
BlackHat SEO + Java vulnerable = hidden Trojan download

Image indexed on an infected site

A few days ago I commented on one of the ways Java is used to infect computers and stressed the importance of keeping it updated, or of not having it installed at all if it is not something you normally use. In relation to this, the following is an example of a BlackHat SEO attack that takes advantage of Java to install a Trojan.

It all starts with a Google image search: when users click an image to see it larger, they are redirected to a page that tries to infect their computers:

Image hosted on a compromised site

Clicking on the image ends on the following page:

Malicious page that downloads the Trojan in a hidden way

The page loads an exploit that takes advantage of a known Java vulnerability (CVE-2010-0840). If the installed version is old, the exploit can download and execute any file in a hidden way. In this case, the download is a Trojan that allows remote control of the computer.

The only thing users see is a fake error on the page. The most vigilant will notice that Java is running while the page is open, which, added to the earlier redirect, is too strange.

This happens because the legitimate site hosting the image was compromised: the attackers placed code to redirect all visitors who reach it from a search engine such as Google. It happens with all the pages and images hosted on the site. If the site is accessed directly nothing happens, and on computers other than Windows the redirection points to a dating site.
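A site owner can check for the conditional redirect described above by requesting the same URL with and without a search-engine referrer and with different User-Agent strings, then comparing where each response sends the visitor. The following is an added example, not code from the original post: the host names, header values and the `simulated_compromised_site` stand-in are constructed, and it assumes the redirect is an HTTP redirect (the post does not say how it is implemented).

```python
# Added example: detect referrer/User-Agent cloaked redirects on your own site.
from urllib.parse import urlsplit

SEARCH_REFERER = "https://www.google.com/search?q=example"  # constructed
WINDOWS_UA = "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0"      # constructed
LINUX_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/4.0"     # constructed

# Request profiles matching the three cases the post describes.
PROFILES = {
    "direct": {"User-Agent": WINDOWS_UA},
    "search+windows": {"User-Agent": WINDOWS_UA, "Referer": SEARCH_REFERER},
    "search+other-os": {"User-Agent": LINUX_UA, "Referer": SEARCH_REFERER},
}

def redirect_host(url, status, headers):
    """Return the off-site host a response redirects to, or None."""
    location = headers.get("Location")
    if status not in (301, 302, 303, 307, 308) or not location:
        return None
    host = urlsplit(location).hostname  # None for relative (same-site) targets
    return host if host and host != urlsplit(url).hostname else None

def check_cloaking(url, fetch):
    """fetch(url, headers) -> (status, response_headers), redirects not followed.
    Flags profiles that are sent off-site when a direct visit is not."""
    seen = {name: redirect_host(url, *fetch(url, hdrs))
            for name, hdrs in PROFILES.items()}
    baseline = seen["direct"]
    suspicious = {n: h for n, h in seen.items() if h and h != baseline}
    return {"cloaked": bool(suspicious), "redirects": suspicious}

def simulated_compromised_site(url, headers):
    """Constructed stand-in reproducing the behaviour described in the post."""
    if "google." not in headers.get("Referer", ""):
        return 200, {}  # direct access: nothing happens
    if "Windows" in headers["User-Agent"]:
        return 302, {"Location": "http://exploit-host.example/"}
    return 302, {"Location": "http://dating-site.example/"}

def clean_site(url, headers):
    """Constructed stand-in for an uncompromised site."""
    return 200, {}

if __name__ == "__main__":
    target = "http://victim-site.example/img/photo.jpg"  # constructed URL
    print(check_cloaking(target, simulated_compromised_site))
```

To run it against a real site, pass a `fetch` function built on an HTTP client with automatic redirect following disabled. A redirect performed by script in the page body would need the response content compared as well.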

Thanks, Larissa, for the warning!

See also: Fake Page Builder + Malicious Java.