On 27 October security researchers at Symantec discovered that Spin.com was redirecting visitors to the Rig exploit kit, via an injected iframe.
Visitors to the popular music news and reviews website redirected thus were subsequently infected with a range of malware.
In a blog post, Symantec researcher Ankit Singh said that the Rig exploit kit took advantage of two Microsoft Internet Explorer use-after-free remote code execution (RCE) vulnerabilities (CVE-2013-2551 and CVE-2014-0322), an Adobe Flash Player RCE vulnerability (CVE-2014-0497), a Microsoft Silverlight double dereference RCE vulnerability (CVE-2013-0074), an Oracle Java SE memory corruption vulnerability (CVE-2013-2465), an Oracle Java SE remote Java Runtime Environment code execution vulnerability (CVE-2012-0507), and a Microsoft Internet Explorer information disclosure vulnerability (CVE-2013-7331).
Upon successful exploitation of any of those vulnerabilities, an XOR-encrypted payload would be downloaded onto the victim's computer. The exploit kit would then drop a variety of nasties including downloaders and information stealers such as Infostealer.Dyranges and the notorious Zeus banking Trojan.
Previous research by Symantec revealed how the Rig exploit kit can also drop Trojan.Pandex, Trojan.Zeroaccess, Downloader.Ponik, W32.Waledac.D and ransomware Trojan.Ransomlock.
While Spin.com is no longer compromised, the attack may have affected a great number of visitors, as the site is ranked amongst the top 7,000 most visited on the web, according to Alexa. With an Alexa ranking of around 2,800 in the US, visitors from that region may have been at particular risk, especially as Symantec said it did not know how long Spin.com had been compromised prior to the discovery.
Talking to SCMagazine, Singh said the injected iframe redirected visitors to a highly obfuscated landing page for the Rig exploit kit, but he said he did not know how the website had initially been compromised.
He went on to say that when the user arrived at the landing page the exploit kit would first look to bypass any security software on their computer before searching for particular plugins which it could then exploit.
Singh added that "Infostealer.Dyranges checks the URL in the web browser for online banking services and intercepts traffic between the user and these sites; it may then steal user names and passwords inputted into these sites' login forms and send them to remote locations. Trojan.Zbot will gather a variety of information about the compromised computer, as well as user names and passwords, which it sends back to the [command-and-control] server. It also opens a backdoor through which attackers can perform various actions."
Singh concluded that the way in which the exploit kit ran was such that a typical computer user would not be aware of its presence on their system.
According to Symantec, its security products already protect its users against such an attack, and the same should be true for all other reputable brands of security software. We would, however, advise all users to ensure that their security software is kept fully up to date to protect against the newest threats.