Hack Yourself!

26/06/2007 Written by Roberto Preatoni (SyS64738)

SANS Internet Storm Center published a bulletin on Friday that casts a new light on the capabilities of Social Engineering. The report describes a website whose visitors were infected with malware. What makes the case notable is that, according to the author, Mr. Bojan Zdrnja, the site didn’t use the nearly universal technique of an iframe, which allows exploit code to be siphoned in from another website.

So what? We are facing a case of pure Social Engineering, and quite an effective one.

As reported by the Internet Storm Center, “When visited, the web page in question (a game site related to RuneScape) shows a couple of broken icons and all links just point to another web page that conveniently informs the user that his version of Macromedia Flash Player needs to be updated. After this notice, the user is redirected to a web site hosting a complete replica of the Shockwave Player Download Center”.

See the screen shot in the image below:

In the copy of Adobe’s website the attacker added the following JavaScript:

var message="";
///////////////////////////////////
function clickIE() {if (document.all) {(message);return false;}}
function clickNS(e) {if
(document.layers||(document.getElementById&&!document.all)) {
if (e.which==2||e.which==3) {(message);return false;}}}
if (document.layers)
{document.captureEvents(Event.MOUSEDOWN);document.onmousedown=clickNS;}
else{document.onmouseup=clickNS;document.oncontextmenu=clickIE;}
document.oncontextmenu=new Function("return false")

The downloaded malware contains a full installer that, when tested on VirusTotal, had very low detection.

Actually, the fake website is quite easy to recognize, but careless users could easily be tricked.
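
The script quoted above swallows right-click and context-menu events, which keeps a casual visitor away from the browser's View Source and link-inspection menus. As an added example (not code from the ISC report or from this article), the following JavaScript does a static triage of a saved page by combining that signal with the two others the report describes, a vendor-branded page on a non-vendor host and an installer link; the host list, brand keywords and sample pages are assumptions constructed for illustration.

```javascript
// Added example: static triage of a saved page. Not code from the ISC report.
// OFFICIAL_HOSTS and BRAND_RE are assumptions chosen for this particular lure.
const OFFICIAL_HOSTS = ["adobe.com", "macromedia.com"];
const BRAND_RE = /\b(adobe|macromedia|flash player|shockwave)\b/i;

// Constructs used by the quoted script to swallow right-clicks.
const SUPPRESS_PATTERNS = [
  { name: "oncontextmenu-assignment", re: /\.oncontextmenu\s*=/i },
  { name: "mouse-button-check", re: /\.which\s*==\s*[23]/ },
  { name: "legacy-captureEvents", re: /captureEvents\s*\(\s*Event\.MOUSEDOWN/ },
];

function isOfficialHost(host) {
  return OFFICIAL_HOSTS.some((d) => host === d || host.endsWith("." + d));
}

// Resolve a link against the page URL; unparsable links count as off-domain.
function linkHost(href, pageUrl) {
  try { return new URL(href, pageUrl).hostname.toLowerCase(); } catch { return ""; }
}

function triagePage(pageUrl, html) {
  const host = new URL(pageUrl).hostname.toLowerCase();
  const findings = SUPPRESS_PATTERNS.filter((p) => p.re.test(html)).map((p) => p.name);
  const brandOffDomain = BRAND_RE.test(html) && !isOfficialHost(host);
  const offsiteInstallers = [...html.matchAll(/href\s*=\s*["']([^"']+\.(?:exe|msi))["']/gi)]
    .map((m) => m[1])
    .filter((href) => !isOfficialHost(linkHost(href, pageUrl)));
  // Right-click blocking alone is common on benign sites, so require two signals.
  const score = [findings.length > 0, brandOffDomain, offsiteInstallers.length > 0]
    .filter(Boolean).length;
  return { host, findings, brandOffDomain, offsiteInstallers, suspicious: score >= 2 };
}

// Constructed samples (not captured from the real incident).
const SAMPLE_LURE = `<html><head><title>Shockwave Player Download Center</title>
<script>function clickNS(e){if(e.which==2||e.which==3){return false;}}
document.onmouseup=clickNS;document.oncontextmenu=new Function("return false")</script>
</head><body><a href="/get/player_update.exe">Install now</a></body></html>`;
const SAMPLE_VENDOR = `<html><head><title>Shockwave Player</title></head>
<body><a href="/installers/player.exe">Download</a></body></html>`;

console.log(triagePage("http://downloads.example.test/shockwave/", SAMPLE_LURE));
console.log(triagePage("https://www.adobe.com/shockwave/download/", SAMPLE_VENDOR));
```

A page that only blocks the context menu scores one signal and is not flagged, since that behaviour on its own is widespread on legitimate sites.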

