It’s a pretty complicated attack. Basically, when you visit one of these Google results, the malicious server prompts you to download a malicious executable, while at the same time probing your system for vulnerabilities and attempting to exploit them. All of this is done in an effort to install lots of “rogue security software” that scans your system and tries to intimidate you with fraudulent scan results into purchasing the product, complete with pop-ups for pharmaceuticals sprouting up on the screen.
Yesterday afternoon, we installed their executable manually (displayed at the Sunbelt blog as “VideoAccessCodecInstall.exe”). It runs on a user’s system and then attempts to connect to a website and perform more downloads. The server at that destination was up, but the malicious download was not available.
However, the servers that the “video codec” connects to came back up overnight. Around 55 Internet Explorer windows and various screen prompts on one of our infected lab systems now tell me that malware and porn have been found all over the system (neither of which was there when we started), and that we need to buy their products to clean it up and keep my kids away from porn. What garbage.
Some of the product names look like this:
YourPrivacyGuard, ABSSearch, SecurePCCleaner, UltimateDefender, ADWare Remover2007, XPAntivirus, UltimateCleaner
Simply put, the best way to deal with this threat is to keep your Windows operating system, application components and third-party utilities patched, and to maintain effective security products on your system.
We’ll keep you updated on the situation.
If you see this on your system while you are browsing the web with Firefox, do NOT download and execute the executable:
If you see this on your system while you are browsing the web with Internet Explorer, do NOT allow the executable to run:
Here is an example of ThreatFire identifying one of the downloaders, running on a lab system: