Sunday, December 6, 2009

Disinformation campaign to spread malware

Disinformation is, essentially, distorting or manipulating information so that the recipient ends up believing something completely untrue, from which the originator obtains an advantage. The rumor, for example, is one of the tools used in disinformation campaigns. Counter-information (the domain of Intelligence), in turn, is the tool that supplies accurate, useful information in a timely manner.

Transferred to the computer field, this concept is nothing more nor less than a social engineering technique that malware authors use more and more often to win users' trust, and then exploit that trust to carry out the infection.

We usually see this on pages that spread scareware (also known as rogue antivirus), which display logos of certifications such as Virus Bulletin and AV-Comparatives, or of magazines such as PC Magazine or PC World. Those images serve no purpose other than to borrow the "trust" that these names enjoy among the public.

Another variant concentrates on trying to prove that this "solution" (the scareware) is the best one. This is done through fake comparisons that cast doubt on the detection rates of antivirus companies that are well known in the market.

Both deception strategies appeal to what is known as the argument from authority, represented here by certifications and publications from the "real" antivirus and information technology industries respectively.

In this regard, I recently discovered another deception method that also spreads disinformation with the aim of encouraging users to believe the information and act accordingly.

It pretends that the file on offer is free of malicious code, again appealing to authority, but in this case to the organizations that let anyone verify a file through an online service which submits it to the most trusted antivirus solutions on the market, for example VirusTotal or VirScan. Let's look at a screenshot:

The domains involved are hosted on the IP 213.5.64.20, located in the Netherlands (Altushost Inc), although not all of them spread the threat. Among them:

safehostingsolutions.com/download.html
fileaddiction.com/download.html
freedatatransfer.com/download.html
freedownloadthanks.com/download.html
megasecuredownload.com/download.html
qualityupload.com/download.html

The downloaded files carry the following names (MD5 and detection result; "same" means the file has the same hash and result as Hpack Generator.exe):
  • Hpack Generator.exe (91b31ea8c551397cd5b1d38ec1aa98dd) - Result: 8/40 (20.00%)
  • UAV Generator.exe – same
  • Knight Generator.exe – same
  • LG Generator.exe – same
  • Kings Generator.exe – same
  • DBlocks Generator.exe (53e3256bef0352caf794b641f93a32d5) - Result: 6/40 (15%)

As can be seen, apart from the fact that this new deception ploy, though quite trivial, is highly effective, the detection rate of the two malicious codes is very low: only 6 and 8 of the 40 antivirus engines (15% and 20%) flag them.
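The practical lesson of the download pages above is that a "scanned clean" badge is just an image: the only verification that means anything is hashing the bytes you actually received and looking that hash up on the scanner's own site. The following script is an added example, not code from the original post or from Pistus Malware Intelligence. It hashes a downloaded file, checks the MD5 against the two hashes published above, and grades a page's "clean" claim by whether it links to a report on a scanner domain (virustotal.com or virscan.org, my assumption) whose URL contains the hash of the file you got. The VirusTotal report URL format, the scanner host list, the keyword pattern and the sample HTML pages are all constructed for the example.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# MD5s the post lists for the two distinct samples (the other four files
# share the Hpack hash). Taken from the post, not from a live feed.
KNOWN_BAD_MD5 = {
    "91b31ea8c551397cd5b1d38ec1aa98dd": "Hpack Generator.exe (8/40)",
    "53e3256bef0352caf794b641f93a32d5": "DBlocks Generator.exe (6/40)",
}

# Hosts whose report links we accept as authoritative (assumption for this example).
SCANNER_HOSTS = ("virustotal.com", "virscan.org")
# MD5 / SHA-1 / SHA-256 hex digests, not embedded in a longer hex run.
HASH_RE = re.compile(r"(?<![0-9a-f])([0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})(?![0-9a-f])", re.I)
# Words a page uses to claim it was scanned (assumed heuristic).
CLAIM_RE = re.compile(r"virustotal|virscan|100%\s*clean|virus[\s-]*free", re.I)


def file_hashes(data: bytes) -> dict:
    """Hash the bytes you actually received; scanner reports are keyed on these."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def report_url(sha256: str) -> str:
    """VirusTotal report URL for a SHA-256 (current URL scheme; assumption)."""
    return f"https://www.virustotal.com/gui/file/{sha256}"


class _LinkCollector(HTMLParser):
    """Collects <a href=...> targets; badge <img> tags are deliberately ignored."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def scanner_report_hashes(html: str) -> set:
    """Hashes that appear inside links pointing at a real scanner domain."""
    parser = _LinkCollector()
    parser.feed(html)
    found = set()
    for href in parser.hrefs:
        host = (urlparse(href).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in SCANNER_HOSTS):
            found.update(m.lower() for m in HASH_RE.findall(href))
    return found


def verify_download(html: str, data: bytes) -> dict:
    """Decide whether the page's 'scanned clean' claim says anything about these bytes."""
    local = file_hashes(data)
    linked = scanner_report_hashes(html)
    matching = {h for h in linked if h in (local["md5"], local["sha256"])}
    if local["md5"] in KNOWN_BAD_MD5:
        verdict = "known_bad"            # one of the samples from the post
    elif matching:
        verdict = "report_matches_file"  # report is for the bytes we hold
    elif linked:
        verdict = "report_for_different_file"
    elif CLAIM_RE.search(html):
        verdict = "unverifiable_badge"   # image/text only, nothing to check
    else:
        verdict = "no_claim"
    return {"verdict": verdict, "local": local, "linked_hashes": sorted(linked),
            "check_yourself": report_url(local["sha256"])}


# Constructed inputs: a stand-in file (not real malware) and three fake download pages.
SAMPLE = b"constructed stand-in for Hpack Generator.exe"
OTHER_SHA256 = hashlib.sha256(b"some other file").hexdigest()
PAGE_BADGE_ONLY = ('<img src="vt_clean.png" alt="100% clean - VirusTotal">'
                   '<a href="/files/Hpack%20Generator.exe">Download</a>')
PAGE_WRONG_REPORT = f'<a href="{report_url(OTHER_SHA256)}">VirusTotal: 0/40</a>'
PAGE_GOOD_REPORT = f'<a href="{report_url(file_hashes(SAMPLE)["sha256"])}">VirusTotal report</a>'

if __name__ == "__main__":
    for name, page in [("badge only", PAGE_BADGE_ONLY),
                       ("wrong report", PAGE_WRONG_REPORT),
                       ("good report", PAGE_GOOD_REPORT)]:
        print(f"{name:13s} -> {verify_download(page, SAMPLE)['verdict']}")
```

The badge-only page, which is what the domains listed above serve, comes out as "unverifiable_badge"; a page that links a real report for a different hash is caught as well, because the check compares the report's hash with the hash of the bytes you downloaded, not with whatever the page says.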

This is no reason to panic, but it is a reason to stay alert.

Related information

A recent tour of scareware XVIII
Computer intelligence, Information Security and Cyber-war
Deception techniques that do not go out of style

Jorge Mieres
Pistus Malware Intelligence
