I was over at the Drudge Report last night and finally saw a fake antivirus social engineering attempt there. I’d heard before that the ads on drudge often served that up, but it was the first time I ran across it myself.
On my work computers, I have the full Symantec Endpoint Protection suite installed and the IPS generally detects and blocks fake antivirus attempts. My home computer doesn’t have the firewall component of SEP installed thus it can’t have the IPS functionality. This means its relying on the antivirus scanner exclusively for detection. Of course that detected nothing.
I downloaded the inst.exe file. That’s the same file name i see in the fake antivirus attempts that are frequently attempted at pwinsider.com. You’d think the bad guys would avoid using the same file name all the time.
I got sidetracked and didn’t run the file through virus total until this morning. 13 out of 41 detected the virus installed downloaded from a major site the day after.
| File inst.exe received on 2010.05.06 14:31:04 (UTC) | |||
| Antivirus | Version | Last Update | Result |
| a-squared | 4.5.0.50 | 2010.05.06 | – |
| AhnLab-V3 | 2010.05.05.00 | 2010.05.05 | – |
| AntiVir | 8.2.1.236 | 2010.05.06 | TR/Fakealert.mnd |
| Antiy-AVL | 2.0.3.7 | 2010.05.06 | – |
| Authentium | 5.2.0.5 | 2010.05.06 | – |
| Avast | 4.8.1351.0 | 2010.05.06 | – |
| Avast5 | 5.0.332.0 | 2010.05.06 | – |
| AVG | 9.0.0.787 | 2010.05.06 | – |
| BitDefender | 7.2 | 2010.05.06 | Trojan.FakeAlert.CCA |
| CAT-QuickHeal | 10.00 | 2010.05.04 | – |
| ClamAV | 0.96.0.3-git | 2010.05.06 | – |
| Comodo | 4779 | 2010.05.06 | – |
| DrWeb | 5.0.2.03300 | 2010.05.06 | Trojan.Fakealert.15369 |
| eSafe | 7.0.17.0 | 2010.05.05 | – |
| eTrust-Vet | 35.2.7471 | 2010.05.06 | Win32/FakeAlert.E!generic |
| F-Prot | 4.5.1.85 | 2010.05.06 | – |
| F-Secure | 9.0.15370.0 | 2010.05.06 | Trojan.FakeAlert.CCA |
| Fortinet | 4.0.14.0 | 2010.05.05 | – |
| GData | 21 | 2010.05.06 | Trojan.FakeAlert.CCA |
| Ikarus | T3.1.1.84.0 | 2010.05.06 | – |
| Jiangmin | 13.0.900 | 2010.05.06 | – |
| Kaspersky | 7.0.0.125 | 2010.05.06 | Packed.Win32.Krap.ai |
| McAfee | 5.400.0.1158 | 2010.05.06 | – |
| McAfee-GW-Edition | 2010.1 | 2010.05.06 | – |
| Microsoft | 1.5703 | 2010.05.05 | – |
| NOD32 | 5091 | 2010.05.06 | a variant of Win32/Kryptik.ECX |
| Norman | 6.04.12 | 2010.05.06 | – |
| nProtect | 2010-05-06.02 | 2010.05.06 | Trojan.FakeAlert.CCA |
| Panda | 10.0.2.7 | 2010.05.05 | Suspicious file |
| PCTools | 7.0.3.5 | 2010.05.06 | – |
| Prevx | 3.0 | 2010.05.06 | High Risk Cloaked Malware |
| Rising | 22.46.03.04 | 2010.05.06 | – |
| Sophos | 4.53.0 | 2010.05.06 | Mal/FakeAV-CZ |
| Sunbelt | 6267 | 2010.05.06 | FraudTool.Win32.SecurityTool (v) |
| Symantec | 20091.2.0.41 | 2010.05.06 | – |
| TheHacker | 6.5.2.0.277 | 2010.05.06 | – |
| TrendMicro | 9.120.0.1004 | 2010.05.06 | – |
| TrendMicro-HouseCall | 9.120.0.1004 | 2010.05.06 | – |
| VBA32 | 3.12.12.4 | 2010.05.06 | – |
| ViRobot | 2010.5.6.2304 | 2010.05.06 | – |
| VirusBuster | 5.0.27.0 | 2010.05.06 | – |
| Additional information | |||
| File size: 887824 bytes | |||
| MD5…: 2e797ae47b533739a234ffd66d736a55 | |||
| SHA1..: d3a984790a2d83f33db3b7791d540f259eb1ef34 | |||
| SHA256: 05a094eb2512b0df90b98e8789ce9166049749dc428d38561d805c577ec52202 | |||
| ssdeep: 24576:j9r0ObkXlgxp3JEFp56d1Ctz7YQn7jPff7l0xm6U:j6pwp5Ap0A4GPfKzU | |||
| PEiD..: – | |||
| PEInfo: PE Structure information
( base data ) ( 5 sections ) ( 2 imports ) ( 0 exports ) |
|||
| RDS…: NSRL Reference Data Set – |
|||
| pdfid.: – | |||
| trid..: Win32 Executable Generic (42.3%) Win32 Dynamic Link Library (generic) (37.6%) Generic Win/DOS Executable (9.9%) DOS Executable Generic (9.9%) Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%) |
|||
| Symantec Reputation Network: Suspicious.Insight http://www.symantec.com/security_response/writeup.jsp?docid=2010-021223-0550-99 | |||
| sigcheck: publisher….: n/a copyright….: n/a product……: n/a description..: n/a original name: n/a internal name: n/a file version.: n/a comments…..: n/a signers……: – signing date.: – verified…..: Unsigned |
|||
| <a href=’http://info.prevx.com/aboutprogramtext.asp?PX5=58CECCFE103F91A08CFD0D13520C63001BD0C5B4′ target=’_blank’>http://info.prevx.com/aboutprogramtext.asp?PX5=58CECCFE103F91A08CFD0D13520C63001BD0C5B4</a> | |||
In March the Senate Sargent at Arms traced the source of an infection back to Drudge. People thought that was politically motivated. Drudge is a high value target due to the number of visitors. Is there anything he should be doing differently? I think he needs to be holding his ad company to a higher standard and switching companies if they continue to allow these malicious ads to sneak in.