Malware Disguises as Antivirus

Tuesday, June 11, 2013 @ 04:06 PM gHale


A piece of malware called Bicololo, originally designed to target Russian Internet users, is now evolving.

A new version of the malware is on a Russian Android app site, said researchers at ThreatTrack Security. The designers of the malicious software disguised it as one of ThreatTrack’s own products, VIPRE Antivirus.


After analyzing the app site, the researchers determined its sole purpose is to distribute malware disguised as software, games, movies and music. To make the site look more legitimate, it displays the logos of various IT security companies.

When users click the button to download the bogus antivirus, they receive an archive containing an executable, “_vipre.exe”, and a text file.

Once run, the executable drops and executes further component files, such as batch (.bat) and script (.vbs) files, and then modifies the HOSTS file on the infected system, said ThreatTrack researchers. The added HOSTS entries ensure that every time victims visit certain websites, such as my.mail.ru, odnoklassniki.ru, ok.ru, m.odnoklassniki.ru or vk.ru, they land on corresponding phishing pages. Because the redirection happens at name resolution rather than in the browser, the genuine hostname still appears in the address bar, so the usual advice to check the URL does not help here; a certificate error on an HTTPS site is the remaining visible tell.
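The HOSTS-file redirection described above is easy to check for. The following is an added example, not code from the original article or from ThreatTrack: it parses HOSTS-file text and flags any entry that maps one of the domains named in the report (or a subdomain of one) to a routable address, while ignoring sinkhole entries such as 0.0.0.0 or loopback, which are blocklisting rather than redirection. The sample HOSTS content and the 203.0.113.45 address are constructed for the example; that address comes from the RFC 5737 documentation range and is not an indicator from the report.

```python
import ipaddress
from typing import List, Tuple

# Domains the ThreatTrack write-up names as HOSTS-file redirection targets.
WATCHED_DOMAINS = {
    "my.mail.ru", "odnoklassniki.ru", "ok.ru", "m.odnoklassniki.ru", "vk.ru",
}

# Constructed sample of a Windows HOSTS file after a Bicololo-style modification.
# 203.0.113.0/24 is reserved for documentation (RFC 5737); the address below is a
# placeholder, not an indicator taken from the original report.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
203.0.113.45    odnoklassniki.ru www.odnoklassniki.ru
203.0.113.45    vk.ru   # line appended by the dropped .bat (assumed)
203.0.113.45    my.mail.ru
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from HOSTS text, ignoring comments and blank lines.

    One line may carry several hostnames for the same address; each becomes its own pair.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: address with no hostname
        ip, hostnames = parts[0], parts[1:]
        for host in hostnames:
            entries.append((ip, host.lower()))
    return entries


def is_watched(hostname: str) -> bool:
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacked_entries(text: str) -> List[Tuple[str, str]]:
    """Entries that point a watched domain at a routable address.

    A clean HOSTS file has no reason to list these domains at all. An entry mapping
    them to 0.0.0.0 or a loopback address is a blocklist, not a phishing redirection,
    so only non-loopback, non-unspecified addresses are reported. An address that
    does not parse is reported too, since it is still an unexpected override.
    """
    flagged = []
    for ip, host in parse_hosts(text):
        if not is_watched(host):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, host))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        flagged.append((ip, host))
    return flagged


if __name__ == "__main__":
    # On a live Windows host, read %SystemRoot%\System32\drivers\etc\hosts instead.
    for ip, host in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"HOSTS redirection: {host} -> {ip}")
```

Run against the real file on a Windows system (%SystemRoot%\System32\drivers\etc\hosts) by passing its contents to find_hijacked_entries; extend WATCHED_DOMAINS with whatever sites matter in your environment, since the same technique works for any domain the attacker chooses.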

ThreatTrack Security’s Jovi Umawing reports the phishing pages are well designed.

Additional technical details regarding this Bicololo variant are available on ThreatTrack Security’s blog.
