Sunbelt IeDefender/Zoey Zane find still up and running

Monday morning, Adam Thomas of the Sunbelt crew posted about a sicko scheme that uses information from a shocking news story about the death of a girl to lure in new victims for the IeDefender rogueware. While we haven’t seen a large spike in downloads of this stuff, we’ve been monitoring the site, and it remains up.

In our lab, we saw closely related but slightly different results. The videomp3_setup_.exe file, when manually run, pops up a couple of different, changing windows:

Following the rogueware install, the software opens an Internet Explorer window, conveniently googling the term “sex” for you, and injects its own HTML into the results page, spoofing the Google results. The first chunk of injected HTML is a warning posing as though it comes from Google: “Google Error! Your computer is infected!…”
The second chunk immediately follows the fraudulent claim. It inserts a pornographic image next to a phony link that claims to be on the YouTube site (clicking on it directs you to a completely different porn domain, not YouTube). You can see the (censored) fraudulent results here:

Unfortunately, scanner results seemed to be spotty to non-existent for this threat:

We’ve distributed samples to the appropriate people for inclusion in other security products’ protection.
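
Both injected chunks described above can be looked for in a saved copy of a rendered results page. The following is an added example, not code from the original post or from Sunbelt: it flags the fake "Google Error!" warning text and any link whose visible text names a brand while its `href` points at a different host. The brand table, function names and sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: brands whose names in link text should match the link's real host.
BRANDS = {"youtube": "youtube.com", "google": "google.com"}
# Phrases taken from the injected warning quoted in the post.
ALERT_PHRASES = ("google error", "your computer is infected")


class ResultAuditor(HTMLParser):
    """Collects findings for spoofed warnings and brand/href mismatches."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # visible text collected inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        low = data.lower()
        for phrase in ALERT_PHRASES:
            if phrase in low:
                self.findings.append(("fake_alert", phrase))
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        label = "".join(self._text).lower()
        host = (urlparse(self._href).hostname or "").lower()
        for brand, domain in BRANDS.items():
            on_brand = host == domain or host.endswith("." + domain)
            if brand in label and not on_brand:
                self.findings.append(("link_mismatch", brand, host))
        self._href = None


def audit(html):
    parser = ResultAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: one spoofed warning, one phony link, one genuine link.
SAMPLE = """<div><b>Google Error! Your computer is infected!</b></div>
<div><img src="x.jpg"><a href="http://videos.example.net/watch">www.youtube.com/watch?v=abc</a></div>
<div><a href="http://www.youtube.com/watch?v=abc">YouTube - clip</a></div>"""
```

Matching on the registered domain suffix rather than a substring means a host such as `youtube.com.example.net` is still reported as a mismatch.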
