Alert: Zero day profiteering

The following paper gives a view of how affiliates in the potentially unwanted software business interact with one another, and provides details on their installation methods, the code used, propagation and installation statistics, and some of the methods used to help the companies behind this activity make money.

In mid-December 2005 we began investigating several websites that were using browser exploits to download and run code on end users' machines without the users' knowledge. These sites were not only using older Internet Explorer vulnerabilities but were also utilizing a recent zero-day vulnerability that at the time had no fix (the window(open) Microsoft IE vulnerability). After tracing the code we discovered an entity called Exfol software, a registered company in Vanuatu in the South Pacific, which had ties to the following other entities (from their licensing agreement). As of this week the same sites are using the current WMF zero-day exploit, for which no patch is available, in order to install their affiliates' programs. The exploit code is placed within IFRAMEs on websites.

Websense® Security Labs Alert: Zero-day profiteering

Linked by shanmuga Saturday, 31st December 2005 6:14AM