Ran across quite an interesting infection today. I visited a site that prompted me with a security warning about a "Microsoft" application from an unknown publisher. The site is actually pretending to be a Gmail Attachment Viewer. Microsoft+Gmail? Fail.



After allowing the application to run, it redirects to a Cisco Foundation invitation while downloading a malware binary in the background.



The message also contains a malicious link that downloads the same malware. Perhaps to make sure that you really get infected.

Anyway, this infection is generated using iJava Drive-by Generator, which apparently has been around for a while now.

The generator allows the attacker to use random names or specify their own preference for both the Java file and the dropped Windows binary.



iJava also keeps track of infections. Below is the data from the infection mentioned above:



Which shows that for this particular malware, the infection only started yesterday. So far there's only 83 visits to the Java drive-by link.

And thankfully, he's not very successful (knock on wood):



Updated to add: The number of visits has now increased to 122 with a 26% success rate. Since it's counting the number of visits, if a specific IP accessed the page twice it then counts it as two. The total unique IPs so far is 77 with 30% success rate.

Kaspersky's Kurt Baumgartner has pointed out that this rate can actually be considered pretty high for such kits.