WEEKLY REVIEW

This week was the adware week

If you haven't had enough spam or ad flooding, here's another load of e-threats that give you what you always desired. Ads from beginning to the end of the week. Some stealthily and smartly disguised others pushed to the victims with brute force.

Trojan.JS.Injector.A

Yet another e-threat dropped by the fierce
Trojan.Vundo. Unlike other injectors that make use of SQL programming flaws or
xss vulnerabilities to insert html into websites, this Trojan is resident on
the victims computer and attempts to modify every page is visited. Usually
injected html also breaks the design of websites, this one however is pretty
sleek. You wouldn’t even notice you’re infected unless you had an antivirus
program installed. So what does it do? Basically, when you visit a website it
will search the whole code for google adsense like ads, and will replace them
with it’s own. They look the same, they’re on websites you’re used to be on,
you already know that google adsense shows random content so, it looks
perfectly alright. The only noticeable thing is that those ads won’t be that
random anymore, since the script has a limited number of ads from which it can
choose from.

 

After the attempt to replace the code, the
Trojan will connect to the malware server and send information about what
website you visited, the current user, and a link to the actual ad that has
been replaced. If no ad had been replaced it just sends the rest of the
information.

 

Adware.FakeAntiVirus.L

And here we go again, same fools trying to
trick us into buying some “antivirus” software because they “scanned” our
computer from their website and “found” all the dangerous infections it’s
listing there. This time, it’s called “Antivirus 2009” but it’s using the same
technique described over and over on hotforsecurity.com and other security
bulletins. Warnings show up, Windows notifications appear and sometimes even
trusted (but compromised) websites start displaying waring images like below.

Adware.Fake.Antivirus.L

Adware

Adware.NaviPromo.Gen.2

Still not tired of adds? No problem. We got
them for you, served in bunches, smartly selected after “carefully” monitorization of your browsing habits. Oh, we didn’t mention? Well now you know. Adware.NaviPromo sends information about the websites you visit back to
its creator. And if that’s not enough, it is also pretty hard to remove. It has
rootkit capabilities and hides it’s files and registry entries just to make out
lives a little more harder to live.

 

The Trojan comes bundled with different
kinds of software, from instant messenger skinners (flashy emoticons) to all
sorts of adult material streaming. Even astrology applications and flash games.
The urls look similar to this:

 

[removed]netgamebox.com
[removed]ediaplayer.com
[removed]planet.com
[removed]skinner.com
[removed]stro.com
[removed]cord.com
[removed]ngerskinner.com

 

Adware.Navipromo usually resides in %SYSTEM% or C:Documents and
Settings[USER]Local SettingsApplication Data. After the first execution it
creates and hides one or more files with random names that end in:

[rand].dat
[rand]_nav.dat
[rand]_navps.dat
[rand]_navup.dat
[rand]_navtmp.dat
[rand]_m2s.xml
[rand]_m2s.zl

 

It
injects code into running explorer.exe processes and connects like this
undetected to the Internet. From here it sends out the data mentioned earlier
and downloads new versions of itself to update.

 

Adware.Navipromo also adds entries in the registry in order to execute at system
startup.

 

Information in
this article is available courtesy of BitDefender virus researchers:

Cristian Lungu

Daniel
Chipiristeanu

Stefan Catalin
Hanu