We recently came across the file 1ac150ddb964722b6b7c96808763b3e4d0472daf during the course of regular research. We detect this file as Trojan:Win32/Preflayer.A.
The file had been distributed with the file name FlashPlayer.exe and not surprisingly, when executed, it shows the following GUI, partly written in Turkish:
Obviously, it’s disguised as an Adobe Flash Player 11 installer.
The text section of the agreement doesn’t have a scroll bar – which makes it kind of tricky to see all the conditions of installation. However, you can highlight the entire text using your mouse so you can see, right at the end, there’s a message describing a key condition:
* YOUR BROWSER HOMEPAGE WILL CHANGE WITH
IF YOU ACCEPT THIS, PLEASE CONTINUE.
Note: <URL> is the page that this trojan sets your start page to.
Not having a scroll bar is a bit dodgy as most users won’t realize that the program is going to change their browser’s start page.
When hitting the button, this fake Flash Player installer downloads and executes a legitimate flash installer as FlashPlayer11.exe from the following url:
It then changes the user’s browser start page. It changes the start page for the following browsers:
- Internet Explorer
to one of the following pages:
These sites appear to be a type of search engine, but there are pop-up advertisements displayed on the pages, and there was an instance where I was redirected to a different page not of my choosing.
A bit of research indicates that these sites were created fairly recently:
Domain information – from domaintools.com:
Ip address: 220.127.116.11
IP location: Manisa – Manisa – Dgn Teknoloji Bilisim Yayincilik Sanayi Ve Limited Sirketi
The file 1ac150ddb964722b6b7c96808763b3e4d0472daf is reported downloaded from: hxxps://flash-player-download.com/FlashPlayer.exe
Ip address: 18.104.22.168
IP location: England – Gosport – Redstation Limited
The file 7b50ac5bbd21b945df128c2606402ef68533dc30 is reported downloaded from: hxxp://www.yonlen.net/flash_player.exe
Ip address: 22.214.171.124
Ip location: England – Gosport – Redstation Limited
Ip address: 126.96.36.199
IP location: Istanbul – Istanbul – Hosting Internet Hizmetleri Ltd Sti
Aside from the misleading GUI, the File Properties are also disguised as if the file was from Adobe:
File Version: 188.8.131.52
Description: Adobe Flash Downloader
Copyright: 2012 Ironion
Comments: Flash Downloader Acceletor
Company: Adobe Inc
File Version: 2.01
Internal Name: flash
Language English (United States)
Legal Trademarks: 2012 Ironion
Original Filename: flash.exe
Product Name: Flash Downloader
Product Version: 2.01
It’s a fairly simple ruse – misleading file name, misleading GUI, deliberately inaccessible EULA (why do they bother?), misleading file properties – and some of the files are even signed. And yet, we’ve received over 70,000 reports of this malware in the last week.
Social engineering doesn’t have to be particularly sophisticated to be successful. So the message today is be wary. If you think something ‘feels’ wrong (like that missing scrollbar in the EULA) it may well be. Listen to those feelings and use them to protect yourself by saying ‘no’ to content you don’t trust.
Jonathan San Jose