Visualizing a Malicious IP
Published: March 10 2009, 10:56 PM by Methusela Cebrian Ferrer

Fig.01 – Malicious IP Visual Graph
Most Internet threats now take advantage of Web 2.0 technology as an attack and distribution vector. Social networks, video sharing sites, blogs and forums, for example, are now the attacker’s mechanism for delivering malicious content.
Researching just one IP address turns up a surprising number and variety of threats that make use of it. The visual graph above [Fig.01] shows hundreds of domain names that all resolve to a single IP address (gray lines). These domains lead on to a malicious server (red lines), which in turn hands the visitor its payload. We discussed examples of this in our previous blog posts "Malicious PDF Server Alive and Kicking" and "Infectious Virut on the Loose".
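The graph above is built by pivoting on shared infrastructure: find the IP that many domains resolve to, then follow where those domains redirect. The following Python is an added example, not code from the original post. Its passive-DNS resolutions and redirect observations are constructed sample data (TEST-NET addresses and .example names), and the Graphviz DOT output uses the post's colour convention of gray hosting edges and red redirect edges.

```python
from collections import defaultdict

# Constructed sample data (not from the original post): passive-DNS style
# (domain, ip) resolutions and (source, destination) redirect observations.
RESOLUTIONS = [
    ("blog-a.example", "192.0.2.10"),
    ("video-b.example", "192.0.2.10"),
    ("forum-c.example", "192.0.2.10"),
    ("social-d.example", "192.0.2.10"),
    ("unrelated.example", "198.51.100.7"),
]
REDIRECTS = [
    ("blog-a.example", "bad.example"),
    ("video-b.example", "bad.example"),
    ("forum-c.example", "bad.example"),
    ("social-d.example", "bad.example"),
    ("bad.example", "payload.example/gen.php"),
]


def shared_hosting(resolutions, min_domains=2):
    """Map each IP to the domains resolving to it, keeping only IPs that host
    at least min_domains domains. One IP behind many throwaway domains is the
    pivot point the graph is drawn around."""
    by_ip = defaultdict(set)
    for domain, ip in resolutions:
        by_ip[ip].add(domain)
    return {ip: doms for ip, doms in by_ip.items() if len(doms) >= min_domains}


def redirect_chains(redirects, start):
    """Follow redirects from start until the chain ends at the payload host.
    A visited set guards against redirect loops in the observed data."""
    nxt = defaultdict(list)
    for src, dst in redirects:
        nxt[src].append(dst)
    chain, seen = [start], {start}
    while nxt[chain[-1]]:
        hop = nxt[chain[-1]][0]
        if hop in seen:
            break
        chain.append(hop)
        seen.add(hop)
    return chain


def common_sinks(redirects, domains):
    """Hosts that more than one of the given domains ultimately lead to,
    with the number of domains feeding each one."""
    counts = defaultdict(int)
    for domain in domains:
        for hop in redirect_chains(redirects, domain)[1:]:
            counts[hop] += 1
    return {host: n for host, n in counts.items() if n > 1}


def to_dot(resolutions, redirects):
    """Graphviz DOT: gray edges for hosting (domain -> IP), red edges for
    redirects (domain -> malicious server -> payload)."""
    lines = ["digraph malicious_ip {"]
    for domain, ip in resolutions:
        lines.append(f'  "{domain}" -> "{ip}" [color=gray];')
    for src, dst in redirects:
        lines.append(f'  "{src}" -> "{dst}" [color=red];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    hosts = shared_hosting(RESOLUTIONS)
    for ip, doms in hosts.items():
        print(f"{ip} hosts {len(doms)} domains; common sinks:",
              common_sinks(REDIRECTS, doms))
    print(to_dot(RESOLUTIONS, REDIRECTS))
```

Pipe the DOT text into `dot -Tpng` to get a picture like Fig.01; on real data, raise `min_domains` so that ordinary shared hosting (a CDN or a large virtual host) does not drown out the suspicious cluster.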
At the time of writing, the payload is a PHP script that builds a fresh exploited PDF for every request. This is server-side polymorphism: each visitor receives a byte-unique PDF, so file hashes and simple byte signatures never see the same sample twice, which makes the technique a powerful way of evading detection.

Fig.02 – Exploited PDF
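Because every download differs at the byte level, matching on the file hash is useless against this kind of server. The Python below is an added example, not the attacker's generator or any vendor's detection code. It constructs two harmless sample PDFs that imitate server-side polymorphism (random comment padding and a renamed JavaScript variable around an /OpenAction that only pops an alert), shows that their content hashes differ, and then shows that a structural fingerprint built from the sequence of PDF name tokens is the same for both. The fingerprint and the /OpenAction-plus-/JavaScript heuristic are illustrative assumptions, not a complete PDF parser.

```python
import hashlib
import random
import re

# PDF name tokens whose presence and combination matter more than the bytes around them.
SUSPICIOUS_NAMES = {"/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch", "/EmbeddedFile"}
NAME_RE = re.compile(rb"/[A-Za-z][A-Za-z0-9]*")
COMMENT_RE = re.compile(rb"%[^\r\n]*")


def build_sample_pdf(seed: int) -> bytes:
    """Constructed sample (not the attacker's script): a minimal PDF whose
    /OpenAction runs a harmless JavaScript alert. Every seed yields different
    bytes (random comment padding, random variable name) but the same structure,
    which imitates what a server-side polymorphic generator does."""
    rnd = random.Random(seed)
    padding = "".join(rnd.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(rnd.randint(8, 40)))
    var = "v" + "".join(rnd.choice("abcdef0123456789") for _ in range(6))
    js = f'var {var} = "{padding}"; app.alert("hello");'
    body = (
        "%PDF-1.4\n"
        f"%{padding}\n"
        "1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        "3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
        f"4 0 obj << /Type /Action /S /JavaScript /JS ({js}) >> endobj\n"
        "trailer << /Root 1 0 R >>\n%%EOF\n"
    )
    return body.encode("latin-1")


def content_hash(pdf: bytes) -> str:
    """What a hash-based blocklist sees: changes with every polymorphic sample."""
    return hashlib.sha256(pdf).hexdigest()


def structural_fingerprint(pdf: bytes) -> str:
    """Hash of the ordered sequence of PDF name tokens with comments stripped.
    Padding, renamed JavaScript variables and whitespace do not change it."""
    stripped = COMMENT_RE.sub(b"", pdf)
    return hashlib.sha256(b" ".join(NAME_RE.findall(stripped))).hexdigest()


def suspicious_names(pdf: bytes) -> set:
    """The subset of SUSPICIOUS_NAMES present in the file."""
    stripped = COMMENT_RE.sub(b"", pdf)
    return {name.decode() for name in NAME_RE.findall(stripped)} & SUSPICIOUS_NAMES


def is_suspicious(pdf: bytes) -> bool:
    """Heuristic: script that runs automatically on open (an auto action
    together with JavaScript) is worth a closer look regardless of the hash."""
    found = suspicious_names(pdf)
    return bool(found & {"/OpenAction", "/AA"}) and bool(found & {"/JavaScript", "/JS"})


if __name__ == "__main__":
    a, b = build_sample_pdf(1), build_sample_pdf(2)
    print("same bytes:        ", a == b)
    print("same content hash: ", content_hash(a) == content_hash(b))
    print("same fingerprint:  ", structural_fingerprint(a) == structural_fingerprint(b))
    print("suspicious:        ", is_suspicious(a), suspicious_names(a))
```

Real malicious PDFs hide their names behind compressed object streams and hex-escaped name characters (for example `/J#53` for `/JS`), so a production tool must inflate streams and normalise names before fingerprinting; the point here is only that structure survives byte-level polymorphism while hashes do not.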
Another payload that’s been around for some time is the fake codec malware that serves malicious installers for both Windows and Mac users.

Fig.03 – Installs Fake Codec Malware
The scale of this distribution network shows that the attacker means serious business. Thousands of malicious domains and IPs push malicious content every day, and keeping the Internet safe is now everyone's responsibility.
Stay alert and be informed!