Last week PandaLabs discovered a new tool for creating fake YouTube video pages as a way of deceiving users into installing malware. The vector for infection is similar to many fake codec based malware attacks seen in recent weeks (CNN, MSNBC, etc).
The flexibility of this tool allows anyone to direct the fake Adobe Flash update error to any malicious executable file hosted on any server - this means that essentially a hacker could register several domains in different countries (as seen in the CNN alerts attack) and utilize a bot-net to distribute a mass amount of spam pointing to these fake YouTube pages.
This morning the AV XP 2008 spammers were at it again with another round of spam messages claiming to offer an update to Microsoft Windows Vista (we have seen similar attacks before offering false updates). However, when the user clicks the link he/she is directed to a malicious .swf that will download the file install.exe which essentially is a downloader Trojan designed to install AV XP 2008.
A couple of minutes ago another round of spam messages appeared claiming to provide information concerning a statement of fees recently posted (inferring to banking account fees). The message contained an attachment with a fake Microsoft Word Document which actually is an executable (Fees-2008_2009.doc.exe) that installs a Trojan Downloader.
Further analysis indicates that the Trojan when installed connects to a php page hosted on a Russian domain to obtain several possible sites as a means of downloading the installer for AntiVirus XP 2008.
Spammers continue their efforts today with another round of celebrity oriented spam designed to entice users into watching a non-existent video. The fake video site exhibits the same behavior found in the CNN and MSNBC spam attacks covered earlier this month (i.e. a popup message indicates that the ActiveX movie control is out of date and the user is required to install an update to properly view the video).
It is apparent that the spammers are very interested in getting a large number of users to install and use false security products such as AV XP 2008 and it’s variants in an effort to generate revenue.
This morning we detected another spam campaign with the aim of enticing users into downloading and executing a file they believe is a 6 month trial of a product called “Anti-Virus Nero Advanced Pro 2009“. When analyzed further the file is actually a variation of the rouge antivirus application known as AV XP 2008 which has been seen in earlier attacks this month.
We have been tracking a number of spam messages over the last couple of days pertaining to celebrities involved in a number of odd and unexplained activities. The binary file being delivered in this latest spam run involving Paris Hilton is stream.exe which is meant to lure a user into executing the file hidden behind the link, thus, the user thinking he/she will be viewing a video is actually getting a Trojan. Stream.exe is identified as a varient of Trj/Exchanger.
The file has been uploaded with the name of stream.exe with a3aec9130af6f69c715dc6eb89949079.
This morning we detected another spam campaign with a very similar motivation to the MSNBC and CNN spam attacks that were detected recently. The vector for infection is a re-direction to a phony video page. In this case the user is asked to download an update which appears to be a video codec identified as installer.exe or better known as Trj/Exchanger. We expect that these type of attacks are only going to evolve over a period of time to be much more sophisticated.
This morning several messages appeared to be coming from MSNBC breaking news alerts. However, it is another weird twist in the CNN spam campaign as the link http://breakingnews.msnbc.com will direct the user to the fake CNN video codec page to download the adobe_flash.exe (AV XP 2008). We expect to see in the next coming days variations of these messages as spammers find ways to entice users.
Recently I have been investigating the adobe_flash.exe files associated with the latest round of CNN spam. During my analysis all of the binaries appeared to look and behave the same; however, some of the files are actually quite different. Therefore, using PEiD and Signature Explorer 3 I created two generic detection signatures for variations of the adobe_flash.exe file.
The CNN Alerts spam campaign continues this morning with new email messages and new malware hidden behind the links. The latest change to the URL scheme they are using behind the “Full Story” link is cnnvid.html, cnnhottopics.html, cnnheadlines.html, cnncurrent.html, cnnplus.html, etc which directs the user to a fake video site.