The malicious code, found on the home page, is injected into a table as a Javascript ‘document.write’ function, with an iFrame containing the exploit URL obfuscated as a decimal-encoded string. The result is that the user is covertly redirected to the exploit while the legitimate page is still loading.
The obfuscated encoding is not the only evasion technique used by the attacker. The exploit file, test.jar (a Java ARchive file) contains both the exploit and a large compressed file (104 MB when decompressed) containing a huge number of ‘a’ characters. “We think that this is a technique that attempts to evade automated malware analysis technologies,” writes Websense, “since some of those systems typically avoid downloading the contents of big files, because malware tends to be small in size.”
The exploit itself uses the same Java vulnerability behind the recent rash of Flashback infections. If successful it installs a variant of Poison Ivy, a remote administration tool (RAT) that allows the command and control server to take complete remote control of the infected computer.
“We have contacted the Webmaster of the website,” said Websense, “and notified them on the issue and the location of the injected code on the website, so far, we haven't heard back from them.” At the time of writing this report, VirusTotal reported just one out of 24 scanning tools returned the URL as a ‘malware site’. It would be wise to treat with caution. However, since the delivered malware is no longer new, most AV products can detect and remove it – and of course the latest versions of Java are patched against the vulnerability.
What isn’t certain, however, is whether INSS was specifically targeted by hackers, or just caught in a wider dragnet. “We don't have any information on where the threat originated,” Sophos senior technology consultant Graham Cluley told Infosecurity, “or whether it was targeted against the Israeli website. However, we do see attacks like this on many other websites, so it is very possible that there is a chance that it was affected.” Websense doesn’t believe “that this latest infection is part of an organized mass infection campaign,” but similarly “can't determine that the infection of this website with exploit code is part of a targeted attack.”