By Dancho Danchev
Security researchers from Webroot have intercepted a currently spamvertised malicious campaign, impersonating Hewlett Packard, and enticing end and corporate users into downloading and viewing a malicious .htm attachment.
Subject: Re: Scan from a Hewlett-Packard ScanJet [random number]
Message: Attached document was scanned and sent to you using a Hewlett-Packard NetJet 730918SL. SENT BY : ANISSA PAGES : 5 FILETYPE: .HTM [Internet Explorer File]
Original attachment: HP_Jet_26_P2184.zip
Malicious iFrame embedded within the .htm attachment: hxxp://superproomgh.ru:8080/navigator/jueoaritjuir.php
The malicious .htm has a very low detection rate, and is currently detected as JS/Kryptik.SA!tr and Mal/Iframe-AE.
Client-side exploits serving structure:
The client-side exploits serving domain superproomgh.ru is currenly fast-fluxed, namely it’s responding to multiple, dynamically changing IP addresses in an attempt by the cybercriminals behind the campaingn, to make it harder for vendors and researchers to take it down.
The campaign is attempting to exploit the “Libtiff integer overflow in Adobe Reader and Acrobat” vulnerability, also known as CVE-2010-0188 in an attempt to drop the following MD5 on the exploited hosts - MD5: 20de62566248864be3b0e413b332d731 currently detected as Win32:Sirefef-RV [Drp], Trojan.Generic.KDV.582649, HEUR:Trojan.Win32.Generic, or PWS-Zbot.gen.hv.
Webroot security researchers will continue monitoring this campaign to ensure that Webroot SecureAnywhere customers are protected from this threat.