NEWS FROM THE LAB - Wednesday, January 15, 2014

Compromised Sites Pull Fake Flash Player From SkyDrive Posted by SecResponse @ 19:40 GMT

On most days, our WorldMap shows more of the same thing. Today is an exception.

1_wmap (106k image)

One infection is ranking so high in the charts that it immediately captured our attention.

Checking the recent history of this threat, we saw that these past few days, it has been increasing in infection hits.

2_spike (9k image)

So we dug deeper… it wasn't long before we saw that a lot of scripts hosted on various websites had been compromised. Our telemetry showed that almost 40% of the infected websites were hosted in Germany. On those sites, malicious code had been appended to the existing scripts; the injected code can be as short and simple as this:

4_script (12k image)

Or a bit longer to include the use of cookies, such as this:

3_code (132k image)
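Because the injection described above is appended to otherwise legitimate scripts, a site owner can catch it by comparing each hosted JavaScript file against a known-good copy and checking whether the original content survives intact as a prefix. The following is an added example, not code from the original post or from F-Secure; the file names, directory layout and file contents are constructed for illustration.

```python
# Added example (not from the original post): compare hosted *.js files against
# a known-good baseline tree and report which ones had bytes appended, which were
# otherwise modified, and which are missing or unexpected. Paths are constructed.
import hashlib
from pathlib import Path


def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def classify(baseline: bytes, current: bytes) -> str:
    """'clean' if identical, 'appended' if the known-good content is a strict
    prefix of the current file (the injection pattern seen here), else 'modified'."""
    if current == baseline:
        return "clean"
    if len(current) > len(baseline) and current.startswith(baseline):
        return "appended"
    return "modified"


def appended_tail(baseline: bytes, current: bytes) -> bytes:
    """Bytes added after the known-good content; empty unless the file was appended to."""
    return current[len(baseline):] if classify(baseline, current) == "appended" else b""


def scan(baseline_dir: Path, site_dir: Path) -> dict:
    """Map each relative *.js path to (status, sha1 of the current file).
    Files absent from the site are 'missing'; files absent from the baseline are 'unknown'."""
    report = {}
    baseline_files = {p.relative_to(baseline_dir) for p in baseline_dir.rglob("*.js")}
    site_files = {p.relative_to(site_dir) for p in site_dir.rglob("*.js")}
    for rel in sorted(baseline_files | site_files):
        if rel not in site_files:
            report[str(rel)] = ("missing", "")
        elif rel not in baseline_files:
            report[str(rel)] = ("unknown", sha1((site_dir / rel).read_bytes()))
        else:
            base = (baseline_dir / rel).read_bytes()
            cur = (site_dir / rel).read_bytes()
            report[str(rel)] = (classify(base, cur), sha1(cur))
    return report


if __name__ == "__main__":
    import sys  # usage: python script.py <baseline_dir> <site_dir>
    for name, (status, digest) in scan(Path(sys.argv[1]), Path(sys.argv[2])).items():
        print(f"{status:9} {digest} {name}")
```

Files reported as "appended" are the ones to inspect first; `appended_tail` returns exactly the foreign bytes so they can be reviewed without reading the whole script.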

A successful redirection leads to a fake Flash download site that looks similar to these pages:

5_flash1 (64k image)

6_flash2 (32k image)

6_main_page_after_clicking_download (40k image)

The user would have to manually click on the Download Now link before a file called flashplayer.exe could be downloaded from a certain SkyDrive account.

When the malicious flashplayer.exe is executed, this message is displayed to the user.

7_dialog (1k image)

Meanwhile, in the background, it connects to the same SkyDrive account again in order to download further malware.

8_skydrive (21k image)

Initial analysis showed that the sample is connecting to these locations.

9_post (59k image)

SHA1 Hashes:


Post by — Karmina and Christine