Malwarebiter Fake AV mimicking Malwarebytes


#1 herg62123

Posted 04 February 2013 - 02:22 AM


A few days ago Malwarebytes Intelligence Analyst Adam Kujawa released a Cyber-Threat Advisory on a fairly new anti-malware product on the web called “Malwarebiter”. This product grabbed our attention because of its similar name to Malwarebytes.

Various reports on the web suggest this advertised anti-malware product has been around since at least May 2012, while its Facebook page appears to have been created just last month. Facebook users will notice the software claims to have received an award for being the “World’s Best Anti-Malware Software”.

Traffic analysis from our visit revealed “roe.js”, a file containing JavaScript. Upon further inspection the file revealed an embedded iFrame object that links to a rogue IP hosting the Blackhole Exploit Kit, a somewhat funny outcome to visiting a supposed anti-malware site.

In case our readers aren’t familiar with iFrames, these allow web developers to embed the contents of one webpage within another. Using iFrames for drive-by malware attacks is common since they can be crafted invisible to the naked eye. Malicious iFrames often redirect users to malware URLs unbeknownst to them, as seen frequently in Blackhole, Crimepack, and other exploit kits.

The “roe.js” file seen in the image executes either a Java or PDF exploit, which downloads a malicious payload to the visitor’s PC. The Java exploit has been identified as CVE-2013-0422, posted recently as a CTA in our Unpacked blog, and the PDF exploit was identified as the notorious libtiff integer overflow as seen in CVE-2010-0188. In addition, a malicious file is served to visitors after the exploit; this was identified by our intel team as the infamous Zeus botnet after observing packets from the malware making requests for “gate.php”.

Edited by herg62123, 04 February 2013 - 02:25 AM.

[Image: traffic capture showing the “roe.js” file referenced in the post]
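As an added, defender-side example (not part of herg62123's post or the Malwarebytes advisory it relays), the Python script below implements the two checks the post points at: flagging iframes that a visitor would never see, including ones written into the page through `document.write(unescape(...))`, and flagging proxy log lines that show a POST to a `gate.php` path, the Zeus check-in the post mentions. The HTML fragment, the script snippet, the log lines and their column layout are all constructed for the example, and the IP addresses are documentation ranges, not the rogue hosts from the advisory.

```python
"""Defender-side checks for the two indicators described in the post:
hidden <iframe> injections and POST requests to a gate.php path.
All sample data below is constructed; the proxy log format is assumed."""
import re
from urllib.parse import unquote

# Constructed page fragment: one ordinary iframe and three that a user would not see.
SAMPLE_HTML = """
<html><body>
<h1>Download now</h1>
<iframe src="https://example.com/legit-widget" width="300" height="200"></iframe>
<iframe src="http://192.0.2.10/index.php?tp=1" width="1" height="1" style="visibility:hidden"></iframe>
<div style="display:none"><iframe src="http://192.0.2.11/in.php"></iframe></div>
<iframe src="/help" style="position:absolute;left:-9999px;top:-9999px"></iframe>
</body></html>
"""

# Constructed script in the style of an injected loader: the iframe only exists after decoding.
SAMPLE_JS = ('document.write(unescape("%3Ciframe%20src%3D%22http%3A//192.0.2.12/x.php%22'
             '%20width%3D%220%22%20height%3D%220%22%3E%3C/iframe%3E"));')

# Constructed proxy log: "timestamp client method url status bytes" (assumed layout).
SAMPLE_PROXY_LOG = [
    "1359950000.123 192.168.1.20 POST http://192.0.2.50/zb/gate.php 200 412",
    "1359950001.456 192.168.1.20 GET http://example.com/index.html 200 8090",
    "1359950002.789 192.168.1.21 POST http://203.0.113.7/gate.php 200 388",
    "1359950003.000 192.168.1.22 GET http://example.com/gate.php?page=help 200 2048",
]

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
UNESCAPE_RE = re.compile(r"""unescape\(\s*["']([^"']*)["']\s*\)""", re.IGNORECASE)
HIDDEN_CONTAINER_RE = re.compile(r"<(div|span)\b[^>]*display\s*:\s*none[^>]*>", re.IGNORECASE)
OFFSCREEN_RE = re.compile(r"(?:left|top)\s*:\s*-\d{3,}", re.IGNORECASE)
LOG_RE = re.compile(r"^\S+\s+(\S+)\s+(\S+)\s+(\S+)")  # client, method, url


def expand_unescape(text):
    """Append the percent-decoded body of every unescape("...") literal, so that
    an iframe written via document.write(unescape(...)) is visible to the scan."""
    decoded = [unquote(m.group(1)) for m in UNESCAPE_RE.finditer(text)]
    return text + "\n" + "\n".join(decoded)


def _attrs(attr_text):
    out = {}
    for m in ATTR_RE.finditer(attr_text):
        out[m.group(1).lower()] = next((g for g in m.groups()[1:] if g is not None), "")
    return out


def _hidden_spans(text):
    """Character ranges covered by display:none div/span containers (no nesting)."""
    spans = []
    for m in HIDDEN_CONTAINER_RE.finditer(text):
        close = re.search(r"</%s\s*>" % m.group(1), text[m.end():], re.IGNORECASE)
        spans.append((m.start(), m.end() + close.end() if close else len(text)))
    return spans


def _tiny(value):
    digits = re.sub(r"[^\d]", "", value or "")
    return digits != "" and int(digits) <= 1


def find_hidden_iframes(content):
    """Return [{src, reasons}] for every iframe that a visitor would not see."""
    text = expand_unescape(content)
    spans = _hidden_spans(text)
    findings = []
    for m in IFRAME_RE.finditer(text):
        attrs = _attrs(m.group(1))
        style = attrs.get("style", "").lower().replace(" ", "")
        reasons = []
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("tiny size")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if OFFSCREEN_RE.search(style):
            reasons.append("positioned off-screen")
        if any(s <= m.start() < e for s, e in spans):
            reasons.append("inside display:none container")
        if reasons:
            findings.append({"src": attrs.get("src", ""), "reasons": reasons})
    return findings


def find_gate_beacons(log_lines):
    """Return (client, url) for POSTs whose path ends in /gate.php. GETs are
    ignored on purpose: the path alone is a weak indicator, the POST check-in is not."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, url = m.groups()
        if method.upper() == "POST" and url.split("?", 1)[0].lower().endswith("/gate.php"):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML) + find_hidden_iframes(SAMPLE_JS):
        print("hidden iframe:", f["src"], "-", ", ".join(f["reasons"]))
    for client, url in find_gate_beacons(SAMPLE_PROXY_LOG):
        print("possible Zeus check-in:", client, "->", url)
```

Running it flags the three concealed iframes in the HTML sample, the zero-sized one recovered from the encoded `document.write` string, and the two POSTs to `gate.php`, while leaving the ordinary widget and the GET to a `gate.php` page on a normal site alone. The container check is deliberately crude (it does not handle nested hidden divs) and the regexes are a triage aid, not an HTML parser; a real deployment would feed the page through a proper DOM and watch for iframes injected by scripts at run time as well.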

