Skip navigation.

er234567's blog

YouTube Video Page Creator

Last week PandaLabs discovered a new tool for creating fake YouTube video pages as a way of deceiving users into installing malware. The vector for infection is similar to many fake codec based malware attacks seen in recent weeks (CNN, MSNBC, etc).

The flexibility of this tool allows anyone to direct the fake Adobe Flash update error to any malicious executable file hosted on any server - this means that essentially a hacker could register several domains in different countries (as seen in the CNN alerts attack) and utilize a bot-net to distribute a mass amount of spam pointing to these fake YouTube pages.

Full Details Here

Fake Windows XP Vista Update (AV XP 2008)

This morning the AV XP 2008 spammers were at it again with another round of spam messages claiming to offer an update to Microsoft Windows Vista (we have seen similar attacks before offering false updates). However, when the user clicks the link he/she is directed to a malicious .swf that will download the file install.exe which essentially is a downloader Trojan designed to install AV XP 2008.

Full Details here:

Fake Account Fee Spam (AV XP 2008)

A couple of minutes ago another round of spam messages appeared claiming to provide information concerning a statement of fees recently posted (inferring to banking account fees). The message contained an attachment with a fake Microsoft Word Document which actually is an executable (Fees-2008_2009.doc.exe) that installs a Trojan Downloader.

Further analysis indicates that the Trojan when installed connects to a php page hosted on a Russian domain to obtain several possible sites as a means of downloading the installer for AntiVirus XP 2008.

Full details here:

New Round of Celebrity Spam distributing AV XP 2008

Spammers continue their efforts today with another round of celebrity oriented spam designed to entice users into watching a non-existent video. The fake video site exhibits the same behavior found in the CNN and MSNBC spam attacks covered earlier this month (i.e. a popup message indicates that the ActiveX movie control is out of date and the user is required to install an update to properly view the video).

It is apparent that the spammers are very interested in getting a large number of users to install and use false security products such as AV XP 2008 and it’s variants in an effort to generate revenue.

Full Story Here:

Fake Nero Anti-Virus Pro 2009

This morning we detected another spam campaign with the aim of enticing users into downloading and executing a file they believe is a 6 month trial of a product called “Anti-Virus Nero Advanced Pro 2009“. When analyzed further the file is actually a variation of the rouge antivirus application known as AV XP 2008 which has been seen in earlier attacks this month.

For more information:

Celebrity Spam Out of Control

We have been tracking a number of spam messages over the last couple of days pertaining to celebrities involved in a number of odd and unexplained activities. The binary file being delivered in this latest spam run involving Paris Hilton is stream.exe which is meant to lure a user into executing the file hidden behind the link, thus, the user thinking he/she will be viewing a video is actually getting a Trojan. Stream.exe is identified as a varient of Trj/Exchanger.

Full Details Here:

The file has been uploaded with the name of stream.exe with a3aec9130af6f69c715dc6eb89949079.

Video Codec Malware Reloads

This morning we detected another spam campaign with a very similar motivation to the MSNBC and CNN spam attacks that were detected recently. The vector for infection is a re-direction to a phony video page. In this case the user is asked to download an update which appears to be a video codec identified as installer.exe or better known as Trj/Exchanger. We expect that these type of attacks are only going to evolve over a period of time to be much more sophisticated.

More Information Here:

MSNBC Alerts masking CNN codec site

This morning several messages appeared to be coming from MSNBC breaking news alerts. However, it is another weird twist in the CNN spam campaign as the link will direct the user to the fake CNN video codec page to download the adobe_flash.exe (AV XP 2008). We expect to see in the next coming days variations of these messages as spammers find ways to entice users.

More details here

Generically detecting adobe_flash.exe with PEiD

Recently I have been investigating the adobe_flash.exe files associated with the latest round of CNN spam. During my analysis all of the binaries appeared to look and behave the same; however, some of the files are actually quite different. Therefore, using PEiD and Signature Explorer 3 I created two generic detection signatures for variations of the adobe_flash.exe file.

Details here:

CNN Spam Alerts: Common PE signature

The CNN Alerts spam campaign continues this morning with new email messages and new malware hidden behind the links. The latest change to the URL scheme they are using behind the “Full Story” link is cnnvid.html, cnnhottopics.html, cnnheadlines.html, cnncurrent.html, cnnplus.html, etc which directs the user to a fake video site.

Detailed Analysis here:

Syndicate content