“Hi, and welcome to my online pictures portfolio. Please enjoy your stay.”
Those are the words that leap from your speakers (along with some tinkly relaxing music) as you open up what appears to be a rather nice-looking online art gallery – a gallery pack that has been traded on hacking forums over the last couple of weeks as a “great way to infect people”. While I’m not entirely sure whether the people distributing it have gone to all the trouble of creating it from scratch, there’s definitely a scam in the offing.
I’m not exaggerating how nice it is, either – this Flash gallery allows you to slide the images on a track at the bottom, and they’re also divided up into numerous galleries. Classical paintings, fantasy landscapes and pictures of blue floaty lights all lie in wait to stimulate your mind. There’s also this guy:
Unfortunately, Clint doesn’t look too happy and that’s never a good sign. The wheeze here is that to view additional imagery, you’ll need to say “Yes” to this Java prompt:
You’d think people would avoid dubious Java prompts, but oh well. It’s worth noting that because the gallery files are being used by lots of random people, there is no way to know what kind of infection is lurking when the Java prompt appears – it could be absolutely anything at all. However, below is what happened when we visited one of the live sites.
Should the victim hit the Run button, they’ll end up with a file called Winconfig.vbs in their Temp folder. This is what you’ll see if you examine the code:
“Update.exe” arrives on the system to little fanfare, again in the Temp folder, and carries all the characteristics of a password-stealing Trojan.
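The chain above (a script lands in the Temp folder, then an executable appears alongside it moments later) is a pattern a responder can check for without knowing the payload in advance. The following is an added triage example, not code from the original post or from any product mentioned in it: it builds a throwaway folder imitating that chain using the two file names the post gives (Winconfig.vbs and Update.exe, with constructed timestamps and dummy contents), then flags any script/executable pair written within a short window of each other.

```python
import os
import tempfile
import time
from pathlib import Path

# Script hosts that commonly act as droppers, and the executable types
# they tend to pull down. Extend as needed; these are assumptions, not a
# list taken from the post.
SCRIPT_EXTS = {".vbs", ".js", ".wsf", ".ps1", ".bat"}
EXEC_EXTS = {".exe", ".dll", ".scr"}


def find_dropper_pairs(temp_dir, window_seconds=300):
    """Return sorted (script, executable) name pairs from temp_dir where the
    executable was written within window_seconds *after* the script.

    Only ordering and timing are used, so this is a heuristic: a legitimate
    installer that writes a .bat and an .exe together will also match.
    """
    scripts, execs = [], []
    for entry in Path(temp_dir).iterdir():
        if not entry.is_file():
            continue
        ext = entry.suffix.lower()
        mtime = entry.stat().st_mtime
        if ext in SCRIPT_EXTS:
            scripts.append((entry.name, mtime))
        elif ext in EXEC_EXTS:
            execs.append((entry.name, mtime))

    pairs = []
    for s_name, s_time in scripts:
        for e_name, e_time in execs:
            if 0 <= e_time - s_time <= window_seconds:
                pairs.append((s_name, e_name))
    return sorted(pairs)


def build_sample_temp():
    """Construct a throwaway folder imitating the chain described in the post.

    File names come from the post; contents and timestamps are made up so
    the example runs offline without any real sample.
    """
    d = tempfile.mkdtemp(prefix="triage_")
    base = time.time() - 3600
    samples = {
        "Winconfig.vbs": base,              # script dropped first
        "Update.exe": base + 40,            # payload fetched 40 s later
        "setup_log.txt": base + 5,          # benign noise, ignored
        "old_installer.exe": base - 86400,  # executable from a day earlier
    }
    for name, mtime in samples.items():
        p = Path(d) / name
        p.write_bytes(b"constructed sample, not the real file")
        os.utime(p, (mtime, mtime))
    return d


if __name__ == "__main__":
    folder = build_sample_temp()
    for script, payload in find_dropper_pairs(folder):
        print(f"suspicious pair in {folder}: {script} -> {payload}")
```

Pointed at a real user's Temp folder (for example `os.environ["TEMP"]` on Windows), the same function gives a quick first pass before pulling the flagged files for analysis; treat a hit as a lead to verify, since the timing heuristic alone does not distinguish a dropper from a noisy installer.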
Currently there are 19/41 detections listed in VirusTotal.com (although it’s called svchost.exe on there), and we detect this as Trojan.Win32.Generic.pak!cobra.
I’m a big fan of art myself, but I’m not so sure I’d want my computer to be turned into a performance piece…