
JS/Aimesu


First posted on 17 October 2013.
Source: Microsoft

Aliases:

There are no other names known for JS/Aimesu.

Explanation:

Threat behavior

When you visit a webpage infected with JS/Aimesu it might show the following as the malware is installed:



Installation

A hacker can inject a client-side script into a vulnerable website, which then runs when you visit the compromised page. Usually the attack is delivered in multiple stages and involves another threat such as JS/BlacoleRef or JS/Redirector. These threats in turn will load JS/Aimesu.

JS/Aimesu uses exploits for known software vulnerabilities in Java, Adobe PDF Reader, and Flash Player.

It checks the versions of Java, Adobe Reader, and Flash Player installed on your PC and then loads an object (such as an iframe or an HTML "span") that references a remotely hosted, crafted Java applet, PDF file, or Flash object matching the vulnerable version it found.
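The behaviour above (plugin version probing followed by injection of an iframe/span pointing at a remote PDF, applet or Flash object) can be turned into a simple page-content heuristic. The scanner below is an added example, not Microsoft's code; the regexes, the verdict logic and the two sample pages are assumptions constructed for illustration.

```python
import re

# Indicators of the pattern described in the entry (all patterns are assumptions):
#  1. the script fingerprints installed plugins (Java, Adobe Reader, Flash);
#  2. it creates or embeds an iframe/span/object/embed/applet;
#  3. that element references a .pdf/.jar/.swf, or a .php path serving a Flash object.
PLUGIN_PROBE = re.compile(
    r"navigator\.(plugins|mimeTypes)|ShockwaveFlash|x-java-applet|Adobe Acrobat|AcroPDF",
    re.I)
OBJECT_INJECT = re.compile(
    r"createElement\(\s*['\"](iframe|span|object|embed|applet)['\"]\s*\)"
    r"|<(iframe|object|embed|applet)\b", re.I)
EXPLOIT_REF = re.compile(r"['\"]([^'\"\s]+\.(pdf|jar|swf|php))['\"]", re.I)
HIDDEN = re.compile(r"visibility\s*[:=]\s*['\"]?hidden|display\s*[:=]\s*['\"]?none", re.I)


def score_page(html: str) -> dict:
    """Return the matched indicators and a verdict for one page body."""
    refs = sorted({m.group(1) for m in EXPLOIT_REF.finditer(html)})
    hits = {
        "plugin_probe": bool(PLUGIN_PROBE.search(html)),
        "object_inject": bool(OBJECT_INJECT.search(html)),
        "exploit_refs": refs,
        "hidden_element": bool(HIDDEN.search(html)),
    }
    # Version probing alone and iframes alone are common on legitimate pages;
    # only the combination of all three indicators is flagged.
    core = hits["plugin_probe"] and hits["object_inject"] and bool(refs)
    hits["verdict"] = "suspicious" if core else "clean"
    return hits


# Constructed sample resembling the described landing page (no exploit content).
LANDING = """<html><body><span id="s"></span><script>
var pdf = navigator.plugins["Adobe Acrobat"];
var jre = navigator.mimeTypes["application/x-java-applet"];
if (pdf) { var f = document.createElement('iframe');
  f.style.visibility = 'hidden'; f.src = "/brackets/walk_electron.pdf";
  document.getElementById('s').appendChild(f); }
</script></body></html>"""

# Constructed benign page: links a PDF and embeds an iframe, but probes no plugins.
BENIGN = """<html><body><h1>Docs</h1>
<a href="/files/manual.pdf">Manual (PDF)</a>
<iframe src="https://example.com/embed/video" width="560"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(score_page(LANDING)["verdict"], score_page(BENIGN)["verdict"])
```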

In the wild, we have seen this malware connect to the following URLs:

  • wheatmildew-unazotized.lindsayandmerritt.com /<removed>/world/walk_electron.pdf
  • wheatmildew-unazotized.lindsayandmerritt.com /<removed>/prove-slippery_unsteady.pdf
  • wheatmildew-unazotized.lindsayandmerritt.com /<removed>/defeat_chap_naked.pdf


For Flash exploits, the path is relative to the location of the infected URL, for example:

  • <Malicious URL>/brackets/advert03.php (contains the crafted Flash object)


Payload

Downloads other malware

JS/Aimesu downloads components of the "Blackhole" and "Cool" exploit kits. These exploits then download other malware onto your PC, including Win32/Zbot and Win32/Winwebsec.

Loads exploit files

JS/Aimesu will load exploits based on the vulnerable software on your PC. These exploits include:

  • CVE-2010-0188 - Adobe Acrobat bundled libtiff integer overflow vulnerability
  • CVE-2010-0840 - Sun Java JRE trusted methods chaining remote code execution vulnerability
  • CVE-2011-3544 - Vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier




Analysis by Rodel Finones

Symptoms

Alerts from your security software may be the only symptom.

Last update 17 October 2013
