Chinese Site Serves 83 Windows Executables in Drive-By Attack

Security researchers have discovered a new drive-by-download attack serving up a staggering 83 Windows executables to infect users, without any interaction required.

Cyphort explained in a blog post that in sandbox tests the HD video sharing site and forum www.49lou.com infected one of its “sacrificial” Windows machines running Internet Explorer.

Users are redirected first to another site – ji.ihualun.com – and then to kan.jieaojs.com where an exploit for CVE-2014-6332 is served to begin remote code execution.

The flaw in question is a Windows OLE automation array remote code execution vulnerability affecting multiple versions of the OS including Vista, Windows 7 and Windows Server 2012. It was patched by Microsoft back in November 2014, Cyphort said.

Of the 83 Windows EXE and DLL binaries served up by 49lou.com, only 37 had been reported to VirusTotal at the time of discovery – with 29 of them found to be malicious.

Cyphort’s ADT platform, on the other hand, found 42 to be malicious. Those not flagged included potentially unwanted programs and adware.
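As an added defender's example (not code from the Cyphort post or this article), the Python below scans proxy log lines for the pattern described above: a client that follows a cross-host redirect chain and then pulls a burst of executables within seconds, with no time for user interaction. The log lines, field layout and thresholds are constructed for illustration and would need adapting to a real proxy's format.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample proxy log (not from the Cyphort report). Fields:
# timestamp client host path referer_host("-" if none) content_type
SAMPLE_LOG = """\
2015-03-01T10:00:00 10.0.0.5 www.49lou.com /forum.html - text/html
2015-03-01T10:00:01 10.0.0.5 ji.ihualun.com /r.php www.49lou.com text/html
2015-03-01T10:00:02 10.0.0.5 kan.jieaojs.com /index.html ji.ihualun.com text/html
2015-03-01T10:00:03 10.0.0.5 kan.jieaojs.com /a1.exe kan.jieaojs.com application/x-msdownload
2015-03-01T10:00:04 10.0.0.5 kan.jieaojs.com /a2.dll kan.jieaojs.com application/x-msdownload
2015-03-01T10:00:04 10.0.0.5 kan.jieaojs.com /a3.exe kan.jieaojs.com application/octet-stream
2015-03-01T10:00:05 10.0.0.5 kan.jieaojs.com /a4.exe kan.jieaojs.com application/x-msdownload
2015-03-01T10:00:06 10.0.0.5 kan.jieaojs.com /a5.exe kan.jieaojs.com application/x-msdownload
2015-03-01T10:05:00 10.0.0.9 example.org /setup.exe - application/x-msdownload
"""
EXE_TYPES = {"application/x-msdownload", "application/x-dosexec"}
EXE_EXT = re.compile(r"\.(exe|dll)$", re.I)

def parse(line):
    ts, client, host, path, referer, ctype = line.split()
    return datetime.fromisoformat(ts), client, host, path, referer, ctype

def is_executable(path, ctype):
    # Either the declared content type or the file extension marks a PE download.
    return ctype in EXE_TYPES or bool(EXE_EXT.search(path))

def find_driveby(log_text, window_s=60, min_exes=5, min_hops=2):
    """Return {client: {"chain": [...], "exe_count": n}} for clients fetching
    >= min_exes executables within window_s of landing via >= min_hops hops."""
    by_client = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = parse(line)
        by_client[ev[1]].append(ev)
    hits = {}
    for client, events in by_client.items():
        events.sort()
        chain, landed_at = [], None
        for ts, _, host, _, referer, _ in events:
            # Extend the chain only on a cross-host hop that continues it.
            if referer not in ("-", host) and (not chain or chain[-1] == referer):
                chain = (chain or [referer]) + [host]
                landed_at = ts  # time the client reached the latest hop
        if len(chain) - 1 < min_hops:
            continue
        exes = [e for e in events if is_executable(e[3], e[5])
                and 0 <= (e[0] - landed_at).total_seconds() <= window_s]
        if len(exes) >= min_exes:
            hits[client] = {"chain": chain, "exe_count": len(exes)}
    return hits
```

Running `find_driveby(SAMPLE_LOG)` flags only the client that followed the three-host chain and fetched five binaries in four seconds; the lone direct download from the second client is left alone.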

“If this site were visited by a lot of surfers from the United States, the discovery of it serving 83 binaries without user interaction or knowledge would probably have happened much earlier, and should have set off huge alarms, period,” said Cyphort. 

“We suspect that the majority of the visitors to 49lou.com are not US-based and those endpoints are likely poorly protected.”

Indeed, the site’s audience mainly comes from China (89.2%), followed by Singapore (3%), the US (2.4%) and Taiwan (2%).

Cyphort claimed that poor patching practices often leave Windows users in China exposed to drive-by infections.

It added the following observations:

“Chinese audiences, inside China in particular, seem to have a higher tolerance for gray-ware that offer users some utility on the one hand, but on the other, also perform additional functions on behalf of their originators without the users’ permission.

There is an ongoing battle amongst internet companies in China for control over users’ endpoints with the intention to monetize these endpoints; while advertisement remains a significant way of monetization, many have expanded to installation of gray-ware in order to further move up the supply chain.”

Cyphort urged users to keep up-to-date with patches, and be extra vigilant visiting sites “with busy offerings and pop-ups,” while advising enterprises to adopt a “continuous monitoring, diagnostics and mitigation approach.”
