Rogue antivirus has not received much attention recently, probably because it is no longer boldly screaming in everyone's faces the way it was a couple of years ago, when nearly every trending topic produced massive amounts of blackhat-SEO-poisoned URLs.
So where are they lurking nowadays?
They are still using SEO poisoning, of course; they need to gain some visibility after all. But in addition to the usual compromised domains, they are now happily residing on Tumblr.
The screenshot below is taken from one of the several rogue-pushing Tumblr accounts:
And well, as Internet users, when we are presented with a video with a play button in the middle, what do we do? We click it! Right? And the video promptly plays… well, not this time. That "video" is actually just an image with a play button drawn on it. So that innocent click doesn't play anything; it takes you to a landing page, which redirects to an exploit page, which finally hands you a rogue antivirus.
The exploit page downloads a file named YvMiN.jar, which exploits the Java vulnerability CVE-2012-0507. In addition, if the browser is not Chrome, two further files (named DoNbI.pdf and hCJkApns.pdf) are downloaded; these exploit the Adobe Reader vulnerabilities CVE-2008-2992, CVE-2007-5659, and CVE-2010-0188. The browser check makes sense from the attacker's side: Chrome renders PDFs with its own built-in viewer rather than the Adobe Reader plugin, so the PDF exploits would be wasted on it.
Successful exploitation currently leads to a rogueware called Windows Performance Adviser.
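The chain above (Tumblr post, landing page, exploit page, then .jar/.pdf fetches and a dropped binary) is exactly the shape a web proxy log records, and it can be reconstructed after the fact by walking Referer headers backwards. The script below is an added example, not code from the original post or from the malware: it parses a constructed proxy log (all host names are made-up .example domains; only the payload file names YvMiN.jar, DoNbI.pdf and hCJkApns.pdf come from the post), rebuilds the referer chain for every suspicious download, and flags clients whose chain leads back to a tumblr.com page within a short window. The log format, field order and 60-second window are assumptions for the example.

```python
from urllib.parse import urlsplit
from datetime import datetime, timedelta

# Constructed sample proxy log (not real traffic). Fields:
#   timestamp client method url status content-type referer ("-" if none)
# Payload names (YvMiN.jar, DoNbI.pdf, hCJkApns.pdf) are those named in the
# post; every host name is a made-up .example domain.
SAMPLE_LOG = """\
2012-05-15T10:01:02 10.0.0.5 GET http://some-blog.tumblr.com/post/1234 200 text/html -
2012-05-15T10:01:09 10.0.0.5 GET http://landing.example/go.php 302 text/html http://some-blog.tumblr.com/post/1234
2012-05-15T10:01:10 10.0.0.5 GET http://exploit.example/index.php 200 text/html http://landing.example/go.php
2012-05-15T10:01:11 10.0.0.5 GET http://exploit.example/YvMiN.jar 200 application/java-archive http://exploit.example/index.php
2012-05-15T10:01:12 10.0.0.5 GET http://exploit.example/DoNbI.pdf 200 application/pdf http://exploit.example/index.php
2012-05-15T10:01:13 10.0.0.5 GET http://exploit.example/hCJkApns.pdf 200 application/pdf http://exploit.example/index.php
2012-05-15T10:01:30 10.0.0.5 GET http://exploit.example/setup.exe 200 application/octet-stream http://exploit.example/index.php
2012-05-15T10:05:00 10.0.0.7 GET http://other-blog.tumblr.com/ 200 text/html -
2012-05-15T10:05:03 10.0.0.7 GET http://static.example/photo.jpg 200 image/jpeg http://other-blog.tumblr.com/
"""

# Content types / extensions worth a second look: exploit carriers and dropped binaries.
SUSPICIOUS_TYPES = {"application/java-archive", "application/x-java-archive",
                    "application/pdf", "application/octet-stream"}
SUSPICIOUS_EXTS = (".jar", ".pdf", ".exe")
WINDOW = timedelta(seconds=60)   # assumed: exploit fetches follow the click within a minute


def parse_log(text):
    """Parse the whitespace-separated log into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, ctype, referer = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "client": client,
                        "method": method, "url": url, "status": int(status),
                        "ctype": ctype,
                        "referer": None if referer == "-" else referer})
    return records


def host(url):
    return (urlsplit(url).hostname or "").lower()


def in_domain(url, domain):
    """True for domain itself and its subdomains, not for look-alikes such as evil-domain."""
    h = host(url)
    return h == domain or h.endswith("." + domain)


def referer_chain(record, records):
    """Walk Referer headers backwards (same client, earlier or equal timestamp) to
    rebuild the path the browser took. Returns URLs from the first page to this request."""
    chain = [record["url"]]
    seen = {record["url"]}
    current = record
    while current["referer"] and current["referer"] not in seen:
        ref = current["referer"]
        candidates = [r for r in records
                      if r["client"] == current["client"] and r["url"] == ref
                      and r["ts"] <= current["ts"]]
        if not candidates:
            break   # referer never seen in the log (cached, or outside the capture)
        current = max(candidates, key=lambda r: r["ts"])
        chain.append(current["url"])
        seen.add(ref)
    return list(reversed(chain))


def is_suspicious_fetch(record):
    path = urlsplit(record["url"]).path.lower()
    return record["ctype"] in SUSPICIOUS_TYPES or path.endswith(SUSPICIOUS_EXTS)


def find_driveby_sessions(records, seed_domain="tumblr.com", window=WINDOW):
    """Flag clients that fetched a .jar/.pdf/.exe from a host outside seed_domain
    whose referer chain leads back to a seed_domain page loaded within `window`.
    Returns {client: {"seed": url, "chain": [seed, ..., exploit page], "payloads": [urls]}}."""
    hits = {}
    for rec in records:
        if not is_suspicious_fetch(rec) or in_domain(rec["url"], seed_domain):
            continue
        chain = referer_chain(rec, records)
        seeds = [u for u in chain if in_domain(u, seed_domain)]
        if not seeds:
            continue
        seed_rec = next(r for r in records
                        if r["client"] == rec["client"] and r["url"] == seeds[0])
        if rec["ts"] - seed_rec["ts"] > window:
            continue
        entry = hits.setdefault(rec["client"],
                                {"seed": seeds[0], "chain": chain[:-1], "payloads": []})
        entry["payloads"].append(rec["url"])
    return hits


if __name__ == "__main__":
    for client, hit in find_driveby_sessions(parse_log(SAMPLE_LOG)).items():
        print(client, "->", " -> ".join(hit["chain"]))
        for p in hit["payloads"]:
            print("   fetched:", p)
```

On the sample log this flags 10.0.0.5 only: its chain runs from the Tumblr post through the landing page to the exploit page, followed by the .jar, the two PDFs and an .exe, while 10.0.0.7 (a Tumblr visit followed by an ordinary image load) is left alone. In a real deployment the referer walk is the fragile part: browsers strip Referer on HTTPS-to-HTTP transitions and some redirectors use meta refresh or JavaScript, so treat a broken chain as a reason to look closer, not as a clean verdict.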
So… tip of the day… if those wonderful videos are not on a trusted domain… don't click them… but… but… just don't. ;)