
ImageIf you look at the source of page, you will find the malicious iframe injected into the source code as shown below:
 
Image
The malicious iframe points to the site “hxxp://nemohuildiin.ru/tds/go.php?sid=1". This malicious site actually redirects the user to another malicious website hosting the Blackhole Incognito exploit kit. Here is the packet capture when you visit the mentioned malicious site:
 
ImageObserving the “Location” field in the HTTP header, we see the user is being redirected to another malicious website hosting the malicious toolkit, a common pattern that we’ve seen in the past. The malicious website “hxxp://andromari.cx.cc” returns obfuscated malicious JavaScript code to exploit different vulnerabilities and downloads malicious binaries. Here is the screenshot of the malicious JavaScript sent by this kit
 
ImageI am not going into the details of the exploits themselves as they are related to the same vulnerabilities and toolkit, which I have discussed in an earlier blog. The malicious site hosting the Blackhole Incognito exploit kit only attempts to exploit the victim on their first visit. If you revisit this site, it will either redirect you to Google or simply return a “Page not found” error.

This post further supports my claim in an earlier blog, which states that “Blackhole exploit kits are rising”.

Blackhole is Exploit kits are definitely a Bad Hole bad for web security.


Umesh
 
form submtited
お読みいただきありがとうございました

このブログは役に立ちましたか?

vote yes
はい
vote no
いいえ

免責事項:このブログは、Zscalerが情報提供のみを目的として作成したものであり、「現状のまま」提供されています。記載された内容の正確性、完全性、信頼性については一切保証されません。Zscalerは、ブログ内の情報の誤りや欠如、またはその情報に基づいて行われるいかなる行為に関して一切の責任を負いません。また、ブログ内でリンクされているサードパーティーのWebサイトおよびリソースは、利便性のみを目的として提供されており、その内容や運用についても一切の責任を負いません。すべての内容は予告なく変更される場合があります。このブログにアクセスすることで、これらの条件に同意し、情報の確認および使用は自己責任で行うことを理解したものとみなされます。

おすすめのブログ

A cyber criminal shopping for malware

Agniane Stealer: Dark Web’s Crypto Threat

投稿を読む
Business people walking through a city

The Impact of the SEC’s New Cybersecurity Policies

投稿を読む
Digital cloud illuminated in blue

Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)

投稿を読む
TOITOIN Trojan

The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region

投稿を読む

01 / 02

Zscalerの最新ブログ情報を受信

このフォームを送信することで、Zscalerのプライバシー ポリシーに同意したものとみなされます。