Links to LuckySploit exploit pages are being sent over gaming collaboration tools with the end goal of installing rogueware/scareware Spyware Protect 2009, still being hosted at antiwareprotect.com:
Name: antiwareprotect.com
Address: 91.212.65.122
inetnum: 91.212.65.0 - 91.212.65.255netname: EUROHOST-NETdescr: Eurohost LLCdescr: Provider Local Registrycountry: UAremarks: ---------------------------------------------------------------------------------------------remarks: Trouble:Please report abuse incidents to abuse@eurohost.biz.uaremarks: Trouble:Messages sent to other contact addresses may not be acted upon.remarks: ---------------------------------------------------------------------------------------------org: ORG-EL76-RIPEadmin-c: MI1858-RIPEtech-c: NOC114-RIPE
organisation: ORG-EL76-RIPEorg-name: Eurohost LLCdescr: Eurohost LLCaddress: Evpatoria, Crimea, Ukraineabuse-mailbox: abuse@eurohost.biz.ua
role: Network Operations Centreaddress: Evpatoria, Crimea, Ukraineaddress: Evpatoria, Crimea, Ukrainenic-hdl: MI1858-RIPEmnt-by: EUROHOST-MNT
The arrival of a link in text is somewhat out of the ordinary, because most of these gaming tools are voice chat clients. But players of MMPORG online games like Counter Strike and World of Warcraft should be aware that links are being sent out via popular chat clients that redirect to LuckySploit hosting sites. Typically, an invitation to check out a new game or mod is delivered. The end result usually is an “install.exe” file downloaded and executed due to successful exploitation of a vulnerable version of Adobe Acrobat Reader, which in turn installs “sysguard.exe”. Pop-ups from this rogueware pummel the screen with consistently poor english grammar, false detections and phony alerts like “Windows Security alert: Windows reports that computer is infected”:
Back in February, we posted on the Spyware Protect 2009 group’s hosts file abuse (with modifications to browser-security.microsoft.com, which is not a legitimate site), and then again in March, with hosts file modifications leading to phony AV reviews.
It also is somewhat unusual to see such a site in this space (hxxp://v-state(dot)com/pool/ or 212.117.185.40):
Name: v-state.com
Address: 212.117.185.40
inetnum: 212.117.160.0 – 212.117.191.255
netname: LU-ROOT-20071108
descr: root eSolutions
country: LU
org: ORG-re8-RIPE
admin-c: AB99-RIPE
tech-c: RE655-RIPE
organisation: ORG-re8-RIPE
role: root eSolutions
address: Luxembourg
e-mail: info@root.lu
If you receive a malicious link to check out a new game while playing WoW or Counter Strike as a part of a larger team, please let us know. ThreatFire is preventing a fairly high number of related LuckySploit acrobat reader attacks in the community.
