Fake Alert malware with a sting in the tail

Filed Under: Malware, SophosLabs

Earlier this morning, whilst looking through some of the web attacks seen over the last few days, I noticed an interesting one, which I will outline in this blog post.

The attack starts on what looks to be some portal to a series of porn sites. The site in question provides numerous links to pornographic images and videos. It could be that victims are being directed to this site from spam or other compromised sites, but at the time of writing we have not seen this. It could simply be that victims are intended to find the site whilst browsing for porn.

[Porn portal]

If you look at the source of this page, two malicious payloads are evident.

Payload 1

[Page source showing the two payloads]

The first payload is the use of window.open() and setTimeout() to open a new browser window after 10 seconds, displaying a PornTube-related site.

[Fake PornTube error message]

Regular readers will be familiar with PornTube and the style of the fake error message shown above. The site entices the victim into installing fake security software which is actually malware. Sophos proactively detects this threat as Mal/EncPk-EU; its purpose is to download and install fake alert malware (Antivirus XP 2008). The installed malware is also proactively detected (Troj/FakeAV-Gen and Mal/EncPk-CZ).

[Antivirus XP 2008 EULA]
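The two page-level indicators described above, a setTimeout()-delayed window.open() popup and an iframe pulling in a page from a sub-folder, are simple enough to triage statically. The following Python scanner is an added example, not code from the post or from SophosLabs; the page source it runs over is constructed for the example (the hostname, the iframe path and the 10-second delay are assumptions modelled on the description), and it flags delayed popups with their delay and iframes that are sized or styled to be invisible.

```python
import re

# Constructed sample page source (an assumption for this example, not the
# portal page from the post): a concealed iframe to a sub-folder page and a
# setTimeout()-delayed window.open() popup, the two indicators described above.
SAMPLE_PAGE = """<html><body>
<a href="gallery1.html">Pics</a> <a href="vids.html">Vids</a>
<script type="text/javascript">
setTimeout("window.open('http://tube.example.invalid/?id=1')", 10000);
</script>
<iframe src="stats/index.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*["']?([^"'\s>]*)""")
SET_TIMEOUT_RE = re.compile(r"setTimeout\s*\(")
TRAILING_DELAY_RE = re.compile(r",\s*(\d+)\s*$")


def _call_args(src, open_paren):
    """Return the text between the parentheses of the call whose '(' is at
    src[open_paren], ignoring brackets that appear inside quoted strings."""
    depth, quote, i = 0, None, open_paren
    while i < len(src):
        c = src[i]
        if quote:
            if c == "\\":
                i += 1                      # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "\"'":
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
        i += 1
    return None                             # unbalanced: give up on this call


def find_delayed_popups(html):
    """Flag setTimeout() calls whose body opens a new window, with the delay."""
    findings = []
    for script in SCRIPT_RE.findall(html):
        for m in SET_TIMEOUT_RE.finditer(script):
            args = _call_args(script, m.end() - 1)
            if args is None or "window.open" not in args:
                continue
            delay = TRAILING_DELAY_RE.search(args)
            findings.append({
                "indicator": "delayed_popup",
                "delay_ms": int(delay.group(1)) if delay else None,
                "snippet": " ".join(args.split())[:80],
            })
    return findings


def find_iframes(html):
    """Flag iframes, noting whether they are sized or styled to be invisible."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        style = attrs.get("style", "").replace(" ", "").lower()
        tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
        hidden = "visibility:hidden" in style or "display:none" in style
        findings.append({
            "indicator": "iframe",
            "src": attrs.get("src", ""),
            "concealed": tiny or hidden,
        })
    return findings


def scan_page(html):
    """Combine both checks into one list of findings for a page source."""
    return find_delayed_popups(html) + find_iframes(html)


if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE):
        print(finding)
```

The paren matcher exists because the first argument to setTimeout() is often a quoted string that itself contains parentheses and commas, so splitting on `;` or `,` would cut the call in the wrong place; the iframe check treats a 1x1 or hidden frame as concealed, which on its own is a hint rather than a verdict.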

Payload 2

The porn portal page also contains an iframe to a page in a sub-folder. That page contains a malicious script (proactively detected as Mal/ObfJS-M) which serves two purposes, as is evident from our analysis system output:

[Analysis system output: Mal/ObfJS-M payload tree]

Firstly, the script attempts to load a PDF file containing malicious JavaScript that attempts to exploit an Adobe Reader vulnerability (CVE-2007-5659). If the exploit is successful, the victim is infected with data-stealing malware proactively detected by Sophos as Mal/EncPk-CO.
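A PDF that carries JavaScript and an action that fires when the document is opened is the shape of the first payload above, and that shape can be picked out from the raw bytes before any parsing of the exploit itself. The Python triage below is an added example, not code from the post or from SophosLabs, and the two PDFs it inspects are constructed for the example (the JavaScript in the sample is an app.alert, not the exploit); it counts the names a defender cares about and, because PDF names may be written with #xx hex escapes, decodes those first so an obfuscated /J#61vaScript is still counted.

```python
import re

# Constructed minimal PDF (an assumption for this example, not the sample from
# the post): the catalog's /OpenAction points at a JavaScript action object,
# and one name is hex-escaped (/J#61vaScript) as obfuscated samples sometimes are.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign PDF with no actions or scripts at all.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

SCRIPT_NAMES = (b"/JavaScript", b"/JS")
AUTORUN_NAMES = (b"/OpenAction", b"/AA")          # /AA = additional-actions dict
OTHER_NAMES = (b"/Launch", b"/EmbeddedFile")
NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_names(data):
    """Decode #xx hex escapes so /J#61vaScript is counted as /JavaScript.
    Applied to the whole file as a heuristic; it may also touch string bodies."""
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_names(data):
    """Count occurrences of each name of interest, as whole names only."""
    data = normalise_names(data)
    counts = {}
    for name in SCRIPT_NAMES + AUTORUN_NAMES + OTHER_NAMES:
        # A name ends at the first delimiter or whitespace; the negative
        # lookahead stops /JS from matching inside a longer name such as /JSX.
        pattern = re.escape(name) + rb"(?![A-Za-z0-9_])"
        counts[name.decode()] = len(re.findall(pattern, data))
    return counts


def triage_pdf(data):
    """Return the name counts, a verdict and the reasons behind it."""
    if not data.startswith(b"%PDF"):
        return {"verdict": "not a PDF", "reasons": [], "counts": {}}
    counts = count_names(data)
    has_script = any(counts[n.decode()] for n in SCRIPT_NAMES)
    has_autorun = any(counts[n.decode()] for n in AUTORUN_NAMES)
    reasons = []
    if has_script:
        reasons.append("embedded JavaScript")
    if has_autorun:
        reasons.append("action that runs on open or on an event")
    if has_script and has_autorun:
        verdict = "suspicious"
    elif reasons:
        verdict = "review"
    else:
        verdict = "no indicators"
    return {"verdict": verdict, "reasons": reasons, "counts": counts}


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_PDF), ("benign", BENIGN_PDF)):
        print(label, triage_pdf(sample))
```

Counting names is a first-pass filter only: JavaScript can also sit inside compressed object streams, where the names are not visible to a byte scan, so a "no indicators" verdict from this check should not be read as clean.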

The second payload of the Mal/ObfJS-M script is to infect the victim with a downloader Trojan. As you can see from the diagram above, at the time of analysis, this downloader was not detected by Sophos. It has since been added as Troj/Dloadr-BSR.

Phew! A good example of how today's attackers are bombarding victims with malicious code. Not satisfied with installing fake security software in order to scam money out of their victims, they also install data-stealing Trojans to compromise the machine as well.


About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.