
February 9th, 2010

Human exploiting

These days most new computers are sold with Windows 7 64-bit. This new operating system and new processor features (DEP + ASLR) make exploiting more difficult. An easier way to run the attacker’s code on the victim’s computer is to convince the user to download it voluntarily. Last week we received one interesting example. Let’s see it…

Almost everyone knows the hosting site for open source projects. The well-known project PDFCreator is hosted there too. In the picture below you can see its download page with two Google AdSense advertising units.

The download is delayed to give the user some time to read and click the advertisements. Let’s look closer at the picture. The ad on the right side is made in a graphic design similar to the page itself. The natural step is to click the big green button “Download Now!”.

The bad guys must be very good at SEO, as their choice of keywords leads to this exact ad being displayed on this exact page.

By clicking the button, you get to the fraudulent page. See the next picture…
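The trick above works because the ad looks like part of the hosting site while its link leads somewhere else entirely. A simple defensive check is to look at the host of a download link before following it, rather than trusting the button’s appearance. The following is an added example, not code from the original post or from any antivirus product; the allowlisted host `project-hosting.example` and the sample links are constructed placeholders, since the post does not name the hosting site or the fraudulent domain. Beyond the plain host comparison it also covers two ways a link can carry a trusted-looking name while pointing elsewhere: a trusted name placed in the user-info part of the URL, and a trusted name used as a prefix of an attacker-controlled domain.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist for this example: the hosts from which the real
# installer may be downloaded. The original post does not name the site.
TRUSTED_HOSTS = ("project-hosting.example",)


def host_is_trusted(host, trusted=TRUSTED_HOSTS):
    """True only if host equals a trusted host or is a subdomain of one.

    A plain substring or prefix test would accept
    'project-hosting.example.ads-landing.example', so we require an exact
    match or a match on a '.'-separated suffix.
    """
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted)


def check_download_url(url, trusted=TRUSTED_HOSTS):
    """Classify a download link before it is followed.

    Returns (ok, reason). Only http(s) links whose real host is on the
    allowlist are accepted.
    """
    parts = urlsplit(url)

    if parts.scheme not in ("http", "https"):
        return False, "unexpected scheme: " + (parts.scheme or "<none>")

    # 'https://project-hosting.example@ads-landing.example/' shows the trusted
    # name first, but everything before '@' is user-info, not the host.
    if parts.username is not None or parts.password is not None:
        return False, "user-info present in URL"

    host = parts.hostname  # lowercased, port and brackets stripped
    if not host:
        return False, "no host in URL"

    # A download served from a bare IP address is not what a project
    # hosting site would do; treat it as untrusted.
    try:
        ipaddress.ip_address(host)
        return False, "bare IP address as host: " + host
    except ValueError:
        pass

    if not host_is_trusted(host, trusted):
        return False, "host not on allowlist: " + host
    return True, "ok"


def triage(links):
    """Return {url: reason} for every link that should NOT be followed."""
    rejected = {}
    for url in links:
        ok, reason = check_download_url(url)
        if not ok:
            rejected[url] = reason
    return rejected


# Constructed sample links, modelled on the situation in the post: one real
# project download and several ad-style links that only look legitimate.
SAMPLE_LINKS = [
    "https://downloads.project-hosting.example/pdfcreator/setup.exe",
    "https://project-hosting.example@ads-landing.example/download",
    "http://project-hosting.example.ads-landing.example/Download-Now",
    "http://203.0.113.5/PrinterSetup.exe",
    "javascript:void(0)",
]

if __name__ == "__main__":
    for url, reason in triage(SAMPLE_LINKS).items():
        print("REJECT", url, "->", reason)
```

Only the first sample link survives the check; the other four are rejected with a reason that names the specific trick, which is more useful in a log than a bare “blocked”.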

Clicking anywhere on this page starts the download of an executable file (~300k). This file is a lite downloader and is not malicious in itself. It downloads a 5MB file in a proprietary format and installs it into the common Program Files directory. Among the installed files there is a suspicious additional one, “PrinterSetup.exe”, written in Delphi.

Many thanks for analysis and description to our user Pavel Hejrovský.

Categories: analyses, Virus Lab

  • Yanto Chiang

    Hi Michal,

    According to the information in this blog, does that website have suspicious malware if the user clicks on it?

    yanto chiang

  • Michal Trs

    Yes, exactly

  • Yanto Chiang

    Michal Trs :
    Yes, exactly

    Hi Michal,

    Ok then,

    Nice information to share.
    Keep updating about malware or virus family in this blog.
    So this blog will be more interesting to visit.

    Yanto chiang

  • Physics

    In my computer
    all the file icons in some folders are displayed with a check box and can’t be opened or selected with a single click; the check box shows a tick mark.
    If we change the folder name then the files inside show no problem. If we change back to the previous name the problem reappears..
    Nothing found with virus scan..
    How can I solve this problem?

  • eZaroorat

    Shocking to know that attackers are using such a popular ad network to spread virus. Warrants the need to exercise more caution!!