We are seeing a number of hits from binaries served up from the Ukraine via web pages’ prompts from domains registered in China and hosted in the U.S. Now that’s international.
These sites in the Ukraine are linked to by servers all over the world, and serve up “Rogueware”, or fraudulent adware, similar to the Zlob family. A couple of vendors are assigning it vague family names like “Delflob” or “Delf”.
Through a redirected http session, the user sees the standard video codec hoax. Recently, this same hoax coldly was used with other shocking news like the Bhutto assassination and the Zoey Zane death, and most likely will continue to be used throughout 2008. This site could have been a part of the fake codecs on blogger effort, but because detection is so low, it is most likely a new effort or will be a part of a new effort. Notice the “play video” title bar and the instruction “You must download the Video ActiveX Object to play”:
Once the user is suckered into clicking on the image to download the adware posing as a legitimate video codec, a file with variations on the name install_video_3913230.exe is served up. If the user runs the installer, thinking of it as a legitimate codec, it in turn writes out G76-tmp_.exe, which also installs toprates.dll. Toprates.dll is a file that claims to be a video driver in its properties, but it is nothing more than rogueware (also called rogue antispyware), or adware making fraudulent and threatening claims that a user’s system is infected and in a dangerous state. And by paying up, the user will soon fix this dangerous situation.
ThreatFire users have been seeing prompts regarding the temp file’s (%TEMP%GL76-tmp.exe) adjustments to security settings:
If the user allows the action to occur and then double clicks on “My Computer”, or opens an explorer window another way, they are prompted with an intimidating warning. If the intimidated user clicks on “Ok”, this adware directs user’s browser to a web site peddling IeDefender, fraudulently claiming that the user’s system has been infected by an “unknown trojan” (implicitly something other than this garbage):
Unfortunately, AV detection for the variant has been low since our ThreatFire community started seeing this malware:
Even if one of our Threatfire users accepted the temp file’s attempt to change the system’s security settings, TF would prompt a second time on the source of the disingenuous warnings as it attempts to intimidate the user with more confusing ads. At this point the user really should quarantine this rogueware. If ThreatFire hasn’t seen the specific delivered binary before, it prompts the user:
ThreatFire will be picking these off as a part of the “Zlob” family.
You might notice that this hoax has a lot to do with the very last line of a previous post, quoting an ad from the distributor of these sorts of rogueware installs.