In a recent blog post, we pointed out a trend we described as economies of scale in cross-platform vulnerabilities. We noted that this method of distribution allows the attacker to maximize their potential impact across multiple platforms. In this context, we would like to take the discussion further and explain the ways platform-specific payloads are carried to targets or victims.

The threat landscape, and the relationship between attacker and victim within the digital distribution space, is widely governed by a supply chain mechanism called 'push and pull'. As illustrated in the diagram above, the attacker adopts a pull strategy: using online technologies to their advantage, they replace or take over a legitimate seller's offering in order to reach a target. The innocent user participates unknowingly, unaware that the supply chain is compromised, and easily falls prey to the attack. The targeted user pulls pages and/or products from the attacker's distribution channel, which leads to the successful installation of malware; this relationship is observed in many facets of malware infection.

In the case of a cross-platform offering, the attacker uses a decision agent to recognize the appropriate package or software for its target. When the victim pulls pages or content from the attacker's distribution channel, an agent (often the browser's user-agent string) supplies platform information, and the decision is made on the victim's behalf: the appropriate package or software is identified automatically, without asking the user.

In the recent case described above, we observed that the delivery of malicious code through vulnerabilities in Java employs a decision agent as part of a cross-platform attack. As shown in the timeline below, we first noticed this feature used in a Java vulnerability referred to as CVE-2011-3544. It was followed last month by the use of a Java Signed Applet attack, a form of social engineering in which the user is lured into accepting a signed Java applet, which then allows the attacker to run any payload.

We further observed that the decision agent may act as a loader, carrying out specific tasks such as pulling content from the attacker's distribution channel or simply locating a file within its own container to load or install onto the victim's machine (note that it may encrypt its payload, which can help it evade detection).
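As an added, defender-side example that is not from this post: the user-agent-driven selection described above leaves a footprint in web proxy logs, because a single URL hands different response bodies to different platforms. The Python script below works over constructed log lines in an assumed format (timestamp, client, URL, size, body hash, quoted User-Agent), groups responses by URL and OS family, and flags URLs whose body hash differs across platforms.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not from the post). Field order is an
# assumption: timestamp, client, URL, response bytes, body hash, "User-Agent".
SAMPLE_LOG = """\
2012-04-02T10:01:05Z 10.0.0.5 http://example.invalid/jsa/launch.jar 44120 hash-win-0001 "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"
2012-04-02T10:02:11Z 10.0.0.7 http://example.invalid/jsa/launch.jar 39870 hash-mac-0002 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3"
2012-04-02T10:03:40Z 10.0.0.9 http://example.invalid/jsa/launch.jar 41022 hash-lin-0003 "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0"
2012-04-02T10:04:02Z 10.0.0.8 http://example.invalid/jsa/launch.jar 44120 hash-win-0001 "Mozilla/5.0 (Windows NT 5.1; rv:10.0) Gecko/20100101 Firefox/10.0"
2012-04-02T10:05:00Z 10.0.0.5 http://example.invalid/index.html 2210 hash-idx-0009 "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"
2012-04-02T10:05:30Z 10.0.0.7 http://example.invalid/index.html 2210 hash-idx-0009 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) (\S+) "([^"]*)"$')

def os_family(user_agent):
    """Coarse platform bucket taken from the User-Agent string (Android lands in 'linux')."""
    ua = user_agent.lower()
    if "windows" in ua:
        return "windows"
    if "mac os x" in ua or "macintosh" in ua:
        return "macos"
    if "linux" in ua or "x11" in ua:
        return "linux"
    return "other"

def find_ua_dependent_content(log_text):
    """Return {url: {os_family: [body hashes]}} for URLs that served distinct
    bodies to more than one platform, the client-side trace of a decision agent."""
    per_url = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, _client, url, _size, body_hash, ua = m.groups()
        per_url[url][os_family(ua)].add(body_hash)
    findings = {}
    for url, by_os in per_url.items():
        distinct_hashes = set().union(*by_os.values())
        if len(by_os) > 1 and len(distinct_hashes) > 1:
            findings[url] = {os_: sorted(h) for os_, h in by_os.items()}
    return findings

if __name__ == "__main__":
    for url, by_os in find_ua_dependent_content(SAMPLE_LOG).items():
        print(url, {os_: hashes for os_, hashes in sorted(by_os.items())})
```

Legitimate sites also vary content by platform (responsive pages, per-OS installers), so treat a hit on an applet or JAR URL as a triage lead for pulling the samples, not as a verdict.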

While what we have described here is based on, and limited to, the samples we have handled and processed, this observation gives us an opportunity to understand the role of the agent in the distribution channel decision and, moving forward, the likelihood that intelligent agents will appear carrying out attacks within compromised networks.

We would like to reiterate that this type of attack highlights the importance of keeping security software signatures up to date, and of ensuring that the operating system and third-party applications are always updated to reduce the risk of malware infection. This best practice must extend to all devices and platforms, especially those in large enterprise networks.


Methusela Cebrian Ferrer
MMPC Melbourne