Anti-Virus-1 Targets Ads and Adobe Flash
Malware creators have now found new methods of compromising users' computers.
One method, used on 24th February, was found in advertisements on the eweek.com site, a popular online business computing magazine.
The advertisements were hosted on the Doubleclick advertisement network. When users clicked on the ads they were redirected through a series of iframes to adult websites, which then attempted to load a PDF file that exploits a known vulnerability. This vulnerability is unrelated to the current zero-day threat.
It must be stressed that eweek.com is clean of any infection as they managed to isolate and remove the threat to users.
This is currently believed to be an isolated incident, but anti-malware vendors will be keeping a close eye on future developments and further exploits.
The server places a file named 'winratit.exe' into the user's temporary files folder, where it stays without any user interaction. It also drops two other files which modify the Hosts file, so that when a user tries to download programs to fix the problem they are redirected to further malicious sites which host Anti-Virus-1.
If the user registers this rogue program they are then redirected to another site which has been set up to collect payment details from victims.
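The Hosts file change described above can be checked for directly. The following is an added example, not code from the original article: it scans hosts-file text for entries that override the domains a user would visit to download cleanup tools. The watched domains, the sample file and its addresses are constructed placeholders.

```python
import ipaddress

# Assumption: domains a user would visit to fetch cleanup tools (placeholders).
WATCHED = {"av-vendor.example", "security-tool.example"}

# Constructed sample hosts file; addresses come from documentation ranges.
SAMPLE_HOSTS = """\
# Sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.av-vendor.example av-vendor.example   # injected
198.51.100.7    download.security-tool.example
0.0.0.0         update.av-vendor.example
192.168.1.20    fileserver.corp.example
not-an-ip       www.av-vendor.example
"""

def is_watched(host, watched):
    """True if host equals a watched domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watched)

def audit_hosts(text, watched=WATCHED):
    """Return (line_no, hostname, address, verdict) for each watched hostname."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not a valid address: skip the line
        # Loopback/unspecified addresses block the site; anything else redirects it.
        local = addr.is_loopback or addr.is_unspecified
        verdict = "blocked" if local else "redirected"
        for host in fields[1:]:
            if is_watched(host, watched):
                findings.append((line_no, host.lower(), str(addr), verdict))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

On Windows the file to pass in is normally `%SystemRoot%\System32\drivers\etc\hosts`; any finding for a security vendor's domain is worth investigating, since a clean system rarely has such entries.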
Another method being employed targets users visiting infected sites: they are prompted to update Adobe Flash even though they have the most recent version installed.
Again, it redirects users to another malicious site and will attempt to download and install Anti-Virus-1 onto their computers.
If you are prompted to update Adobe Flash, only do so through the official Adobe download site.
The latest version of Adobe Flash Player is 10.0.22.87.
The exploit code was uploaded to VirusTotal, which reported that only six vendors were currently detecting this exploit: Symantec, BitDefender, GData, nProtect, Secure-Web Gateway and AntiVir.