Trojan masquerades as IE 7 downloads


Spammers are using fake Internet Explorer 7 (Beta 2) downloads to lure Windows users into downloading a nasty backdoor Trojan.

The fake downloads are part of a massive spam run that includes an official-looking graphic (see image below) linked to Web sites that auto-launch an executable named "ie7.exe."

A copy of this spam that landed in my Gmail inbox arrived from "admin@microsoft.com" with the subject line "Internet Explorer 7 Downloads." Anti-virus vendors tracking the threat say the sender address and download locations are constantly changing as this spam run picks up steam.

As fast as these domains appear, get spammed, and get killed, they re-appear. If you run a network stream, you can easily look for “/IE7.0.exe” with a tool like ngrep or flowgrep and look at the download sites. This one is aggressive and is going to get a lot of play. AV detection was poor earlier in the day, and it’s not much better. Names like Agent.CL and Grum are being used, but even 12 hours later the detection for it is pretty weak. It’s got an unrecognized packer and some methods that seem uncommon.
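The ngrep/flowgrep tip above amounts to watching HTTP requests for the lure filename and noting which hosts serve it. The following is an added example (not code from the article or from any vendor quoted in it) that does the same thing offline over a constructed CLF-style proxy log: it matches the two filenames the article names, "ie7.exe" and "/IE7.0.exe", case-insensitively as the final path segment, and reports the client, the download host and the response size so that an analyst can see the lure domains churn. The log lines, the `.invalid` hostnames and the byte counts are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log in Common Log Format with absolute URLs.
# Hosts use the reserved .invalid TLD; none of these are real lure sites.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2007:09:12:01 +0000] "GET http://lure-one.invalid/IE7.0.exe HTTP/1.1" 200 188416
10.0.0.7 - - [01/Apr/2007:09:12:44 +0000] "GET http://www.microsoft.com/windows/ie/default.mspx HTTP/1.1" 200 41230
10.0.0.9 - - [01/Apr/2007:09:13:10 +0000] "GET http://lure-two.invalid/downloads/ie7.exe?src=mail HTTP/1.1" 200 188416
10.0.0.5 - - [01/Apr/2007:09:14:02 +0000] "GET http://cdn.example.invalid/img/ie7_banner.gif HTTP/1.1" 200 9211
this line is not a valid log record
"""

# Filenames the article reports for the lure, compared case-insensitively.
LURE_FILENAMES = frozenset({"ie7.exe", "ie7.0.exe"})

# One CLF record: client, two dash fields, timestamp, request line, status, size.
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return the fields of one CLF record, or None if the line does not parse."""
    m = REQUEST_RE.match(line.strip())
    return m.groupdict() if m else None


def is_lure_request(url):
    """True when the URL's final path segment is one of the lure filenames.

    Query strings are discarded first, so 'ie7.exe?src=mail' still matches,
    while look-alike assets such as 'ie7_banner.gif' do not.
    """
    path = urlparse(url).path
    basename = path.rsplit("/", 1)[-1].lower()
    return basename in LURE_FILENAMES


def find_lure_downloads(log_text):
    """Scan a log and return one record per request for a lure filename."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_lure_request(rec["url"]):
            continue
        hits.append({
            "client": rec["client"],
            "ts": rec["ts"],
            "host": urlparse(rec["url"]).hostname,
            "url": rec["url"],
            "status": int(rec["status"]),
            "size": None if rec["size"] == "-" else int(rec["size"]),
        })
    return hits


def download_hosts(hits):
    """Distinct hosts that served the lure, sorted, for blocking or takedown notes."""
    return sorted({h["host"] for h in hits if h["host"]})


if __name__ == "__main__":
    found = find_lure_downloads(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]}  {h["client"]} -> {h["host"]}  {h["url"]}  {h["size"]} bytes')
    print("lure hosts:", ", ".join(download_hosts(found)))
```

Because the article says the download locations change constantly, the useful output is the host list rather than any single domain; identical response sizes across different hosts are a further hint that the same binary is being served from each of them.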

[Image: Fake IE 7 download graphic]


Talkback

19 comments
  • Re: Trojan masquerades as IE 7 downloads

    Wasn't this always the case?

    [url=http://www.opera.com]http://www.opera.com[/url]
    Scrat
    • Disingenuous?

      If Opera had more market share (no, not a slam), and they were targeting Opera users with opera9.2.exe with an official looking graphic and spoofed ids to make it look like official Opera, how would that be different?

      Question. Does Opera auto-update (like FireFox now does), making upgrades more secure in that it is the program doing the update, not a manual user procedure? (No, lol, this is an actual question, for my information, I haven't used Opera in a while). If so, then that is a valid point to post, Opera is self upgrading, so trying to spoof a manual upgrade is harder kind of thing.

      TripleII
      TripleII-21189418044173169409978279405827
      • Disingenuous is the wrong word, flippant would be more accurate...

        [i]"Question. Does Opera auto-update (like FireFox now does), making upgrades more secure in that it is the program doing to update, not a manual user procedure?"[/i]

        No, Opera does not self-update. This however does NOT make it any less secure than an auto-upgrade, quite the opposite in fact. You rely that Firefox is getting its updates from an authorised source, whereas with Opera you physically have to go to the Opera website to download the new version, PLUS what happened to the anti-phishing feature of IE7? Opera's fraud protection (whilst not perfect), along with the fact that any new tab with no address bar is headed with the website's REAL location, not what javascript puts in the address bar / status bar, would suggest that this simply wouldn't work in Opera.

        The facts speak for themselves. Go look at the plethora of Firefox vulns that are building up (granted, the latest version may be patched). Opera simply doesn't get that many vulnerabilities. You may cite market share for the security / obscurity point, but I would suggest that it is more down to the stringent coding and testing procedures that Opera ASA use.

        I would not suggest anyone use Opera before getting the facts, but I personally feel Opera is the most secure option on the table at the moment.

        As always, YMMV
        Scrat
        • I was just looking for an example

          But that's the point, no browser is secure. If I as an Opera user don't know that the only way to upgrade is to go to the Opera site, and I accept an exe, I am hosed.

          It wasn't even an Opera vs FireFox vs IE comment. I didn't know if Opera autoupdated as a reason why the phishing attack would be less successful.

          I put it that whatever browser, if you fall for the social trick, you will install the trojan.

          TripleII
          TripleII-21189418044173169409978279405827
  • I'd be scared

    if I didn't get my software from known valid repositories.
    Hrothgar - PCLinuxOS User
    • That's the problem!

      You hit the problem on the head with that "Valid Repository" statement. I ONLY download programs from the manufacturers site or Download.com, period.

      Those are the only websites that I trust, and those are the only websites that other people should trust as well.
      Leria
  • Translation : "The Endless Series Of Microsoft Exploits Continues Unabated"

    ... just as we always knew it would
    whisperycat
    • No, gotta rebut this one

      No operating system, Linux, OS-X, Solaris, Windows or even that old C-64 can prevent a social attack where a user is tricked into downloading and installing malicious software. It is harder to trick *nix users because we get our software and updates through the package manager and secured (official) repositories. (Many load from unofficial repositories, but I digress).

      If I trick a Linux user into downloading Gaim Beta 6.9 that actually installs a rootkit, it is not conceptually any different.

      TripleII
      TripleII-21189418044173169409978279405827
      • I have to agree

        Social engineering has as much to do with the success of many of these attacks as OS security holes do. Educating the user population as much as possible is the first step.

        Just last night my father called me from Texas where he is on a business trip. He was somewhat "concerned" because he had gotten an email claiming to be about his PayPal account. Now obviously this was a phishing email as he doesn't even have a PayPal account. He's a highly-educated man (Ph.D. in Organic Chemistry) and is fairly computer-savvy. He knows enough to ignore the similar emails that he receives by the dozen each day that claim to be from various banks but for some reason, this PayPal one kind of threw him for a loop.

        The same thing could be said for this latest exploit. People who might know better than to open an attachment that's an EXE might feel more comfortable going to a site and downloading a new version of IE7 (or having it download automatically). And the super-professional-looking graphics don't help either. Most of us know that any schmuck with Photoshop could create that image with a little work, but people like my dad might get duped easily enough...
        StephG72
        • Play with fire

          If you're dumb enough to install a program beta, you pretty much deserve what you get (drivers and firmware being the exceptions). When you play with fire, you may get burned.

          But yeah, another mindless Molotov cocktail launched by some anonymous POS saboteur. Net arsonists hopefully will get their just due in the end. I could only hope one of their "gifts to the world" will blow up in their face one fine day. When you play with fire the way they do, you really do deserve to get burned.
          klumper
    • Yes, but that isn't NEWS . . .

      . . .so it wouldn't be the HEADLINE
      critic-at-arms
  • Exploits are exploits

    no matter how you get it done. If you can fool someone into opening a pic of Brit Spears flashing the world, or uploading a new version of their fav browser, then you have used the oldest method of subterfuge, and there is nothing that any software product can do to prevent the person of sabotaging their own system.

    Phishing is in the same vein and works for the same reasons ... curiosity or naivete. Either case, the work is done when you click the link; you are hooked.
    jc williams
    • Mostly true, but some facts omitted...

      I do agree with you when you say that if you can fool someone into clicking a picture or opening an email, then yes it is their fault. In this situation your explanations are completely true.

      As far as the phishing goes though, attackers are getting smarter at what they do and in a sense eliminating human error. Some phishing attacks can happen locally, an attacker can run a MITM attack on a network and all of a sudden he doesn't have to rely on people to click his links, he can just redirect their traffic. Scary thoughts and makes you think twice before just plugging in your wireless card in the local cafe or on campus.

      Again though, back to your original statement, a lot of this is human error and it's up to the people in the "know" to help do what they can to stop it. Just because I may not know something, doesn't mean I should be ignorant to it. If everyone had that type of mentality, IT would be a lot less stressed.
      Brandon Dixon
  • Idiots shouldn't use Beta code anyhow

    Having been a beta tester on a number of products over the years, I can say without fear of error that the kind of person who would be trapped by this latest scheme is the last person who should be downloading ANY beta (much less MS beta)!
    critic-at-arms
  • MS has a HUGE opportunity here

    Since the Gubbermint isn't interested in dealing with this issue, it's up to private effort.

    I can't think of anyone with more ability to take the fight to the enemy than MS -- and nobody more to LOSE if they don't try.

    This time, the scum have stepped over a line they hadn't crossed before. By claiming to be official MS code and displaying the MS logo, they've opened the door to copyright infringement lawsuit.

    No, MS wouldn't win such a suit, if up against quality legal opposition, but the scum simply don't have the resources to do battle with MS' lawyers. A highly-publicized civil court fight, even one which MS doesn't win, would still result in the destruction of the lives of the scum who started this, and would send a message to the rest of the malware industry.

    They can also drag in just about every suspected member of that industry, simply by seeing who has downloaded the exploit code.
    critic-at-arms
  • Happy April's Fools Day !!

    For anyone believing that [b]Microsoft Vista[/b] could possibly have any flaws is outrageous! They spent millions of dollars and several years working on this system.

    Bill Gates even said that [b]Vista[/b] is the most secure Operating System.

    I have to thank ZDNet for posting a wonderful and slightly plausible April Fools Day exploit warning. You guys almost had us.

    Thanks for the Laughs !

    Robert Chambers
    Organizer
    Plainfield Linux Users Group.
    PinnacomX
  • IE7 beta

    How do I know that my downloaded IE7 beta is Trojan hijacked? I downloaded it within the last 2 months.
    barbara_z
  • RUA Knucklehead?

    Are you a knucklehead, by birth or through experience?

    Will Microsoft actually email you to tell you that a beta version of something is available?

    Would you actually click the link in the email without inspecting the destination first?

    Would you even, and foolishly, click the link, instead of going directly to Microsoft's home page in a new window and look for what would be OBVIOUS links within their site to something like that?

    Would you even WANT to test a beta version of IE and be subjected to its plethora of flaws?

    Soap Box: After all, Microsoft programmers seem incapable of reading a file byte by byte and validating that it is properly formatted, let alone to stop reading said file when it should have ended (and Oh Geez! The crap I used to get in my C code for content-validating ALL freads()! hahaha... suckers... and who is paying for lame coding now???? I digress... end of Soap Box)

    If you answer YES to ANY of the above, consider yourself a stoopid knucklehead and knuckle-dragging loser still locked in the 20th century and destined to be abused!

    Nothing is 100% secure (and as a good friend and a brilliant though comment-less C programmer friend would say, "practice safe hex") but some people are idiots and nothing will save them.
    willm3
  • The Huge IE7 Banner Ad Trojan!

    Ironically, this story relating to an IE7 trojan download included a large square banner advert right in the middle of the story to [b]Download IE7[/b]. Must be the powers of Google at work again --- or not.
    Hmm. Should I trust it or not? After all, it would be trivial to simply use such a convincing picture only to have it download the trojan IE7.exe as the link. ;-)
    (Just kidding, but the irony made me chuckle.)
    ZStoner