How Blackhat SEO Is Used to Spread SystemVeteran Rogue Software

Thursday, November 26, 2009


The strategies cyber criminals use to spread rogue software and other dangerous threats such as the ZeuS Trojan or Zlob are increasingly web-based, relying on Blackhat SEO and social engineering to get the user to download and install the malicious executable. The most common method is to create a web page, generally with pornographic content, that displays a fake video image and warns the user that a special codec or a fake Adobe player must be downloaded and installed to play the video.

This is the case with the malicious website get2.tv, which uses a massive comment-spam campaign to promote the download of a fake video codec, leading the user to believe it is Adobe Flash Player and that it must be installed to watch the fake video. The malicious website spammed its URL with fake queries, mostly porn or adult text, and used Blackhat SEO strategies to attract more visitors and potentially more victims. Below is a screenshot of a Google search showing sites that contain the spammed malicious URL used to capture visitors:

We can also see a Yahoo Answers user who spammed the malicious URL with a fake query as the answer to a question about downloading videos asked by a normal user:

Clicking the link to download the fake codec prompts us to install a file named setup.exe, but it is not downloaded from get2.tv; it comes from another malicious site, szickfrost.com, that hosts the infected file:

File Name: setup_exe
File Size: 53295 bytes
MD5 Hash: b005bee770d23120f0bdc571865536ca
SHA1 Hash: 334A9E2DCABB62C97A6BA94F905F75827CA9F4B0
Detection Rate: 3 on 18 (16.66%)
Status: INFECTED
Detections: Trojan.Win32.FakeSmoke, Packed.Win32.TDSS
When the downloaded file is executed, it connects to another malicious website, systemveteran.com, to download two new executable files into the Temp folder, which are immediately executed:

From the first image of the program installed by the fake video codec setup.exe we can see that it looks like rogue software named SystemVeteran, and that it has already "detected" 46 fake infections on our system:

The “funny” part of this rogue software is that it dropped more than 100 files with random names into our system folders, which SystemVeteran then detects during its scan. In other words, when installed the program drops a lot of "infected" files into the system folders so that the files really exist on the system, and then alerts the user that the computer has been infected by thousands of malicious threats:

While SystemVeteran is running it displays security alerts on your desktop stating that your computer is under attack or that active malware has been detected. These alerts are just another tactic to convince you that your computer has a problem, and they should be ignored. SystemVeteran purposely uses fake alerts and false scan results to scare you into purchasing the software.
Below is a partial list of the files created on our system during the installation of the rogue software SystemVeteran:
C:\Program Files\SystemVeteran Software
C:\Program Files\SystemVeteran Software\SystemVeteran
C:\Program Files\SystemVeteran Software\SystemVeteran\SystemVeteran.exe
C:\Documents and Settings\user\Desktop\SystemVeteran.lnk
C:\Documents and Settings\user\Start Menu\Programs\SystemVeteran.lnk
C:\Program Files\SystemVeteran Software\SystemVeteran\Uninstall.exe
The following registry keys were created by SystemVeteran:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemVeteran
HKEY_LOCAL_MACHINE\SOFTWARE\SystemVeteran
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SystemVeteran
Note that when installed, this program is configured to start automatically when Windows loads, by adding a registry value named “SystemVeteran” under the HKCU\..\Run key.
Always make sure not to download unknown codecs or files, and download the real Adobe Flash Player only from the official website (get.adobe.com/flashplayer/).
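A small host-triage helper for the two traces described above, added here as an example and not code from the original post: it checks for the HKCU Run value named SystemVeteran and flags dropped files whose names are threat words mangled with digits and the letter z. The threat-word list, the 60% threshold and the sample file names are assumptions of this example, not signatures from the post.

```python
import os
import re

# Threat words the rogue embeds in its decoy names, mangled with digits and the letter
# z (e.g. "th5eat", "bazk5oor"): our reading of the post, so treat hits as leads to review.
THREAT_WORDS = ("threat", "troj", "virus", "worm", "backdoor", "spy", "adware",
                "downloader", "steal", "hacktool", "spambot", "thief", "not-a-virus")
FILLER = re.compile(r"[0-9z]")

def mangled_match(word, text):
    """True if `word` occurs in `text` with some letters swapped for digits or 'z'.
    At least 60% of the letters must be intact, so plain digit runs never match."""
    n, need = len(word), -(-len(word) * 3 // 5)   # need = ceil(0.6 * n)
    for start in range(len(text) - n + 1):
        pairs = list(zip(text[start:start + n], word))
        exact = sum(a == b for a, b in pairs)
        filler = sum(a != b and FILLER.match(a) is not None for a, b in pairs)
        if exact + filler == n and exact >= need:
            return True
    return False

def decoy_files(names):
    """Return the names (e.g. from os.listdir of %SystemRoot% or system32) that look
    like SystemVeteran decoys: executable types with a mangled threat word inside."""
    hits = []
    for name in names:
        base, ext = os.path.splitext(name.lower())
        if ext not in (".exe", ".dll", ".ocx", ".cpl"):
            continue
        stripped = FILLER.sub("", base)   # also catches inserted filler: 7z2ad5ware41
        if any(w in stripped or mangled_match(w, base) for w in THREAT_WORDS):
            hits.append(name)
    return hits

def systemveteran_autorun():
    """Return the HKCU Run value named SystemVeteran (the persistence the post
    describes), or None. Windows only: uses winreg."""
    if os.name != "nt":
        return None
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        try:
            return winreg.QueryValueEx(key, "SystemVeteran")[0]
        except FileNotFoundError:
            return None
# Constructed sample names in the rogue's style plus legitimate ones (not from the post).
SAMPLE_NAMES = ["19z7troj4b.exe", "c3th5eatz91.cpl", "88bazk5oor20.dll",
                "z41not-a-vi9us7.ocx", "7z2ad5ware41.exe", "kernel32.dll", "spoolsv.exe"]
```

On a live host, pass os.listdir() of %SystemRoot% and its system32 folder to decoy_files() and review the hits by hand; a Run value returned by systemveteran_autorun() is the persistence entry to remove.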


