[ Security Alert ] 26 October, 2010 13:42

   As we disclosed in "Security Alert 2010-10-11: Drive-by-download Using PDF Exploit to Download Malicious File", more and more sites are suffering drive-by-download injection, and the hopping pages contain PDF exploits that eventually lead to a malicious program.

  Here are two newly discovered attack paths.

[root]hxxp://www.professor.com.tw/ (PageRank:2)
 [script]hxxp://jabbawockeez.us/talk/indexu.php
  [pdf] hxxp://jabbawockeez.us/talk/indexu.php?s=QiVZTWyu&id=2 (CVE-2008-2992, CVE-2009-0927)
   [binary] hxxp://jabbawockeez.us/talk/indexu.php?id=10

[root]hxxp://arriesmould.com.tw/libraries/
 [script]hxxp://agalp.ro/modules/pathway.php
   [pdf] hxxp://agalp.ro/modules/pathway.php?s=XI0BaAdL&id=2
    [binary] hxxp://agalp.ro/modules/pathway.php?id=10

   The detection rate for the first hopping site is 4/17 (24 %) (http://www.urlvoid.com/scan/jabbawockeez.us), while for the second one the detection rate is relatively low, at 1/17 (6 %) (http://www.urlvoid.com/scan/agalp.ro).

   AegisLab WebGuard Database has blocked these two paths since 2010-10-25.

AegisLab

[ Security Alert ] 22 October, 2010 14:26

    With the AegisLab intelligent malicious website analysis infrastructure, we found a new victim, a domestic bio-tech company. Their web page has been injected so that a visitor's browser can be exploited and, finally, a malicious program is downloaded.

    The attack path is:

[root]hxxp://www.hopegenbio.com/upload/wenda.asp?h=/aooaozmv.html (PageRank: 2)
 [exp]hxxp://1022a4.3322.org:224/yy2/index.htm%28Exploit.Ie0dayCVE0806.a%29
  [virus]hxxp://99otg.3322.org:224/yy2/link.exe 

   The downloaded virus has a good detection rate of 33/43 (76.7 %) in VT (VirusTotal).

   However, the URLs of the exploit and the download path have low detection rates in URLvoid, 1/17 (6 %) and 2/17 (12 %) respectively (http://www.urlvoid.com/scan/1022a4.3322.org, http://www.urlvoid.com/scan/99otg.3322.org).

  The AegisLab WebGuard Database started to block these two IP addresses early, from 2010-10-14.

AegisLab

[ Security Alert ] 11 October, 2010 13:23

    A publisher web site, www.waterstone.url.tw, is suffering a drive-by-download attack that uses a PDF exploit to download a malicious file. The PDF exploit is classified as CVE-2008-2992.

Attack Path: 
[root]http://www.waterstone.url.tw/ (PageRank:4)
 [script]http://aquatec.nl/nieuwsbrief/24.php
   [pdf] http://aquatec.nl/nieuwsbrief/24.php?s=T8rEBjlkT&id=2 (CVE-2008-2992)
     [binary] http://aquatec.nl/nieuwsbrief/24.php?id=10 

    The URL has a low detection rate in URLvoid: 2/17 (12 %) (http://www.urlvoid.com/scan/aquatec.nl).
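As an added example (not AegisLab's own code), the following Python flags the hopping-page pattern shared by the 2010-10-11 path above and the two 2010-10-26 paths: one script on the intermediate host serves the exploit PDF when called with id=2 and the binary when called with id=10. It runs over constructed proxy log lines in a simplified `client method url content-type` format; the hostnames, paths and the `s=` token are placeholders, not indicators from the alerts.

```python
import re
from collections import defaultdict

# Constructed proxy log (placeholder hosts), one request per line:
# "<client> <method> <url> <content-type>"
SAMPLE_LOG = """\
10.0.0.5 GET http://www.victim.example/ text/html
10.0.0.5 GET http://hop.example/talk/indexu.php text/html
10.0.0.5 GET http://hop.example/talk/indexu.php?s=AbCd1234&id=2 application/pdf
10.0.0.5 GET http://hop.example/talk/indexu.php?id=10 application/octet-stream
10.0.0.9 GET http://cdn.example/docs/report.pdf application/pdf
10.0.0.9 GET http://cdn.example/setup.exe application/octet-stream
"""

URL_RE = re.compile(r"^(https?://[^/?\s]+)(/[^?\s]*)?(?:\?(\S*))?$")


def split_url(url):
    """Return (host, path, params) for a URL, or None if it does not parse."""
    m = URL_RE.match(url)
    if not m:
        return None
    host, path, query = m.group(1), m.group(2) or "/", m.group(3) or ""
    params = dict(kv.split("=", 1) if "=" in kv else (kv, "")
                  for kv in query.split("&") if kv)
    return host, path, params


def find_hopping_chains(log_text):
    """Flag clients that fetched a PDF carrying an id parameter and then a
    binary with an id parameter from the same script path on the same host:
    the one-script-serves-both pattern seen in the alerts' attack paths."""
    seen_pdf = defaultdict(set)  # (client, host, path) -> ids used for PDFs
    hits = []
    for line in log_text.splitlines():
        client, _method, url, ctype = line.split()
        parsed = split_url(url)
        if parsed is None:
            continue
        host, path, params = parsed
        key = (client, host, path)
        if ctype == "application/pdf" and "id" in params:
            seen_pdf[key].add(params["id"])
        elif ctype == "application/octet-stream" and "id" in params and key in seen_pdf:
            hits.append({"client": client, "script": host + path,
                         "pdf_ids": sorted(seen_pdf[key]), "binary_id": params["id"]})
    return hits


if __name__ == "__main__":
    for hit in find_hopping_chains(SAMPLE_LOG):
        print("hopping-page chain:", hit)
```

The unrelated PDF and executable fetched by 10.0.0.9 are not flagged, because they come from different paths and carry no id parameter.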

By AegisLab