
Unsafe VKontakte, or collecting the millionth botnet?


Published with the author's permission (he has no Habr account) and in close cooperation with him.

About three months ago, users of one network noticed a problem: while browsing, the web browser would hang, and Java was being loaded on pages that contained no applets at all.
After a fairly long conversation with the person it became clear that the problem occurred on some VKontakte public pages. These pages were analyzed in detail for frames, but everything turned out to be perfectly clean. Traffic sniffing also showed nothing suspicious.

After a series of experiments it became clear that on one page the frame was loaded only once, and only for an authorized user, apparently because the display was restricted by VKontakte ID (the user did not save cookies). The question of where the frame was being loaded from, however, remained unresolved.

In total, about 30 public pages were visited with the sniffer running. After filtering out all the VKontakte traffic, it turned out that quite a lot of scripts were being loaded from a German server (46.4.112.52), and it was one of these scripts that loaded the frame with the exploit (yes, for those who did not get it: the Java loading window meant that the browser had been hit by an exploit pack, and you may already be part of someone's botnet). The proof is the download of /games/worms.jar/, detected as Exploit.Java.CVE-2010-0840.bd (possibly part of the Black Hole exploit pack).

At that moment the administrator conducting the investigation did not care why VKontakte public pages were loading something from Germany, and the investigation ended with the logical step of blocking the German IP. This solved the problem completely, which indirectly proves that we were not dealing with a local infection of the system that injected libraries into the web browser's address space.
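As an added illustration (not code from the original post), here is the kind of triage the administrator describes, in Python over a few constructed sniffer log lines of the form `<referrer> -> <requested URL>`: every load from a host outside the network's own domains is grouped by the pages that pulled it in, and fetches of Java archives or other plugin content are flagged. The first-party host list and the log format are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumed set of hosts that legitimately serve the network's own pages and assets.
FIRST_PARTY = {"vk.com", "vkontakte.ru", "userapi.com"}
# Content that has no business being fetched on a page that has no applets or plugins.
ACTIVE_CONTENT = (".jar", ".class", ".swf", ".pdf")

# Constructed sample of what the sniffer saw: "<referrer> -> <requested URL>".
SAMPLE_LOG = [
    "http://vk.com/public123 -> http://vk.com/js/lib.js",
    "http://vk.com/public123 -> http://cs1234.userapi.com/u1/photo.jpg",
    "http://vk.com/public123 -> http://46.4.112.52/widget/loader.js",
    "http://vk.com/public123 -> http://46.4.112.52/frame.html",
    "http://46.4.112.52/frame.html -> http://46.4.112.52/games/worms.jar/",
    "http://vk.com/public777 -> http://46.4.112.52/widget/loader.js",
]

def is_first_party(host):
    return any(host == d or host.endswith("." + d) for d in FIRST_PARTY)

def parse_line(line):
    """Return (referrer_host, requested_host, requested_path) or None if the line is malformed."""
    m = re.match(r"^(\S+) -> (\S+)$", line.strip())
    if not m:
        return None
    ref, url = urlparse(m.group(1)), urlparse(m.group(2))
    return ref.hostname, url.hostname, url.path

def triage(lines):
    """Group third-party loads by host and flag active-content downloads.

    Returns ({third_party_host: [referrer hosts]}, [(host, path) of flagged fetches]).
    """
    third_party = defaultdict(set)
    flagged = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ref_host, host, path = parsed
        if host is None or is_first_party(host):
            continue
        third_party[host].add(ref_host or "")
        # Trailing slash as in "/games/worms.jar/" must not hide the extension.
        if path.lower().rstrip("/").endswith(ACTIVE_CONTENT):
            flagged.append((host, path))
    return {h: sorted(p for p in refs if p) for h, refs in third_party.items()}, flagged

if __name__ == "__main__":
    hosts, hits = triage(SAMPLE_LOG)
    for host, pages in hosts.items():
        print(f"third-party host {host} pulled in by {pages}")
    for host, path in hits:
        print(f"FLAGGED active content: {host}{path}")
```

Running the script over the constructed log lists 46.4.112.52 as the only third-party host behind the public pages and flags the worms.jar fetch it served.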

Then, on July 20, 2011, interesting news appeared: the IP that had been blocked a couple of months earlier belongs to the "Widgets for official pages" application, which for some reason was blocked by the VK administration.

A bit of googling turns up more interesting news on the topic. And such statistics.

What then?

Millions of people visited the public pages every day, and about 80% of them in one way or another ran into Widgets, which in turn funneled traffic (we won't go into whether it did so itself or not, but it did) into exploits.
During these three months, up to 90% of the entire social network could have visited the public pages carrying the virus.

The scale is serious; it is strange that everyone is silent about this...

Three questions remain open:
1. Was there an exploit frame for all three months, or was it removed for a while?

2. Why is the "Widgets for official pages" application blocked? Fine, it was a hack; the servers were cleaned and the links corrected, as if by magic, but if there was a drive-by download, why are the victims not urged to quickly scan their computers with an antivirus?

3. Why, in fact, is the VKontakte administration silent?

By the way, here he is, the owner of the widgets (not a fake at all, as can be seen from the link above).

PS There was a slight misunderstanding: Andrei Kedrov is responsible for a different application and is not related to "Widgets for official pages"; the hack of his application simply coincided with the subject matter. We apologize for this misunderstanding. And here is some interesting information from Mr. Kedrov:

I am Andrei Kedrov. Please remove my first and last name from your Habr account, since you associate me with someone else's application. In the original source from which the article was written, only the link goes to me, but I have nothing to do with Widgets for official pages. We have a separate application that was hacked, in contrast to the one in question. According to the official version of the author "Anya", that was also a hack, but many of my friends say otherwise, especially since they sent me a link on their server from which the traffic was loaded, and this link had already appeared in one of the complaints about their application, for which they had already been blocked.
And the issue with our application was resolved with the administration within a few hours after my return home from vacation. Anya, meanwhile, received a block without the right to be unbanned. Although no, a correction: the administration and Anya did come to terms after all. The application was restored just a few minutes ago, although "Anya" himself wrote that he had been refused. In general, an interesting situation, in fact.


Nevertheless, the similar frequency of hacks of VKontakte applications prompts sad thoughts... As does the VKontakte administration's policy towards those responsible. Are there many such "Anyas"?

Source: https://habr.com/ru/post/124537/
