
SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center


Maximus rootkit downloads via MySpace social engineering trick.

Published: 2008-04-22
Last Updated: 2008-04-23 17:56:24 UTC
by donald smith (Version: 3)

A reader, GreggS, provided a link to a MySpace page with a specific friendid that has JavaScript that pops up a transparent background GIF on top of the normal user page. The transparent background GIF is made to look like an Automatic Update of the Microsoft Malicious Software Removal Tool. This is likely to fool a fair number of people.

"Clicking anywhere on the page (on the large CSS layer on top) and your browser initiates a download session from an ftp at and you are asked to download and/or run (no!) the file. The 'Automatic Update' (not 'Windows Update') dialog is simply a gif image."

This appears to be a new version of Maximus.
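As an added example (not code from the diary, from MySpace or from the page GreggS reported), the following defender-side check flags the kind of layer he describes: a large positioned element with an image background stacked over the whole page so every click lands on it. The descriptor format, the helper names and the sample page are assumptions of mine.

```javascript
// Added example (not from the ISC diary): defensive heuristic for the trick
// above, a large positioned layer with a transparent GIF background stacked
// over the real page so every click lands on it. Helper names are my own;
// the core check takes plain descriptors so it runs outside a browser.
function findSuspiciousOverlays(elements, viewport, minCoverage = 0.8) {
  const viewArea = viewport.width * viewport.height;
  const hits = [];
  for (const el of elements) {
    if (el.position !== "absolute" && el.position !== "fixed") continue;
    // Clip the box to the viewport so a layer overhanging the edges still counts.
    const w = Math.max(0, Math.min(el.x + el.width, viewport.width) - Math.max(el.x, 0));
    const h = Math.max(0, Math.min(el.y + el.height, viewport.height) - Math.max(el.y, 0));
    const coverage = Math.round(((w * h) / viewArea) * 1000) / 1000;
    const hasImage = typeof el.backgroundImage === "string" && el.backgroundImage !== "none";
    // Suspicious: covers most of the viewport, stacked above content, image-backed.
    if (coverage >= minCoverage && el.zIndex > 0 && hasImage) {
      hits.push({ id: el.id, coverage, zIndex: el.zIndex, backgroundImage: el.backgroundImage });
    }
  }
  return hits;
}

// Build descriptors from a live DOM (browser only; the sample below needs no DOM).
function collectFromDocument(doc = document, win = window) {
  return Array.from(doc.querySelectorAll("div, img, a, span, iframe"), (node) => {
    const cs = win.getComputedStyle(node);
    const r = node.getBoundingClientRect();
    return {
      id: node.id || node.tagName.toLowerCase(),
      position: cs.position,
      x: r.left, y: r.top, width: r.width, height: r.height,
      zIndex: parseInt(cs.zIndex, 10) || 0,
      backgroundImage: cs.backgroundImage,
    };
  });
}

// Constructed sample page (not captured from MySpace): normal profile content,
// a small banner, and a fake "Automatic Update" layer hanging past the edges.
const VIEWPORT = { width: 1024, height: 768 };
const SAMPLE_ELEMENTS = [
  { id: "profile", position: "static", x: 0, y: 0, width: 1024, height: 2400, zIndex: 0, backgroundImage: "none" },
  { id: "banner", position: "absolute", x: 0, y: 0, width: 1024, height: 90, zIndex: 5, backgroundImage: "url(ad.gif)" },
  { id: "fakeupdate", position: "absolute", x: -10, y: -10, width: 1100, height: 800, zIndex: 1000, backgroundImage: "url(update.gif)" },
];

console.log(findSuspiciousOverlays(SAMPLE_ELEMENTS, VIEWPORT)); // one hit: fakeupdate
```

In a browser the same check runs as `findSuspiciousOverlays(collectFromDocument(), { width: innerWidth, height: innerHeight })`; a hit is a reason to inspect the page before clicking, not proof of malice, since legitimate modal dialogs use the same layout.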

Virustotal results here:


Thanks to Ned, who pointed out that "'!Maximus' is the name of the heuristic detection engine for F-Prot (and hence Authentium) rather than the name of the rootkit."
