We’ve been tracking the malicious search campaign involving thousands of domains and pages cited at the Internet Storm Center desk this morning for some time now. A couple of the sites in China each host approximately 5,000 web pages that each incorporate the same link to one malicious javascript page targeting Windows users. Other servers around the world have basically the same configuration. ThreatFire users are protected.
It’s a pretty complicated attack. Basically, when visiting one of these google results, the malicious server will prompt you to download a malicious executable, at the same time while analysing your system for vulnerabilities and attempting to attack them. All this work in an effort to install lots of “rogue security software” that will scan your system, attempt to intimidate the user with fraudulent scan results into purchasing the product. Complete with pop-ups for pharaceuticals sprouting up on the screen.
Yesterday afternoon, we installed their executable manually (displayed at the Sunbelt blog as “VideoAccessCodecInstall.exe”). It runs on a user’s system and then attempts to connect to a website and perform more downloads. The server at that destination was up, but the malicious download was not available.
However, the servers that the “video codec” connects to came back up overnight. Around 55 Internet Explorer windows and various screen prompts on one of our infected lab systems now tell me that malware and porn has been found all over the system (which were not when we started), and we need to buy their products to clean it up and keep my kids away from porn. What garbage.
Some of the product names look like this:
YourPrivacyGuard, ABSSearch, SecurePCCleaner, UltimateDefender, ADWare Remover2007, XPAntivirus, UltimateCleaner
So we’ve been visiting these malicious web sites in the lab, and they appear to prompt you to install a video codec, enticing you to check out the video that is about to play onscreen. But, in the background, the web page’s javascript identifies the OS, browser and JavaVM version of the visiting user and attacks the browser accordingly. Based on this information, it attacks multiple Microsoft vulnerabilities: MS06-014, MS06-006, MS05-001, MS03-011. It also can attack a couple of old Firefox vulnerabilities: first MFSA 2005-50, and if that attack fails on your firefox browser, it resorts to attacking MS06-006, which overflows a buffer in unpatched versions of Firefox.
Simply put, the best way to deal with this threat is to update your Windows operating system and application components and keep your system’s third party utilities patched, and maintain effective security products on your system.
We’ll keep you updated on the situation.
If you see this on your system while you are browsing the web with Firefox, do NOT download and execute the executable:
If you see this on your system while you are browsing the web with Internet Explorer, do NOT allow the executable to run:
Here is an example of ThreatFire identifying one of the downloaders, running on a lab system:
