NEWS FROM THE LAB - Tuesday, May 8, 2012

Java Drive-by Generator Posted by Karmina @ 15:27 GMT

Ran across quite an interesting infection today. I visited a site that prompted me with a security warning about a "Microsoft" application from an unknown publisher. The site is actually pretending to be a Gmail Attachment Viewer. Microsoft+Gmail? Fail.

[Screenshot: Google attachment]

After allowing the application to run, it redirects to a Cisco Foundation invitation while downloading a malware binary in the background.

[Screenshot: Cisco invite]

The message also contains a malicious link that downloads the same malware. Perhaps to make sure that you really get infected.

Anyway, this infection is generated using iJava Drive-by Generator, which apparently has been around for a while now.

The generator allows the attacker to use random names or specify their own preference for both the Java file and the dropped Windows binary.

[Screenshot: iJava main]

iJava also keeps track of infections. Below is the data from the infection mentioned above:

[Screenshot: iJava 2ndp]

This shows that for this particular malware, the infection only started yesterday. So far there have been only 83 visits to the Java drive-by link.

And thankfully, he's not very successful (knock on wood):

[Screenshot: iJava stats]

Updated to add: The number of visits has now increased to 122 with a 26% success rate. Since it's counting the number of visits, if a specific IP accessed the page twice it is counted as two. The total number of unique IPs so far is 77 with a 30% success rate.

Kaspersky's Kurt Baumgartner has pointed out that this rate can actually be considered pretty high for such kits.