Today a Swedish and well-visited news site, AftonBladet, was compromised as it was serving visitors a fake antivirus or rogueware.
In fact, there was a malicious code targeting only Internet Explorer (IE) browser users. When the user visited Aftonbladet (using IE), he was redirected to another website which contained a fake warning from Microsoft Security Essentials. Once the user clicked on the warning message, nothing was fixed, but a malicious file downloaded.
The file was an obfuscated Visual Basic Executable. When trying to reproduce, it appeared it already was cleaned up, fast actions there.
Thanks to Jimmy, our Panda Security colleague from Sweden, Panda Security was able to obtain the malicious file:
File: svc-ddrs.exe
Image icon:
Size: 1084416 bytes
Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
When executing the sample, a fake antivirus was launched.
Windows Efficiency Master
Fake scanning results
Besides dropping the usual EXE file in the %appdata% folder, it also dropped a data.sec file with predefined scanning results (all fake obviously).
For additional info, see content of data.sec.
This fake AV also performed the usual actions:
- Blocking of EXE and other files.
- Blocking of browsers like Internet Explorer.
- Callback to 93.115.86.197 where the Command and Control server is hosted.
- Stopping several antivirus services and preventing them from running.
- Rebooting initially to stop certain logging and monitoring tools.
- Using mshta.exe (which executes HTML application files) for the usual payment screen.
- Connecting to http://checkip.dyndns.org/ to determine your IP.
This rogueware or fake AV belongs to the Tritax family, which has been going around for quite some time and has lots and lots of different names, but the design, concept and initial social engineering attack are all the same.
Prevention
In this case, no exploit -nor Java/Adobe nor browser- was used. Only Javascript was injected. So, follow these prevention tips:
- Install an antivirus and antimalware product and keep it up-to-date and running.
- In order to have a greater control of the scripts running in your browser, use NoScript in Firefox or NotScripts in Chrome.
- Block the Command and Control server IP above mentioned (either in your firewall or host file).
Panda Security products keep you safe and protected against this threat, so we really encourage you to follow the tips above to stay protected.
We want to specially thank Bart, Panda Security Malware Technician from Benelux, for his great contribution on this malware research.