Get on-the-go access to the latest insights featured on our Trustworthy Computing blogs.
We recently came across the file 1ac150ddb964722b6b7c96808763b3e4d0472daf during the course of regular research. We detect this file as Trojan:Win32/Preflayer.A. The file had been distributed with the file name FlashPlayer.exe and not surprisingly, when executed, it shows the following GUI, partly written in Turkish:
Obviously, it’s disguised as an Adobe Flash Player 11 installer. The text section of the agreement doesn’t have a scroll bar – which makes it kind of tricky to see all the conditions of installation. However, you can highlight the entire text using your mouse so you can see, right at the end, there’s a message describing a key condition: * YOUR BROWSER HOMEPAGE WILL CHANGE WITH <URL>IF YOU ACCEPT THIS, PLEASE CONTINUE. Note: <URL> is the page that this trojan sets your start page to. Not having a scroll bar is a bit dodgy as most users won’t realize that the program is going to change their browser’s start page. When hitting the button, this fake Flash Player installer downloads and executes a legitimate flash installer as FlashPlayer11.exe from the following url:hxxp://aihdownload.adobe.com/bin/install_flashplayer11x32ax_mssd_aih.exe It then changes the user’s browser start page. It changes the start page for the following browsers:
to one of the following pages:
These sites appear to be a type of search engine, but there are pop-up advertisements displayed on the pages, and there was an instance where I was redirected to a different page not of my choosing. A bit of research indicates that these sites were created fairly recently:
Domain information - from domaintools.com: hxxp://www.anasayfada.net Created: 2013-02-15Ip address: 22.214.171.124IP location: Manisa - Manisa - Dgn Teknoloji Bilisim Yayincilik Sanayi Ve Limited Sirketi The file 1ac150ddb964722b6b7c96808763b3e4d0472daf is reported downloaded from: hxxps://flash-player-download.com/FlashPlayer.exedomain: flash-player-download.comCreated: 2013-03-04Ip address: 126.96.36.199IP location: England - Gosport - Redstation Limited
The file 7b50ac5bbd21b945df128c2606402ef68533dc30 is reported downloaded from: hxxp://www.yonlen.net/flash_player.exedomain: yonlen.netCreated: 2012-10-29Ip address: 188.8.131.52Ip location: England - Gosport - Redstation Limited hxxp://www.heydex.comCreated: 2013-01-22Ip address: 184.108.40.206IP location: Istanbul - Istanbul - Hosting Internet Hizmetleri Ltd Sti
Aside from the misleading GUI, the File Properties are also disguised as if the file was from Adobe: File Version: 220.127.116.11Description: Adobe Flash DownloaderCopyright: 2012 Ironion Comments: Flash Downloader AcceletorCompany: Adobe IncFile Version: 2.01Internal Name: flashLanguage English (United States)Legal Trademarks: 2012 IronionOriginal Filename: flash.exeProduct Name: Flash DownloaderProduct Version: 2.01 It’s a fairly simple ruse – misleading file name, misleading GUI, deliberately inaccessible EULA (why do they bother?), misleading file properties – and some of the files are even signed. And yet, we’ve received over 70,000 reports of this malware in the last week. Social engineering doesn’t have to be particularly sophisticated to be successful. So the message today is be wary. If you think something ‘feels’ wrong (like that missing scrollbar in the EULA) it may well be. Listen to those feelings and use them to protect yourself by saying 'no' to content you don't trust. Jonathan San Jose