Threat Level: green Handler on Duty: Deborah Hale

SANS ISC: InfoSec Handlers Diary Blog - Fake Adobe Shockwave Player download page InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Fake Adobe Shockwave Player download page

Published: 2007-06-22
Last Updated: 2007-06-22 13:00:25 UTC
by Bojan Zdrnja (Version: 1)
0 comment(s)

Jason Frisvold wrote to us about a suspicious web page. One of his users visited the web page he submitted and subsequently got infected with a Trojan horse.

When we get reports of web pages like this one, I typically first download the web page with wget (faking the User Agent field, of course, so the target site thinks I’m using Internet Explorer). In almost 100% of cases the bad guys lately just insert hidden iframe links which point to web sites hosting various exploits.

However, the web site submitted by Jason didn’t have any such elements and I actually forgot about it until we heard again from Jason who managed to find out what happened here.

Shortly, it’s pure social engineering – the user is actually encouraged to install the malware himself. How does this work you might think?

When visited, the web page in question (a game site related to RuneScape) shows couple of broken icons and all links just point to another web page that conveniently inform the user that his version of Macromedia Flash Player needs to be updated. After this notice, the user is redirected to a web site hosting a complete replica of the Shockwave Player Download Center, as you can see below:

Fake Shockwave Download Center

All the links on this web page lead to Adobe’s web site except for one (I’m pretty sure you can guess which one).

Besides creating a really nice replica of Adobe’s web site, the bad guys also added this little JavaScript to it:

var message="";
///////////////////////////////////
function clickIE() {if (document.all) {(message);return false;}}
function clickNS(e) {if
(document.layers||(document.getElementById&&!document.all)) {
if (e.which==2||e.which==3) {(message);return false;}}}
if (document.layers)
{document.captureEvents(Event.MOUSEDOWN);document.onmousedown=clickNS;}
else{document.onmouseup=clickNS;document.oncontextmenu=clickIE;}

document.oncontextmenu=new Function("return false")

This JavaScript disables right click so you can’t use this context menu for any actions.

The downloaded malware contains a full installer that, when tested on VirusTotal, had very low detection.

Technically this attack wasn’t even worth the diary, however, the appearance could probably fool a lot of users. Although it’s extremely easy to see the fake web site (the URL was visible in the Address bar), the question is how many users would really do this. Would SSL help here? Yes, but again only if users pay attention and in this case they would first have to be trained to check for it when downloading files, and that’s another story.

Keywords:
0 comment(s)
Diary Archives