Spyware pushers cashing in on zero day exploit
Websense has an interesting write up on adware company Exfol. Yesterday I mentioned that the WMF exploit is being used in banner ads distributed by Exfol.
Currently the Exfol and Freecat.biz websites are distributing exploit files that are utilizing the WMF vulnerability, which allows the un-authorized running of applications. The files are Trojan Downloader's which download and run files from the freecat.biz website and are named: pawn001.exe through pawn009.exe. Upon viewing any of the MWF files the end-users machines downloads and runs one of the aforementioned files. The files themselves are designed to install several pieces of Potentially Unwanted Software. In several cases these report that your machine has been infected with Spyware and that you may have security problems on your machine. You are then prompted to purchase software from one of the affiliates in order to clean your machine. At this time the current prices we saw was $29 per quarter year.
Websense has a video of the exploit being used through an iframe, and bogus security warnings from rogue anti-spyware app Virtual Bouncer. Screenshots from Exfol Web Administrative Interface are posted showing the number of installs exploits. Virtual Bouncer got dis-honorable mention on the top ten rogue anti-spyware list. This is maddening:
During our investigations we also noticed that one of the websites was running an administrative interface which tracked how many people had downloaded and installed the applications (i.e. had been infected), and had several other pieces of pertinent information such as; how the files are distributed, how the affiliate ID's match with the exploit code, and who some of the affiliates are.
Seeing the video and screenshots of the stats makes my blood boil. I hope there's a special hotter place in hell for the folks behind this crap.
You can see the domain registration for freecat.biz here, but it looks to be a private registration service, meaning the real owner is not shown. The domain IP address 200.170.217.180 is in Brazil.