GPack kit now being used by AntiVirus200x

Readers will be familiar with the growth in the volume of “fake alert” malware in recent months [1, 2]. One of the more notorious families we have been seeing in large volumes recently calls itself ‘AntiVirus2008’ or ‘AntiVirus2009’. We have seen (and reported) attackers making heavy use of spam campaigns to distribute it. The stock ‘e-card’ social-engineering lure seems to be a favourite; for example:


As you can see from the status bar (at the bottom), the URL within the message actually points to an executable on a compromised web site: the link text shows one address, but the real target is elsewhere. The executable is malicious and proceeds to infect the victim with scamware (proactively detected as Mal/EncPk-CZ).
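The lure pattern above, a link whose visible text names one site while the real href fetches an executable from another host, is easy to flag automatically. The following is an added example (not code from the original post): it parses the anchors out of an HTML mail body and reports links that point at an executable, whose displayed host differs from the real host, or whose real host is a bare IP address. The sample message, hosts and paths are constructed for illustration and do not come from the campaign described here.

```python
"""Triage hyperlinks in an HTML e-mail body for the 'e-card' lure pattern:
visible link text that looks like one site, while the real href fetches an
executable from another (compromised) host.

Added example, not code from the original post. Every host, path and
message line below is constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# File extensions a greeting-card link has no business pointing at.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

# Constructed sample message body (hypothetical hosts, not real sites).
SAMPLE_ECARD = """
<html><body>
<p>You have received a greeting card from a friend!</p>
<p>To view it, click
<a href="http://example-compromised-site.test/images/ecard.exe">
http://www.greeting-cards.example/view/card</a></p>
<p>Card ID: 8812.</p>
<p><a href="http://www.greeting-cards.example/help">Help</a></p>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(text):
    """Return the host named by a URL-looking string, or None if the text
    is just words (e.g. 'Help' or 'click here')."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    if not host or "." not in host or any(c.isspace() for c in host):
        return None
    return host.lower()


def triage_links(html):
    """Return one finding per anchor: {'href', 'text', 'reasons'}.
    'reasons' is empty for links that look benign."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        target = urlparse(href)
        target_host = (target.hostname or "").lower()
        path = target.path.lower()
        if path.endswith(EXECUTABLE_EXTENSIONS):
            reasons.append("link fetches an executable: " + path.rsplit("/", 1)[-1])
        shown_host = _host_of(text)
        if shown_host and shown_host != target_host:
            reasons.append(
                f"displayed host {shown_host} differs from real host {target_host}")
        if target_host and target_host.replace(".", "").isdigit():
            reasons.append("real host is a bare IP address")
        findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


def suspicious_links(html):
    """Only the anchors that tripped at least one check."""
    return [f for f in triage_links(html) if f["reasons"]]


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_ECARD):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

On the constructed sample the first anchor is reported twice over (executable target and display/target host mismatch) while the plain "Help" link passes. The display-text check only fires when the anchor text itself looks like a URL or host, so ordinary "click here" links are not flagged on that ground alone.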

Just today, I noticed an interesting development in their tactics. The same scamware is being installed via the GPack [3,4] exploit kit. In this case, a new web site (domain registered yesterday) loaded with various pornographic images is being used to trap further victims.


Any victim browsing this page is exposed to the malicious scripts served by the GPack kit, the purpose of which is to infect them with the scamware.


As you can see, thankfully, the malicious components continue to be proactively detected (Mal/ObfJS-S and Mal/EncPk-CZ). Access to the associated domain is now appropriately blocked as well.

Victims unlucky enough to get infected with this scamware will be presented with the same misleading desktop background as blogged about here.