News
Contributed by: Nono Gwabe
Date: January 27, 2009
AVG's Chief Research Officer, Roger Thompson, wrote a blog post about a discovery made this weekend by a security guy at the IRS and security consultant Nick FitzGerald: a new fast-flux botnet was found serving exploits tailored to the browser version of each victim.

Fast-flux botnets use DNS to conceal phishing and malware-hosting sites behind a constantly rotating network of infected zombie computers that act as proxies for the malicious sites. The technique has been around for a while and is used by botnets such as Storm.

A Trusteer research paper issued in December last year revealed another form of phishing attack that uses the same browser-specific technique as this fast-flux botnet. It is called 'in-session phishing', and according to Wikipedia it relies on one web browsing session's ability to detect the presence of another session in the same web browser. A pop-up window is then launched that appears to have been opened from the targeted session. The user assumes the pop-up is part of the targeted session and fills in his or her sensitive information, which the attacker then steals in the same manner as in other phishing attacks.

According to Thompson, the new botnet generates different exploits for Internet Explorer, Chrome, Firefox, Safari and Opera. Basically, if you are using Firefox, the botnet will attack with a number of common Firefox exploits. Thompson noted that there is no reason for alarm yet, as the exploits used here are nothing new: if your computer is patched, you are safe.
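The rotating proxy pool described above leaves a measurable trace in DNS: the same name keeps resolving to new addresses, with short TTLs, spread across many networks. The following is an added detection example (not from the article, AVG or Trusteer) that scores successive lookups of a name using a simple "fluxiness" ratio; the domain names, TTLs and addresses are constructed sample data, and the /24-diversity threshold is an assumption chosen for the sample.

```python
"""Heuristic fast-flux detection over DNS answers (added example, not from the article)."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample of resolver observations: (domain, TTL seconds, A records).
# Addresses are from the RFC 5737 documentation ranges; none are real indicators.
SAMPLE_LOOKUPS = [
    ("update-srv.example", 180, ["198.51.100.7", "203.0.113.22", "192.0.2.91"]),
    ("update-srv.example", 180, ["203.0.113.140", "198.51.100.200", "192.0.2.5"]),
    ("update-srv.example", 120, ["192.0.2.77", "203.0.113.9", "198.51.100.33"]),
    ("update-srv.example", 180, ["192.0.2.101", "198.51.100.8", "203.0.113.61"]),
    ("www.example", 86400, ["192.0.2.10", "192.0.2.11"]),
    ("www.example", 86400, ["192.0.2.10", "192.0.2.11"]),
]

def flux_features(lookups):
    """Aggregate per-domain features from successive lookups of the same name."""
    new = lambda: {"ips": set(), "nets": set(), "min_ttl": None, "lookups": 0, "answers": 0}
    feats = defaultdict(new)
    for domain, ttl, ips in lookups:
        f = feats[domain]
        f["lookups"] += 1
        f["answers"] += len(ips)
        f["min_ttl"] = ttl if f["min_ttl"] is None else min(f["min_ttl"], ttl)
        for ip in ips:
            f["ips"].add(ip)
            # /24 prefixes as a cheap proxy for network diversity: a flux pool of
            # infected home PCs spans many ISPs, a CDN clusters in a few blocks.
            f["nets"].add(str(ip_network(f"{ip}/24", strict=False)))
    return feats

def fluxiness(f):
    """Unique IPs seen over time divided by the average answer size: 1.0 means the
    answer set never changed; larger values mean the pool is rotating."""
    return len(f["ips"]) / (f["answers"] / f["lookups"])

def is_fast_flux(f, ttl_threshold=300, min_nets=3, min_fluxiness=2.0):
    """Flag a name whose short-TTL answers rotate through a network-diverse pool."""
    return (f["min_ttl"] <= ttl_threshold
            and len(f["nets"]) >= min_nets
            and fluxiness(f) >= min_fluxiness)

def classify(lookups):
    """Return {domain: True/False} for every name in the observations."""
    return {d: is_fast_flux(f) for d, f in flux_features(lookups).items()}

if __name__ == "__main__":
    for domain, flagged in classify(SAMPLE_LOOKUPS).items():
        print(f"{domain}: {'suspected fast-flux' if flagged else 'stable'}")
```

On real resolver logs, a legitimate CDN can also show short TTLs, so the network-diversity and fluxiness thresholds are what separate a rotating pool of compromised hosts from a few operator-owned blocks.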
Thompson also believes that the exploit may have been taken from a decrypted Neosploit, a web-based exploit framework. Further research found that malicious PDF files exploiting vulnerabilities in Adobe Acrobat and Reader are generated for Chrome and Safari users. The encryption technique is said to be new and is hooked into the HTML, most probably to evade decryption emulators. A successful exploit leads to the installation of a "fairly new" rootkit, which was found to originate from Russia and is detected by AVG as an 'Agent Variant'. We must commend the security community for discovering this threat and for further emphasizing the need for updated security software on every PC.