Security Insights

Fake Flash Player On DropBox

Fake Flash Player On DropBox
Fake Flash updates are leveraged as a very popular trick amongst attackers to fool users into downloading and installing malware. This week we found a three websites distributing Win32.Sanity.N malware disguised as Flash updates:
 
  • hxxp://kivancoldu.com/, redirects to hxxp://click-videox.com/
 
http://kivancoldu.com on 05/02/2013
  • hxxp://fastcekim.com/, redirects to hxxp://click-videox.com/
  • hxxp://kivanctatlitug.tk/ d(down)
hxxp://kivanctatlitug.tk/
The fake warning at the top of the page alternates between English and Turkish.

What is interesting is that the malicious executables are actually hosted in a DropBox account and have not been taken down since they were found about seven days ago. I have spotted two different executables so far: These two files have similar behavior. They disable all Windows features: UAC, Firewall, AV, Safe Boot, etc. The malware then drops variants of the Sality virus, some of which have a good detection rate amongst AV vendors.

Interestingly, there is a link on the malicious websites that shows how many people visited it. There were 1,412 unique visitors in a single day.
 
There is another peak of traffic report and on 05/02 registered 1,700 visitors...and counting.

These sites keep popping up and the are still able to fool users.

Get the latest Zscaler blog updates in your inbox

Subscription confirmed. More of the latest from Zscaler, coming your way soon!

By submitting the form, you are agreeing to our privacy policy.