NOTE: information is based on a sample captured on 2013-06-21
Originally thought to be another unknown EK, this suspicious kit turned out to be nothing but a phoney Java update notification. There is no exploit involved here - just a plain and simple attempt to trick users into clicking 'Yes' on the Security Warning window so that the applet runs with elevated privileges. 'Goofware' seems a suitable tag for this pest, though there is probably already a better name for this malware type.
"Facebook... Google... Bing..."
This throws me back to November 2010, when the first instance of the "Facebook 'Love' button" malware was detected by McAfee experts. The sample analyzed in this post has a lot in common with it. This time, though, it spreads under Google's banner. The following is the URL pattern seen:
The referrer for the landing page was Microsoft's Bing service. Searching for 'google ca' through it yielded the link 'www.google-ca.com'. The landing page is a complete replica of an outdated Google Search page with a couple of small alterations.
When a web page is saved with IE 4.0 or later, a comment like the one in the image above is added to it. It's called the 'Mark Of The Web'. It records the original location of the page and tells IE's 'Local Machine Lockdown' feature how to treat the file when it is reopened from the local disk. More details can be found here.
The Java JAR file is requested through an <applet> tag. The only parameter passed to the JVM is called 'file', and its value is the first payload URL. No encoding or obfuscation is used - all in plain text.
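A quick triage script for a saved copy of a landing page like this one, written here as an added example (it is not code from the original post): it pulls the 'Mark Of The Web' comment apart, checks that the four-digit length prefix agrees with the URL it carries, and lists every <applet> tag together with any parameter whose value is a remote URL. The HTML below is constructed to mirror the structure described above; the hostnames and the JAR name are placeholders, not the real ones.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a saved landing page. The MOTW comment and the single
# 'file' applet parameter follow the layout described in the post; the domains
# (*.example.invalid) and 'update.jar' are placeholders, not observed values.
SAMPLE_HTML = """<!DOCTYPE html>
<!-- saved from url=(0027)http://www.example.invalid/ -->
<html><head><title>Search</title></head>
<body>
<applet code="Update.class" archive="update.jar" width="1" height="1">
  <param name="file" value="http://payload.example.invalid/NortonAV.exe">
</applet>
</body></html>
"""

# IE's Mark Of The Web: '<!-- saved from url=(NNNN)URL -->', where NNNN is the
# zero-padded decimal length of URL.
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(.*?)\s*-->", re.S)
URL_RE = re.compile(r"^https?://", re.I)


def parse_motw(html):
    """Return the MOTW origin and whether its length prefix is consistent."""
    m = MOTW_RE.search(html)
    if not m:
        return None
    declared, url = int(m.group(1)), m.group(2)
    return {
        "url": url,
        "declared_len": declared,
        "actual_len": len(url),
        "consistent": declared == len(url),
    }


class AppletScanner(HTMLParser):
    """Collect each <applet> tag's attributes and the <param>s nested in it."""

    def __init__(self):
        super().__init__()
        self.applets = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "applet":
            self._current = {"attrs": a, "params": {}}
            self.applets.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current["params"][a.get("name", "")] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "applet":
            self._current = None


def triage_saved_page(html):
    """Summarise the MOTW origin and any applet that is fed a remote URL."""
    scanner = AppletScanner()
    scanner.feed(html)
    findings = []
    for ap in scanner.applets:
        remote = {k: v for k, v in ap["params"].items() if URL_RE.match(v)}
        findings.append({
            "code": ap["attrs"].get("code"),
            "archive": ap["attrs"].get("archive"),
            "codebase": ap["attrs"].get("codebase"),
            "remote_params": remote,
        })
    return {"motw": parse_motw(html), "applets": findings}


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage_saved_page(SAMPLE_HTML))
```

A real saved page can carry several applets and the JAR may be referenced through 'codebase' rather than 'archive', so the scanner reports all three attributes rather than assuming one layout.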
The points to note here:
- 'digital signature cannot be verified...' warning
- 'spaces' are replaced by 'underscores' in the application name
- application publisher is 'UNKNOWN'
- mention of Google in the 'From' field - Google does not distribute Java updates
- 'This application will run with unrestricted access...' warning
The JAR file is signed with a fake 'Sun Java MicroSystems' certificate. Note the date stamp on the files and the certificate - '2010', the year the Facebook 'Love' button plague started.
"Attention! Kids at play"
There is no obfuscation applied to the code. Variables and methods have relatively meaningful names. No use of 'Reflection' methods. Nothing about the code is fancy at all.
The first payload is downloaded from the URL passed in from the landing page. It is stored in the user's 'home' folder under the hardcoded filename 'NortonAV.exe'.
The URL for the second payload is constructed from predefined strings.
The second payload is stored in the same location as the first one. Its filename is also hardcoded - 'java_JRE_6_4_5_4.exe'.
There is a bunch of methods for working with a 'LinkedList' built on a custom 'Node'. None of these methods is used, though. It looks more like leftover code.
Neither payload domain resolves, so no samples were captured.
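Because the applet's code is unobfuscated, its hardcoded drop names, the URL fragments and the 'user.home' lookup sit in the class constant pool as plain strings, and the signature described earlier shows up as .SF/.RSA entries under META-INF. The following static triage helper, added here as an example rather than code from the post, walks a JAR, notes whether it carries signature files (which only says it is signed, not that the signature verifies or who signed it - that is jarsigner's job) and pulls those indicator strings out of every non-metadata entry. The JAR it runs on is constructed in memory: the class bytes are a fake constant pool seeded with the filenames the post reports plus a placeholder URL, and the signature blob is a stub, not real PKCS#7.

```python
import io
import re
import zipfile

# Indicator patterns a triage pass would look for in class-file constant pools.
INDICATORS = {
    "dropped_exe": re.compile(rb"[A-Za-z0-9_.-]+\.exe"),
    "url": re.compile(rb"https?://[^\s\x00\"'<>]+"),
    "home_dir_lookup": re.compile(rb"user\.home"),
}

# JAR signature-block file extensions (plus the .SF signature file itself).
SIG_EXTS = (".SF", ".RSA", ".DSA", ".EC")


def build_sample_jar():
    """Constructed stand-in for the applet JAR: a signed-looking layout with a
    fake class whose 'constant pool' holds the strings the post reports.
    The URL host is a placeholder, and SIGNER.RSA is a stub, not real PKCS#7."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/SIGNER.RSA", b"\x30\x82" + b"\x00" * 16)
        fake_class = (
            b"\xca\xfe\xba\xbe\x00\x00\x00\x32"        # class magic + version
            + b"\x00user.home\x00NortonAV.exe\x00"
            + b"java_JRE_6_4_5_4.exe\x00"
            + b"http://payload.example.invalid/update\x00"
        )
        z.writestr("Update.class", fake_class)
    return buf.getvalue()


def triage_jar(jar_bytes):
    """Report signature files present and indicator strings found in the JAR."""
    hits = {name: set() for name in INDICATORS}
    sig_files = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        for info in z.infolist():
            name = info.filename
            if name.startswith("META-INF/"):
                if name.upper().endswith(SIG_EXTS):
                    sig_files.append(name)
                continue  # manifest and signature data are not scanned
            data = z.read(info)
            for key, rx in INDICATORS.items():
                for m in rx.findall(data):
                    hits[key].add(m.decode("ascii", "replace"))
    return {
        "signed": bool(sig_files),   # carries signature files; not verified
        "signature_files": sig_files,
        "indicators": {k: sorted(v) for k, v in hits.items()},
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage_jar(build_sample_jar()))
```

On a real sample the same scan over the class files gives a quick list of drop names and URL fragments to hunt for on endpoints (the user's home folder here) and in proxy logs, before any of the code is read by hand.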
- URL pattern is unique
- does not use any application exploits
- attempts to trick user into giving the application unrestricted access
- carries 2 payloads
- looks like a variant of Facebook 'Love' button malware