We recently came across the file 1ac150ddb964722b6b7c96808763b3e4d0472daf during the course of regular research. We detect this file as Trojan:Win32/Preflayer.A.

The file had been distributed with the file name FlashPlayer.exe and not surprisingly, when executed, it shows the following GUI, partly written in Turkish:

preflayer

Obviously, it’s disguised as an Adobe Flash Player 11 installer.

The text section of the agreement doesn’t have a scroll bar – which makes it kind of tricky to see all the conditions of installation. However, you can highlight the entire text using your mouse so you can see, right at the end, there’s a message describing a key condition:

* YOUR BROWSER HOMEPAGE WILL CHANGE WITH
<URL>
IF YOU ACCEPT THIS, PLEASE CONTINUE.

Note: <URL> is the page that this trojan sets your start page to.

Not having a scroll bar is a bit dodgy as most users won’t realize that the program is going to change their browser’s start page.

When hitting the button, this fake Flash Player installer downloads and executes a legitimate flash installer as FlashPlayer11.exe from the following url:
hxxp://aihdownload.adobe.com/bin/install_flashplayer11x32ax_mssd_aih.exe

It then changes the user’s browser start page. It changes the start page for the following browsers:

  • FireFox
  • Chrome
  • Internet Explorer
  • Yandex

to one of the following pages:

  • hxxp://www.anasayfada.net
  • hxxp://www.heydex.com

These sites appear to be a type of search engine, but there are pop-up advertisements displayed on the pages, and there was an instance where I was redirected to a different page not of my choosing.

A bit of research indicates that these sites were created fairly recently:

————————————————————————

Domain information – from domaintools.com:

hxxp://www.anasayfada.net
Created: 2013-02-15
Ip address: 109.235.251.146
IP location: Manisa – Manisa – Dgn Teknoloji Bilisim Yayincilik Sanayi Ve Limited Sirketi

The file 1ac150ddb964722b6b7c96808763b3e4d0472daf is reported downloaded from: hxxps://flash-player-download.com/FlashPlayer.exe
domain: flash-player-download.com
Created: 2013-03-04
Ip address: 31.3.228.202
IP location: England – Gosport – Redstation Limited

The file 7b50ac5bbd21b945df128c2606402ef68533dc30 is reported downloaded from: hxxp://www.yonlen.net/flash_player.exe
domain: yonlen.net
Created: 2012-10-29
Ip address: 37.220.28.122
Ip location: England – Gosport – Redstation Limited

hxxp://www.heydex.com
Created: 2013-01-22
Ip address: 188.132.235.218
IP location: Istanbul – Istanbul – Hosting Internet Hizmetleri Ltd Sti

————————————————————————

Aside from the misleading GUI, the File Properties are also disguised as if the file was from Adobe:

File Version: 2.1.0.0
Description: Adobe Flash Downloader
Copyright: 2012 Ironion

Comments: Flash Downloader Acceletor
Company: Adobe Inc
File Version: 2.01
Internal Name: flash
Language English (United States)
Legal Trademarks: 2012 Ironion
Original Filename: flash.exe
Product Name: Flash Downloader
Product Version: 2.01

It’s a fairly simple ruse – misleading file name, misleading GUI, deliberately inaccessible EULA (why do they bother?), misleading file properties – and some of the files are even signed. And yet, we’ve received over 70,000 reports of this malware in the last week.

Social engineering doesn’t have to be particularly sophisticated to be successful. So the message today is be wary. If you think something ‘feels’ wrong (like that missing scrollbar in the EULA) it may well be. Listen to those feelings and use them to protect yourself by saying ‘no’ to content you don’t trust.

Joseph Forbes (691)

Information Technology Consultant. For SMB, SOHO, and Online business. From Computers to Telecommunications this guy has been into it since hippies made it hip. Drone Pilot and Tech Aficionado I get to travel the State of Texas to help businesses succeed.