Big events are always a good occasion to stir people's interest and curiosity – the key triggers for spreading malware. A new product launch, a long-awaited show or even a technology conference works just as well. The funny thing is that somebody in the cybercrime business thought it would be a good idea to exploit no more, no less, than… this year's edition of the Virus Bulletin conference, which is underway in Barcelona.
A major event in the antimalware industry, the VB International Conference gathers each year some of the most important names in IT&C security, with speakers ranging from “dedicated anti-malware researchers to security experts from government and military organizations, legal, financial and educational institutions and large corporations worldwide”. It gets great coverage in the media and probably some gazillion posts across social networks.
This provided the “bad guys” with a great opportunity – to broadcast Twitter messages purporting to deliver breaking news about the conference, but serving real malware instead via shortened URLs, as you can see in the screenshot below.
Fig. 1 – Tweet about alleged VB news sending the inquisitive users towards malware.
What hides behind the shortened URL? A malware cocktail of a Trojan downloader and an installer. The downloader – hidden under the name VB2011.exe (see the image below) – injects into the SVCHOST.EXE process and attempts to download another file called Installation.exe.
Fig. 2 – The Trojan downloader disguised as the executable VB2011.exe.
Once launched, the installer can't be terminated and brings even more nasty files onto the compromised machine by connecting to additional malware-hosting domains. During installation, it opens numerous adware, gameware and porn pages in the Internet Explorer® browser, while also creating desktop shortcuts to these pages.
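The behaviours described above (a downloader named VB2011.exe, code injected into SVCHOST.EXE, a follow-on fetch of Installation.exe, and a burst of desktop shortcuts) are all visible in ordinary endpoint telemetry. The following is an added example of how a defender could hunt for that chain over process, remote-thread, network and file events; it is not BitDefender's code and not part of the original post. The event dictionaries, field names, threshold and the host name "malware-host.example" are constructed assumptions loosely modelled on Sysmon-style logs; only the two file names come from the post.

```python
"""Added example (not from the original post): scan constructed endpoint events
for the downloader/installer chain described in the article."""
from collections import Counter

# --- Indicators taken from the post --------------------------------------
KNOWN_DOWNLOADER_NAMES = {"vb2011.exe"}        # Trojan downloader name (from post)
KNOWN_STAGE2_NAMES = {"installation.exe"}      # second-stage installer (from post)

# --- Assumed tuning for this host (not from the post) ---------------------
TRUSTED_SVCHOST_PARENTS = {"services.exe"}     # assumption: normal svchost parent
LNK_BURST_THRESHOLD = 3                        # assumption: shortcuts per process


def basename(path):
    """Return the lower-cased file name of a Windows or URL path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Constructed sample events (not real telemetry); fields mimic Sysmon.
SAMPLE_EVENTS = [
    # Browser launches the downloader fetched from the shortened URL
    {"type": "process_create", "pid": 4100, "image": r"C:\Users\alice\Downloads\VB2011.exe",
     "parent": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    # Legitimate svchost started by services.exe: must NOT be flagged
    {"type": "process_create", "pid": 812, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    # Downloader injects a thread into the running svchost (Sysmon-style event)
    {"type": "remote_thread", "pid": 4100, "image": r"C:\Users\alice\Downloads\VB2011.exe",
     "target_pid": 812, "target_image": r"C:\Windows\System32\svchost.exe"},
    # A second svchost spawned by the downloader itself (hollowing-style indicator)
    {"type": "process_create", "pid": 4120, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Users\alice\Downloads\VB2011.exe"},
    # That svchost fetches the second stage (constructed host name)
    {"type": "network", "pid": 4120, "image": r"C:\Windows\System32\svchost.exe",
     "dest": "malware-host.example", "path": "/Installation.exe"},
    # The installer writes three shortcuts to the desktop
    {"type": "file_create", "pid": 4130, "image": r"C:\Users\alice\AppData\Local\Temp\Installation.exe",
     "target": r"C:\Users\alice\Desktop\Free Games.lnk"},
    {"type": "file_create", "pid": 4130, "image": r"C:\Users\alice\AppData\Local\Temp\Installation.exe",
     "target": r"C:\Users\alice\Desktop\Best Deals.lnk"},
    {"type": "file_create", "pid": 4130, "image": r"C:\Users\alice\AppData\Local\Temp\Installation.exe",
     "target": r"C:\Users\alice\Desktop\Adult Sites.lnk"},
    # The user's own shell creating one shortcut: must NOT be flagged
    {"type": "file_create", "pid": 2200, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Desktop\Report.lnk"},
]


def scan_events(events):
    """Return a list of (kind, pid, detail) findings for the described chain."""
    findings = []
    lnk_writers = Counter()                    # (pid, image) -> desktop .lnk count
    for ev in events:
        image = basename(ev.get("image", ""))
        kind = ev.get("type")
        if kind == "process_create":
            parent = basename(ev.get("parent", ""))
            if image in KNOWN_DOWNLOADER_NAMES:
                findings.append(("known_downloader_name", ev["pid"], image))
            # svchost.exe should only ever be started by services.exe
            if image == "svchost.exe" and parent not in TRUSTED_SVCHOST_PARENTS:
                findings.append(("svchost_unexpected_parent", ev["pid"], parent))
        elif kind == "remote_thread":
            target = basename(ev.get("target_image", ""))
            if target == "svchost.exe" and image != "svchost.exe":
                findings.append(("remote_thread_into_svchost", ev["pid"],
                                 f"{image} -> {target} (pid {ev['target_pid']})"))
        elif kind == "network":
            if basename(ev.get("path", "")) in KNOWN_STAGE2_NAMES:
                findings.append(("stage2_download", ev["pid"], ev.get("dest", "")))
        elif kind == "file_create":
            target = ev.get("target", "").lower()
            # Only explorer.exe normally drops shortcuts on the user's desktop
            if target.endswith(".lnk") and "\\desktop\\" in target and image != "explorer.exe":
                lnk_writers[(ev["pid"], image)] += 1
    for (pid, image), n in lnk_writers.items():
        if n >= LNK_BURST_THRESHOLD:
            findings.append(("desktop_shortcut_burst", pid, f"{image} wrote {n} .lnk files"))
    return findings


def finding_kinds(events):
    """Convenience: the set of distinct finding kinds for a batch of events."""
    return {kind for kind, _, _ in scan_events(events)}


if __name__ == "__main__":
    for kind, pid, detail in scan_events(SAMPLE_EVENTS):
        print(f"{kind:28} pid={pid:<5} {detail}")
```

Each heuristic on its own is noisy (a lone svchost.exe with an odd parent also shows up during some legitimate updates), so in practice the value is in correlating them: the same pid appearing in the downloader, remote-thread and network findings within a short window is a much stronger signal than any single hit.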
Safe surfing everybody!
The malware descriptions in this article are provided courtesy of Doina Cosovan and Razvan Benchea, BitDefender Online Threats Researchers.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.