« PayPal Phish With HTML Attachment | Main | An Email From Hillary Clinton »

November 15, 2009

As if on cue, one Bad Guy seems to be using very recent news of an unpatched Adobe Flash security flaw to help spread a backdoor Trojan. The campaign begins with a simple email message:

From: flashplayer@adobe.com
Subject: We've created a new version of the famous video Adobe Flash player !!

Hello
A new version of the Flash player for better quality is now available
for download click here

If you bother to inspect the URL in the real message (the one above is blank, and shows the URL of the page you're now reading), it might look sufficiently legitimate to some: http://adobe.us.to/adobe.html.

And if you then click on the link, you get one darned-good imitation of an Adobe web page:

How good is the imitation? Well, here's the real Flash Player download page:

The primary discrepancy, of course, is that the fake page insists on presenting a screen suggesting I'm using Internet Explorer for Windows, even though I accessed the page with Safari on a Mac. The real Adobe Flash Player download page recognized my operating system, and presented the appropriate download. Obviously, someone reaching the phony page on a Windows machine wouldn't see anything wrong.

Unlike the real Adobe page, the Bad Guy's page downloads a file called Flashplayer.exe, which is actually a backdoor Trojan of the Zapchast family. This particular instance is a fairly old one, and most antivirus products identify it for what it is (78% coverage at VirusTotal).

Ultimately, the joke is on the poor user who installs this Trojan. While he or she might believe he or she is heading off potential infection through Flash, in truth, he or she has just granted the Bad Guy an All Access Pass to the entire PC system and data, without ever going near Flash.