Exploit on Amnesty pages tricks AV software
On its blog, security firm Armorize has reported on a clever exploit on certain web sites that infected visitors' computers with malware. Apparently, criminals injected a "drive-by download" on web sites such as that of human rights organisation Amnesty International.
Armorize says that the exploit took advantage of a security hole in Flash that was only fixed via an emergency patch by Adobe a few days ago. What made the attack special was the way in which the criminals exploited the hole. The security hole allowed them to inject arbitrary code and execute it in Flash Player. Typically, such "shell code" will use the URLDownloadToFile() function to retrieve the actual spyware from another server and then execute it. Since this function is only rarely used by browsers themselves, the heuristics or behaviour recognition features of modern anti-virus programs tend to become suspicious when they detect such activities and can, if necessary, even intervene to prevent an infection.
Armorize says that the trick was resoundingly successful. Although the Flash hole is a known vulnerability, not a single one out of 42 virus scanners reportedly exposed the malicious Flash file as a security risk. The posting on the Armorize blog offers further details, but it also contains exploit code that may trigger a virus monitor alarm.