Spoofing video codecs and third-party video player plugin upgrades has proven to be an effective way to fool users into running malware on their systems. Malware does not need to exploit vulnerable, unpatched code to spread effectively.
Another extremely common and effective technique has been convincing users that their friends are sending them pictures. Attackers use a variety of legitimate-sounding URLs, alter the icons of the files they want users to run so that executables appear to be image files, and modify filenames to look like image files. These sorts of techniques are very common right now.
ThreatFire is currently preventing a high number of users from running an IM worm and the bot it downloads. The worm attempts to send itself to the contacts in MSN Messenger users’ address books, convincing their friends that fun pictures await. It installs an IRC bot, adding the machine to yet another botnet. Here is a handful of files being spread at the moment:
Image.php hosted at hxxp://hi5-album.com, hxxp://hi5-foto.net, and a number of other legitimate-sounding URLs redirects users to a variety of files at
with file names like PIC2009-02-15-JPG.exe, PICT1321.JPG.EXE, PICT0018.JPG.EXE and the others in the screenshot above. The downloads’ icons appear exactly as in the screenshot above, and when extensions are hidden for known file types (a Windows Explorer setting) a user may not realize that they have an executable, not an image, on their system. Because of the icon tampering, the files look even more like JPG and GIF files.
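The two conditions described above (Explorer hiding known extensions, and a double extension such as `.JPG.EXE` or an executable carrying an image icon and name) can be audited on a Windows host. The following PowerShell script is an added example for this post, not ThreatFire's code or anything distributed with the worm; the scan roots and the extension lists are assumptions to adjust for your own environment.

```powershell
# Added example: audit a Windows host for the disguise techniques described in the post.
# Scan roots and extension lists below are assumptions, not values from the post.

# 1. Is Explorer hiding extensions for known file types?
#    HideFileExt = 1 means "PICT0018.JPG.EXE" is displayed as "PICT0018.JPG".
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hide = (Get-ItemProperty -Path $advKey -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($hide -eq 1) {
    Write-Warning "Explorer hides known extensions; double-extension executables will look like images."
    # To show extensions for the current user (Explorer restart required to take effect):
    # Set-ItemProperty -Path $advKey -Name HideFileExt -Value 0
} else {
    Write-Host "Explorer shows file extensions."
}

# Assumed locations where IM downloads typically land.
$scanRoots = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", "$env:TEMP")

# 2. Names with an image extension immediately followed by an executable extension.
#    PowerShell's -match is case-insensitive, so PICT1321.JPG.EXE and pic.jpg.exe both hit.
$doubleExt = '\.(jpe?g|gif|png|bmp)\.(exe|scr|com|pif|bat|cmd)$'

# 3. Files that claim an image extension but actually start with the "MZ" PE header,
#    which catches a renamed executable even when the name has only one extension.
function Test-PEHeader {
    param([string]$Path)
    $buf = New-Object byte[] 2
    $fs = [System.IO.File]::OpenRead($Path)
    try { $n = $fs.Read($buf, 0, 2) } finally { $fs.Close() }
    # 0x4D 0x5A = "MZ", the DOS header every Windows PE file begins with
    return ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
}

$files = Get-ChildItem -Path $scanRoots -File -Recurse -Force -ErrorAction SilentlyContinue

$suspicious = foreach ($f in $files) {
    if ($f.Name -match $doubleExt) {
        [pscustomobject]@{ Reason = 'image+executable double extension'; Path = $f.FullName; Size = $f.Length }
    }
    elseif ($f.Extension -match '^\.(jpe?g|gif|png|bmp)$' -and (Test-PEHeader $f.FullName)) {
        [pscustomobject]@{ Reason = 'image extension but PE content'; Path = $f.FullName; Size = $f.Length }
    }
}

if ($suspicious) {
    $suspicious | Format-Table -AutoSize
} else {
    Write-Host "No disguised executables found under: $($scanRoots -join ', ')"
}
```

The header check is the more robust of the two: Explorer's icon and the filename are both under the attacker's control, but a Win32 executable has to begin with the `MZ` signature or it will not run, so an "image" whose first two bytes are `MZ` is worth a closer look regardless of how it is named.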
We’ve been posting about this sort of scheme for some time now. It continues to be effective, and users need to be more aware of the techniques used.