Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Maximus root kit downloads via MySpace social engineering trick.

Published: 2008-04-22
Last Updated: 2008-04-23 17:56:24 UTC
by donald smith (Version: 3)
0 comment(s)

A reader, GreggS, provided a link to a myspace page with a specific friendid that has java script that popsup a transparent background gif on top of the normal user page. The transparent background gif appears to be a Automatic Update of the Microsoft Malicious Software Removal Tool. This is likely to fool a fair amount of people.

“Clicking anywhere on the page (on large css layer on top) and your
browser initiates a download session from an ftp at
microsofpsupports.cn and you are asked to download and/or run (no!)
the file.
The "Automatic Update" (not "Windows Update") dialog is simply a gif image.
http://img404.imageshared.cn/img/20048/removaltool6gx87.gif “
This appears to be a new version of Maximus

Virustotal results here:
http://www.virustotal.com/analisis/3a29d07603a0430a74e8aa77bc81e6bb

UPDATE

Thanks to Ned who pointed out that

"!Maximus" is the name of the  heuristic detection engine for F-Prot (and hence Authentium) rather than the name of the rootkit."

0 comment(s)
Diary Archives