Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

Fake Flash Player On DropBox

image
JULIEN SOBRIER
May 03, 2013 - 1 min read
Fake Flash updates are leveraged as a very popular trick amongst attackers to fool users into downloading and installing malware. This week we found a three websites distributing Win32.Sanity.N malware disguised as Flash updates:
 
  • hxxp://kivancoldu.com/, redirects to hxxp://click-videox.com/
 
Image
http://kivancoldu.com on 05/02/2013
  • hxxp://fastcekim.com/, redirects to hxxp://click-videox.com/
  • hxxp://kivanctatlitug.tk/ d(down)
Image
hxxp://kivanctatlitug.tk/
The fake warning at the top of the page alternates between English and Turkish.

What is interesting is that the malicious executables are actually hosted in a DropBox account and have not been taken down since they were found about seven days ago. I have spotted two different executables so far: These two files have similar behavior. They disable all Windows features: UAC, Firewall, AV, Safe Boot, etc. The malware then drops variants of the Sality virus, some of which have a good detection rate amongst AV vendors.

Interestingly, there is a link on the malicious websites that shows how many people visited it. There were 1,412 unique visitors in a single day.
 
Image
There is another peak of traffic report and on 05/02 registered 1,700 visitors...and counting.
Image

These sites keep popping up and the are still able to fool users.
form submtited
Thank you for reading

Was this post useful?

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.