Search for MSE leads to Rogue AV

StevieO · Sep 30, 2009

This seems like a new spin on how they infiltrate a PC.

Yes it requires clicking, but by people actually seeking out MSE, not the usual, i wasn't looking for it method.

To me it looks like a sort of WMF type exploit, in that it uses a TIF file to help gain control

Websense Security Labs ThreatSeeker Network has discovered that search engine results for information on how to download Microsoft's recently released Security Essentials tool are returning links to Web sites that serve rogue AV.

When a user browses to the compromised Web sites, so long as they have been referred by a search engine, they are redirected to malicious Web sites with domain names such as computer-scanner21 and computervirusscanner31.

An example of one of the payload files shows that AV detection is low. One such file is named Soft_71.exe (SHA1: 4e58a12a9f722be0712517a0475fda60a8e94fdc)
If the user downloads the application, a file with extension .tif is downloaded in the "program files\TS" directory as TSC.exe and system.dat (the .tif file is decrypted/decompressed and split).
The payload then executes "tsc.exe -dltest" apparently connects to a NASA Web site, to check internet connectivity.
Finally, "tsc.exe" is executed with no parameters, and the rogue AV starts. (In the background the original file is deleted).

http://securitylabs.websense.com/content/Alerts/3485.aspx
Click to expand...

midway40 · Sep 30, 2009

MSE detects this rogue (though it is moot since you wouldn't had it installed or why would you be looking for it to begin with? lol)

Log in or Sign up

Search for MSE leads to Rogue AV

StevieO Registered Member

midway40 Registered Member

Attached Files:

securityrogue.JPG

Log in or Sign up

Search for MSE leads to Rogue AV

StevieO Registered Member

midway40 Registered Member

Attached Files:

securityrogue.JPG

Useful Searches