On June 28, the popular video sharing website Dailymotion was compromised to redirect users to the Sweet Orange Exploit Kit. This exploit kit takes advantage of vulnerabilities in Java, Internet Explorer, and Flash Player. If the vulnerabilities were successfully exploited during the campaign, pay-per-click malware was then downloaded on the victim’s computer. This week, Dailymotion is no longer compromised, as users are currently not being redirected to the exploit kit.
We believe that the attackers compromised Dailymotion in order to target a large number of users. Dailymotion is in Alexa’s top 100 most popular websites list, so the attackers could have potentially infected a substantial amount of users’ computers with malware through this attack. We found that the campaign mainly affected Dailymotion visitors in the US and Europe.
Figure 1. Regions affected by the Sweet Orange Exploit kit
How the attack worked
The attackers injected an iframe into the Dailymotion website which redirected users to a different website. This website in turn sent users to a highly obfuscated landing page of the Sweet Orange Exploit Kit
The exploit kit detected any vulnerable plugins on the user’s computer and dropped the exploits accordingly. The sweet orange exploit kit is known for exploiting the following vulnerabilities.
Figure 2. Sweet Orange Exploit Kit’s successful exploitation
If the kit successfully exploited any of these vulnerabilities, then Trojan.Adclicker was downloaded onto the victim’s computer. This malware forces the compromised computer to artificially generate traffic to pay-per-click Web advertisements in order to generate revenue for the attackers.
Symantec has had detections in place against the Sweet Orange Exploit Kit since 2013, so customers with updated IPS and antivirus signatures were protected against this attack. Users should also ensure that they update their software regularly to prevent attackers from exploiting known vulnerabilities.