Swedish news site compromised spreading fake antivirus

Today a well-visited Swedish news site, Aftonbladet, was compromised and served its visitors a fake antivirus (rogueware).

The injected malicious code targeted only Internet Explorer (IE) users. When a user visited Aftonbladet with IE, they were redirected to another website that showed a fake warning styled as Microsoft Security Essentials. Clicking the warning fixed nothing; instead, a malicious file was downloaded.

The file was an obfuscated Visual Basic executable. By the time we tried to reproduce the infection, the injection had already been cleaned up from the site; a fast response.

Thanks to Jimmy, our Panda Security colleague from Sweden, Panda Security was able to obtain the malicious file:

File:    svc-ddrs.exe
Image icon:    [screenshot of the file's icon, captioned "Malicious file"]
Size:    1084416 bytes
Type:    PE32 executable for MS Windows (GUI) Intel 80386 32-bit

When executing the sample, a fake antivirus was launched.

[Screenshots: the fake antivirus, named "Windows Efficiency Master", its scanning screen, and the fake scanning results]

Besides dropping the usual EXE file in the %appdata% folder, it also dropped a data.sec file containing predefined scanning results (all fake, obviously).

For additional information, see the contents of data.sec.

This fake AV also performed the usual actions:

  • Blocking the execution of EXE and other files.
  • Blocking browsers such as Internet Explorer.
  • Calling back to 93.115.86.197, where the Command and Control server is hosted.
  • Stopping several antivirus services and preventing them from running.
  • Rebooting the machine at first run to stop certain logging and monitoring tools.
  • Using mshta.exe (which executes HTML Application files) to display the usual payment screen.
  • Connecting to http://checkip.dyndns.org/ to determine the victim's public IP address.
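The indicators above (the dropped file names, the %appdata% drop location, the C&C address, the checkip.dyndns.org lookup and the mshta.exe payment screen) are enough to sweep endpoint and network logs for this infection. The following Python script is an added example, not code from the original post or from Panda Security. The indicator values are taken from this post; the one-line log format, the sample log lines, and the assumption that mshta.exe is spawned directly by the dropped executable are constructed for the example.

```python
"""Sweep simple endpoint/network log lines for the Tritax fake-AV indicators.

Added example (not from the original post). Indicators come from the post; the
log format "<timestamp> <kind> <details>" and the sample lines are constructed.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional

C2_IP = "93.115.86.197"               # Command and Control address named in the post
IP_CHECK_HOST = "checkip.dyndns.org"  # external IP lookup named in the post
DROPPED_FILES = {"svc-ddrs.exe", "data.sec"}  # dropped into %appdata% per the post


@dataclass(frozen=True)
class Finding:
    timestamp: str
    rule: str
    line: str


# Constructed log format (assumption): one event per line, four event kinds.
_PROC = re.compile(r"^(?P<ts>\S+) proc (?P<image>\S+) parent=(?P<parent>\S+)$")
_FILE = re.compile(r"^(?P<ts>\S+) file write (?P<path>\S+)$")
_NET = re.compile(r"^(?P<ts>\S+) net dst=(?P<ip>[\d.]+):(?P<port>\d+) proc=(?P<proc>\S+)$")
_DNS = re.compile(r"^(?P<ts>\S+) dns query=(?P<host>\S+) proc=(?P<proc>\S+)$")


def _in_appdata(path: str) -> bool:
    """True if any path component is AppData (covers %appdata% = AppData\\Roaming)."""
    return "appdata" in [p.lower() for p in PureWindowsPath(path).parts]


def classify(line: str) -> Optional[Finding]:
    """Return a Finding if the line matches one of the post's indicators, else None."""
    line = line.rstrip()
    if m := _PROC.match(line):
        image = PureWindowsPath(m["image"]).name.lower()
        parent = PureWindowsPath(m["parent"]).name.lower()
        if image in DROPPED_FILES and _in_appdata(m["image"]):
            return Finding(m["ts"], "dropped-exe-executed", line)
        # Assumption: the payment screen is mshta.exe launched by the dropper itself,
        # so mshta.exe with a benign parent (e.g. explorer.exe) is not flagged.
        if image == "mshta.exe" and parent in DROPPED_FILES:
            return Finding(m["ts"], "mshta-payment-screen", line)
        return None
    if m := _FILE.match(line):
        if PureWindowsPath(m["path"]).name.lower() in DROPPED_FILES and _in_appdata(m["path"]):
            return Finding(m["ts"], "file-dropped-in-appdata", line)
        return None
    if m := _NET.match(line):
        if m["ip"] == C2_IP:
            return Finding(m["ts"], "c2-callback", line)
        return None
    if m := _DNS.match(line):
        if m["host"].lower() == IP_CHECK_HOST:
            return Finding(m["ts"], "ip-check-lookup", line)
        return None
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Classify every line, keeping only the hits, in log order."""
    return [f for f in (classify(ln) for ln in lines) if f is not None]


def summarize(findings: Iterable[Finding]) -> dict:
    """Count hits per rule, e.g. {'c2-callback': 1, ...}."""
    counts: dict = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample log: an infected host plus benign noise (not real telemetry).
SAMPLE_LOG = r"""
2013-03-14T10:01:02 proc C:\Users\anna\AppData\Roaming\svc-ddrs.exe parent=iexplore.exe
2013-03-14T10:01:05 file write C:\Users\anna\AppData\Roaming\data.sec
2013-03-14T10:01:07 net dst=93.115.86.197:80 proc=svc-ddrs.exe
2013-03-14T10:01:09 dns query=checkip.dyndns.org proc=svc-ddrs.exe
2013-03-14T10:02:00 proc C:\Windows\System32\mshta.exe parent=svc-ddrs.exe
2013-03-14T10:05:00 net dst=198.51.100.7:443 proc=chrome.exe
2013-03-14T10:06:00 proc C:\Windows\System32\notepad.exe parent=explorer.exe
2013-03-14T10:07:00 proc C:\Windows\System32\mshta.exe parent=explorer.exe
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h.timestamp}  {h.rule:<24} {h.line}")
    print(summarize(hits))
```

The rules are deliberately narrow: the dropped file names are only flagged under an AppData path, and mshta.exe is only flagged when its parent is the dropper, because mshta.exe itself is a legitimate Windows binary. Any single hit is enough to pull the host for a closer look; the C&C callback is the strongest signal because it does not depend on the sample keeping the same file name.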

This rogueware belongs to the Tritax family, which has been circulating for quite some time under many different names; the design, concept and initial social engineering lure are always the same.

Prevention

In this case no exploit was used, neither against Java or Adobe plugins nor against the browser itself. Only JavaScript was injected into the site, and the rest was social engineering. So, follow these prevention tips:

Panda Security products keep you safe and protected against this threat, so we really encourage you to follow the tips above to stay protected.

We want to specially thank Bart, Panda Security Malware Technician from Benelux, for his great contribution on this malware research.
