Researchers at Armorize have discovered that the Amnesty International UK site was recently compromised, serving the latest Adobe 0-day vulnerability (since patched) to visitors of the site. However, this isn't some ordinary drive-by download. Instead, it is being delivered to users in a different way:
The method of attack is a variation of the drive-by download mechanism; we dub it "drive-by cache." This mechanism makes the infection harder to detect than drive-by download.
The researchers go on to describe more details of the attack, including why this differs from a drive-by-download.
After being executed, it doesn't make an attempt to download a file and write it to disk. Instead, it locates the malware which is already sitting in the browser's cache directory, and executes it. And that's why we take out the word download and dub it drive-by cache.
They note that 0 out of 40 antivirus vendors detect the malicious Flash file (.swf). The malicious binary used in the drive-by cache was detected by only a single antivirus solution out of the 40 offerings used on VirusTotal.
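Because the payload in a drive-by cache is already on disk before the exploit runs, one defender-side check is to look inside the browser cache for objects that are really Windows executables, whatever name or extension they were stored under. The following is an added example written for this post, not code from Armorize or the original author; the cache layout and file names are constructed for the demonstration.

```python
"""Flag browser-cache entries that carry a PE (Windows executable) image,
regardless of their extension. Added example for the drive-by cache pattern;
not Armorize's or the post author's code."""
import os
import struct
import tempfile
from pathlib import Path


def is_pe_image(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_cache(cache_dir: str) -> list:
    """Walk a cache directory and return POSIX-style relative paths of PE images."""
    hits = []
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            path = Path(root) / name
            with open(path, "rb") as fh:
                head = fh.read(4096)  # both headers sit in the first few KB
            if is_pe_image(head):
                hits.append(path.relative_to(cache_dir).as_posix())
    return sorted(hits)


def build_sample_cache() -> str:
    """Constructed sample cache (no real malware): one PE stub disguised as a
    .png in a subdirectory, plus a benign SWF and a benign PNG."""
    cache = tempfile.mkdtemp(prefix="cache_")
    sub = Path(cache) / "entries"
    sub.mkdir()
    # Minimal DOS header: 'MZ', e_lfanew at 0x3C pointing to 0x40, then 'PE\0\0'.
    pe_stub = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
               + b"PE\x00\x00" + b"\x00" * 20)
    (sub / "f_00012345.png").write_bytes(pe_stub)
    (Path(cache) / "ad.swf").write_bytes(b"CWS\x0a" + b"\x00" * 64)       # compressed SWF magic
    (Path(cache) / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    return cache


if __name__ == "__main__":
    for hit in scan_cache(build_sample_cache()):
        print("executable in cache:", hit)
```

Content-type and extension are chosen by the server, so a check like this keys on the bytes themselves rather than on the name the object was cached under.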
This example is a reminder of the ongoing cat and mouse game between cybercriminals and Internet security professionals. If you haven't already, please apply the recent patch issued by Adobe for their Flash and AIR products.