
Swedish news site compromised spreading fake antivirus

Today Aftonbladet, a widely visited Swedish news site, was compromised and served its visitors a fake antivirus (rogueware).

The malicious code targeted only Internet Explorer (IE) users. When a user visited Aftonbladet with IE, they were redirected to another website showing a fake warning styled as Microsoft Security Essentials. Clicking the warning fixed nothing; instead it downloaded a malicious file.
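The injected script itself is not reproduced in this post. As an added example (not Panda's code and not the code observed on Aftonbladet), the following Python scans a page's inline scripts for the pattern described above: a test for Internet Explorer combined with a redirect or content injection. The sample HTML is constructed for illustration, and the regular expressions are assumptions about what such injections typically look like, so treat hits as leads to review, not verdicts.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: one benign inline script plus one injected
# script that checks for IE and redirects. Not the real Aftonbladet code.
SAMPLE_HTML = """<html><head>
<script>var page = {section: "news"};</script>
<script>
if (navigator.userAgent.indexOf("MSIE") != -1) {
  window.location = "http://example.invalid/scan/?a=12";
}
</script>
</head><body>...</body></html>"""


class ScriptCollector(HTMLParser):
    """Collects the body text of every inline <script> element."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


# Assumed indicators of an IE-only gate (user-agent strings, IE-only objects,
# conditional compilation) and of a navigation or content injection.
IE_CHECK = re.compile(r"MSIE|Trident|ActiveXObject|document\.all\b|@cc_on", re.I)
REDIRECT = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href|\.replace)?\s*[=(]"
    r"|document\.write\s*\("
    r"|createElement\s*\(\s*['\"]iframe['\"]",
    re.I,
)
URL = re.compile(r"https?://[^\s\"']+")


def find_ie_gated_redirects(html):
    """Return (script_index, script_text) for inline scripts that both test
    for IE and redirect or inject content. A browser-specific gate paired
    with a navigation is rare in legitimate page code."""
    parser = ScriptCollector()
    parser.feed(html)
    hits = []
    for i, body in enumerate(parser.scripts):
        if IE_CHECK.search(body) and REDIRECT.search(body):
            hits.append((i, body.strip()))
    return hits


def redirect_targets(html):
    """Absolute URLs referenced by flagged scripts, for use as IOCs."""
    return sorted({u for _, body in find_ie_gated_redirects(html)
                   for u in URL.findall(body)})


if __name__ == "__main__":
    for idx, body in find_ie_gated_redirects(SAMPLE_HTML):
        print(f"suspicious inline script #{idx}:\n{body}\n")
    print("redirect targets:", redirect_targets(SAMPLE_HTML))
```

To run it against a live page, fetch the HTML with the IE user-agent string as well as a non-IE one and diff the results: code that is only served to IE, or only acts on IE, is exactly what this incident relied on.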

The file was an obfuscated Visual Basic executable. By the time we tried to reproduce the infection, the injected code had already been cleaned up from the site; fast action there.

Thanks to Jimmy, our Panda Security colleague from Sweden, Panda Security was able to obtain the malicious file:

File:    svc-ddrs.exe
Image icon: [not reproduced]
Size:    1084416 bytes
Type:    PE32 executable for MS Windows (GUI) Intel 80386 32-bit

When executing the sample, a fake antivirus was launched.

[Screenshot: Windows Efficiency Master]

[Screenshot: fake scanning results]

Besides dropping the usual EXE file in the %appdata% folder, it also dropped a data.sec file holding predefined scanning results (all fake, obviously).

For additional info, see content of data.sec.
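As an added triage check (example code written for this post, not Panda's tooling), the following Python lists recently modified PE files directly under a directory such as %APPDATA%, hashes them, and notes whether a data.sec file sits beside them. The fixture directory it can build is constructed test data carrying only an MZ header; the expected size is taken from the file details above, while the seven-day window and the non-recursive default are assumptions.

```python
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

KNOWN_SIZE = 1084416  # size of svc-ddrs.exe, from the file details above
DROPPED_DATA_FILE = "data.sec"


def is_pe(path):
    """True if the file starts with the MZ header of a Windows executable,
    regardless of its extension."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False


def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_appdata(root, max_age_days=7, recursive=False):
    """Report PE files under root modified within max_age_days, with their
    hash, whether the size matches the sample, and whether data.sec sits
    next to them. Non-recursive by default (assumption: the dropper wrote
    directly into %APPDATA%)."""
    root = Path(root)
    cutoff = time.time() - max_age_days * 86400
    candidates = root.rglob("*") if recursive else root.iterdir()
    findings = []
    for p in candidates:
        if not p.is_file() or not is_pe(p):
            continue
        st = p.stat()
        if st.st_mtime < cutoff:
            continue
        findings.append({
            "path": str(p),
            "size": st.st_size,
            "sha256": sha256(p),
            "size_matches_sample": st.st_size == KNOWN_SIZE,
            "data_sec_beside": (p.parent / DROPPED_DATA_FILE).exists(),
        })
    return findings


def build_constructed_fixture():
    """Create a temporary directory imitating the drop described above:
    a fake PE (MZ header plus zero padding to the sample's size), data.sec,
    and an unrelated text file. Constructed test data, not the malware."""
    d = Path(tempfile.mkdtemp(prefix="fakeav-"))
    (d / "svc-ddrs.exe").write_bytes(b"MZ" + b"\0" * (KNOWN_SIZE - 2))
    (d / DROPPED_DATA_FILE).write_text("constructed fake scan results\n")
    (d / "notes.txt").write_text("not an executable\n")
    return d


if __name__ == "__main__":
    # On Windows scan the real %APPDATA%; elsewhere fall back to the fixture.
    target = os.environ.get("APPDATA") or build_constructed_fixture()
    print(json.dumps(hunt_appdata(target), indent=2))
```

A size match alone is weak evidence; the SHA-256 is what you compare against the sample you actually obtained, and the data.sec neighbour is the stronger behavioural tell for this family.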

This fake AV also performed the usual actions:

This rogueware belongs to the Tritax family, which has been circulating for quite some time under many different names; the design, concept and initial social-engineering lure are always the same.

Prevention

In this case no exploit was used, neither a Java/Adobe plugin exploit nor a browser exploit: only JavaScript was injected into the site. So, follow these prevention tips:

Panda Security products detect and block this threat, but we still encourage you to follow the tips above to stay protected.

We want to specially thank Bart, Panda Security Malware Technician from Benelux, for his great contribution on this malware research.
