Ran across a quite interesting infection today. I visited a site that prompted me with a security warning about a “Microsoft” application from an unknown publisher. The site is actually pretending to be a Gmail Attachment Viewer. Microsoft+Gmail? Fail.
Once the application is allowed to run, the site redirects to a Cisco Foundation invitation while downloading a malware binary in the background.
The message also contains a malicious link that downloads the same malware, perhaps to make sure that you really get infected.
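The lure pattern described above (a page that loads a Java applet under a borrowed brand name and then redirects the visitor elsewhere) can be flagged from the page source alone. The following detector is an added example, not code from the original post; the sample HTML, the `invitation.example` host and the `loader.jar` name are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Brand names a lure page may claim; Microsoft and Gmail are the ones seen in the post above.
SPOOFED_BRANDS = ("microsoft", "gmail", "google")

class AppletFinder(HTMLParser):
    """Collect JAR archives, advertised applet names and meta-refresh targets from a page."""
    def __init__(self):
        super().__init__()
        self.jars, self.labels, self.redirects = [], [], []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("applet", "object", "embed", "param"):
            for key in ("archive", "data", "src", "value"):
                if a.get(key, "").lower().endswith(".jar"):
                    self.jars.append(a[key])
            # <param name="..."> is a parameter name, not a label shown to the user
            if tag != "param":
                for key in ("name", "alt", "title"):
                    if a.get(key):
                        self.labels.append(a[key])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
            if m:
                self.redirects.append(m.group(1))

def assess(html):
    """Return the indicators found and whether the page matches the lure-then-redirect pattern."""
    p = AppletFinder()
    p.feed(html)
    spoofed = [l for l in p.labels if any(b in l.lower() for b in SPOOFED_BRANDS)]
    return {
        "jars": p.jars,
        "redirects": p.redirects,
        "spoofed_labels": spoofed,
        # A JAR applet alone is common; it is the brand claim or the redirect away
        # from the page that makes it match the behaviour described above.
        "suspicious": bool(p.jars) and bool(spoofed or p.redirects),
    }

# Constructed sample page (not the real lure) reproducing the described behaviour.
SAMPLE = """<html><head><title>Gmail Attachment Viewer</title>
<meta http-equiv="refresh" content="5; url=http://invitation.example/cisco">
</head><body>
<applet code="Viewer.class" archive="loader.jar" name="Microsoft Attachment Viewer" width="1" height="1"></applet>
</body></html>"""

if __name__ == "__main__":
    print(assess(SAMPLE))
```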
Anyway, this infection is generated using iJava Drive-by Generator, which apparently has been around for a while now.
The generator allows the attacker to use random names or specify their own preference for both the Java file and the dropped Windows binary.
iJava also keeps track of infections. Below is the data from the infection mentioned above:
This shows that for this particular malware the infection only started yesterday. So far there have been only 83 visits to the Java drive-by link.
And thankfully, he’s not very successful (knock on wood):
On 08/05/12 At 03:27 PM