The Latest in IT Security

Trojanized Flash Player haunts Vkontakte users

12 May 2011

A Russian site, xtot.ru, is urging visitors to install a security update (screenshot of the prompt, with an English translation, not reproduced here).

The file it offers is hosted on that same site at xtot.ru/install_flash_player.exe.

Running this ‘Flash Player update’ brings up installation screens that look exactly like Adobe's (not reproduced here).

Although it looks like the real thing, it is not: the attackers took the legitimate installer and bundled their own malicious code with it.

This is not obvious to the user, and at the time of writing only 2 of the 43 antivirus engines on VirusTotal detect the file.

The bad guys were sneaky. There is no obvious sign of infection except one small change to the Windows Hosts file (%SystemRoot%\System32\drivers\etc\hosts), and even that is hidden: the added line sits about a thousand empty lines below the file's normal contents, so anyone who opens the file and only looks at the top sees nothing wrong.

Vkontakte is more or less the Russian equivalent of Facebook. The added line maps vkontakte.ru to 95.169.186.9. Because Windows consults the Hosts file before DNS, every request for vkontakte.ru from that machine goes to that IP instead of the site's real address.

When the user browses to the social networking site, everything appears to be in order; the URL in the address bar, for example, is unchanged, since the browser still believes it is talking to vkontakte.ru.

The underlying traffic, however, shows that everything is routed through the bad IP. (For reference, vkontakte.ru's real IP is 87.240.188.254.)

This means that when the user enters their credentials, they are sent to the criminals' server at 95.169.186.9.
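A Hosts-file hijack of this kind is easy to check for once you know to look, and the check has to cope with the trick described above: the entry being buried far below the file's normal contents. The following scanner is an added example, not code from the original post. It takes two facts from the post (the trojan maps vkontakte.ru to 95.169.186.9; vkontakte.ru's real address is 87.240.188.254); the watchlist, the sample Hosts content, the default Hosts path and all function names are assumptions made for illustration.

```python
"""Scan a Windows Hosts file for entries that hijack watched domains.

Added example (not the original post's code). Only two facts come from the
post: the trojan maps vkontakte.ru to 95.169.186.9, and vkontakte.ru's real
address is 87.240.188.254. Everything else (the watchlist, the sample file,
the default Hosts path) is an assumption made for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumed default location; %SystemRoot% may differ on a given machine.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Domains worth protecting and the addresses they are allowed to resolve to.
# A real site has many addresses; the single one here is the post's.
WATCHLIST = {"vkontakte.ru": {"87.240.188.254"}}

# Loopback / null routes: mapping a site here blocks it rather than
# redirecting it, which is a different (but still suspicious) change.
BLOCK_TARGETS = {"127.0.0.1", "::1", "0.0.0.0"}


@dataclass
class HostsEntry:
    line_no: int
    ip: str
    names: list
    gap_before: int  # blank, comment-only or malformed lines since the previous entry


@dataclass
class Finding:
    line_no: int
    hostname: str
    actual_ip: str
    expected_ips: frozenset
    kind: str        # "redirect" or "block"
    gap_before: int


def parse_hosts(text):
    """Parse Hosts-file text into entries; lines the resolver ignores are skipped."""
    entries, gap = [], 0
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # the resolver ignores '#' comments
        if not line:
            gap += 1
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            gap += 1  # not a valid entry; the resolver skips it too
            continue
        names = [n.lower().rstrip(".") for n in fields[1:]]
        entries.append(HostsEntry(line_no, fields[0], names, gap))
        gap = 0
    return entries


def _watched_domain(name, watchlist):
    """Return the watchlist key covering name (exact match or subdomain), or None."""
    for domain in watchlist:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def find_hijacks(entries, watchlist=WATCHLIST):
    """Flag every entry that maps a watched domain to an address not in its allowed set."""
    findings = []
    for e in entries:
        for name in e.names:
            domain = _watched_domain(name, watchlist)
            if domain is None or e.ip in watchlist[domain]:
                continue
            kind = "block" if e.ip in BLOCK_TARGETS else "redirect"
            findings.append(Finding(e.line_no, name, e.ip,
                                    frozenset(watchlist[domain]), kind, e.gap_before))
    return findings


def scan_file(path=WINDOWS_HOSTS_PATH, watchlist=WATCHLIST):
    """Scan a Hosts file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hijacks(parse_hosts(fh.read()), watchlist)


# Constructed sample: a normal-looking file, then the trojan's entry hidden a
# thousand empty lines below, as in the post.
SAMPLE_HOSTS = (
    "# Hosts file for a test machine (constructed sample)\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
    + "\n" * 1000
    + "95.169.186.9    vkontakte.ru\n"
)

if __name__ == "__main__":
    for f in find_hijacks(parse_hosts(SAMPLE_HOSTS)):
        print(f"line {f.line_no}: {f.hostname} -> {f.actual_ip} ({f.kind}), "
              f"expected {sorted(f.expected_ips)}, hidden after {f.gap_before} blank lines")
```

The scanner reports the gap before each offending entry, so a hit buried a thousand lines down stands out as deliberately hidden rather than an old leftover. Loopback and null-route targets are reported separately as a "block" because they stop the site loading rather than redirecting it; both are worth investigating, but only the redirect delivers credentials to an attacker. On a live machine, point `scan_file()` at the real Hosts path and run it from an elevated prompt, since the file is normally only readable in full by administrators on locked-down systems.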

The server is located in Germany and registered to Ivan Gladenko and Kirill Marchenko.

The IP belongs to AS31103 (KEYWEB-AS Keyweb AG), an ASN well known to security researchers.

Jerome Segura
