Security Bytes

Apr 20 2011   1:37PM GMT

New drive-by attack technique better evades signatures


Drive-by cache attack silently loads malware into the browser cache

By Ryan Cloutier, Contributor

Researchers at Armorize Technologies have discovered a more sophisticated drive-by download attack that pairs a zero-day vulnerability with a delivery technique designed to dupe signature-based antivirus.

Wayne Huang, founder and CEO of Armorize, issued a report outlining the new attack, called drive-by cache, last weekend. The firm identified the attack taking place on a legitimate human rights website.

The new attack method builds on the drive-by download technique currently popular for exploiting Flash and JavaScript vulnerabilities. In a drive-by download, when the user visits an infected page the browser is forced to connect to another URL, often a malware server, from which it downloads a piece of malware onto the victim's hard disk. The attack runs in the background without any user interaction.

This type of attack is popular because it is difficult to detect with traditional, signature-based antivirus software. The attacks rely on flaws in the browser or in third-party components such as Flash, and the exploit is delivered as JavaScript that can be obfuscated and hidden amongst garbage code.

The drive-by cache technique identified by Huang and his team works similarly, but instead of fetching the malware from an external server after exploitation, the exploit runs a file that is already sitting in the browser's cache directory. That file is downloaded into the cache as part of loading the infected page, disguised as a JPEG or JavaScript file, and the browser stores it as it would any other page resource it caches to speed up browsing.

Only after the malware has been cached do the exploit and its shellcode run; the shellcode then locates the cached file and executes it as the final step. Huang and his team, who dubbed this new type of attack drive-by cache, identified it on an Amnesty International website using the recently patched Flash zero-day as the exploit.
Antivirus detection rates for display.swf, the file that contains the Flash exploit code, were dismal.
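As an added illustration (this is not Armorize's code and is not from the original post), here is a cache-side check a responder could run after an incident of this kind: it sniffs each cached file's real type from its magic bytes and flags anything that is a Windows PE image, or whose content disagrees with the extension its name claims. The sample cache entries, including the newsvine.jp2 stand-in, are constructed for the example and contain no real executable code.

```python
"""Added example: scan a browser cache for entries that are really executables
or whose content does not match the type their name claims."""
import os
import struct
import sys
import tempfile
from typing import Dict, List, Optional, Tuple

# Magic-number prefixes for content a browser cache legitimately holds.
_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x00\x00\x00\x0cjP  \r\n\x87\n": "jpeg2000",   # JP2 signature box
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"FWS": "flash",                                  # uncompressed SWF
    b"CWS": "flash",                                  # zlib-compressed SWF
}

# Extensions a cached resource normally carries and the sniffed kinds allowed.
_EXPECTED = {
    ".jpg": {"jpeg"}, ".jpeg": {"jpeg"}, ".jp2": {"jpeg2000"},
    ".png": {"png"}, ".gif": {"gif"}, ".swf": {"flash"},
    ".js": {"text"}, ".css": {"text"}, ".html": {"text"},
}

def is_pe(data: bytes) -> bool:
    """True if data is a Windows PE image: 'MZ' DOS stub plus PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def sniff(data: bytes) -> str:
    """Classify content by what it actually starts with, ignoring its name."""
    if is_pe(data):
        return "pe"
    for magic, kind in _MAGIC.items():
        if data.startswith(magic):
            return kind
    head = data[:512]
    if b"\x00" not in head:
        try:
            head.decode("utf-8")
            return "text"
        except UnicodeDecodeError:
            pass
    return "unknown"

def classify(name: str, data: bytes) -> Optional[str]:
    """Return a reason string if the cache entry is suspicious, else None."""
    kind = sniff(data)
    if kind == "pe":
        return f"{name}: Windows executable stored in the cache"
    ext = os.path.splitext(name)[1].lower()
    expected = _EXPECTED.get(ext)
    if expected is not None and kind not in expected:
        return f"{name}: content sniffed as {kind}, name claims {ext}"
    return None

def scan_entries(entries: Dict[str, bytes]) -> List[str]:
    """Classify an in-memory {name: content} map; returns reasons for the hits."""
    return [r for r in (classify(n, d) for n, d in entries.items()) if r]

def scan_dir(path: str) -> List[Tuple[str, str]]:
    """Walk a cache directory on disk; return (path, reason) for suspicious files."""
    hits = []
    for root, _, files in os.walk(path):
        for fname in files:
            full = os.path.join(root, fname)
            try:
                with open(full, "rb") as fh:
                    data = fh.read(4096)   # file headers are enough to sniff
            except OSError:
                continue
            reason = classify(fname, data)
            if reason:
                hits.append((full, reason))
    return hits

def _fake_pe() -> bytes:
    """Constructed PE-shaped blob (headers only, not a runnable program)."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)            # 64-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)             # e_lfanew -> 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20    # PE signature + padding

# Constructed sample cache (assumption, not real captured data): three ordinary
# page resources and one entry mimicking a backdoor cached under an image name.
SAMPLE_CACHE: Dict[str, bytes] = {
    "logo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    "display.swf": b"CWS\x0a" + b"\x00" * 32,
    "jquery.js": b"(function(){var x=1;})();",
    "newsvine.jp2": _fake_pe(),
}

def demo_scan_tempdir() -> List[Tuple[str, str]]:
    """Write SAMPLE_CACHE to a temporary directory and scan it from disk."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in SAMPLE_CACHE.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return scan_dir(tmp)

if __name__ == "__main__":
    results = scan_dir(sys.argv[1]) if len(sys.argv) > 1 else demo_scan_tempdir()
    for full_path, why in results:
        print(f"SUSPICIOUS {full_path} -> {why}")
```

Run it with a cache directory as the only argument to scan from disk; with no argument it scans the constructed sample. The extension check only helps in caches that keep the original resource name; where entries are stored under hashed names, the content-based PE check is the part that still applies.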

“When we submitted the swf file to VirusTotal, 0 out of 42 antivirus vendors detected this exploit,” writes Huang on the Armorize blog. “As for newsvine.jp2 (swf.exe), we got 1/42 on VirusTotal (report is here). Only Microsoft detected this backdoor.”

The full Armorize report, including transcripts of the malicious code, can be viewed here:
