Compromised Web Servers Serving Fake Flash Players
August 05, 2008 - "...This campaign serving fake flash players is getting so prevalent these days due to the multiple spamming approaches used, that it's hard not to notice it - and expose it... As far as the owners are concerned, it appears that some of them are already seeing the malware page popping up on the top of their daily traffic stats, and have taken measures to remove it... The structure of the malware campaign is pretty static, with several exceptions where they also take advantage of client-side vulnerabilities (Real Player exploit) attempting to automatically deliver the fake flash update or player depending on the campaign. On each and every site, there are dnd.js and master.js scripts which serve the rogue download window, and another .html file, where an IFRAME attempts to access the traffic management command and control, in a random URL it was 22.214.171.124/cgi-bin/index.cgi?user200. A sample list of participating URLs, most of which are still active and running... (the list is way too long to post here - see ddanchev.blogspot URL above.)...
Sample detection rate: flashupdate.exe
Scanners Result: 35/36 (97.23%)
File size: 78848 bytes
The downloader then "phones back home" at 126.96.36.199 port 443 which is responding to the rogue security software AntiSpy Spider
Sample detection rate: antispyspider.msi
Scanners Result: 11/35 (31.43%)
File size: 1851904 bytes
The bottom line - over a thousand domains are participating, with many others apparently joining the party proportionally with the web site owners' actions to get rid of the malware campaign hosted on their servers."
Current Adobe Flash Player version 188.8.131.52
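For site owners checking whether their own pages carry the injection pattern described above (dnd.js / master.js script tags plus a hidden IFRAME to a /cgi-bin/index.cgi on a bare IP), here is an added scanner example; it is not code from the post or from the blog it quotes. The sample HTML, the 203.0.113.10 address and the file extensions it scans are constructed assumptions for illustration.

```python
import re
from pathlib import Path

# Indicators taken from the write-up: injected <script> tags loading dnd.js or
# master.js, and an <iframe> whose src is /cgi-bin/index.cgi on a bare IP address.
SCRIPT_NAMES = {"dnd.js", "master.js"}
SCRIPT_RE = re.compile(r'<script[^>]+src=["\']?([^"\'\s>]+)', re.I)
IFRAME_RE = re.compile(r'<iframe[^>]+src=["\']?([^"\'\s>]+)', re.I)
IP_CGI_RE = re.compile(
    r'^(?:https?://)?\d{1,3}(?:\.\d{1,3}){3}/cgi-bin/index\.cgi(?:\?\S*)?$', re.I)


def scan_html(text):
    """Return (indicator, src) pairs found in one HTML document."""
    findings = []
    for src in SCRIPT_RE.findall(text):
        # Compare only the file name, ignoring path and query string.
        name = src.rsplit("/", 1)[-1].split("?", 1)[0].lower()
        if name in SCRIPT_NAMES:
            findings.append(("injected-script", src))
    for src in IFRAME_RE.findall(text):
        if IP_CGI_RE.match(src):
            findings.append(("c2-iframe", src))
    return findings


def scan_tree(root):
    """Walk a document root and map each suspicious file to its findings."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in {".html", ".htm", ".php"}:
            found = scan_html(path.read_text(errors="replace"))
            if found:
                hits[str(path)] = found
    return hits


# Constructed sample page: two injected scripts, one benign script,
# one IFRAME to a (documentation-range) IP and one benign IFRAME.
SAMPLE = """<html><body>
<script src="/images/dnd.js"></script>
<script type="text/javascript" src='master.js'></script>
<script src="/js/jquery.js"></script>
<iframe src="http://203.0.113.10/cgi-bin/index.cgi?user200" width=0 height=0></iframe>
<iframe src="https://www.example.com/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, src in scan_html(SAMPLE):
        print(kind, src)
```

Run scan_tree() against a web root to list every page carrying the pattern; a clean site returns an empty dict.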