McAfee Labs has discovered another attempt by ruthless malware authors to profit from disaster and tragedy.
While searching for information on the earthquakes and tsunami that struck the islands of American Samoa on 29 September, I saw the following results from the Google search engine:

Clicking on one of the links, which at first sight seem to be legitimate, would result in my machine displaying an alert for a possible infection:

What is actually happening behind the scenes of my browser (in this case Internet Explorer Version 8 on a patched Windows XP system) is that the link silently connects to a server hosted in Poland that loads an exploit obfuscated with the well-known Dean Edwards packer, which I covered in a blog last year.
This is a snippet of the exploit being loaded:
eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('28 61={"174":35,"295":35,"297":35,"614":35,"298":35,"233":-1,"272":"\\36\\21\\19\\36\\21\\19\\36\\36<!---->\\21\\19\\36\\36\\21\\19 \\21\\19 \\21\\19 \\36203 755\\21\\19 \\21\\19\\36\\36\\36752 131 461\\21\\19\\36\\36\\36754 726 282 645\\21\\19\\36\\36\\36787 13 795\\21\\19 \\21\\19\\36\\36\\21\\19 \\21\\19 \\21\\19 \\36796 576\\21\\19 \\21\\19\\36\\36\\36325 794 576\\21\\19\\36\\36\\36325 181\\21\\19\\36\\36\\36572 181\\21\\19\\36\\36\\36<17 31=
And this is a snippet of an interesting part of the unobfuscated version of the exploit:
{kPromo.alerts.minimizeWindow();alert("Warning! Your PC is at risk of virus and malware attack. \r\n \r\nYour system requires immediate check!\r\nSystem Security will perform a quick and free scan of your PC for viruses and malicious programs.");kPromo.alerts.maximizeWindow()};kPromo.alerts.showWindow=
function(e,c,b){if(!kPromo.instructions.property.isInstructionActive) if(kPromo.alerts.windows[e]==undefined){var a=(typeof(kPromo.alerts.windows.length)==undefined)?"alert_window_"+kPromo.alerts.windows.length:"alert_window_0";
kPromo.alerts.windows[e]=kPromo.layouts.createLayer(a,c,b);kPromo.alerts.windows[e].foregroundContentLayer.appendChild(kPromo.document.getDocumentElementByID(e));
kPromo.alerts.draggableItem.div=kPromo.alerts.windows[e].
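For analysts who want to read a p,a,c,k,e,d-packed script like the one above without executing it, here is an added example (not code from the original post or from McAfee) of a static unpacker: it parses the trailing argument list of the packed source and reverses the packer's token substitution. The packed sample it unpacks is constructed for the demo in the same radix-10 style seen in the snippet.

```javascript
// Static unpacker for Dean Edwards' "p,a,c,k,e,d" packer (no eval()).
// Added example, not the blog's code; PACKED_SAMPLE below is constructed.

// Reverse of the packer's e(): token -> dictionary index.
// Digits 0-9, then a-z (10-35), then A-Z (36-61); -1 if not a valid token.
function decodeToken(tok, radix) {
  let n = 0;
  for (const ch of tok) {
    const code = ch.charCodeAt(0);
    let d;
    if (code >= 48 && code <= 57) d = code - 48;        // '0'..'9'
    else if (code >= 97 && code <= 122) d = code - 87;  // 'a'..'z'
    else if (code >= 65 && code <= 90) d = code - 29;   // 'A'..'Z'
    else return -1;
    if (d >= radix) return -1;
    n = n * radix + d;
  }
  return n;
}

// Replace every \w+ token that maps to a non-empty dictionary entry.
function unpack(p, radix, count, dict) {
  return p.replace(/\w+/g, (tok) => {
    const idx = decodeToken(tok, radix);
    return (idx >= 0 && idx < count && dict[idx]) ? dict[idx] : tok;
  });
}

// Pull (p, a, c, k) out of the packed script's trailing argument list:
//   }('payload',radix,count,'w1|w2|...'.split('|'),0,{}))
function parsePacked(src) {
  const m = src.match(/\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\)/);
  if (!m) return null;
  // The packer only escapes backslashes, quotes and newlines in the payload.
  const unescape = (s) => s.replace(/\\(.)/g, (_, c) => (c === 'n' ? '\n' : c));
  return { p: unescape(m[1]), radix: +m[2], count: +m[3], dict: m[4].split('|') };
}

function unpackScript(src) {
  const args = parsePacked(src);
  return args ? unpack(args.p, args.radix, args.count, args.dict) : null;
}

// Constructed sample: a harmless script packed the way the blog snippet is.
const PACKED_SAMPLE = String.raw`eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0 1=2;3(1==2){4("5");}',10,6,'var|scan|null|if|alert|Warning'.split('|'),0,{}))`;

console.log(unpackScript(PACKED_SAMPLE));
// var scan=null;if(scan==null){alert("Warning");}
```

decodeToken also handles the radix-62 form of the packer, so the same unpacker works on the more common `eval(function(p,a,c,k,e,d){...}('...',62,...` variant.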
The exploit in turn connects to a server hosted in China that downloads (with user interaction) an executable that turns out to be yet another variant of the fake anti-virus software Windows PC Defender. For details of that software, you can see a recently published VIL here.
After just a few minutes of the malware running, information such as the Windows Product ID and the Windows License Key of the system is sent to a server hosted in Russia.

It’s amazing how fast and well-prepared malware authors are nowadays. They seize opportunities that arise to exploit not only our machines but also our trust and confidence in the news. They make use of well-known techniques (such as search-engine optimization) strengthened by people’s emotions toward world-wide tragic events that are followed by millions (who are themselves victims of a lesser tragedy).