
This week was the adware week

Date: 10/03/2008
Author: Andrei Bereczki

If you haven't had enough spam or ad flooding, here's another load of e-threats that give you what you always desired: ads from the beginning to the end of the week. Some are stealthily and smartly disguised, others are pushed onto the victims with brute force.

Trojan.JS.Injector.A

Yet another e-threat dropped by the fierce Trojan.Vundo. Unlike other injectors, which exploit SQL injection or XSS vulnerabilities to insert HTML into websites, this Trojan is resident on the victim's computer and attempts to modify every page that is visited. Injected HTML usually breaks the design of a website; this one, however, is pretty sleek. You wouldn't even notice you were infected unless you had an antivirus program installed. So what does it do? Basically, when you visit a website it searches the whole page source for Google AdSense-like ads and replaces them with its own. They look the same, they're on websites you're used to visiting, and you already know that Google AdSense shows random content, so it all looks perfectly alright. The only noticeable thing is that those ads won't be that random anymore, since the script has a limited number of ads from which it can choose.

 

After the attempt to replace the code, the Trojan connects to the malware server and sends information about which website you visited, the current user name, and a link to the actual ad that has been replaced. If no ad was replaced, it just sends the rest of the information.
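The replacement described above only pays off for the attacker if the publisher ID and/or the loader script in the AdSense snippet end up pointing at the attacker. Those are therefore the two things a site owner can check for in a saved copy of their own page. The following is an added example, not code from the article or from BitDefender; it assumes the classic inline AdSense snippet layout (a `google_ad_client` assignment followed by a `show_ads.js` loader), and the sample pages, the publisher IDs and the `ads.example.invalid` host are constructed for the example.

```javascript
// Added example (not from the original article): audit a page's HTML for
// AdSense-style ad slots that have been swapped for someone else's. It checks
// the two things an ad-replacing injector has to change to profit: the
// publisher ID (google_ad_client) and the host serving the loader script.
// Sample HTML, publisher IDs and the attacker host below are constructed.

const EXPECTED_AD_HOSTS = new Set([
  'pagead2.googlesyndication.com',   // classic show_ads.js loader host
  'googleads.g.doubleclick.net',
]);

// Every <script ... src="..."> URL in the markup. A regex is enough for a
// static scan of saved pages; inside a browser you would walk the DOM.
function scriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Every publisher ID assigned in an inline AdSense configuration block.
function adClientIds(html) {
  const re = /google_ad_client\s*=\s*["']([^"']+)["']/g;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch (e) {
    return null;   // relative or malformed src: treat as an unknown host
  }
}

// Returns a list of findings. expectedClient is the publisher ID the site
// owner actually uses (a hypothetical value in the sample below).
function auditAdSlots(html, expectedClient) {
  const findings = [];
  for (const id of adClientIds(html)) {
    if (id !== expectedClient) findings.push({ kind: 'client', value: id });
  }
  for (const src of scriptSources(html)) {
    const looksLikeAdLoader = /show_ads\.js|adsbygoogle\.js/i.test(src);
    if (looksLikeAdLoader && !EXPECTED_AD_HOSTS.has(hostOf(src))) {
      findings.push({ kind: 'loader', value: src });
    }
  }
  return findings;
}

// Constructed sample: the page as the site owner wrote it ...
const CLEAN_PAGE = `
<p>Article text</p>
<script type="text/javascript"><!--
google_ad_client = "pub-1111111111111111";
google_ad_slot = "1234567890";
google_ad_width = 728;
google_ad_height = 90;
//--></script>
<script type="text/javascript"
  src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>`;

// ... and the same page after an ad-replacing injector has rewritten the slot
// (hypothetical attacker publisher ID and loader host).
const INJECTED_PAGE = CLEAN_PAGE
  .replace('pub-1111111111111111', 'pub-9999999999999999')
  .replace('http://pagead2.googlesyndication.com/pagead/show_ads.js',
           'http://ads.example.invalid/pagead/show_ads.js');

console.log(auditAdSlots(CLEAN_PAGE, 'pub-1111111111111111'));
console.log(auditAdSlots(INJECTED_PAGE, 'pub-1111111111111111'));
```

Because the Trojan rewrites the page on the victim's machine, the check has to run against what the browser actually rendered (a saved copy or a "view source" from an infected client), not against the page as served by the web server, which is untouched. A site owner comparing the two copies would see the difference immediately even though the ads look alike to the eye.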

 

Adware.FakeAntiVirus.L

And here we go again: the same crooks trying to trick us into buying some "antivirus" software because they "scanned" our computer from their website and "found" all the dangerous infections listed there. This time it's called "Antivirus 2009", but it uses the same technique described over and over on malwarecity.com and in other security bulletins. Warnings show up, Windows notifications appear, and sometimes even trusted (but compromised) websites start displaying warning images like the one below.

[Image: fake warning displayed by Adware.FakeAntiVirus.L]


Adware.NaviPromo.Gen.2

Still not tired of ads? No problem, we've got them for you, served in bunches and "smartly" selected after "careful" monitoring of your browsing habits. Oh, we didn't mention? Well, now you know: Adware.NaviPromo sends information about the websites you visit back to its creator. And if that's not enough, it is also pretty hard to remove. It has rootkit capabilities and hides its files and registry entries, just to make our lives a little harder.

 

The adware comes bundled with different kinds of software, from instant messenger skinners (flashy emoticons) to all sorts of adult streaming material, and even astrology applications and Flash games. The URLs look similar to these:

 

[removed]netgamebox.com
[removed]ediaplayer.com
[removed]planet.com
[removed]skinner.com
[removed]stro.com
[removed]cord.com
[removed]ngerskinner.com

 

Adware.NaviPromo usually resides in %SYSTEM% or in C:\Documents and Settings\[USER]\Local Settings\Application Data. After its first execution it creates and hides one or more files with random names that end in:

[rand].dat
[rand]_nav.dat
[rand]_navps.dat
[rand]_navup.dat
[rand]_navtmp.dat
[rand]_m2s.xml
[rand]_m2s.zl

 

It injects code into the running explorer.exe process and in that way connects to the Internet undetected, since the traffic appears to come from a trusted process. From there it sends out the data mentioned earlier and downloads new versions of itself as updates.

 

Adware.NaviPromo also adds entries in the registry so that it executes at system startup.

 

Information in this article is available courtesy of BitDefender virus researchers:

Cristian Lungu

Daniel Chipiristeanu

Stefan Catalin Hanu
