Exaggerated Virus Attack Delivers Fake AV

A careless mistakes ignored by the cyber crooks facilitated security researchers at Armorize to explore a malicious iFrame injection attack, which is posing a threat for netizens, as per news published in HELP NET SECURITY on August 18, 2011.

The researchers could easily find out of the exact number of affected domains as the attackers left a script tag unattended rendering one of their code dormant. This enabled the security expertise to detect the code and decode it as a normal text and made it searchable due to which perhaps over 536,000 pages could be detected.

In the beginning, the cyber crooks overlooked the insertion of a <script> tag in front of the actual spiteful code, which enabled Google to index it easily.

However, the attackers by now resolved their injection, which again poses a threat for another 22,000 websites to be infected again with a proper code. When a user accesses a compromised page, visitors are automatically directed back to a website that hosts them towards installating the BlackHole exploit package. However, BlackHole implement exploits that are intended to attack outdated versions of Flash Player, Adobe Reader, Java, and Windows.

Unfortunately, the cyber crooks have by now resolved their mistake as the injected script is invisible to Google now. Thus it is not possible to find out the exact number of affected pages. These kinds of attacks are known as drive-by downloads and are installed on the specific computers that are targeted.

Armorize also indicated that this malware is a forged antivirus application bearing fake names, such as "Security 2012" under Windows XP, "Vista antivirus 2012" under Windows Vista, and "Win 7 antivirus 2012" under Windows 7, according to SOFTOPEDIA on August 17, 2011.

Injection method of the attack as described by Armorize is to steal FTP credentials initially and then use the automated program to FTP, retrieve files, inject iframe, and upload back. FTP credentials are initially stolen from personal Windows computers infected with the malware. The password files of FTP clients are stored by the malware searches, which can also realize the FTP traffic. The credentials that are stolen are sent back to the attackers.

Nonetheless, users are recommended to install the software on their PCs while regularly updating their computers. Also, they are advised to update the antivirus program on their computer for avoiding infections in future.

Related article: External Software Can Allow malware into Windows Vista

» SPAMfighter News - 8/27/2011