Wednesday, December 28, 2005
New Java exploit site in the Ukraine
Every day I come across new sites hosting exploits and it's always tough to tell if it's something new or just a rehash of an old exploit.
Here are some web access logs I came across today from a squid proxy server showing a site using Java to exploit a client and force it to download a malware executable. I have seen a number of Java-related exploits lately, including one I'll be writing about soon that downloads and installs a Windows rootkit.
By the way, this site is also in the Internet Storm Center's "Most Hated IP Address of 2005" list.
Warning: Do not click on these links, they are bad. You will get infected with something. I have broken them by putting an underscore in the URL.
GET http://link_schain.net/fr/? - DIRECT/195.225.177.21
GET http://clean_chain.net/fr/? - DIRECT/195.225.177.21
GET http://clean_chain.net/fr/tp/? - DIRECT/195.225.177.21
GET http://full_chain.net/psg/index.php - DIRECT/195.225.177.21
GET http://full_chain.net/psg/Anima.class - DIRECT/195.225.177.21
GET http://full_chain.net/psg/omfg.class - DIRECT/195.225.177.21
GET http://full_chain.net/psg/psj.exe - DIRECT/195.225.177.21
GET http://link_schain.net/fr/? - DIRECT/195.225.177.21
GET http://clean_chain.net/fr/? - DIRECT/195.225.177.21
GET http://clean_chain.net/fr/tp/? - DIRECT/195.225.177.21
One of the best ways to prevent this type of infection is to block executables at the proxy. It is pretty straightforward and offers a lot of benefit; without the ability to download executable files like (exe|com|pif|scr) many exploits will fail. Of course any clever malware author can easily circumvent this using a number of techniques, but it is very useful for protecting a large number of users from common HTML-based malware.
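As an added illustration (not part of the original post), the following script applies that same extension policy to squid access-log lines of the format shown above, and additionally flags a host that served .class files right before an executable, which is the drive-by pattern in the log. The log sample is constructed from the lines in the post (URLs still broken with underscores); the squid ACL quoted in the comment is the proxy-side equivalent of the check.

```python
import re
from urllib.parse import urlparse

# Constructed sample based on the proxy log lines quoted in the post.
SAMPLE_LOG = """\
GET http://full_chain.net/psg/index.php - DIRECT/195.225.177.21
GET http://full_chain.net/psg/Anima.class - DIRECT/195.225.177.21
GET http://full_chain.net/psg/omfg.class - DIRECT/195.225.177.21
GET http://full_chain.net/psg/psj.exe - DIRECT/195.225.177.21
GET http://example.invalid/docs/readme.txt - DIRECT/203.0.113.5
"""

# Same extension list as the post. In squid this policy is roughly:
#   acl exe_files urlpath_regex -i \.(exe|com|pif|scr)$
#   http_access deny exe_files
BLOCKED_EXT = re.compile(r"\.(exe|com|pif|scr)$", re.IGNORECASE)

# "<METHOD> <URL> - DIRECT/<origin ip>" as in the excerpt above.
LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) - DIRECT/(?P<ip>[\d.]+)$")


def parse_line(line):
    """Return the method, URL and origin IP of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_blocked_download(url):
    """True when the URL *path* ends in a blocked extension (query string ignored)."""
    return bool(BLOCKED_EXT.search(urlparse(url).path))


def analyze(log_text):
    """Return (list of blocked URLs, sorted hosts that served .class then an executable)."""
    blocked, class_hosts, drive_by_hosts = [], set(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parsed = urlparse(rec["url"])
        if parsed.path.lower().endswith(".class"):
            class_hosts.add(parsed.hostname)
        if is_blocked_download(rec["url"]):
            blocked.append(rec["url"])
            if parsed.hostname in class_hosts:
                drive_by_hosts.add(parsed.hostname)
    return blocked, sorted(drive_by_hosts)


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Matching on the path rather than the whole URL keeps `psj.exe?x=1` blocked while a query parameter that merely contains `.exe` is not; renamed payloads still get through, as the post notes.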