Michal Trs

9 February 2010

Human exploiting

These days, most new computers are sold with 64-bit Windows 7. This new operating system and new processor features (DEP + ASLR) make exploitation more difficult. An easier way to run an attacker's code on a victim's computer is to convince the user to download it voluntarily. Last week we received one interesting example. Let's look at it...

Almost everyone knows SourceForge.net, the hosting site for open source projects. The well-known project PDFCreator is hosted there too. In the picture below you can see its download page with two Google AdSense advertising units.

The download is delayed to give the user some time to read and click the advertisements. Let's look closer at the picture. The ad on the right side uses a graphic design similar to the SourceForge.net page. The natural step is to click the big green "Download Now!" button.

The bad guys must be very good at SEO, as their choice of keywords leads to this exact ad being displayed on this exact page.

Clicking the button takes you to the fraudulent page. See the next picture...

Clicking anywhere on this page starts the download of an executable file (~300k). This file is a lightweight downloader, but it is not malicious. It downloads a 5MB file in a proprietary format and installs it to the common Program Files directory. There is also a suspicious additional file, "PrinterSetup.exe", written in Delphi.

Many thanks to our user Pavel Hejrovský for the analysis and description.
