Drive-by cache attack silently loads malware into the browser cache
By Ryan Cloutier, Contributor
Researchers at Armorize Technologies have identified a more sophisticated drive-by download attack that pairs a zero-day exploit with a delivery technique designed to evade signature-based antivirus.
Wayne Huang, founder and CEO of Armorize, issued a report last weekend describing the new attack, which the firm calls drive-by cache and observed on a legitimate human rights website.
In a conventional drive-by download the exploit runs first and its shellcode then downloads the malware. Drive-by cache reverses the order: the malware is delivered first, as an innocuous-looking file that the browser stores in its cache; only then are the exploit and shellcode executed, and the final step is to run the file already sitting in the cache instead of fetching it from the network after exploitation. Huang's team identified the attack on an Amnesty International website, using the recently patched Flash zero-day as the exploit.
The Armorize team also found abnormally low detection rates for display.swf, the file that carries the Flash exploit code.
“When we submitted the swf file to VirusTotal, 0 out of 42 antivirus vendors detected this exploit,” writes Huang on the Armorize blog. “As for newsvine.jp2 (swf.exe), we got 1/42 on VirusTotal (report is here). Only Microsoft detected this backdoor.”
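As an added illustration (this is not code from the Armorize report or from this article), the following Python script shows the kind of check a responder could run over a browser cache directory to catch the second half of this pattern: a payload such as newsvine.jp2 that carries a Windows executable under an image extension. The MAGIC and EXPECTED tables, the function names and the sample cache directory are all constructed for this example; the sample file contents are made up and are not the real attack files.

```python
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Leading-byte signatures for the file types involved in the reported attack.
# This table was assembled for the example; extend it for a real cache scan.
MAGIC = {
    "pe":  (b"MZ",),                                # DOS/PE stub of a Windows executable
    "swf": (b"FWS", b"CWS", b"ZWS"),                 # Flash: uncompressed / zlib / LZMA
    "jp2": (b"\x00\x00\x00\x0cjP  \r\n\x87\n",),     # JPEG 2000 signature box
}

# What we expect to find behind each extension (assumption for this example).
EXPECTED = {".jp2": "jp2", ".swf": "swf", ".exe": "pe"}


def sniff(head: bytes) -> Optional[str]:
    """Identify a file from its leading bytes, or None if no signature matches."""
    for kind, signatures in MAGIC.items():
        if any(head.startswith(sig) for sig in signatures):
            return kind
    return None


def classify(name: str, head: bytes) -> Optional[str]:
    """Return 'mismatch:<type>' when the content type contradicts the extension.

    None means nothing to report: either the content matches the extension or
    the signature is unknown to this small table (a real scanner would also
    flag unknown-but-executable content).
    """
    actual = sniff(head)
    expected = EXPECTED.get(Path(name).suffix.lower())
    if actual is None or actual == expected:
        return None
    return f"mismatch:{actual}"


def scan_cache(cache_dir: str) -> Dict[str, str]:
    """Scan every file in cache_dir and report extension/content mismatches."""
    findings: Dict[str, str] = {}
    for path in sorted(Path(cache_dir).iterdir()):
        if not path.is_file():
            continue
        with open(path, "rb") as fh:
            head = fh.read(16)  # enough for every signature in MAGIC
        verdict = classify(path.name, head)
        if verdict is not None:
            findings[path.name] = verdict
    return findings


def build_sample_cache() -> str:
    """Create a constructed cache directory mimicking the reported file names.

    The contents are synthetic placeholders, not the real attack files.
    """
    cache_dir = tempfile.mkdtemp(prefix="cache-")
    samples = {
        "display.swf":  b"CWS\x0a" + b"\x00" * 12,          # SWF under .swf: no mismatch
        "newsvine.jp2": b"MZ\x90\x00" + b"\x00" * 12,        # PE under .jp2: the disguised payload
        "photo.jp2":    MAGIC["jp2"][0] + b"\x00" * 4,       # genuine JPEG 2000: no mismatch
    }
    for name, data in samples.items():
        (Path(cache_dir) / name).write_bytes(data)
    return cache_dir


def demo() -> Dict[str, str]:
    """Scan the constructed cache and return the findings."""
    return scan_cache(build_sample_cache())


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Note what this check does and does not catch: it flags newsvine.jp2 because a Windows executable is sitting behind an image extension, but display.swf passes, since a malicious SWF is still a SWF. Catching the exploit file itself needs content inspection of the Flash bytecode, which is exactly where the 0/42 VirusTotal result shows signature-based scanning falling short.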
The full Armorize report, including transcripts of the malicious code can be viewed here: http://blog.armorize.com/2011/04/newest-adobe-flash-0-day-used-in-new.html