On June 28, the popular video service Dailymotion was violated to redirect its users to the Sweet Orange Exploit Kit. This exploit kit exploits vulnerabilities of Java, Internet Explorer, and Flash Player. If the vulnerabilities of the above applications are successfully exploited, a pay-per-click malware goes down to the victim's computer. Since this week, Dailymotion is no longer infected, as security technicians have managed to eliminate the threat.
The attackers managed to compromise Dailymotion by injecting a iframe in by clicking here της. Να υπενθυμίσουμε ότι η Dailymotiοn είναι στην κορυφή της λίστας του Alexa και είναι στις 100 πιο δημοφιλείς ιστοσελίδες. Έτσι οι επιτιθέμενοι θα μπορούσαν να έχουν μολύνει ενδεχομένως αρκετούς υπολογιστές με κακόβουλο λογισμικό με αυτή την επίθεση. Η επίθεση έπληξε κυρίως επισκέπτες της Dailymotion από τις ΗΠΑ και την Ευρώπη.
How did the attack work?
Attackers with the injected iframe on the Dailymotion website were able to redirect users to a different website. This site in turn sent users to a page containing the Sweet Orange Exploit Kit (Symantec has awakened it from 2013)
Exploit Kit can detect vulnerabilities plugins on the user's computer and use the exploits they need. Sweet Orange exploits the following known vulnerabilities:
- Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-2551)
- Adobe Flash Player Buffer Overflow Vulnerability (CVE-2014-0515)
- Oracle Java SE Remote Java Runtime Environment Vulnerability (CVE-2013-2460)
If the Exploit Kit manages to successfully exploit any of the above vulnerabilities, then it downloads Trojan.Adclicke to the victim's computer. This malware forces the infected computer to click on pay-per-clicks in order to generate revenue for the attackers.
