honeyblog :: Acrobat Reader Exploit
Malicious Website with Acrobat Exploit
The following video illustrates how a drive-by download works. In this case, the victim is running
Internet Explorer 7 with a vulnerable version
of Acrobat Reader. The system is a virtual machine running under VMware Fusion, so that I can quickly recover from the exploit.
In a first step, a URL found by one of our honeyclients is opened. This web site shows a Google logo and a waiting message.
In the meantime, the site tries to exploit the browser: we can observe that AcroRd32.exe is started, and this is
the actual exploit. A few seconds afterwards (second 31), another process is launched and wJQs.exe is started.
This binary is a dropper with a bad detection rate
(0/32 at Virustotal at the time of writing). The dropper downloads an additional malware
sample named wmic.exe, which tries to sniff on the network card (thus a warning message pops up in VMware). A few
more malware binaries are downloaded later on and the machine is completely compromised...
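As an added example (not code from the original post), the process chain observed in the video can be turned into a simple detection: flag any process whose ancestry runs browser -> Acrobat Reader -> some further executable, since a PDF viewer launched from a browser has no business spawning new programs. The log format, PIDs and timestamps below are constructed to mirror the video, not captured data.

```python
from collections import OrderedDict

# Constructed process-creation log mirroring the video timeline (not real data).
# Format per line: <seconds> <pid> <ppid> <image>
SAMPLE_LOG = """\
0 100 1 explorer.exe
2 204 100 iexplore.exe
12 310 204 AcroRd32.exe
31 412 310 wJQs.exe
40 520 412 wmic.exe
45 530 412 svchost.exe
"""

BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
DOCUMENT_VIEWERS = {"acrord32.exe"}


def parse_log(text):
    """Return {pid: (seconds, ppid, image)} from the simple log format above."""
    procs = OrderedDict()
    for line in text.splitlines():
        if not line.strip():
            continue
        t, pid, ppid, image = line.split()
        procs[int(pid)] = (int(t), int(ppid), image)
    return procs


def chain(procs, pid):
    """Walk parent links from pid up to the root; return image names root-first."""
    names = []
    while pid in procs:
        _, ppid, image = procs[pid]
        names.append(image)
        pid = ppid
    return list(reversed(names))


def find_suspicious(procs):
    """Flag processes whose ancestry contains browser -> viewer -> <child>."""
    hits = []
    for pid, (t, _, _) in procs.items():
        names = chain(procs, pid)
        lowered = [n.lower() for n in names]
        # Need at least one process *below* the viewer, hence len - 2.
        for i in range(len(lowered) - 2):
            if lowered[i] in BROWSERS and lowered[i + 1] in DOCUMENT_VIEWERS:
                hits.append((t, " -> ".join(names)))
                break
    return sorted(hits)
```

Running `find_suspicious(parse_log(SAMPLE_LOG))` flags wJQs.exe at second 31 and every descendant it spawns, while AcroRd32.exe itself is not flagged.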