Wednesday, December 28, 2005

New Java exploit site in the Ukraine

Every day I come across new sites hosting exploits and it's always tough to tell if it's something new or just a rehash of an old exploit.

Here are some web access logs I came across today from a Squid proxy server showing a site using Java to exploit a client and force it to download a malware executable. I have seen a number of Java-related exploits lately, including one I'll be writing about soon that downloads and installs a Windows rootkit.

By the way, this site is also in the Internet Storm Center's "Most Hated IP Address of 2005" list.

Warning: Do not click on these links; they are bad and you will get infected with something. I have broken them by putting an underscore in each URL.

GET http://link_schain.net/fr/? - DIRECT/195.225.177.21
GET http://clean_chain.net/fr/? - DIRECT/195.225.177.21
GET http://clean_chain.net/fr/tp/? - DIRECT/195.225.177.21
GET http://full_chain.net/psg/index.php- DIRECT/195.225.177.21
GET http://full_chain.net/psg/Anima.class - DIRECT/195.225.177.21
GET http://full_chain.net/psg/omfg.class - DIRECT/195.225.177.21
GET http://full_chain.net/psg/psj.exe - DIRECT/195.225.177.21
GET http://link_schain.net/fr/? - DIRECT/195.225.177.21
GET http://clean_chain.net/fr/? - DIRECT/195.225.177.21
GET http://clean_chain.net/fr/tp/? - DIRECT/195.225.177.21

One of the best ways to prevent this type of infection is to block executable downloads. It is pretty straightforward and offers a lot of benefit: without the ability to download executable files like (exe|com|pif|scr), many exploits will fail at the final step. Of course, any clever malware author can easily circumvent this using a number of techniques, but it is still very useful for protecting a large number of users from common HTML-based malware.
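The two things this post shows, spotting the applet-then-executable chain in proxy logs and refusing executable downloads by extension, can both be expressed in a few lines. The following is an added example written for this post, not code from the original or from Squid itself; the log lines are constructed in the same simplified shape as the ones above (method, URL, ident, hierarchy/peer), the hostnames and IPs are placeholders from documentation ranges, and the extension pattern is a Python equivalent of what a proxy `url_regex`-style block list would express, not Squid's actual configuration syntax.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log lines (placeholder hosts/IPs), mirroring the post's format:
# "<METHOD> <URL> <ident> <hierarchy>/<peer>". One applet-dropper chain, plus two
# benign-looking requests to show what the checks do and do not flag.
SAMPLE_LOG = """\
GET http://landing.example/fr/? - DIRECT/192.0.2.10
GET http://landing.example/fr/tp/? - DIRECT/192.0.2.10
GET http://payload.example/psg/index.php - DIRECT/192.0.2.10
GET http://payload.example/psg/Anima.class - DIRECT/192.0.2.10
GET http://payload.example/psg/omfg.class - DIRECT/192.0.2.10
GET http://payload.example/psg/psj.exe - DIRECT/192.0.2.10
GET http://updates.example/patch.exe - DIRECT/198.51.100.7
GET http://cdn.example/lib/util.class - DIRECT/203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)$"
)

# Extensions the post suggests blocking. Matched against the URL *path* only:
# matching the whole URL would also catch every hostname ending in ".com".
BLOCKED_EXT_RE = re.compile(r"\.(exe|com|pif|scr)$", re.IGNORECASE)


def parse_line(line):
    """Split one simplified Squid line into its fields, adding host and path."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = (parts.hostname or "").lower()
    rec["path"] = parts.path
    return rec


def is_blocked(url):
    """True if an executable-extension block list would deny this request.

    The query string is ignored, so "dl.EXE?id=1" is still caught.
    """
    return bool(BLOCKED_EXT_RE.search(urlsplit(url).path))


def blocked_requests(lines):
    """Every URL in the log that the extension block would have stopped."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_blocked(rec["url"]):
            out.append(rec["url"])
    return out


def find_applet_dropper_chains(lines):
    """Hosts that served a .class file and later (in log order) an executable.

    Returns (host, executable_url) pairs; this is the pattern visible in the
    post's log excerpt, where the applet classes and the .exe share a host.
    """
    seen_class = set()
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].lower().endswith(".class"):
            seen_class.add(rec["host"])
        elif is_blocked(rec["url"]) and rec["host"] in seen_class:
            hits.append((rec["host"], rec["url"]))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("would be blocked:", blocked_requests(lines))
    print("applet -> exe chains:", find_applet_dropper_chains(lines))
```

Note the asymmetry the example makes visible: the extension block is coarse and also stops `patch.exe` from an unrelated host, while the chain detector only fires when the executable follows `.class` downloads from the same host. A real deployment would feed it full native Squid log lines (with client address and status) and whitelist known software-update hosts, and, as the post warns, a payload served without a telltale extension sails past the extension check entirely.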
