JS/Aimesu

When you visit a webpage infected with JS/Aimesu it might show the following as the malware is installed:

Installation

A hacker can inject a client-side script into a vulnerable website, which then runs when you visit the compromised page. Usually the attack is delivered in multiple stages and involves another threat such as JS/BlacoleRef or JS/Redirector. These threats in turn will load JS/Aimesu.

JS/Aimesu uses exploits for known software vulnerabilities in Java, Adobe PDF Reader, and Flash player.

It checks the version of Java, Adobe, and Flash player installed on your PC and loads an object (such as Iframe, or HTML "span") that references the remote-crafted Java applet, PDF file, or Flash object.

In the wild, we have seen this malware connect to the following URLs:

• wheatmildew-unazotized.lindsayandmerritt.com/<removed>/world/walk_electron.pdf
• wheatmildew-unazotized.lindsayandmerritt.com/<removed>/prove-slippery_unsteady.pdf
• wheatmildew-unazotized.lindsayandmerritt.com/<removed>/defeat_chap_naked.pdf

For Flash exploits, the path is relative to the location of the infected URL, for example:

• <Malicious URL>/brackets/advert03.php (contains the crafted Flash object)

Payload

Downloads other malware

JS/Aimesu downloads components of the "Blackhole" and "Cool" exploit kits. These exploits then download other malware onto your PC, including Win32/Zbot and Win32/Winwebsec.

Loads exploit files

JS/Aimesu will load exploits based on the vulnerable software on your PC. These exploits include:

• CVE-2010-0188 -Adobe Acrobat bundled libtiff integer overflow vulnerability
• CVE-2010-0840 - Sun Java JRE trusted methods chaining remote code execution vulnerability
• CVE-2011-3544 - Vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier

Analysis by Rodel Finones