First of all we love SpeedTest.net. Even with its Flash-based War Games effects, it’s still our goto site when investigating slow network connections. That’s why we were a little taken aback when we discovered an Invincea blog post noting that our beloved site being involved in exploiting visitors using one of the recent Java vulnerabilities. The main theme behind the Invincea post wasn’t necessarily their browser sandboxing product per se (although it does look helpful) but more on emphasizing “that the highest concentration of online security threats are in fact legitimate destinations visited by mass audiences.”
In the detailed post Eddie Mitchell analyzes the attack on SpeedTest.net. One of the key findings was that the popular site didn’t actually host any Java exploit code but simply redirected visitors to another site that did.
We recently stumbled across an exploit of speedtest.net in doing what normal users do – visiting a legitimate site that provides a legitimate service. In this case after being exploited, www.speedtest.net was being used to redirect user traffic to sites hosting malicious code. In order to verify, we employed a Windows XP SP3 test machine protected by Invincea Enterprise and installed with IE8 and Java 7 Update 10. Java 7 Update 11 is currently the latest and was released by Oracle in response to the previous Java 0-day vulnerability (CVE-2013-0422).
Eddie continues on with some screenshots showing an analysis of the attack in action using their test machine protected by the Invincea browser protection add-on along with Wireshark and VirusTotal.com. In the end he concludes:
Here’s a video they produced showing the exploit in action.
As of early Monday SpeedTest.net had fixed the redirection vulnerability however if you visited the site starting late Friday through then, it might be time to clean some malware off your computer using our four easy steps. 😉
Source: “Popular Site Speedtest.net Compromised by Exploit…Drive-By STOPPED by Invincea” – Invincea.com
Did you visit SpeedTest.net over the weekend? Notice anything odd? Let us know in the comments below. Today’s post pic is from SpliceVine.com. See ya!