By Crescencio Reyes – PC Tools Malware Research Team
Cybercriminals typically use major news outbreaks as their main lure for malware delivery. However, as we recently discovered, even a relatively small news story out of Milan, Italy can be effectively used by cybercriminals to spread malware. It lends credence to the idea that sex really does sell.
In this case, the “sexiness” of the story is related to schoolteacher, Ileana Tacconelli. The news media became interested in Tacconelli when angry parents withdrew their children from a prestigious Milan school because she was deemed too sexy. Cybercriminals are capitalizing on this story by poisoning the search engine results. Doing a search for her in Google shows some images in the results page, which lead to a fake Adobe Flash Update.
Clicking the link on the image search results redirects to another website. This website shows a fake warning that asks the user to install an update for Adobe Flash Player.
Clicking on the fake warning leads to downloading the file “v11_flash_AV.exe”.
Upon execution, the program will not display any window. It will just automatically delete the downloaded file and install the rootkit to the system.
After running GMER we can see that the rootkit has installed itself in the system’s Master Boot Record (MBR).
Clearly, poisoning search results continues to be a popular way to distribute malware. So the next time a site prompts you to update Adobe Flash player, be sure to check the URL and make sure it’s legitimate (http://get.adobe.com/flashplayer).