Wednesday, 5 November 2014


Spin.com Redirects Users to RIG Exploit Kit


Symantec researchers observed an interesting attack on 7 October 2014 on the most popular music website, Spin.com: visitors were being redirected to the RIG Exploit Kit, which in turn delivered a range of malware.

On Tuesday, Ankit Singh, an associate threat analyst at Symantec, explained that the issue appears to have been resolved, and that users in the U.S. were the most affected.

Mr. Singh explained that the attackers had injected an iframe into the website, which then redirected all visitors to the RIG Exploit Kit's landing page.

According to him, "On the landing page, Rig [Exploit Kit] checked the user's computer for driver files associated with particular security software products to avoid detection, then looked for particular installed plugins and attempted to exploit them accordingly."
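The injection described above is the classic pattern of a small or hidden iframe pointing at a host outside the site's own domain. The following is an added example (not code from the original post or from Symantec) of how a site owner or analyst could scan fetched HTML for that pattern; the host names in the sample page are constructed and stand in for the compromised site and the exploit kit's landing server.

```python
"""Flag suspicious <iframe> tags in a web page's HTML.

Added example (not from the original post or Symantec). It looks for the
kind of injected iframe described in the post: small or hidden, and pointing
at a host outside the site's own domain. Host names below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height values of 0 or 1 pixel (with or without 'px')."""
    v = value.strip().lower().rstrip("px").strip()
    return v in ("0", "1")


def _is_hidden(style):
    """True if the inline style hides the element."""
    s = style.replace(" ", "").lower()
    return "display:none" in s or "visibility:hidden" in s


def _off_site(src, site_host):
    """True if src points at a host that is not the site or one of its subdomains."""
    host = urlparse(src).hostname
    if host is None:  # relative URL, same origin
        return False
    host = host.lower()
    return not (host == site_host or host.endswith("." + site_host))


def find_suspicious_iframes(html, site_host):
    """Return a list of (src, reasons) for iframes that look injected.

    An off-site frame on its own is common (ads, players), so a finding
    requires off-site src combined with tiny dimensions or a hiding style.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        reasons = []
        if _off_site(src, site_host):
            reasons.append("off-site src")
        if _is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", "")):
            reasons.append("tiny dimensions")
        if _is_hidden(attrs.get("style", "")):
            reasons.append("hidden by style")
        if "off-site src" in reasons and len(reasons) > 1:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one legitimate embed, one injected-looking frame.
SAMPLE_HTML = """
<html><body>
<h1>Music news</h1>
<iframe src="https://player.spin.example/embed/123" width="560" height="315"></iframe>
<div><iframe src="http://landing.attacker.example/index.php?id=1"
     width="1" height="1" style="display:none;"></iframe></div>
</body></html>
"""

if __name__ == "__main__":
    for src, why in find_suspicious_iframes(SAMPLE_HTML, "spin.example"):
        print(src, "->", ", ".join(why))
```

Run against a page fetched with a normal browser User-Agent, since injected redirects are often served only to browser visitors; a finding of "off-site src, tiny dimensions, hidden by style" is the shape of the iframe the post describes and is worth pulling the referenced URL for analysis in an isolated environment.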

RIG Exploit Kit took advantage of two Microsoft Internet Explorer use-after-free remote code execution (RCE) vulnerabilities, CVE-2013-2551 and CVE-2014-0322, as well as the Adobe Flash Player RCE vulnerability CVE-2014-0497, the Microsoft Silverlight double dereference RCE vulnerability CVE-2013-0074, the Oracle Java SE memory corruption vulnerability CVE-2013-2465, the Oracle Java SE remote Java Runtime Environment code execution vulnerability CVE-2012-0507, and the Microsoft Internet Explorer information disclosure vulnerability CVE-2013-7331 to deliver the malware.

After successful exploitation, the user's computer downloads an XOR-encrypted payload. RIG Exploit Kit then drops a variety of malware, including Infostealer.Dyranges and Trojan.Zbot.
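An analyst who has captured that download from network traffic needs to strip the XOR layer before the payload can be identified. The following is an added example (not code from the original post or from Symantec) that assumes the simplest common case, a single repeating key byte, and recovers it by testing all 256 keys against markers found at the start of a Windows executable. The "captured" bytes are constructed here, not a real RIG sample, and the key value is an arbitrary choice.

```python
"""Recover a single-byte-XOR-obfuscated executable from captured bytes.

Added example, not from the original post or Symantec. The post says the
payload is XOR-encrypted; this assumes a single repeating key byte (an
assumption, the post does not state the key length) and recovers it by
checking each candidate key for the 'MZ' signature and the DOS stub message
that begin a Windows executable. The captured blob below is constructed.
"""

MZ = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data, key):
    """XOR every byte of data with a single key byte."""
    return bytes(b ^ key for b in data)


def score_candidate(plain):
    """Higher is better: MZ at offset 0 plus the DOS stub string early on."""
    score = 0
    if plain[:2] == MZ:
        score += 1
    if DOS_STUB in plain[:512]:
        score += 2
    return score


def recover_xor_payload(blob):
    """Try all 256 single-byte keys; return (key, plaintext) or None.

    Only the first 512 bytes are decoded while scoring; the full blob is
    decoded once a key is chosen. Returns None if no key produces any marker.
    """
    best = None
    for key in range(256):
        plain = xor_bytes(blob[:512], key)
        s = score_candidate(plain)
        if s == 3:  # both markers present: unambiguous
            return key, xor_bytes(blob, key)
        if s > 0 and (best is None or s > best[0]):
            best = (s, key)
    if best is None:
        return None
    return best[1], xor_bytes(blob, best[1])


# Constructed fake PE header: MZ signature, padding, DOS stub text, trailer.
FAKE_PE = MZ + b"\x90\x00" * 31 + DOS_STUB + b".\r\n$" + b"\x00" * 64
CONSTRUCTED_KEY = 0x5A  # arbitrary key chosen for the example
CAPTURED_BLOB = xor_bytes(FAKE_PE, CONSTRUCTED_KEY)

if __name__ == "__main__":
    result = recover_xor_payload(CAPTURED_BLOB)
    if result is None:
        print("no single-byte XOR key produced a PE header")
    else:
        key, plain = result
        print(f"key=0x{key:02x} header={plain[:2]!r}")
```

If no key scores, the sample is probably using a multi-byte key or a different scheme, and the next step is to look at the dropper's own decoding routine rather than to keep guessing; the recovered file, once decoded, should be hashed and detonated only in an isolated sandbox.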

Infostealer.Dyranges inspects the URLs visited in the web browser for online banking services, intercepts data passing between the user and those websites, and may steal user names and passwords and forward them to remote locations, according to Mr. Singh.

Similarly, Trojan.Zbot gathers a large amount of information from the victim's computer, including user names and passwords, opens a backdoor, and later sends that information back to the attacker.


