Over the weekend our colleagues at ESET Latin America found that Slideshare was being used to spread malware. As they haven't found much information on the web about this, Sebastián Bortnik blogged today about what they found. (Errors in translation and interpretation should be attributed to David Harley!) I've added some thoughts and some content based on discussions I've had subsequently with Pierre-Marc.
When monitoring known sources of rogue antimalware, it's common to find sites used for the active spread of malware. ESET Latin America have already reported in their blog a number of highly effective attacks, directed at the many users looking for free security products.
This weekend, they found a new platform used to spread malware: Slideshare.net. This website is very widely used for sharing presentations, but now it is being exploited by attackers, creating fake slide decks and using social engineering techniques to pass them off as having themes that will appeal to potential victims.
A case in point is a file they found to be passed off as a cracked download of ESET's NOD32 scanner. The presentation includes a slide that has a single link, and adds in the SourceForge.Net logo to give more credibility to the download. (Though you may wonder, as I did, since when has SourceForge been distributing cracked commercial software?!?)
If the user clicks on the link, he or she will be directed to a website that looks like SourceForge.Net, but is actually a spoofed site set up for malicious purposes. Subsequently, the window opens a file for download which has an .EXE extension.
In the case investigated by ESET Latin America, if the user downloads the file, it does not, of course, install any antivirus software. On the contrary, his system gets infected with a malware variant detected proactively by ESET NOD32 heuristics as Win32/Kryptik.YT. However, Pierre-Marc tells me that he's subsequently been seeing files with a different filename downloaded from a URL suggesting a Chinese origin. This file is detected as Win32/TrojanDownloader.FakeAlert.ADB, which is used to download fake anti-virus software, and a sample submitted to VirusTotal indicated good antivirus detection (31/41). The problem, however, is that these attacks are not aimed at people who already have competent anti-malware, but at people who are looking for a (preferably free) solution, even if it's pirated.
More than ever, you need to be careful in carrying out downloads from the Internet, as any platform may suddenly be found to be used or misused to propagate malicious code. Particularly in a case like this: it only makes sense to download security applications from their official websites: after all, if a site is prepared to offer pirated software, why would you assume that it has honest and benevolent intentions towards people who take up that offer? In fact, attackers are constantly seeking new platforms by which to propagate their threats, and they are not slow to seize the opportunity to misuse any new means of propagating malware. In fact, malware that passes itself off as antivirus is almost as old as antivirus.
The situation may be exacerbated by the fact that Powerpoint is generally regarded as a "safe" format, even though it can be misused in a number of ways to carry malicious code (macros, embedded files and so on). In this case, however, it's not just a question of whether the file is innocent: it's also a matter of realizing that an uninfected document may carry a link to a dangerous site.
Sebastián Bortnik, Pierre-Marc Bureau, David Harley