We see fake AV malware being distributed in a variety of ways, including SEO abuse , compromised web sites [4, 5]. In this post I will highlight an attack that is currently active involving malicious PDF and Java content, attempting to exploit client side vulnerabilities.
- collectEmailInfo: CVE-2007-5659
- util.printf: CVE-2008-2992
- getIcon: CVE-2009-0927
- util.printd: CVE-2009-4324
The applet is used to load a JAR file (blocked as Troj/Java-B) which contains malicious class files that attempt to exploit an old privilege escalation vulnerability in the handling ZoneInfo objects during deserialization (CVE-2008-5353).
If either the PDF or Java exploit is successful, the payload is downloaded from the same site and run. This component is an installer/downloader for Internet Security 2010, and is detected as Mal/EncPk-NI. When the installer is run, it performs a series of actions:
- copies itself to %sysdir%\smss32.exe and %sysdir%\winlogon32.exe
- adds Registry keys to hook system startup
- drops %sysdir%\warning.html (pro-actively detected as Mal/FakeAvHm-A), and configures the desktop to load it as an ActiveDesktop background
- adds sites to Internet Explorer’s trusted site list (these sites have all been blacklisted for Sophos web appliance customers for several days now)
- downloads and runs Internet Security 2010 (blocked as Mal/FakeAV-BW) from a remote site
You could say such actions are suspicious! Indeed various runtime protection rules are triggered:
This attack provides a good example of how all the modern security technologies fit together. It is the combination of technologies such as URL filtering, patch management, pro-active detections and runtime protection rules that help to thwart such attacks.