Rogue Anti-Virus’ Twin Attack

Security Company Sophos has recently cautioned that an attack vector is being heavily used. Web-pages consisting of malevolent JavaScript and a similar applet are helping to launch the attack that eventually takes down bogus anti-virus software.

Like always the JavaScript spells out the plug-ins for Web-browsers to validate the installation of Adobe Reader/Acrobat. If the validation is positive, then a malevolent PDF is downloaded. Sophos has blocked these PDFs as Troj/PDF Js-GA.

The PDF features a deeply disguised JavaScript that tries to exploit a number of Adobe security flaws.

Moreover, with the help of the applet, a JAR file is loaded identified as Troj/Java-B. The file consists of malevolent class files, which exploit a traditional flaw of privilege escalation within the context of ZoneInfo objects handling in the de-serialization process.

In case the Java or PDF exploit works successfully, the attack downloads the payload from the said malicious website as well as executes it. It is believed that the payload is a downloader/installer for a rogue AV product named Internet Security 2010. The product appears so professional that anyone unfamiliar with scams related to fake anti-virus software can be duped.

Typically, the Internet Security 2010 poses to scan the victim's computer and falsely reports of malware infections. Thereafter, it diverts the user onto vs-codec-pro.net that tells him that he must buy the program's complete version for removing those infections.

Sophos explains that the possibility of the attack's success is made twofold on two fronts. If it is able to counter the computer's defenses, then the user falls into trouble. The downloader component replicates itself onto the user's computer, makes registry entries for fastening onto system startup as well as loads an .html file to the desktop rather than the background the user chooses.

Meanwhile, regarding fake anti-virus software, security experts stated that they were always the most distributed malware, as they were spread through spam, SEO poisoning, hijacked websites, etc.

Further according to the latest reports, Sophos has managed to stop the PDFs, JavaScript, the downloader and the JAR files. The company has also blacklisted the website hosting the rogue anti-virus.

Related article: RSA Attendees Responsible for Wireless Vulnerability

» SPAMfighter News - 17-02-2010

All SPAMfighter products offer a free trial!

SPAMfighter is a free spam filter for Outlook, Outlook Express,Windows Mail, Windows Live Mail and Thunderbird.

Optimize your Slow PC for better performance. Try FREE scan now

Disk space recovery
and disk optimization. Try FULL-DISKfighter free

SPAMfighter Exchange Module is a Spam filter for Exchange server - Free 30 days trial.

Remove Spyware with SPYWAREfighter - Free 30 days trial

Antivirus software for your Windows PC - Free 30 days trial