NEWS FROM THE LAB - Friday, May 22, 2009

Malicious IFrame on Gadgetadvisor.com Posted by WebSecurity @ 06:35 GMT

Are you a gadget geek? Do you often seek advice from Gadget Advisor before making a purchase?

One of our Web Security Analysts discovered a malicious IFrame on the popular tech website that redirects visitors to a malicious website.

[Screenshot: Gadget Advisor]

If the site detects a PDF browser plugin for Adobe Acrobat and Reader, it loads a specially-crafted malicious PDF file that exploits a stack-based buffer overflow vulnerability (CVE-2008-2992).

The net effect of the attack is to plant a trojan, detected as Trojan-Downloader.Win32.Agent.brxr, on vulnerable systems: the PDF triggers the overflow by calling the util.printf JavaScript function, and the code that then runs connects back to the malicious website to download the trojan to the machine. Once a machine is infected with the trojan, a remote attacker can access it.

Below are the readable portions of the code contained in the malicious PDF file.

[Screenshot: Gadget Advisor Exploit 1]

[Screenshot: Gadget Advisor Exploit 2]

This attack is targeted against older, unpatched versions, as the latest Adobe updates have already fixed this problem. More information and the updates can be found on adobe.com at http://www.adobe.com/support/security/bulletins/apsb08-19.html.

Disabling JavaScript in Acrobat and Reader will also stop the threat from proceeding.
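A triage check a defender could run over a suspect PDF, added here as an example that is not part of the original post or of F-Secure's tooling: it inflates FlateDecode streams, pulls out util.printf calls, and flags format strings with an oversized width field, the known shape of the CVE-2008-2992 trigger. The width threshold, the regexes and the two sample PDFs are constructed for this example.

```python
import re
import zlib
# Width threshold above which a util.printf format field is flagged (assumption for this example).
MAX_SANE_WIDTH = 256
STREAM_RE = re.compile(rb"<<([^>]*)>>\s*stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")  # direct /Length only
PRINTF_RE = re.compile(rb"util\.printf\s*\(\s*([\"'])(.*?)\1", re.S)
WIDTH_RE = re.compile(rb"%[-+ 0#]*(\d+)")

def decode_streams(pdf):
    """Yield each stream body, sliced by /Length and inflated if FlateDecode."""
    for m in STREAM_RE.finditer(pdf):
        length = LENGTH_RE.search(m.group(1))
        if not length:
            continue  # indirect /Length object: out of scope for this example
        body = pdf[m.end():m.end() + int(length.group(1))]
        if b"/FlateDecode" in m.group(1):
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # truncated or deliberately corrupted stream: skip it
        yield body

def scan_pdf(pdf):
    """Report JavaScript presence, util.printf format strings and oversized width fields."""
    findings = {"javascript": b"/JavaScript" in pdf or b"/JS" in pdf,
                "printf_formats": [], "suspicious_widths": []}
    candidates = list(decode_streams(pdf))
    candidates += re.findall(rb"/JS\s*\((.*?)\)", pdf, re.S)  # JS given as an inline string
    for js in candidates:
        for _, fmt in PRINTF_RE.findall(js):
            findings["printf_formats"].append(fmt.decode("latin-1"))
            for width in WIDTH_RE.findall(fmt):
                if int(width) > MAX_SANE_WIDTH:
                    findings["suspicious_widths"].append(int(width))
    return findings

def build_sample_pdf(js):
    """Construct a minimal PDF whose OpenAction runs one Flate-compressed JavaScript stream."""
    data = zlib.compress(js)
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /Length " + str(len(data)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + data + b"\nendstream\nendobj\n%%EOF\n")

# Constructed samples: an absurd width field stands in for a crafted format string; the benign one must not be flagged.
SUSPECT_PDF = build_sample_pdf(b'var n = 1.5; util.printf("%5000f", n);')
BENIGN_PDF = build_sample_pdf(b'util.printf("Total: %.2f", this.getField("amt").value);')
```

Calling scan_pdf(SUSPECT_PDF) reports the 5000-wide field, while scan_pdf(BENIGN_PDF) records the format string but flags nothing.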

Updated to add: The website is now clean.