
Threat Spotlight for the week ending November 20, 2009


Unwanted application changes search engine settings
Potentially unwanted application: SearchSettings

Who is at risk?: Windows users
How to get rid of it: If you've received an alert for a blocked PUA or adware and decide that the application is not suitable for your workplace, then follow the instructions for removing PUAs.

About this threat:

SearchSettings is a potentially unwanted application (PUA) that redirects browser traffic. This includes changing the default search engine, address bar search and default error pages. SearchSettings may monitor these settings to protect them from being reset.

SearchSettings may be installed by third party toolbars, including Widgi Toolbar and Dealio.

SearchSettings usually installs files in the folder <Program Files>\Search Settings. It often then creates files such as these:

<Program Files>\Search Settings\SearchSettings.exe
<Program Files>\Search Settings\kb128\SearchSettings.dll
<Program Files>\Search Settings\kb128\SearchSettingsRes409.dll

The PUA sets this registry entry to start SearchSettings automatically on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SearchSettings
<Program Files>\Search Settings\SearchSettings.exe

It also sets registry entries in these locations:

HKCU\Software\Search Settings
HKLM\SOFTWARE\Search Settings
HKCR\SearchSettings.BHO
HKCR\SearchSettings.BHO.1
HKCR\TypeLib\{CD082CCA-086F-4FD8-8FD7-247A0DBBD1CC}
HKCR\CLSID\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}

Trojan hides malicious code in fake PDF file
Trojan: Troj/PDFJs-EF

Also known as:
  • Kaspersky: Exploit.Win32.Pidief.crv
Who is at risk?: Windows users with unpatched versions of Adobe Reader or Acrobat
How to get rid of it: If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.

About this threat:

Troj/PDFJs-EF is a Trojan for the Windows platform that manifests itself as a compromised PDF document. This PDF file contains a malicious script hidden within the Trailer tag. The file also contains an additional layer of encryption to hide the malicious code from plain view. When executed, the script may attempt to initiate a download from a remote website.

Troj/PDFJs-EF usually arrives as a result of a PHP query from a compromised website or a malicious website.

SophosLabs analysts have noticed a marked increase this week in the use of this form of attack against unsuspecting web users, and strongly urge users to update their Adobe Reader and Adobe Acrobat software.
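As an added defender-side illustration of the pattern described above (not Sophos's detection logic), the following Python scanner locates each trailer dictionary in a PDF and flags script-bearing keys in it, also noting whether an /Encrypt entry is present. The two sample PDFs are constructed for the example and carry no real payload; a trailer that merely references /Encrypt is normal for any password-protected document, so encryption alone is not treated as suspicious.

```python
import re

# Trailer keys worth flagging: /OpenAction and /AA trigger actions when the
# document opens, /JavaScript and /JS carry script, /Launch starts a program.
SCRIPT_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")


def read_balanced_dict(data: bytes, start: int) -> bytes:
    """Return the << ... >> dictionary beginning at data[start], honouring nesting."""
    if data[start:start + 2] != b"<<":
        return b""
    depth, i = 0, start
    while i < len(data) - 1:
        token = data[i:i + 2]
        if token == b"<<":
            depth += 1
            i += 2
        elif token == b">>":
            depth -= 1
            i += 2
            if depth == 0:
                return data[start:i]
        else:
            i += 1
    return data[start:]  # unterminated dictionary: return whatever is there


def scan_trailers(data: bytes) -> list:
    """Report, for every 'trailer' dictionary, the script keys found and /Encrypt presence."""
    findings = []
    for m in re.finditer(rb"trailer\s*", data):
        body = read_balanced_dict(data, m.end())
        if not body:
            continue  # the word 'trailer' was not followed by a dictionary
        hits = [k.decode() for k in SCRIPT_KEYS
                if re.search(rb"(?<![A-Za-z])" + re.escape(k) + rb"(?![A-Za-z])", body)]
        findings.append({"offset": m.start(),
                         "encrypted": b"/Encrypt" in body,
                         "script_keys": hits})
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when any trailer carries a script-bearing key; /Encrypt by itself is not enough."""
    return any(f["script_keys"] for f in scan_trailers(data))


# Constructed samples (not real malware): a clean trailer and one that opens with script.
CLEAN_PDF = b"%PDF-1.4\n...\ntrailer\n<< /Size 5 /Root 1 0 R /Info 2 0 R >>\nstartxref\n0\n%%EOF\n"
SUSPECT_PDF = (b"%PDF-1.4\n...\ntrailer\n<< /Size 6 /Root 1 0 R /Encrypt 3 0 R "
               b"/OpenAction << /S /JavaScript /JS 4 0 R >> >>\nstartxref\n0\n%%EOF\n")

if __name__ == "__main__":
    for name, pdf in (("clean", CLEAN_PDF), ("suspect", SUSPECT_PDF)):
        print(name, scan_trailers(pdf), "SUSPICIOUS" if is_suspicious(pdf) else "ok")
```

Real samples may also hide the action behind an indirect object or inside an object stream, so treat a clean trailer as one signal among several rather than a verdict.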

Redirect script exploits weak FTP credentials to hijack websites
Trojan: Troj/JSRedir-AE

Who is at risk?: Windows users
How to get rid of it: Please follow the instructions for removing Trojans.
For more information: Gumblar revisited

About this threat:

Troj/JSRedir-AE is a variant of the JSRedir family that attacks unsuspecting users of compromised websites. Criminals place Troj/JSRedir-AE onto a website using stolen upload credentials—usually FTP logins. The attack has two parts.

First, attackers upload a set of scripts to the compromised site. These scripts are written in PHP—detected as Troj/PHPMod-B—and are used to insert the additional scripting into web pages hosted on the server. They can also be used by attackers to remotely manage the infection, without further need for stolen FTP credentials.

Second, the scripts inserted into web pages—detected as Troj/JSRedir-AE—redirect visiting web browsers to other sites that host malicious content.

Troj/JSRedir has been used similarly in the past, notably during the Gumblar attack in May 2009.

SophosLabs recommend using a more secure protocol than FTP when uploading content to your web server, such as secure copy (SCP) or secure FTP (SFTP) with strong passwords.
