SANS ISC: Fake Adobe Shockwave Player download page

Jason Frisvold wrote to us about a suspicious web page. One of his users visited the web page he submitted and subsequently got infected with a Trojan horse.

When we get reports of web pages like this one, I typically first download the web page with wget (faking the User Agent field, of course, so the target site thinks I’m using Internet Explorer). In almost 100% of cases the bad guys lately just insert hidden iframe links which point to web sites hosting various exploits.

However, the web site submitted by Jason didn’t have any such elements, and I actually forgot about it until we heard again from Jason, who had managed to find out what happened here.

In short, it’s pure social engineering – the user is actually encouraged to install the malware himself. How does this work, you might ask?

When visited, the web page in question (a game site related to RuneScape) shows a couple of broken icons, and all links just point to another web page that conveniently informs the user that his version of Macromedia Flash Player needs to be updated. After this notice, the user is redirected to a web site hosting a complete replica of the Shockwave Player Download Center, as you can see below:

Fake Shockwave Download Center

All the links on this web page lead to Adobe’s web site except for one (I’m pretty sure you can guess which one).

Besides creating a really nice replica of Adobe’s web site, the bad guys also added this little JavaScript to it:

var message="";
// IE: swallow the mouse-button event ("message" is empty, so nothing is shown)
function clickIE() {if (document.all) {(message);return false;}}
// Netscape/Gecko: swallow middle (2) and right (3) mouse-button events
function clickNS(e) {if (document.layers||(document.getElementById&&!document.all)) {
if (e.which==2||e.which==3) {(message);return false;}}}
if (document.layers)
// (registration of the mouse handlers omitted here)
// finally, block the context menu in every browser
document.oncontextmenu=new Function("return false")

This JavaScript disables right-click, so you can’t use the context menu for any actions on the page.
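The three things this diary looks at by hand (hidden iframes in a page fetched with a spoofed User-Agent, the one link on a vendor look-alike page that does not go to the vendor, and a script that kills the context menu) can be checked mechanically. The following is an added triage script, not code from the diary or from ISC; the sample page it scans is constructed to mimic the fake download centre, the hosts in it are placeholders under .invalid, and the `fetch_page` helper (not run in the offline demo) is an assumption about how one would replace the wget step.

```python
#!/usr/bin/env python3
"""Triage a downloaded web page for the three tells discussed in the diary:
hidden iframes, off-brand links on a vendor look-alike, and JavaScript that
disables the context menu. Added example; sample page is constructed."""
import re
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the fake "Shockwave Player Download Center": every
# link goes to adobe.com except the download button, plus the right-click
# disabling script quoted in the diary and a zero-sized iframe for good measure.
SAMPLE_HTML = """
<html><head><title>Adobe - Shockwave Player Download Center</title>
<script>
var message="";
function clickIE() {if (document.all) {(message);return false;}}
document.oncontextmenu=new Function("return false")
</script></head><body>
<a href="http://www.adobe.com/products/shockwaveplayer/">Shockwave Player</a>
<a href="http://www.adobe.com/support/">Support</a>
<a href="http://download.example.invalid/Shockwave_Installer_Full.exe">Download Now</a>
<iframe src="http://exploit.example.invalid/x.html" width="0" height="0"></iframe>
</body></html>
"""

# Matches the classic "document.oncontextmenu = ... return false" idiom.
CONTEXT_MENU_RE = re.compile(r"oncontextmenu\s*=.*return\s+false", re.I)


def fetch_page(url, user_agent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"):
    """Download like the diary's wget run: send an IE User-Agent so the site
    serves what a victim would get. Hypothetical helper, not used offline."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=30) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


class PageScanner(HTMLParser):
    """Collects anchors, iframes and inline script bodies from one HTML page."""

    def __init__(self):
        super().__init__()
        self.links, self.iframes, self.scripts = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "iframe":
            self.iframes.append(a)
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def is_hidden_iframe(attrs):
    """Zero-sized or invisible iframes are the usual drive-by carrier."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (attrs.get("width") == "0" or attrs.get("height") == "0"
            or "display:none" in style or "visibility:hidden" in style)


def same_brand(url, brand_domain):
    """True only for the brand's own domain or a subdomain of it. Relative
    links resolve to the serving (fake) host and so count as off-brand."""
    host = urlparse(url).hostname or ""
    return host == brand_domain or host.endswith("." + brand_domain)


def triage(html, brand_domain="adobe.com"):
    """Return the findings a handler would want to see first."""
    p = PageScanner()
    p.feed(html)
    return {
        "off_brand_links": [u for u in p.links if not same_brand(u, brand_domain)],
        "hidden_iframes": [f.get("src") for f in p.iframes if is_hidden_iframe(f)],
        "context_menu_disabled": any(CONTEXT_MENU_RE.search(s) for s in p.scripts),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

On the constructed page the script reports exactly one off-brand link (the download button), the zero-sized iframe, and that the context menu is disabled; on a page that only mirrors adobe.com links it reports nothing, which is the point: the single odd link is what a tired user never notices and what a script never misses.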

The downloaded malware contains a full installer that, when tested on VirusTotal, had very low detection.

Technically, this attack wasn’t even worth a diary; however, the appearance could probably fool a lot of users. Although it’s extremely easy to spot the fake web site (the URL was visible in the Address bar), the question is how many users would really check. Would SSL help here? Yes, but again only if users pay attention, and in this case they would first have to be trained to check for it when downloading files, and that’s another story.

ISC Handler
Jun 22nd 2007