Phishers Want You to Have a Coke and a Drive-by

By Andrew Brandt


As recently as a few months ago, malware distributors went to what looked like great lengths to craft complex, sophisticated Web pages designed to trick visitors into believing they were visiting a page with an embedded video and — oops! — you need to update your copy of Adobe Flash in order to view it.

Well, those days of hard work seem to have faded into memory. All we're left with now is this.

In a recent attack that came to my attention, the guys behind the attack didn’t bother to build a sophisticated Web page. Well, nothing along the lines of pages we’ve seen before, with cool graphics, slick design, or interesting programming. In fact, they hardly built a Web page at all.

In this case, the unknown person or people created an HTML file that hot-links someone else's graphic, a warning about an outdated version of Flash, hosted elsewhere. Specifically, they load a graphic that happens to sit on the Coca-Cola company's Web server. This isn't a site hack against the Coke people; the graphic is probably legitimate, considering how Flash-heavy that Website is. It's just an example of how pathologically lazy or incompetent some malware distributors can be.

The hack itself was pretty rudimentary: You visit a page on the malicious domain, the graphic appears, and if you click the graphic, the browser starts downloading a file called adobe_flash_update.exe. Never mind that the real Adobe Flash updater doesn't use a file with this name to perform its updates, and that a vendor "update" served from an unrelated domain is a tell in itself.

Oh, and if you don't click the graphic, it doesn't matter: the page also loads a one-pixel-square iframe from a Web server running on port 8080 on a different domain, one registered in Russia. That site performs a drive-by download of a different malware payload.
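The two tricks in the paragraphs above (a hot-linked "update Flash" image wrapped in a link to a fake updater executable, and a 1x1 iframe pulling content from an off-site host on a non-standard port) are easy to spot mechanically. The following scanner is an added example written for this page, not code from the original post or from any product; the sample page it scans is constructed, and every hostname in it is a placeholder rather than one of the domains involved in the attack described.

```python
"""Heuristic scan of a fetched HTML page for two lazy-malware delivery tricks:
  1. a link to an executable named like a vendor updater (e.g. adobe_flash_update.exe),
     optionally wrapping an image hot-linked from some other site;
  2. a tiny (<= 1x1) iframe, or an off-site iframe on a non-standard port.
Uses only the standard library so it runs offline.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page imitating the described attack. All hosts are made up.
SAMPLE_PAGE = """
<html><body>
<a href="http://lure-site.test/adobe_flash_update.exe">
  <img src="http://www.hotlinked-brand.example/images/flash_update_warning.gif">
</a>
<iframe src="http://other-bad.test:8080/in.php" width="1" height="1"
        frameborder="0"></iframe>
</body></html>
"""

EXE_EXTENSIONS = (".exe", ".scr", ".msi", ".com", ".pif")
UPDATER_KEYWORDS = ("adobe", "flash", "update", "player", "install")


def _dimension(value):
    """Parse a width/height attribute like '1' or '1px'; None if absent/unparseable."""
    try:
        return int(str(value).strip().rstrip("px"))
    except ValueError:
        return None


class PageScanner(HTMLParser):
    """Collects (kind, detail...) findings while the parser walks the page."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host      # host the page was fetched from
        self.findings = []
        self._anchor_stack = []         # hrefs of currently open <a> elements

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            href = a.get("href") or ""
            self._anchor_stack.append(href)
            self._check_download_link(href)
        elif tag == "img":
            src = a.get("src") or ""
            host = urlparse(src).hostname
            # An image pulled from a third-party host and wrapped in a link is the
            # "borrowed warning graphic as clickable lure" pattern.
            if self._anchor_stack and host and host != self.page_host:
                self.findings.append(("hotlinked-image-in-link", src, self._anchor_stack[-1]))
        elif tag == "iframe":
            self._check_iframe(a)

    def handle_endtag(self, tag):
        if tag == "a" and self._anchor_stack:
            self._anchor_stack.pop()

    def _check_download_link(self, href):
        name = urlparse(href).path.lower().rsplit("/", 1)[-1]
        if name.endswith(EXE_EXTENSIONS) and any(k in name for k in UPDATER_KEYWORDS):
            self.findings.append(("fake-updater-download", href))

    def _check_iframe(self, attrs):
        src = attrs.get("src") or ""
        u = urlparse(src)
        w, h = _dimension(attrs.get("width", "")), _dimension(attrs.get("height", ""))
        tiny = w is not None and h is not None and w <= 1 and h <= 1
        off_site = bool(u.hostname) and u.hostname != self.page_host
        odd_port = u.port not in (None, 80, 443)
        # A hidden frame is suspicious on its own; an off-site frame only becomes
        # interesting when it also points at a non-standard port (8080 in the article).
        if tiny or (off_site and odd_port):
            reasons = [r for r, hit in (("tiny", tiny), ("off-site", off_site),
                                        (f"port-{u.port}", odd_port)) if hit]
            self.findings.append(("suspicious-iframe", src, ",".join(reasons)))


def scan_html(html, page_host):
    """Return the list of findings for one page fetched from page_host."""
    scanner = PageScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE, "lure-site.test"):
        print(finding)
```

Feed it the HTML of a page fetched from `lure-site.test` and it reports the updater-named executable, the hot-linked image inside the link, and the 1x1 iframe on port 8080; a normal-sized off-site embed on port 443 is left alone, which keeps ordinary video embeds from lighting it up.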

Both payloads in this scenario are the ubiquitous Trojan-Backdoor-Zbot, a comprehensive password stealer and botnet client. It’s a nasty piece of malware delivered by a haphazard, cruddily built, halfhearted attack which, sadly, probably worked on at least some of its targeted victims—proving once again that social engineering remains the king of the malware jungle.