Unique 'fileless' bot exploit discovered
Security giant Kaspersky Lab has uncovered a unique infection method used to attack visitors to a number of popular Russian news Web sites that use the AdFox teaser system.
“We are dealing with a unique attack. A teaser network used by cyber criminals is one of the most effective ways to install a malicious code, as many popular resources contain links to it,” says Aleks Gostev, Kaspersky Lab's chief security expert.
He says the attack works by secretly redirecting users' browsers to a malicious site containing a Java exploit, while they are downloading a 'news teaser'.
While 'drive-by' attacks are not new, this attack is unique, as users are infected merely by visiting the Web site; they need not download or click on anything. In addition, unlike standard drive-by attacks, the malware was not loaded to the hard drive, but appeared only in the operating memory of the PC, making an anti-virus solution less effective in detecting it.
Once installed, the malware acts as a 'bot' and checks users' browsing history to see if they use Internet banking, and if they do, it installs the banking Trojan 'Lurk' to steal login credentials.
So far, the only users who have been infected are Russians, but Kaspersky says there is no reason why this attack vector could not be equally effective in other countries, as the exploit can be distributed via similar foreign banner and teaser networks.
According to Kaspersky, the AdFox network was not the source of the infection. “News banners were modified by adding links to the malicious Web site code via the hacked account of an AdFox client.”
This enabled criminals to attack not merely the visitors to a single news site, but also to other resources using the same system, resulting in tens of thousands of victims potentially being attacked.
Gostev says it's highly likely that the Lurk Trojan is not the only malware that can be used for these purposes.
Kaspersky says the only reliable protection is the timely installation of updates. In this instance, the company recommends removing the CVE-2011-3544 Java vulnerability, and installing an Oracle patch - which can be downloaded here.