A few days ago Malwarebytes Intelligence Analyst Adam Kujawa released a Cyber-Threat Advisory on a fairly new anti-malware product on the web called Malwarebiter. This product grabbed our attention because of its similar name to Malwarebytes.
Various reports on the web suggest this advertised anti-malware product has been around since at least May 2012, while its Facebook page appears to have been created just last month. Facebook users will notice the software claims to have received an award for being the World's Best Anti-Malware Software.
In case our readers aren’t familiar with iFrames, these allow web developers to embed the contents of one webpage within another. Using iFrames for drive-by malware attacks is common since they can be crafted to be invisible to the naked eye. Malicious iFrames often redirect users to malware URLs unbeknownst to them, as seen frequently in Blackhole, Crimepack, and other exploit kits.
The “roe.js” file seen in the image executes either a Java or PDF exploit, which downloads a malicious payload to the visitor’s PC. The Java exploit has been identified as CVE-2013-0422, posted recently as a CTA in our Unpacked blog, and the PDF exploit was identified as the notorious libtiff integer overflow as seen in CVE-2010-0188. In addition, a malicious file is served to visitors after the exploit; this was identified by our intel team as the infamous Zeus botnet after observing packets from the malware making requests for “gate.php”.
Edited by herg62123, 04 February 2013 - 02:25 AM.