Faux Adobe Sites Flourish

Friday, March 1, 2013 @ 03:03 PM gHale


There are some new fake Adobe Flash Player update websites that are serving up malware, researchers said.

Another aspect of these sites is that they are well designed, so it would be easy for a user to fall into the malware trap, said researchers at Symantec.


However, when users click on links other than the “Download now” button, they are sent to the same malicious domain rather than the legitimate Adobe site, as has been seen in other similar attacks.

When they visit the site, victims see two options: Download a file named “flash_player_updater.exe” or one called “update_flash_player.exe.”
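One way a defender can spot the pattern described above, where every link on a vendor-branded “update” page resolves to a single host that is not the vendor’s and that host also serves executables, is a simple link audit. The following is an added example, not code from Symantec or from this article; the two HTML pages are constructed here (the .example host and the second, legitimate-looking page are invented, the two .exe names are those reported above), and the heuristic thresholds are assumptions:

```python
"""Heuristic audit of a 'software update' page.

Flags vendor-branded links that all lead off the vendor's domains and
executable downloads served from that off-vendor host.
Added example; the HTML samples below are constructed, not captured."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element on the page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join(" ".join(self._text).split())  # normalise whitespace
            self.links.append((self._href, text))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_vendor_host(host, vendor_domains):
    return any(host == d or host.endswith("." + d) for d in vendor_domains)


def audit_update_page(html, vendor_name="adobe", vendor_domains=("adobe.com",)):
    """Return a report dict.  'suspicious' is True when vendor-branded link text
    points off the vendor's domains AND the page offers .exe downloads from a
    non-vendor host.  Thresholds here are an assumption for illustration."""
    parser = _LinkCollector()
    parser.feed(html)
    offsite_hosts = set()
    branded_offsite = []   # (link text, host) for vendor-branded links off-vendor
    exe_downloads = []     # absolute URLs of executables on non-vendor hosts
    for href, text in parser.links:
        host = _host(href)
        if not host or _is_vendor_host(host, vendor_domains):
            continue  # relative link, or genuinely on the vendor's domain
        offsite_hosts.add(host)
        if urlparse(href).path.lower().endswith(".exe"):
            exe_downloads.append(href)
        if vendor_name in text.lower():
            branded_offsite.append((text, host))
    return {
        "offsite_hosts": sorted(offsite_hosts),
        "exe_downloads": exe_downloads,
        "branded_offsite": branded_offsite,
        # every off-vendor link funnels into one host, as in the campaign above
        "single_sink": len(offsite_hosts) == 1,
        "suspicious": bool(branded_offsite) and bool(exe_downloads),
    }


# Constructed sample: a fake update page whose links all go to one host.
FAKE_PAGE = """<html><body>
<h1>Adobe Flash Player update required</h1>
<a href="http://flash-update.example/flash_player_updater.exe">Download now</a>
<a href="http://flash-update.example/update_flash_player.exe">Alternative download</a>
<a href="http://flash-update.example/about">About Adobe</a>
<a href="http://flash-update.example/privacy">Adobe privacy policy</a>
</body></html>"""

# Constructed sample: branded links stay on the vendor's own domains.
REAL_PAGE = """<html><body>
<a href="https://get.adobe.com/flashplayer/">Download now</a>
<a href="https://www.adobe.com/privacy.html">Adobe privacy policy</a>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("fake", FAKE_PAGE), ("real", REAL_PAGE)):
        print(name, audit_update_page(page))
```

The report is meant to be fed into a URL-scanning or proxy-logging pipeline rather than read by the end user; the point of the `single_sink` flag is that a legitimate vendor page scatters its links across the vendor’s own domains, whereas the pages described here route every click, including the footer links, to one attacker-controlled host.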

The files are similar, but they exhibit different behaviors. Both, once installed, start hunting for passwords: FTP, telnet and SSH credentials, and SMTP, IMAP and POP3 credentials.

The first file, flash_player_updater.exe, installs ransomware, while update_flash_player.exe installs a component that enables the attacker to generate revenue via click fraud.

Symantec detects the ransomware in this case as Trojan.Ransomlock.Q. The victim sees a warning message purporting to come from the FBI Cybercrime Division and is urged to pay a fine in order to have the computer unlocked.

To make everything more convincing, the threat identifies the antivirus installed on the computer and displays its logo within the lock screen.

Users who choose to install the second file end up with a Trojan that downloads three files from a remote location. Once installed, the malicious elements run silently in the background to perform click fraud.

Obviously, users should never pay the ransom demanded by the crooks, since there is no guarantee they will unlock the computer once the fine is paid. Also, by giving in to their demands, you are likely to end up at the top of their target list for future operations.


