ISC reader Gareth Attrill pointed us to an eBay auction containing escaped HTML code that sneaks in a link, which tries to get a trojanized .jar file (usage.jar) loaded on anyone who loads the listing. The latest .dat for McAfee immediately detected (and deleted) the code as Exploit-ByteVerify. The lister most likely managed to bypass other protections that otherwise prevent this kind of code from being inserted into item listings. Both eBay and the ISP that is hosting the malware have been notified.
The impact of this kind of attack is probably small, but it does present an interesting new vector for tricking users into going to locations that include the standard class of passive web browser exploits. Something like this using code that wasn't immediately known to the AV vendors and using an item that was very popular (say an XBOX 360 at release) could create a situation ripe for widespread exploitation.
Any site that allows users to enter HTML or images could theoretically be misused this way, which illustrates the importance of validating end-user input: both restricting what users can put in and, in the case of images, verifying that there are no exploits in the image files. These checks need to be repeated rather than performed only at entry, so that new DATs can examine existing files that may have gotten in before those DATs were implemented.
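The point about repeating checks, as an added example (not code from eBay, McAfee or the ISC): each stored listing records which rule version checked it, and a rule update triggers a re-check of everything accepted under older rules. The rule sets, function names and sample listings are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed rule sets standing in for successive signature (DAT) releases.
RULESETS = {
    1: {"script", "iframe"},
    2: {"script", "iframe", "applet", "object", "embed"},
}

class TagCollector(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)  # the parser delivers tag names lower-cased

def blocked_tags(html_text, version):
    """Return the tags in html_text that the given rule version forbids."""
    collector = TagCollector()
    collector.feed(html_text)
    collector.close()
    return sorted(set(collector.tags) & RULESETS[version])

def submit(store, listing_id, html_text, version):
    """Entry-time check; accepted listings remember the rule version used."""
    if blocked_tags(html_text, version):
        return False
    store[listing_id] = {"html": html_text, "checked_with": version}
    return True

def revalidate(store, version):
    """Re-check listings last checked with older rules; quarantine failures."""
    quarantined = {}
    for listing_id, item in list(store.items()):
        if item["checked_with"] >= version:
            continue  # already examined with these rules or newer
        hits = blocked_tags(item["html"], version)
        if hits:
            quarantined[listing_id] = hits
            del store[listing_id]
        else:
            item["checked_with"] = version
    return quarantined

def demo():
    """Constructed listings: A1 passes rule set 1 but is caught by rule set 2."""
    store = {}
    submit(store, "A1", '<b>Console</b><APPLET archive="sample.jar" code="X"></APPLET>', 1)
    submit(store, "A2", "<p>Boxed, <i>unused</i></p>", 1)
    return revalidate(store, 2), store
```

An entry-only check would have left listing A1 in place indefinitely; the re-check under rule set 2 removes it and marks A2 as examined with the newer rules.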
John Bambenek, bambenek *at* gmail *dot* com
Dec 7th 2005