
antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4
Reviews:
·Time Warner Cable

1 edit

1 recommendation

Popular Site Speedtest.net Compromised by Exploit Drive-By

»www.invincea.com/2013/02/popular···nvincea/

"Cisco recently reported that the highest concentration of online security threats are in fact legitimate destinations visited by mass audiences. As if to underscore that point, we accidentally discovered an exploit on Speedtest.net, a site used by mass audiences to test their connection speed to the Internet. Now to be clear, Speedtest.net did not put this exploit up. Rather, speedtest.net is a victim of being exploited; but in turn their website was used to exploit countless others. As of this writing, Speedtest.net has rectified the issue, so they are safe to visit..."
--
Ant @ AQFL.net and AntFarm.ma.cx. Please do not IM/e-mail me for technical support. Use this forum or better, »community.norton.com ! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

I'm sort of confused. Speedtest.net does not use Java so wouldn't a user going there notice Java being invoked? They would get a popup from Oracle asking if they wanted to run a Java applet and knowing that the site uses Flash for speed testing rather than the superior Java wouldn't they get the hell out of Dodge as fast as they could after denying Java the right to run? The Oracle Java security slider doesn't work as well in IE as in other browsers but it does work in my experience but I have only used it with IE 10.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



Cartel
Premium
join:2006-09-13
Chilliwack, BC
kudos:2

»www.pingtest.net/

maybe this?



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico
reply to antdude

I'm kind of on board with Mele20 & Cartel.
Although Speedtest.Net is Flash-based and thus whacks you with LSOs every time you use it, and other than serving lots of ads that my TPLs were blocking, it seems clean.



gugarci
Premium
join:2004-02-25
Lyndhurst, NJ
Reviews:
·Comcast
reply to Mele20

Re: Popular Site Speedtest.net Compromised by Exploit Drive-By

said by Mele20:

I'm sort of confused. Speedtest.net does not use Java so wouldn't a user going there notice Java being invoked? They would get a popup from Oracle asking if they wanted to run a Java applet and knowing that the site uses Flash for speed testing rather than the superior Java wouldn't they get the hell out of Dodge as fast as they could after denying Java the right to run?

I think this would only apply to more security/tech savvy users. Most people will assume it's part of the site and run it.
--
Desktop Win 7 x64 Emsisoft Anti Malware v7, Laptop Win 7 x64 & Desktop XP Pro Emsisoft Anti Malware v7 & Online Armor Premium v6, Netbook Win 7 Starter and Netbook XP Home Avast 7, MBAM and Hitman Pro used on-demand only.


therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL

4 edits

2 recommendations

reply to Mele20

While speedtest.net may not use Java in their tests, that does not mean that it was not harboring a malicious Java app, simply sitting in wait for a vulnerable system to happen by, one with Java installed & enabled.

Actually from the looks of it, from the log, that was not the case. It looks more like the visitor was redirected (IFRAME or whatever) from speedtest.net to talkydao.is-an-accountant & it was from there that the Java app was launched.

(Wonder if nothing else that would have been picked up as an XSS exploit by NoScript?)

And if we read down further, it is all explained:

"Looking at the main index page on www.speedtest.net, we notice the following Javascript that has been injected onto the page:" ... "Once decoded, we see that the JS generates random third-level domains based on the date/time of the system. These are then prepended to several second level domains" ... "A request is then made for http:///finance and the following page is retrieved that serves two Java applets:"

"The exploit analysis shows that potentially a large number of users were exposed to a Java-based exploit temporarily hosted by speedtest.net. Indicators show the exploit implemented by injected Javascript and used the “g01pack” exploit kit likely compromised speedtest.net as part of a malvertising campaign. The exploit used a number of tactics and techniques to evade detection while exploiting the commonly vulnerable Java software plug-in. Speedtest.net is a popular site widely used to test network connection speeds. The exploit shows that legitimate sites pose risks to online users who browse without protection."

So it all started with JavaScript injected into the speedtest.net web page. That JS referenced foreign domains.

NoScript certainly stopped any further chances of exploit at that point.

Then there is Java itself. No Java, no exploit. Java disabled, no exploit. So if you need Java, whitelist it, allow it to run, only on sites you know, & know it is needed, & "trust" (heh).
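The post above describes two observable footprints of this campaign: a burst of freshly generated third-level labels under the same second-level domains, and a `.jar` fetched from a host the visitor only reached by redirect from speedtest.net. The following is an added example (not code from the thread or the Invincea write-up) that looks for both patterns in a constructed proxy log; the log lines, the `.test` domain and the label/entropy thresholds are all made-up assumptions.

```python
import math
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy-log sample (not from the article); fields: time client referer url.
# The generated third-level labels and the example-sld.test domain are placeholders.
SAMPLE_LOG = """\
2013-02-19T10:01:02 10.0.0.5 - http://www.speedtest.net/
2013-02-19T10:01:03 10.0.0.5 http://www.speedtest.net/ http://kq7zx3pd.example-sld.test/finance
2013-02-19T10:01:04 10.0.0.5 http://kq7zx3pd.example-sld.test/finance http://kq7zx3pd.example-sld.test/a.jar
2013-02-19T10:05:11 10.0.0.7 - http://www.speedtest.net/
2013-02-19T10:05:12 10.0.0.7 http://www.speedtest.net/ http://m9qvt2lr.example-sld.test/finance
2013-02-19T10:05:13 10.0.0.7 http://m9qvt2lr.example-sld.test/finance http://m9qvt2lr.example-sld.test/b.jar
2013-02-19T10:06:00 10.0.0.9 http://www.speedtest.net/ http://cdn.speedtest.net/flash/speedtest.swf
2013-02-19T10:07:00 10.0.0.9 - http://mail.example.com/inbox
"""

def label_entropy(label):
    """Shannon entropy in bits per character; date-seeded random labels score high."""
    n = len(label)
    counts = {ch: label.count(ch) for ch in set(label)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_generated(label, min_len=6, min_entropy=2.5):
    # Thresholds are assumptions tuned for this sample, not a published rule.
    return len(label) >= min_len and label_entropy(label) >= min_entropy

def parse(log_text):
    """Yield (client, referer_host, url_host, url) per line; '-' means no referer."""
    for line in log_text.splitlines():
        _ts, client, referer, url = line.split()
        ref_host = urlsplit(referer).hostname if referer != "-" else None
        yield client, ref_host, urlsplit(url).hostname, url

def find_churning_domains(log_text, min_labels=2):
    """Second-level domains that receive several distinct generated-looking third-level
    labels. Registered domain is naively the last two labels (no public-suffix list)."""
    seen = defaultdict(set)
    for _client, _ref, host, _url in parse(log_text):
        labels = host.split(".")
        if len(labels) >= 3 and looks_generated(labels[-3]):
            seen[".".join(labels[-2:])].add(labels[-3])
    return {sld: sorted(ls) for sld, ls in seen.items() if len(ls) >= min_labels}

def find_applet_chains(log_text):
    """Clients that fetched a .jar from a host they reached by redirect from another site."""
    landing_from = {}  # (client, host) -> host that referred the client there
    chains = []
    for client, ref_host, host, url in parse(log_text):
        if ref_host and ref_host != host:
            landing_from[(client, host)] = ref_host
        if url.lower().endswith(".jar") and (client, host) in landing_from:
            chains.append((client, landing_from[(client, host)], host, url))
    return chains
```

Both checks fire on the sample: the generated labels churn under one second-level domain, and each `.jar` request traces back through a redirect from www.speedtest.net, which is exactly the chain a NoScript-style block on foreign script would have cut short.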