Rogue Anti-Virus’ Twin AttackSecurity Company Sophos has recently cautioned that an attack vector is being heavily used. Web-pages consisting of malevolent JavaScript and a similar applet are helping to launch the attack that eventually takes down bogus anti-virus software. Like always the JavaScript spells out the plug-ins for Web-browsers to validate the installation of Adobe Reader/Acrobat. If the validation is positive, then a malevolent PDF is downloaded. Sophos has blocked these PDFs as Troj/PDF Js-GA. The PDF features a deeply disguised JavaScript that tries to exploit a number of Adobe security flaws. Moreover, with the help of the applet, a JAR file is loaded identified as Troj/Java-B. The file consists of malevolent class files, which exploit a traditional flaw of privilege escalation within the context of ZoneInfo objects handling in the de-serialization process. In case the Java or PDF exploit works successfully, the attack downloads the payload from the said malicious website as well as executes it. It is believed that the payload is a downloader/installer for a rogue AV product named Internet Security 2010. The product appears so professional that anyone unfamiliar with scams related to fake anti-virus software can be duped. Typically, the Internet Security 2010 poses to scan the victim's computer and falsely reports of malware infections. Thereafter, it diverts the user onto vs-codec-pro.net that tells him that he must buy the program's complete version for removing those infections. Sophos explains that the possibility of the attack's success is made twofold on two fronts. If it is able to counter the computer's defenses, then the user falls into trouble. The downloader component replicates itself onto the user's computer, makes registry entries for fastening onto system startup as well as loads an .html file to the desktop rather than the background the user chooses. Meanwhile, regarding fake anti-virus software, security experts stated that they were always the most distributed malware, as they were spread through spam, SEO poisoning, hijacked websites, etc. Further according to the latest reports, Sophos has managed to stop the PDFs, JavaScript, the downloader and the JAR files. The company has also blacklisted the website hosting the rogue anti-virus. Related article: RSA Attendees Responsible for Wireless Vulnerability » SPAMfighter News - 2/17/2010 |
Dear Reader
We are happy to see you are reading our IT Security News.
We do believe, that the foundation for a good work environment starts with fast, secure and high performing computers. If you agree, then you should take a look at our Business Solutions to Spam Filter & Antivirus for even the latest version of Exchange Servers - your colleagues will appreciate it!