Java Drive-by Generator

Ran across a quite interesting infection today. I visited a site that prompted me with a security warning about a “Microsoft” application from an unknown publisher. The site is actually pretending to be a Gmail Attachment Viewer. Microsoft+Gmail? Fail.

google_attachment (26k image)

After allowing the application to run, it redirects to a Cisco Foundation invitation while downloading a malware binary in the background.

cisco_invite (20k image)

The message also contains a malicious link that downloads the same malware. Perhaps to make sure that you really get infected.

Anyway, this infection is generated using iJava Drive-by Generator, which apparently has been around for a while now.

The generator allows the attacker to use random names or specify their own preference for both the Java file and the dropped Windows binary.

ijava_main (100k image)

iJava also keeps track of infections. Below is the data from the infection mentioned above:

ijava_2ndp (66k image)

This shows that, for this particular malware, the infection campaign only started yesterday. So far there have been only 83 visits to the Java drive-by link.

And thankfully, he’s not very successful (knock on wood):

ijava_stats (28k image)

On 08/05/12 At 03:27 PM


Story added 8 May 2012; the full text is available at the content source linked above.