    Cybercriminals again exploited one of the most-awaited global sports events—the “2010 Vancouver Winter Olympics”—to propagate at least two of their malicious wares. They piggybacked on the Olympics fever to promote malware-ridden sites.

    In an attempt to affect as many users as possible, cybercriminals poisoned Google search results regarding the upcoming event. As usual, clicking the malicious links to get the latest news leads to sites that host either a bogus Windows Media Player update (see Figure 1) or FAKEAV.


    Trend Micro advanced threats researcher Norman Ingal found that the sites leading to the bogus Windows Media Player update, which urged users to download player_update.exe-1, actually had them download a malicious .EXE file detected by Trend Micro as BKDR_INJECT.ANI (see Figure 2).


    BKDR_INJECT.ANI drops an encrypted system file (configqkqitqie.sav) onto affected systems, then connects to the site http://{BLOCKED}ock.info/install/setup.php?, possibly to download more malware.

    The sites that lead to at least three FAKEAV variants (see Figure 3), on the other hand, download TROJ_FAKEVIME.AB, a FAKEAV component that connects to either of these two sites to download TROJ_FAKEAL.SMDP (aka Security Antivirus):

    • http://{BLOCKED}system.in/index.php?controller=microinstaller&abbr=SAV&setupType=xp&ttl=21105299546&pid=
    • http://{BLOCKED}dsystem.in/index.php?controller=mic oinstaller&abbr=SAV&setupType=xp&ttl=21105189b9a&pid=
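Because the hostnames above are redacted and differ between the two URLs, a defender reviewing proxy logs can match on the shared request shape instead of the host. The following is an added example, not Trend Micro's code; the log layout (timestamp, client IP, method, URL, status), the `.example` hostnames, and the function names are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Query keys shared by both download URLs quoted in the post.
INSTALLER_KEYS = {"controller", "abbr", "setupType", "ttl", "pid"}

def installer_query(url):
    """Return the parsed query if the URL has the
    index.php?controller=microinstaller&... shape, else None."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/index.php"):
        return None
    # keep_blank_values: the quoted URLs end in an empty "pid=".
    query = parse_qs(parts.query, keep_blank_values=True)
    if not INSTALLER_KEYS.issubset(query):
        return None
    if query["controller"][0].lower() != "microinstaller":
        return None
    return query

def scan_proxy_log(lines):
    """Return (client_ip, host, abbr) for every matching request."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated entry
        client, url = fields[1], fields[3]
        query = installer_query(url)
        if query is not None:
            hits.append((client, urlsplit(url).hostname, query["abbr"][0]))
    return hits

# Constructed sample log lines (assumed format; hosts and ttl values are placeholders).
SAMPLE_LOG = [
    "2010-02-10T09:14:02Z 10.0.0.21 GET http://redacted-host-1.example/index.php"
    "?controller=microinstaller&abbr=SAV&setupType=xp&ttl=0000000000&pid= 200",
    "2010-02-10T09:14:09Z 10.0.0.35 GET http://shop.example/index.php"
    "?controller=cart&id=7 200",
    "2010-02-10T09:15:40Z 10.0.0.21 GET http://news.example/olympics/schedule.html 200",
    "2010-02-10T09:16:11Z 10.0.0.44 GET http://redacted-host-2.example/INDEX.PHP"
    "?pid=&ttl=1111&setupType=xp&abbr=SAV&controller=MicroInstaller 200",
    "truncated entry",
]

if __name__ == "__main__":
    for client, host, abbr in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} requested FAKEAV installer (abbr={abbr}) from {host}")
```

A hit identifies a client where the downloader component has likely already run, so it is a cue for host triage rather than only a block event.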

    TROJ_FAKEAL.SMDP, like previously featured FAKEAV variants, also uses scareware tactics to convince users of infected systems to download and ultimately purchase a rogue antivirus application (see Figures 4–10).


    Fortunately, Trend Micro™ Smart Protection Network™ protects product users from these kinds of attacks by blocking access to known malicious sites and domains via the Web reputation service and by detecting and consequently deleting identified malware (i.e., BKDR_INJECT.ANI, TROJ_FAKEVIME.AB, and TROJ_FAKEAL.SMDP) from systems via the file reputation service.

    Non-Trend Micro product users can stay protected as well with Web Protection Add-On, a free tool that is designed to block access attempts to potentially malicious websites in real time.











     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice