Wednesday, February 13, 2013

New exploit kit tricks


In today's post, we'll be reviewing a (potentially) new trick by the exploit kit authors.

As usual, it all starts with.... a great portion of spam:

Verizon important account information! ;-)

When clicking on any of the links you get redirected, of course... and some tasty exploits are served. For more information, see the Pastebin links further below.

However, this time, when you don't have a vulnerable Java or Adobe version installed, you'll get redirected (after 61000 milliseconds to be exact, ~1 minute) to another page where you can download the brand new version of Adobe Flash Player:


Download the new Flash Player... Note it's not the official Adobe website!

Of course this is not the real Flash Player. In fact, as far as I could find, this version does not exist.

Something that has always bothered me about the download of Flash is the notification circled in red. Yes, on the real website of Adobe, this notification is also present:
"You may have to temporarily disable your antivirus software" --> Great thinking, right?


The bad guys have basically just done a copy/paste of the download page of Flash and changed the version number. When clicking on Download now, you're presented with:





update_flash_player.exe
MD5: 1b7d3393018d65e9d37566089b7626d5
VirusTotal Report
Anubis Report
ThreatExpert Report
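
The behaviour described above (a redirect after roughly 61 seconds to a copy of the Flash download page on a non-Adobe host, followed by a download of `update_flash_player.exe`) can be hunted for in web proxy logs. The Python below is an added example, not part of the original post; the log format, the host names, the vendor allow-list and the 55 to 70 second window are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log (not from the post): epoch, client, URL, referer.
SAMPLE_LOG = """\
1360749600 10.0.0.5 http://landing.example/verizon/index.html -
1360749661 10.0.0.5 http://fakeflash.example/adobe/index.html http://landing.example/verizon/index.html
1360749670 10.0.0.5 http://fakeflash.example/adobe/update_flash_player.exe http://fakeflash.example/adobe/index.html
1360749700 10.0.0.9 http://fpdownload.adobe.com/get/flashplayer/install_flash_player.exe http://get.adobe.com/flashplayer/
""".splitlines()

INSTALLER = re.compile(r"flash[_-]?player[^/]*\.exe$", re.I)
VENDOR_DOMAINS = ("adobe.com", "macromedia.com")  # assumption: your own allow-list


def is_vendor_host(host):
    host = (host or "").lower().rstrip(".")
    # Match the domain itself or a true subdomain, not "adobe.com.evil.example".
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def find_fake_flash_downloads(lines, lo=55, hi=70):
    seen = {}   # (client, url) -> (time of first request, referer)
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        ts, client, url, referer = int(parts[0]), parts[1], parts[2], parts[3]
        seen.setdefault((client, url), (ts, referer))
        u = urlsplit(url)
        if not INSTALLER.search(u.path) or is_vendor_host(u.hostname):
            continue
        # Walk back: download page, then the page that sent the client to it.
        page = seen.get((client, referer))
        prev = seen.get((client, page[1])) if page else None
        delay = page[0] - prev[0] if prev else None
        hits.append({"client": client, "host": u.hostname,
                     "file": u.path.rsplit("/", 1)[-1], "delay": delay,
                     "timed_redirect": delay is not None and lo <= delay <= hi})
    return hits
```

A hit with `timed_redirect` set means the download page was reached about a minute after the page that referred to it, which matches the delayed redirect seen in this campaign.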


The payload seems to be Zeus/Zbot. It also phones home to:
88.190.210.199

Infection URLs from the same campaign, hat tip to @MalwareMustDie:
URLquery search results



Samples that were gathered, contact me if you'd like a copy:

Pastebin links for the JavaScript:
http://pastebin.com/hhQe6RCP
http://pastebin.com/nt5JmGp3




Conclusion

- Don't click on any link(s) from unknown senders. In fact, don't even open mail from unknown senders
- Patch your Java & Adobe software, or uninstall it if you don't need it
- Install an antivirus and antimalware product and keep it up-to-date & running
- Use NoScript in Firefox or NotScripts in Chrome

