English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Malicious ads through ICQ

Roel
Kaspersky Lab Expert
Posted January 25, 15:10  GMT
Tags: Instant Messengers
0.5
 

Over the last few days, we received numerous reports of computers infected with fake anti-virus (scareware). The name of this particular culprit is Antivirus 8.

The interesting thing about these cases is that the users were getting fake anti-virus browser pop ups while not actively using the computer. During our research we noticed that these pop-ups would appear right when ICQ was fetching/displaying new ads.

I installed ICQ and noticed the following after letting it run for a couple of minutes to fetch ads:

This page is hosted on [snip]charlotterusse.eu.

Going by the added iframe, it looks like this store's ad server was hacked, right? Not quite. I did some digging around and found that none of these servers - other than charlotterusse.com - are actually related to this brand of clothing.

This means that somebody went through the trouble of pretending to be this store. This is done to make sure the ad distributor will actually run the campaign, as these distributors frequently get approached by fraudsters.

However, what makes this case particularly interesting is that the bad guys make it seem like their server got hacked. By making it look like their server got compromised, the criminals can claim it isn't them who's responsible for distributing the malware. But rather someone else who hacked their server to spread malware. The ad distributor is very likely to simply give them a warning, which gives these criminals at least one more shot at infecting more machines.

This is another example of how trusted programs can be a used to attack computers. It goes to show that anti-malware protection is needed no matter what the circumstance.

We've sent a notification to yieldmanager, who is the ad distributor in this case. We've not heard back from them at the time of writing.


2 comments

Oldest first
Threaded view
 

Shital Mehta

2011 Jan 26, 20:38
0
 

Need more info

Hi Roel,

Good job in catching this. Needed some more details regarding this incident. Sent you a detailed email. Not sure whether email id I used is still active or not. What's the best way to reach you?

Shital@Yieldmanager

Reply    

Roel

2011 Jan 27, 17:30
0
 

Re: Need more info

Hi Shital,

My email address is first.last@kaspersky.com

Cheers,

Roel

Reply    
If you would like to comment on this article you must first
login


Bookmark and Share
Share

Analysis

Blog