From: http://www.bluecoat.com/blog/country-coded-malware
Late last week, we were tracking a spike in exploit server activity. The majority of traffic was being driven by compromised OpenX ad servers (sound familiar?)... This is most likely due to a critical security flaw in current and older versions of this software. (For details on the flaw, see here.)
An examination of the malicious JavaScript code injected by the compromised server shows that:
1. Cookies must be enabled for the browser to be relayed to the attack site. [Not too exciting. --C.L.]
2. If the user's language has a two-letter region code that is on a "safe" list, then the malicious iFrame that points to the attack site is NOT created. [But this is cool! --C.L.]
As the Bad Guys are normally indiscriminate in the selection of their victims, their decision to give some users a break merits further examination.
Language is often a key feature in tailoring an attack to potential victims. No sense showing a fake AV site in Russian to an English-speaker, or vice-versa. However, as this particular exploit server invisibly attempts to compromise the user's browser while they are busy looking at a legitimate site, language-tailoring does not seem to be the motivation in this case.
One variant of the conficker malware famously checked for a Ukrainian-language keyboard on the victim's computer, and refrained from infecting that system if it was found. The general presumption at the time was that they did this to keep the local police off their case -- it's always harder to catch and prosecute a computer criminal in another country. Again, that doesn't seem to be the case here, since the list is so large.
So we're open to suggestions!
Here's the list of "do not attack" countries:
ae UNITED ARAB EMIRATES
al ALBANIA
az AZERBAIJAN
ba BOSNIA AND HERZEGOVINA
be BELGIUM
bg BULGARIA
bo BOLIVIA
br BRAZIL
by BELARUS
ci COTE D'IVOIRE
cn CHINA
cr COSTA RICA
cz CZECH REPUBLIC
dk DENMARK
do DOMINICAN REPUBLIC
dz ALGERIA
ec ECUADOR
ee ESTONIA
eg EGYPT
ge GEORGIA
gf FRENCH GUIANA
gp GUADELOUPE
gr GREECE
gt GUATEMALA
hk HONG KONG
hr CROATIA
hu HUNGARY
id INDONESIA
il ISRAEL
iq IRAQ
ir IRAN
jo JORDAN
kw KUWAIT
lk SRI LANKA
lt LITHUANIA
lv LATVIA
ma MOROCCO
md MOLDOVA
mk MACEDONIA
mt MALTA
my MALAYSIA
om OMAN
pa PANAMA
pk PAKISTAN
pl POLAND
pr PUERTO RICO
ps PALESTINIAN TERRITORY
pt PORTUGAL
qa QATAR
re REUNION
ro ROMANIA
rs SERBIA
ru RUSSIAN FEDERATION
sa SAUDI ARABIA
si SLOVENIA
sk SLOVAKIA
sv EL SALVADOR
th THAILAND
tn TUNISIA
tr TURKEY
tt TRINIDAD AND TOBAGO
tw TAIWAN
ua UKRAINE
uy URUGUAY
vn VIET NAM
Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.
Wednesday, September 22, 2010
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment