Our honeypot caught several legit sites that were infected and pushing the same drive-by download. I decided to take a closer look.

Upon visiting the site, a PDF file will open (and crash) trying to run an executable exploiting an Acrobat Reader vulnerability.

I dug into the source code of the infected page. Strangely, the malicious (and obfuscated) JavaScript code appears twice. The first occurrence was commented out (did the web admin try to fix it?) but the second one was still active and in clear text.

I took a closer look at the JavaScript... It's all gibberish, so you have to use tools to make it readable. I used the free program Malzilla, which revealed the culprit: an ugly iframe!!!

I checked this IP address and it is listed as part of the RBN (Russian Business Network). If you visit that IP, you will see even more obfuscation.

Anyway, the PDF exploit can be opened with Notepad to reveal the malicious JavaScript code. Most AV vendors already detect it.

Jerome
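The post's last step (opening the PDF in a text editor to find the embedded JavaScript) can be automated for triage. The script below is an added example, not code from the post or from Malzilla: it counts the PDF name keys that mark script and auto-run behaviour, resolves `#xx` hex escapes inside names (so `/J#61vaScript` is not missed), and pulls out `/JS (...)` literal strings so the payload can be read without a viewer. The two sample PDFs and the key list are constructed for the example.

```python
import re

# Name keys that make a PDF worth a second look: embedded script, actions that
# fire on open, and launch/embedded-file tricks. List assumed for this example.
SUSPICIOUS_KEYS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")

# Constructed sample: catalog auto-runs a JavaScript action; the /JavaScript
# name is hex-escaped the way obfuscated samples often do it.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /J#61vaScript /JS (app.alert\\("constructed sample"\\);) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign sample: no script, no actions.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes inside PDF name tokens only, so /J#61vaScript
    becomes /JavaScript. Strings are left alone except where a '/' inside a
    string happens to look like a name (acceptable for triage)."""
    def fix(m):
        return re.sub(rb"#([0-9A-Fa-f]{2})",
                      lambda h: bytes([int(h.group(1), 16)]), m.group(0))
    return re.sub(rb"/[^\s/<>\[\]()]+", fix, data)


def count_keys(data: bytes) -> dict:
    """Count suspicious name keys plus total objects (pdfid-style summary)."""
    data = normalize_names(data)
    counts = {}
    for key in SUSPICIOUS_KEYS:
        # A name ends at whitespace or a delimiter; stop /JS matching /JSX.
        pattern = re.escape(key.encode()) + rb"(?![A-Za-z0-9])"
        counts[key] = len(re.findall(pattern, data))
    counts["obj"] = len(re.findall(rb"\bobj\b", data))  # 'endobj' is not matched
    return counts


def extract_js_literals(data: bytes) -> list:
    """Pull out /JS (...) literal strings, honouring backslash escapes and
    nested parentheses. Compressed /JS streams are out of scope here."""
    data = normalize_names(data)
    found = []
    for m in re.finditer(rb"/JS\s*\(", data):
        i, depth, buf = m.end(), 1, bytearray()
        while i < len(data):
            c = data[i:i + 1]
            if c == b"\\":            # escaped char: keep the next byte verbatim
                buf += data[i + 1:i + 2]
                i += 2
                continue
            if c == b"(":
                depth += 1
            elif c == b")":
                depth -= 1
                if depth == 0:
                    break
            buf += c
            i += 1
        found.append(buf.decode("latin-1"))
    return found


def triage(data: bytes) -> dict:
    """Summarise why a PDF deserves analyst attention."""
    counts = count_keys(data)
    reasons = []
    if counts["/JavaScript"] or counts["/JS"]:
        reasons.append("embedded JavaScript")
    if counts["/OpenAction"] or counts["/AA"]:
        reasons.append("action runs automatically on open")
    if counts["/Launch"]:
        reasons.append("/Launch action")
    if counts["/EmbeddedFile"]:
        reasons.append("embedded file")
    return {"counts": counts, "suspicious": bool(reasons),
            "reasons": reasons, "scripts": extract_js_literals(data)}


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF)):
        print(name, triage(blob))
```

Running it on a real sample is `triage(open(path, "rb").read())`; a hit on `/OpenAction` together with `/JS` is exactly the pattern described in the post, and the extracted literal is what Notepad would have shown.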