
TrendLabs℠ engineers recently discovered an interesting Shockwave Flash (.SWF) file that displays an image and downloads a worm with code capable of initiating a denial-of-service (DoS) attack.

The file, detected as SWF_PALEVO.KK, is hosted on a malicious site and runs whenever users access the site. Once loaded, it displays a screenshot of a YouTube video. The image, however, is embedded with a malicious link (and is of course not a real YouTube video).


Clicking the image leads users to a malicious site (http://www.{BLOCKED}{BLOCKED}layer10.0.45.2.exe) to download a file detected by Trend Micro as WORM_PALEVO.KK. Upon execution, the worm displays a fake dialog box purporting to be an Adobe Flash Player installation, with instructions in French. Clicking any of the given choices leads to the execution of the malware on the affected system.
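As an added example (not code from the TrendLabs post), the following Python triage helper targets the lure pattern described above: it unpacks an FWS or zlib-compressed CWS container, checks that the header's declared length matches the payload, and lists embedded URLs that point at executable downloads. The sample SWF, the hostname and the file name it uses are constructed placeholders, and the set of flagged extensions is an assumption.

```python
import re
import struct
import zlib

# GetURL/GetURL2 and button action targets are stored in the SWF body as
# NUL-terminated ASCII strings, so a byte scan of the decompressed body finds them.
URL_RE = re.compile(rb'https?://[^\x00"\'\s<>]+')
EXECUTABLE_SUFFIXES = (".exe", ".scr")  # assumption: download types we flag

def decompress_swf(data: bytes) -> tuple:
    """Return (body, compressed, length_ok) for an FWS or CWS container."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig = data[:3]
    declared_len = struct.unpack_from("<I", data, 4)[0]  # uncompressed size incl. header
    if sig == b"FWS":
        body, compressed = data[8:], False
    elif sig == b"CWS":
        body, compressed = zlib.decompress(data[8:]), True
    else:
        raise ValueError("unsupported SWF signature %r" % sig)
    # A header length that disagrees with the real payload is itself a triage signal.
    return body, compressed, len(body) + 8 == declared_len

def triage_swf(data: bytes) -> dict:
    """Flag SWFs whose embedded links point at executable downloads."""
    body, compressed, length_ok = decompress_swf(data)
    urls = [u.decode("latin-1") for u in URL_RE.findall(body)]
    exe_urls = [u for u in urls
                if u.split("?", 1)[0].lower().endswith(EXECUTABLE_SUFFIXES)]
    return {"compressed": compressed, "length_ok": length_ok,
            "urls": urls, "exe_urls": exe_urls, "suspicious": bool(exe_urls)}

def swf_tag(code: int, payload: bytes) -> bytes:
    """RECORDHEADER: upper 10 bits tag code, lower 6 bits length (0x3f = long form)."""
    if len(payload) < 0x3f:
        return struct.pack("<H", (code << 6) | len(payload)) + payload
    return struct.pack("<HI", (code << 6) | 0x3f, len(payload)) + payload

def build_sample_swf() -> bytes:
    """Constructed lure: a compressed SWF whose only action is GetURL to an .exe."""
    url = b"http://www.example.invalid/player10.exe"  # placeholder, not the real URL
    get_url = b"\x83" + struct.pack("<H", len(url) + 2) + url + b"\x00" + b"\x00"
    do_action = swf_tag(12, get_url + b"\x00")        # 12 = DoAction, 0x00 = ActionEnd
    body = (b"\x00"            # RECT with nbits=0 (zero-size stage)
            + b"\x00\x0c"      # frame rate 12.0 (8.8 fixed point)
            + b"\x01\x00"      # frame count 1
            + do_action + swf_tag(0, b""))            # 0 = End tag
    return b"CWS\x0a" + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
```

Running `triage_swf(build_sample_swf())` reports the single embedded URL as an executable download and marks the file suspicious; a length mismatch or an unknown signature is reported or raised rather than silently skipped.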


Apart from infecting users’ systems, however, WORM_PALEVO.KK can also initiate a DoS attack that can disable a website, shut down a network, or disrupt a service. This attack is initiated by a remote server that is controlled by a malicious user. The worm receives commands from the remote server to perform several actions such as downloading other malware, downloading updates of itself, and launching a SYN flood attack against target systems. It can also spread and infect a large number of systems since it propagates using MSN Messenger and peer-to-peer (P2P) applications.

The variants WORM_PALEVO.KK and SWF_PALEVO.KK are detections related to the Mariposa botnet. Users are strongly advised against visiting suspicious-looking sites and clicking the links and images found in them.

Trend Micro™ Smart Protection Network™ protects users from this particular threat by blocking access to the malicious site via the Web reputation service and by detecting and preventing the download and execution of SWF_PALEVO.KK and WORM_PALEVO.KK on affected systems via the file reputation service.



© Copyright 2013 Trend Micro Inc. All rights reserved.