On October 3, ScanSafe Malware Scanning service began blocking Trojan-Downloader.Win32.VB.bjr on a MySpace page. The page had been overlaid with a 990x990 .GIF image consisting of a substantial transparent area surrounding an image of a bogus “Automatic Updates” alert dialog. The overlay image is wrapped in a hyperlink (HREF) pointing to the downloader Trojan, so clicking anywhere on the viewable screen would invoke the link and cause the Trojan to download onto the system. Depending on security settings in some browsers, the resulting executable could open automatically – though most modern browsers would prompt to either open or save the file.

Superimposed transparent .GIF images are not a new trick; the ruse has appeared on MySpace in the past, as well as on the eBay auction site. To manually detect the presence of a hyperlinked transparent .GIF, pay close attention to the mouse cursor when visiting a web page. Typically there are three modes:
| Signifies the cursor is over whitespace or hovering over a non-clickable image. |
| Signifies the cursor is over selectable text. |
| Signifies the cursor is over a linked (clickable) area. |
In the case of a transparent GIF overlay, no matter where you move your mouse on the page, the cursor indicates it is a linked (clickable) area.
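The same check can be automated at a proxy or crawler. The following is an added example, not code from ScanSafe or from the original page: it statically scans HTML for a large image wrapped in a hyperlink and marks the cases where the link target is an executable. The 600-pixel threshold, the extension list, the sample markup and the `.example` host names are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

MIN_SIDE = 600  # assumed threshold (px): a linked image this big covers most of a viewport
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat")  # assumed executable suffixes

def _dim(attrs, name):
    """Pixel size from the width/height attribute, else from inline style; 0 if unknown."""
    m = (re.fullmatch(r"\s*(\d+)(?:px)?\s*", attrs.get(name) or "")
         or re.search(rf"(?:^|;)\s*{name}\s*:\s*(\d+)px", attrs.get("style") or "", re.I))
    return int(m.group(1)) if m else 0

class OverlayLinkFinder(HTMLParser):  # records large <img> elements inside an <a href>
    def __init__(self):
        super().__init__()
        self.href = None      # href of the <a> currently open, or None
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.href = a.get("href")
        elif tag == "img" and self.href:
            size = (_dim(a, "width"), _dim(a, "height"))
            if min(size) >= MIN_SIDE:  # both sides large: candidate full-page overlay
                risky = urlparse(self.href).path.lower().endswith(RISKY_EXT)
                self.findings.append({"href": self.href, "src": a.get("src"),
                                      "size": size, "executable_target": risky})

    def handle_endtag(self, tag):
        if tag == "a":
            self.href = None

def scan(html):
    finder = OverlayLinkFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample page (not the original MySpace markup); hosts are placeholders.
SAMPLE = """
<a href="/profile"><img src="avatar.jpg" width="80" height="80"></a>
<a href="http://downloads.example/updateKB890830.exe"><img src="overlay.gif"
   style="position:absolute; width:990px; height:990px" border="0"></a>
<a href="http://shop.example/sale.html"><img src="banner.gif" width="990" height="990"></a>
"""

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

A large linked image whose target is not an executable (the banner in the sample) is reported with `executable_target` set to `False`, so it can be reviewed rather than blocked outright. Sizes given as percentages or set in external stylesheets are not resolved by this static check.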
Technical Details
The malicious MySpace page used standard HTML IMG and HREF tags to render this effect; no vulnerabilities were involved. Users visiting the page would likely choose to either accept or cancel the bogus Automatic Update. Regardless of which they clicked (or where), the file would be downloaded. In most cases, the user would then be prompted to either save or run the file.
| Filename: | updateKB890830.exe |
| MD5: | A52A4932021FBAE565EBF4155ADC102F |
| Size: | 28,164 bytes |
| Packer: | PE_Patch/UPX |
When run, updateKB890830.exe drops the following files:
\Device\RasAcd
C:\WINDOWS\system32\nusrmgr.exe
The Trojan then runs nusrmgr.exe, after which it attempts to download the file ‘setup.exe’ from a remote website.
| Filename: | setup.exe |
| MD5: | EB318ACE3DB75709DE456E6A0314E5BE |
| Size: | 134,660 bytes |
| Packer: | PE_Patch/UPX |
The Trojan runs the downloaded setup.exe, which installs a rogue spyware scanner that erroneously claims to detect (other) infections. The rogue scanner then tries to convince the victim to purchase a removal tool for the erroneously detected ‘malware’. Both the original infector (the downloader Trojan) and the rogue spyware scanner remain intact on the system.
Prevention
ScanSafe Malware Scanning service detects and prevents exposure to this threat.