A Great Example of Lots of Client-Side Exploits in One Place

There is a really nice post over at ISC right now by Daniel Wesemann about a site that is particularly thick with client-side exploits. I like it because it hits on multiple issues I have addressed in the past, this time in the context of a live exploit site. Definitely check out that link, but here are the key points:

The malicious site was found via a search engine.

The site used malicious iframe insertion to link to the sites which contained the actual exploits.

The pages used obfuscated JavaScript to hold links (iframes again) to other pages. We don't currently have any discussion of JavaScript obfuscation on its own, but I had previously touched on it in this article.

Of the 6 exploits that were found on 3 pages:

3 were variants of MS06-014 (CVE-2006-0003), an ActiveX exploit I haven't talked about before.
1 was the WebViewFolderIcon exploit.
1 was the VML exploit.
1 was the XML Core Services exploit.
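The iframe insertion and obfuscated-JavaScript points above are the kind of thing a defender can check for mechanically once a page has been fetched (with wget, say, rather than a browser). The following is an added example, not code from the original post or from ISC: a small Python scanner that finds iframes in static HTML, peels unescape() and String.fromCharCode() layers out of inline scripts to recover iframes written via document.write, and flags any iframe that is hidden, points off-site, or only appeared after decoding. The sample page, the hostnames example.net and malicious.example, and the "hidden if 0px or 1px" heuristic are all constructed for this example.

```python
import re
from urllib.parse import unquote, urlparse

# Patterns for iframe tags, their attributes, inline scripts, and the two
# decoding layers this example knows how to peel (unescape, fromCharCode).
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
UNESCAPE_RE = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.IGNORECASE | re.DOTALL)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)", re.IGNORECASE)


def js_unescape(s):
    """JavaScript unescape(): handles %uXXXX as well as %XX sequences."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def decode_script_layers(script, max_depth=4):
    """Return every string recovered from unescape()/fromCharCode() calls in
    the script, re-scanning each decoded string so nested layers are peeled too."""
    found, frontier = [], [script]
    for _ in range(max_depth):
        next_frontier = []
        for text in frontier:
            for m in UNESCAPE_RE.finditer(text):
                next_frontier.append(js_unescape(m.group(2)))
            for m in FROMCHARCODE_RE.finditer(text):
                codes = [int(c) for c in m.group(1).split(",") if c.strip()]
                next_frontier.append("".join(chr(c) for c in codes))
        if not next_frontier:
            break
        found.extend(next_frontier)
        frontier = next_frontier
    return found


def parse_attrs(tag_body):
    attrs = {}
    for m in ATTR_RE.finditer(tag_body):
        attrs[m.group(1).lower()] = (m.group(2) or m.group(3) or m.group(4) or "").strip()
    return attrs


def is_hidden(attrs):
    """Heuristic (constructed for this example): zero/one-pixel frames or
    CSS that hides the element are treated as hidden."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = {"0", "0px", "1", "1px"}
    return (attrs.get("width") in tiny or attrs.get("height") in tiny
            or "display:none" in style or "visibility:hidden" in style)


def find_iframes(html, page_host):
    """One finding per iframe: src, host, whether it is hidden, whether it is
    off-site, and whether it was static or recovered from decoded script."""
    sources = [("static", html)]
    for script in SCRIPT_RE.findall(html):
        for layer in decode_script_layers(script):
            sources.append(("decoded-js", layer))
    findings = []
    for origin, text in sources:
        for m in IFRAME_RE.finditer(text):
            attrs = parse_attrs(m.group(1))
            src = attrs.get("src", "")
            host = urlparse(src).hostname or page_host
            findings.append({"src": src, "host": host, "origin": origin,
                             "hidden": is_hidden(attrs), "offsite": host != page_host})
    return findings


def suspicious_iframes(html, page_host):
    return [f for f in find_iframes(html, page_host)
            if f["hidden"] or f["offsite"] or f["origin"] == "decoded-js"]


# Constructed sample page: one legitimate frame, one hidden off-site frame,
# one frame hidden behind unescape(), one behind String.fromCharCode().
SAMPLE_PAGE = """<html><body>
<p>Search result page (constructed sample).</p>
<iframe src="http://example.net/about" width="600" height="400"></iframe>
<iframe src="http://malicious.example/x.php" width="0" height="0" style="display:none"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fmalicious.example%2Fy.php%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E'));</script>
<script>document.write(String.fromCharCode(60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,109,97,108,105,99,105,111,117,115,46,101,120,97,109,112,108,101,47,122,46,112,104,112,34,62));</script>
</body></html>"""

if __name__ == "__main__":
    for f in suspicious_iframes(SAMPLE_PAGE, "example.net"):
        print(f"{f['origin']:10} hidden={f['hidden']!s:5} offsite={f['offsite']!s:5} {f['src']}")
```

Run against a wget-saved copy of a page (read the file and pass its hostname), the scanner lists the frames worth a closer look; the decoded-js origin is the interesting one, since a page has little legitimate reason to assemble an iframe tag out of percent-encoded or character-code strings.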

At the time I wrote this, however, I did some wgetting, and the first topsearch20.net link does not seem to have the iframes to stratrafongon . biz any more (don't go there btw :P), but the stratrafongon site is still hosting the malicious content. It is therefore not clear whether topsearch20.net was compromised or the links have simply been removed by the people who put them there. Of course we will be using this as a nice test case for the HoneyClient :).