Monday, March 22, 2010

Google Talk used to distribute Fake AV

Maria Varmazis, a colleague from our Boston office, got to experience what happens when a friend's account is compromised. When she logged onto Gmail, she got a pop-up message from someone she regularly chats with: "Hey are you on Facebook ??? If u are then check this out ". Wisely, Maria didn't click on the link and instead passed it on to me to investigate.

The link led me to a web page that had some dancing stick people and a link that read, "Click on the picture to download my party pictures gallery. . . (Click Open or Run when prompted.)".

Of course I wanted to view this party picture gallery. . . Past experience tells me the best pictures are taken after 11pm at parties. When I clicked the image, Internet Explorer presented a download prompt for a file called my_image_gallery.scr.

This attack once again shows us the importance of defense in depth. An administrator for an organizational network has several chances to prevent this infection:

1. Education. Teach end users how to spot something out of the ordinary, to avoid clicking links in IMs, and what techniques are used in social engineering.

2. Anti-virus. As Virus Bulletin regularly demonstrates, the majority of up-to-date anti-virus products protect against most in-the-wild threats.

3. Proactive protection. Using heuristic, behavioral and other techniques provides protection against malicious code that may not yet be detected by your anti-virus definitions.

4. Web filtering. Both the site offering malware for me to download and the one that was luring me into clicking the picture were blocked by the Sophos Web Appliance as malicious. Our web appliance also scans all your downloads for malware, and lets you disable downloading of dangerous filetypes.
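The fourth layer above, blocking dangerous filetypes, is the one that would have caught my_image_gallery.scr even if the user had been fooled and the anti-virus signatures had not caught up yet. As an added illustration (not code from the original post or from the Sophos appliance), here is a minimal version of that control in Python: it reads constructed Squid-style proxy log lines and reports every download whose filename ends in a Windows-executable type. Screen savers (.scr) are ordinary PE executables, which is why they belong on the list. The log lines, hostnames and IP addresses are made up for the example; the list of extensions and the log field layout are assumptions you would adjust to your own proxy.

```python
"""Flag proxy-log entries where a client downloaded a Windows-executable file type.

Added example, not from the original post: a minimal version of the "block
dangerous filetypes" control, applied to constructed Squid-style access-log lines.
"""
from urllib.parse import urlparse, unquote, parse_qs

# File types Windows runs as programs when the user chooses "Open" or "Run".
# Screen savers (.scr) are PE executables, which is why my_image_gallery.scr is dangerous.
# Assumed list; extend it to match your own policy.
EXECUTABLE_EXTENSIONS = (".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".hta", ".msi")

# Constructed sample log lines in Squid native format (not real traffic):
# timestamp elapsed client code/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1269273601.123 45 10.0.0.12 TCP_MISS/200 4096 GET http://party-pics.example/gallery/index.html - DIRECT/203.0.113.10 text/html
1269273605.418 812 10.0.0.12 TCP_MISS/200 512000 GET http://party-pics.example/gallery/my_image_gallery.scr - DIRECT/203.0.113.10 application/octet-stream
1269273610.002 30 10.0.0.45 TCP_HIT/200 20480 GET http://photos.example/albums/beach.jpg - NONE/- image/jpeg
1269273622.777 640 10.0.0.45 TCP_MISS/200 498112 GET http://dl.example/get.php?file=party%20pics.jpg.scr - DIRECT/198.51.100.7 application/octet-stream
"""


def candidate_filenames(url):
    """Filenames a download from this URL could plausibly be saved under:
    the last path segment plus every query-string value (catches ?file=x.scr)."""
    parsed = urlparse(url)
    names = [unquote(parsed.path).rsplit("/", 1)[-1]]
    for values in parse_qs(parsed.query).values():
        names.extend(values)
    return [n for n in names if n]


def dangerous_extension(filename):
    """Return the matching executable extension (lowercase) or None.
    Only the final extension counts, so a double extension like
    'party.jpg.scr' is still caught by its '.scr' ending."""
    name = filename.lower().rstrip(". ")  # Windows ignores trailing dots/spaces
    for ext in EXECUTABLE_EXTENSIONS:
        if name.endswith(ext):
            return ext
    return None


def scan_access_log(log_text):
    """Return (client_ip, url, extension) for each line fetching an executable type."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line, skip it
        client, url = fields[2], fields[6]
        for name in candidate_filenames(url):
            ext = dangerous_extension(name)
            if ext:
                hits.append((client, url, ext))
                break  # one report per log line is enough
    return hits


if __name__ == "__main__":
    for client, url, ext in scan_access_log(SAMPLE_LOG):
        print(f"{client} downloaded {ext} file: {url}")
```

Run against the embedded sample, the script reports the .scr download from the gallery site and the second one hidden behind a `?file=` parameter, while the HTML page and the JPEG pass. A real appliance would block at request time rather than report afterwards, but the decision logic is the same: judge the filename the browser would actually save, not the MIME type the server claims.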

Unfortunately, quite often our friends may not really be our friends. Use this as a reminder to stay vigilant and warn others about this type of attack.
