
Dailymotion Compromised to Send Users to Exploit Kit

Created: 03 Jul 2014 17:01:17 GMT
Ankit Singh

On June 28, the popular video sharing website Dailymotion was compromised to redirect users to the Sweet Orange Exploit Kit. This exploit kit takes advantage of vulnerabilities in Java, Internet Explorer, and Flash Player. If the vulnerabilities were successfully exploited during the campaign, pay-per-click malware was then downloaded onto the victim’s computer. As of this week, Dailymotion is no longer compromised, and users are not being redirected to the exploit kit.

We believe that the attackers compromised Dailymotion in order to target a large number of users. Dailymotion is in Alexa’s top 100 most popular websites list, so the attackers could have potentially infected a substantial number of users’ computers with malware through this attack. We found that the campaign mainly affected Dailymotion visitors in the US and Europe.


Figure 1. Regions affected by the Sweet Orange Exploit Kit

How the attack worked

The attackers injected an iframe into the Dailymotion website, which redirected users to a different website. This website in turn sent users to a highly obfuscated landing page of the Sweet Orange Exploit Kit.
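A defender-side check for the iframe injection described above, as an added example that is not from the original post or from Symantec: it parses a page's HTML and reports every iframe whose source host is not on the site operator's allowlist. The host names, the allowlist, the "hidden frame" heuristic and the sample page are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the operator expects to frame (assumed values for this example).
ALLOWED_FRAME_HOSTS = {"ads.partner.example"}


class IframeAuditor(HTMLParser):
    """Collect every <iframe> whose src resolves to a host outside the allowlist."""

    def __init__(self, page_host, allowed_hosts):
        super().__init__()
        self.page_host = page_host.lower()
        # The page's own host is always an acceptable frame source.
        self.allowed = {h.lower() for h in allowed_hosts} | {self.page_host}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        # Relative URLs have no hostname, so they resolve to the page's own host.
        host = (urlparse(src).hostname or self.page_host).lower()
        if host in self.allowed:
            return
        style = a.get("style", "").replace(" ", "").lower()
        # Heuristic (assumption): tiny or invisible frames deserve a higher priority.
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        self.findings.append({"src": src, "host": host, "hidden": hidden})


def audit_iframes(html, page_host, allowed_hosts=ALLOWED_FRAME_HOSTS):
    """Return a list of off-allowlist iframes found in the given HTML."""
    auditor = IframeAuditor(page_host, allowed_hosts)
    auditor.feed(html)
    return auditor.findings


# Constructed sample page: two expected frames and one unexpected off-site frame.
SAMPLE_PAGE = """<html><body>
<iframe src="/embed/video/x1abc" width="480" height="270"></iframe>
<iframe src="//ads.partner.example/slot?id=7" width="300" height="250"></iframe>
<iframe src="http://redirector.invalid/in.php" width="1" height="1" style="visibility: hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_iframes(SAMPLE_PAGE, "video.example"):
        print(finding)
```

Run against rendered pages on a schedule, a check like this surfaces an unexpected frame source as a change from the known-good baseline.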

The exploit kit detected any vulnerable plugins on the user’s computer and dropped the exploits accordingly. The Sweet Orange Exploit Kit is known for exploiting the following vulnerabilities.


Figure 2. Sweet Orange Exploit Kit’s successful exploitation

If the kit successfully exploited any of these vulnerabilities, then Trojan.Adclicker was downloaded onto the victim’s computer. This malware forces the compromised computer to artificially generate traffic to pay-per-click Web advertisements in order to generate revenue for the attackers.

Symantec protection

Symantec has had detections in place against the Sweet Orange Exploit Kit since 2013, so customers with updated IPS and antivirus signatures were protected against this attack. Users should also ensure that they update their software regularly to prevent attackers from exploiting known vulnerabilities.

Intrusion prevention

Antivirus Protection

Trojan.Adclicker