Fake AV on Drudge

I was over at the Drudge Report last night and finally saw a fake antivirus social engineering attempt there. I’d heard before that the ads on drudge often served that up, but it was the first time I ran across it myself.
On my work computers, I have the full Symantec Endpoint Protection suite installed and the IPS generally detects and blocks fake antivirus attempts. My home computer doesn’t have the firewall component of SEP installed thus it can’t have the IPS functionality. This means its relying on the antivirus scanner exclusively for detection. Of course that detected nothing.
I downloaded the inst.exe file. That’s the same file name i see in the fake antivirus attempts that are frequently attempted at pwinsider.com. You’d think the bad guys would avoid using the same file name all the time.
I got sidetracked and didn’t run the file through virus total until this morning. 13 out of 41 detected the virus installed downloaded from a major site the day after.

File inst.exe received on 2010.05.06 14:31:04 (UTC)
Antivirus Version Last Update Result
a-squared 2010.05.06
AhnLab-V3 2010.05.05.00 2010.05.05
AntiVir 2010.05.06 TR/Fakealert.mnd
Antiy-AVL 2010.05.06
Authentium 2010.05.06
Avast 4.8.1351.0 2010.05.06
Avast5 5.0.332.0 2010.05.06
AVG 2010.05.06
BitDefender 7.2 2010.05.06 Trojan.FakeAlert.CCA
CAT-QuickHeal 10.00 2010.05.04
ClamAV 2010.05.06
Comodo 4779 2010.05.06
DrWeb 2010.05.06 Trojan.Fakealert.15369
eSafe 2010.05.05
eTrust-Vet 35.2.7471 2010.05.06 Win32/FakeAlert.E!generic
F-Prot 2010.05.06
F-Secure 9.0.15370.0 2010.05.06 Trojan.FakeAlert.CCA
Fortinet 2010.05.05
GData 21 2010.05.06 Trojan.FakeAlert.CCA
Ikarus T3. 2010.05.06
Jiangmin 13.0.900 2010.05.06
Kaspersky 2010.05.06 Packed.Win32.Krap.ai
McAfee 5.400.0.1158 2010.05.06
McAfee-GW-Edition 2010.1 2010.05.06
Microsoft 1.5703 2010.05.05
NOD32 5091 2010.05.06 a variant of Win32/Kryptik.ECX
Norman 6.04.12 2010.05.06
nProtect 2010-05-06.02 2010.05.06 Trojan.FakeAlert.CCA
Panda 2010.05.05 Suspicious file
PCTools 2010.05.06
Prevx 3.0 2010.05.06 High Risk Cloaked Malware
Rising 2010.05.06
Sophos 4.53.0 2010.05.06 Mal/FakeAV-CZ
Sunbelt 6267 2010.05.06 FraudTool.Win32.SecurityTool (v)
Symantec 20091.2.0.41 2010.05.06
TheHacker 2010.05.06
TrendMicro 2010.05.06
TrendMicro-HouseCall 2010.05.06
VBA32 2010.05.06
ViRobot 2010.5.6.2304 2010.05.06
VirusBuster 2010.05.06
Additional information
File size: 887824 bytes
MD5…: 2e797ae47b533739a234ffd66d736a55
SHA1..: d3a984790a2d83f33db3b7791d540f259eb1ef34
SHA256: 05a094eb2512b0df90b98e8789ce9166049749dc428d38561d805c577ec52202
ssdeep: 24576:j9r0ObkXlgxp3JEFp56d1Ctz7YQn7jPff7l0xm6U:j6pwp5Ap0A4GPfKzU
PEiD..: –
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1000
timedatestamp…..: 0x42f2757e (Thu Aug 04 20:07:26 2005)
machinetype…….: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x58000 0x57400 7.79 c8a376ad4f177f3ae434902b7b8f4a8f
.rdata 0x59000 0x1000 0x200 3.79 6d3e2283fc369479980764aca0706a36
.trash 0x5a000 0x80000 0x7f200 7.79 4579192af1340dc0f8377086beb4767c
.rsrc 0xda000 0xa3000 0x2000 5.14 00d9d5b447b6a0236d734be8ae5af459
.reloc 0x17d000 0x4 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

( 2 imports )
> ntdll.dll: DbgPrint, DbgPrompt, NtPulseEvent, RtlUlongByteSwap, atan
> KERNEL32.dll: GetModuleHandleA, CreateFileA, GetLastError, WriteFile, ReadFile, GetVersionExA, ExitProcess, CloseHandle, GetCurrentProcessId, GetCurrentProcess, GetCurrentThreadId

( 0 exports )

RDS…: NSRL Reference Data Set
pdfid.: –
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Symantec Reputation Network: Suspicious.Insight http://www.symantec.com/security_response/writeup.jsp?docid=2010-021223-0550-99
publisher….: n/a
copyright….: n/a
product……: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments…..: n/a
signers……: –
signing date.: –
verified…..: Unsigned
<a href=’http://info.prevx.com/aboutprogramtext.asp?PX5=58CECCFE103F91A08CFD0D13520C63001BD0C5B4′ target=’_blank’>http://info.prevx.com/aboutprogramtext.asp?PX5=58CECCFE103F91A08CFD0D13520C63001BD0C5B4</a>

In March the Senate Sargent at Arms traced the source of an infection back to Drudge. People thought that was politically motivated. Drudge is a high value target due to the number of visitors. Is there anything he should be doing differently? I think he needs to be holding his ad company to a higher standard and switching companies if they continue to allow these malicious ads to sneak in.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>