Malware Disguises as Flash Player Update to Infect Computers

Red Condor, an e-mail security firm, has released a warning about a new spam campaign that comprises both a malware threat and a phishing ploy.

The e-mail asks its recipients to click on a web link provided in the body in order to update the "security mode" of their inbox. The link leads users to a website which suggests that they update their system with the latest version of Macromedia Flash Player by installing "flashinstaller.exe."

The installed code is nothing but a stealth banking Trojan that disables firewalls, pilfers financial data and enables hackers to access the computer remotely.

The malware is known by various names like Win32:Zbot-MGA (Avast), PWS:Win32/Zbot.gen!R (Microsoft), W32/Bifrost.C.gen!Eldorado (F-Prot) and PWS-Zbot.gen.v (McAfee).

The spam campaign was identified on November 20, 2009, and Red Condor blocked more than 500,000 e-mails within six hours of its detection. In total, the e-mail security company has blocked over 3.5 million messages of this campaign.

Dr. Tom Steding, President and CEO of Red Condor, said that the protection of inboxes had assumed a commercial form by changing into a lucrative business and therefore cybercriminals, including spammers, were trying to reap profit from it. They were concentrating on the exploitation of e-mail users' growing security concerns, as reported by PRLOG on November 24, 2009.

Reacting immediately to the newly discovered threat, Red Condor created a filtering rule and applied it for all of its e-mail firewall and hosted service customers. Unfortunately, several hours after the threat was detected, only around 50% of the antivirus engines available in the market were able to recognize it, Steding said.

Spam messages that encourage users to update their Flash Player are quite common on the web particularly during the holiday season, but they are generally associated with a fake e-card or viral video. Security experts have asked e-mail users, particularly those who opened the e-mail, to immediately delete the messages and notify IT administrators.
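A mail-filtering check for the lure described above could look like the following. This is an added example, not Red Condor's rule: the lure wording and the file name come from the article, while the rule logic, the function name inspect_message and the sample messages are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Lure wording and file name come from the article; the rule logic is an assumption.
LURE = re.compile(r"\b(update|upgrade)\b.{0,80}\bsecurity\s+mode\b", re.I | re.S)
FLASH_EXE = re.compile(r"/flash[\w.-]*\.exe(?:[?#]|$)", re.I)

class LinkCollector(HTMLParser):
    """Collects href values of <a> tags from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

def inspect_message(raw: bytes) -> list[str]:
    """Return the reasons (possibly none) for quarantining a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text, links = [str(msg.get("Subject", ""))], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            links += collector.links
            text.append(re.sub(r"<[^>]+>", " ", part.get_content()))
        elif ctype == "text/plain":
            links += re.findall(r"https?://[^\s<>\"]+", part.get_content())
            text.append(part.get_content())
    reasons = []
    if links and LURE.search(" ".join(text)):
        reasons.append("security-mode update lure with link")
    if any(FLASH_EXE.search(link) for link in links):
        reasons.append("link to Flash-named executable")
    return reasons

# Constructed sample messages (not captured from the campaign).
LURE_MAIL = (b"From: admin@mail.example.test\r\nSubject: Inbox notice\r\n"
             b"Content-Type: text/html; charset=utf-8\r\n\r\n"
             b'<p>Please update the <b>security mode</b> of your inbox: '
             b'<a href="http://update.example.test/inbox">click here</a></p>\r\n')
BENIGN_MAIL = (b"From: news@example.test\r\nSubject: Weekly digest\r\n"
               b"Content-Type: text/plain; charset=utf-8\r\n\r\n"
               b"Read this week's posts at https://example.test/digest\r\n")

if __name__ == "__main__":
    for name, raw in (("lure", LURE_MAIL), ("benign", BENIGN_MAIL)):
        print(name, inspect_message(raw))
```

The first reason fires on the e-mail itself, before any user clicks; the second catches messages that link straight to a Flash-named executable rather than to a landing page.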

In similar news, security company Trend Micro also disclosed in August 2009 that it had discovered spyware (TSPY_EBOD.A) purporting to be an Adobe Flash Player update. After execution, the spyware creates a Firefox add-on known as "Adobe Flash Player 0.2."

Related article: Malware Authors Turn More Insidious

» SPAMfighter News - 12/3/2009
