As recently as a few months ago, malware distributors went to what looked like great lengths to craft complex, sophisticated Web pages designed to trick visitors into believing they were visiting a page with an embedded video and — oops! — you need to update your copy of Adobe Flash in order to view it.
In a recent attack that came to my attention, the guys behind the attack didn’t bother to build a sophisticated Web page. Well, nothing along the lines of pages we’ve seen before, with cool graphics, slick design, or interesting programming. In fact, they hardly built a Web page at all.
In this case, the unknown person or people created an HTML file that loads someone else’s graphic, a warning about an outdated version of Flash, from a server they don’t control. Specifically, they load a graphic that just happens to be hosted on the Coca-Cola company’s Web server. This isn’t a site hack against the Coke people — the graphic is probably legitimate, considering how Flash-heavy the Website is — just an example of how pathologically lazy or incompetent some malware distributors can be.
The hack itself was pretty rudimentary: You visit a page on the malicious domain, the graphic appears, and if you click the graphic, it starts the browser downloading a file called adobe_flash_update.exe. Never mind the fact that the real Adobe Flash updater doesn’t use a file with this filename to perform its updates.
Oh, and if you don’t click the graphic, it doesn’t matter: The page also loads a one-pixel-square iFrame from a Web server running on port 8080 on a different domain, named Lunchstroke.ru, registered in Russia. That site performs a drive-by download of a different malware payload.
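As an added example (not code from the original post), here is a small Python scanner that flags the two behaviors described above in a saved copy of a page: a link that downloads an executable, and a one-pixel iframe sourced from another host or a non-default port. The sample HTML, the placeholder hostnames and the suffix list are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample modelled on the description; hostnames are placeholders.
SAMPLE_PAGE = """<html><body>
<a href="/adobe_flash_update.exe"><img src="http://brand.example/flash_warning.jpg"></a>
<iframe src="http://dropper.example:8080/index.php" width="1" height="1"></iframe>
<iframe src="/comments.html" width="600" height="400"></iframe>
</body></html>"""

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com")  # assumed watch list
DEFAULT_PORTS = {"http": 80, "https": 443}


def _pixels(value):
    """Return an integer pixel size, or None for missing or percentage values."""
    value = (value or "").strip().lower().removesuffix("px")
    return int(value) if value.isdigit() else None


class LurePageScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            # Invisible frame that leaves the page's own host or uses an odd port.
            url = urlsplit(urljoin(self.page_url, a["src"]))
            w, h = _pixels(a.get("width")), _pixels(a.get("height"))
            tiny = w is not None and h is not None and w <= 1 and h <= 1
            foreign = url.hostname != self.page_host
            port = url.port or DEFAULT_PORTS.get(url.scheme)
            odd_port = port not in DEFAULT_PORTS.values()
            if tiny and (foreign or odd_port):
                self.findings.append(("hidden-iframe", url.geturl()))
        elif tag == "a" and a.get("href"):
            url = urlsplit(urljoin(self.page_url, a["href"]))
            if url.path.lower().endswith(EXECUTABLE_SUFFIXES):
                self.findings.append(("exe-link", url.geturl()))


def scan(html, page_url):
    scanner = LurePageScanner(page_url)
    scanner.feed(html)
    return scanner.findings
```

Only static markup is inspected, so frames or links injected by script at load time will not appear in the findings.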
Both payloads in this scenario are the ubiquitous Trojan-Backdoor-Zbot, a comprehensive password stealer and botnet client. It’s a nasty piece of malware delivered by a haphazard, cruddily built, halfhearted attack which, sadly, probably worked on at least some of its targeted victims—proving once again that social engineering remains the king of the malware jungle.