Rogue Anti-Virus’ Twin Attack
Moreover, with the help of the applet, a JAR file is loaded identified as Troj/Java-B. The file consists of malevolent class files, which exploit a traditional flaw of privilege escalation within the context of ZoneInfo objects handling in the de-serialization process.
In case the Java or PDF exploit works successfully, the attack downloads the payload from the said malicious website as well as executes it. It is believed that the payload is a downloader/installer for a rogue AV product named Internet Security 2010. The product appears so professional that anyone unfamiliar with scams related to fake anti-virus software can be duped.
Typically, the Internet Security 2010 poses to scan the victim's computer and falsely reports of malware infections. Thereafter, it diverts the user onto vs-codec-pro.net that tells him that he must buy the program's complete version for removing those infections.
Sophos explains that the possibility of the attack's success is made twofold on two fronts. If it is able to counter the computer's defenses, then the user falls into trouble. The downloader component replicates itself onto the user's computer, makes registry entries for fastening onto system startup as well as loads an .html file to the desktop rather than the background the user chooses.
Meanwhile, regarding fake anti-virus software, security experts stated that they were always the most distributed malware, as they were spread through spam, SEO poisoning, hijacked websites, etc.
Related article: RSA Attendees Responsible for Wireless Vulnerability
» SPAMfighter News - 17-02-2010