Fake AV’s double attack

Fake AV is regularly at the top of the lists of peddled malware, and part of the reason is that it is spread in many different ways: spam, compromised websites, SEO poisoning, etc.

SophosLabs warns about an attack vector that has recently been heavily employed: malicious applet and JavaScript content on a web page opens the way to the dynamic loading of malicious PDFs.

In the PDFs, obfuscated JavaScript aims to exploit a number of Adobe vulnerabilities, while the applet loads a JAR file that attempts to take advantage of an old privilege escalation vulnerability in the handling of ZoneInfo objects during deserialization.

Coming at you from two sides, the likelihood of success is doubled. If either one manages to circumvent your defenses, you’re in for a ride! The installer file copies itself to your system, adds Registry keys to hook system startup and drops a .html file that will be loaded on your desktop instead of your chosen background. This is what it looks like:

Enough to frighten the nonprofessionals, don’t you think?

Anyway, after doing this, it adds URLs that lead to the rogue software to Internet Explorer’s list of trusted sites, then downloads the fake AV from one of them and runs it on your computer. The name of this malicious program is Internet Security 2010, and its professional look can fool people unfamiliar with this kind of scam.
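As an added example for defenders (not code from the original post or from SophosLabs), the PowerShell triage script below checks a Windows host for the three changes just described: Run-key persistence, new Trusted Sites entries, and an HTML file set as the desktop wallpaper. The registry locations used for the Trusted Sites zone and the wallpaper path, and the "user-writable path" heuristic for Run entries, are assumptions, not details given in the post.

```powershell
# Added host triage script (not from the original post or from SophosLabs).
# Assumptions not stated in the post: Trusted Sites mappings live under
# ZoneMap\Domains with zone value 2, and the wallpaper path is stored in the
# Control Panel\Desktop and Active Desktop registry keys.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Run keys: report entries that launch from user-writable locations
#    (heuristic; the post does not say where the installer copies itself)
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip provider metadata
        if ("$($p.Value)" -match '(?i)\\(Temp|AppData|Downloads)\\') {
            $findings.Add("Run entry '$($p.Name)' in $key -> $($p.Value)")
        }
    }
}

# 2. Trusted Sites (zone id 2) mappings, stored on the domain key or a host subkey
$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
if (Test-Path $zoneRoot) {
    foreach ($k in (Get-ChildItem -Path $zoneRoot -Recurse)) {
        $name = $k.PSPath -replace '^.*\\Domains\\', ''
        foreach ($p in (Get-ItemProperty -Path $k.PSPath).PSObject.Properties) {
            # value name is the scheme (http, https, '*'); value data is the zone id
            if ($p.Name -notlike 'PS*' -and $p.Value -eq 2) {
                $findings.Add("Trusted Sites entry: $name ($($p.Name))")
            }
        }
    }
}

# 3. Wallpaper that points at an HTML file instead of an image
$wallpaperKeys = 'HKCU:\Control Panel\Desktop',
                 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\General'
foreach ($key in $wallpaperKeys) {
    $wp = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Wallpaper
    if ($wp -and $wp -match '(?i)\.html?$') {
        $findings.Add("HTML wallpaper set in ${key}: $wp")
    }
}

if ($findings.Count -eq 0) { 'No fake-AV indicators found.' } else { $findings }
```

Every Trusted Sites entry is listed rather than filtered, since which hosts are legitimate is specific to each environment; review the output against your own allow-list.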

Sophos has, of course, blocked the JavaScript, the PDFs, the JAR file and the installer file, along with having blacklisted the malicious sites hosting the fake AV.