Fake Alert malware with a sting in the tail

Fake Alert malware with a sting in the tail

Earlier this morning, whilst perusing through some web attacks seen over the last few days, I noticed an interesting one, which I will outline in this blog post.

The attack starts on what looks to be some portal to a series of porn sites. The site in question provides numerous links to pornographic images and videos. It could be that victims are being directed to this site from spam or other compromised sites, but at the time of writing we have not seen this. It could simply be that victims are intended to find the site whilst browsing for porn.

[Porn portal]

If you look at the source of this page, two malicious payloads are evident.

Payload 1


The first payload is the use of window.open() and setTimeout() to open a new browser window after 10 seconds, displaying a PornTube-related site.


Regular readers will be familiar with PornTube and the style of the fake error message shown above. The site entices the victim into installing fake security software which is actually malware. Sophos proactively detect this threat as Mal/EncPk-EU – its purpose is to download and install fake alert malware (Antivirus XP 2008). The installed malware is also proactively detected (Troj/FakeAV-Gen and Mal/EncPk-CZ).

[Antivirus XP 2008 EULA]

Payload 2

The porn portal page also contains an iframe to a page in a sub-folder. The page contains a malicious script (proactively detected as Mal/ObfJS-M) that serves two purposes as evident from our analysis system output:


Firstly, the script attempts to load a PDF file containing malicious JS attempting to exploit an Adobe Reader vulnerability (CVE-2007-5659). If the exploit is successful, the victim is infected with data-stealing malware proactively detected by Sophos as Mal/EncPk-CO.

The second payload of the Mal/ObfJS-M script is to infect the victim with a downloader Trojan. As you can see from the diagram above, at the time of analysis, this downloader was not detected by Sophos. It has since been added as Troj/Dloadr-BSR.

Phew! A good example of how todays attackers are literally bombarding victims with malicious code. Not satisfied with installing fake security software in order to scam money out of their victims, they also install data-stealing Trojans to compromise the machine as well.