tssci security

Exploit kit dissected

Alex Rice of Websense Security Labs dissected "Web-Attacker", one of the most popular exploit kits on the web. He recently got hold of the source code and walks us through it step by step. For those who do not know how Web-Attacker works, here's a brief scenario:

  1. User visits a compromised webpage containing a hidden iframe that loads go.php.
  2. go.php redirects to ie0609.cgi?homepage, which redirects to demo.php.
  3. Obfuscated JavaScript from demo.php determines which exploit should be attempted and redirects to ie0609.cgi?type=<EXPLOIT_TYPE>.
  4. Based on the value of the type parameter, ie0609.cgi returns the requested exploit. Each exploit differs but attempts the same action: execute the data downloaded from ie0609.cgi?exploit=<EXPLOIT_TYPE>.
  5. With the exploit parameter, ie0609.cgi returns the malicious binary to be executed. The attack is complete.

Be sure to check out the blog post and see how this simple, yet nasty little Perl script works.
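For defenders, the five-step chain above can be hunted in web proxy logs. The following is an added example, not code from the Websense post or from the kit itself: it tracks how far each client progressed through the listed requests. The log format, host names and client addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The five requests from the scenario above, in order:
# (stage label, script name, test applied to the parsed query string).
STAGES = [
    ("iframe",   "go.php",     lambda q: True),
    ("homepage", "ie0609.cgi", lambda q: "homepage" in q),
    ("selector", "demo.php",   lambda q: True),
    ("exploit",  "ie0609.cgi", lambda q: "type" in q),
    ("payload",  "ie0609.cgi", lambda q: "exploit" in q),
]

# Assumed log format (constructed for this example): "<timestamp> <client> GET <url>"
LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) GET (?P<url>\S+)$")

def furthest_stage(log_lines):
    """Map each client to the last chain stage it reached in the listed order."""
    progress = {}  # client -> index of the next stage we expect to see
    for line in log_lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        parts = urlsplit(m["url"])
        script = parts.path.rsplit("/", 1)[-1]
        # keep_blank_values so a bare "?homepage" still shows up as a key
        query = parse_qs(parts.query, keep_blank_values=True)
        nxt = progress.get(m["client"], 0)
        if nxt < len(STAGES):
            _, name, matches = STAGES[nxt]
            if script == name and matches(query):
                progress[m["client"]] = nxt + 1
    return {c: STAGES[i - 1][0] for c, i in progress.items()}

# Constructed sample log; hosts and addresses are placeholders.
SAMPLE_LOG = """\
t1 10.0.0.5 GET http://kit.example/go.php
t2 10.0.0.5 GET http://kit.example/ie0609.cgi?homepage
t3 10.0.0.5 GET http://kit.example/demo.php
t4 10.0.0.5 GET http://kit.example/ie0609.cgi?type=EXPLOIT_TYPE
t5 10.0.0.5 GET http://kit.example/ie0609.cgi?exploit=EXPLOIT_TYPE
t6 10.0.0.9 GET http://kit.example/go.php
t7 10.0.0.9 GET http://kit.example/ie0609.cgi?homepage
t8 10.0.0.7 GET http://intranet.example/demo.php
""".splitlines()

if __name__ == "__main__":
    for client, stage in sorted(furthest_stage(SAMPLE_LOG).items()):
        print(client, "reached stage:", stage)
```

A client whose furthest stage is `payload` was served the binary in step 5 and is the one to triage first.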

Posted by Marcin on Saturday, November 11, 2006 in Security.
