I was going around the Internet hunting down rogue security applications the other day and I found a couple of websites serving up what seems to be a commonly used rogue that performs a fake security scan when you visit the website.

No big deal. However, when it attempted to download and run the rogue app onto my test system, the rogue application gave an error saying it wasn’t an executable file. I was unable to install it.

So much for their plan to collect revenue from this scareware rogue security application. I think they’d better invest in some better quality assurance people and practices. LOL. Details…
WARNING: Stay away from these domains, badness!
209.44.126.14
Country: Canada
OrgName: Netelligent Hosting Services Inc.
pcguardscan.com
yourpcshield.com
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. DBA PUBLICDOMAINREGISTRY.COM
–mwdisector
Websites with names that sound like they are legitimate auto places are spreading malicious PDF and SWF/Flash files. When you visit the site, it brings up an iframe with the malicious PDF and Flash files.

One interesting thing about these sites is that if the visiting machine doesn’t have a PDF or Flash web browser plugin, then the malicious code isn’t dropped onto the system. While this isn’t a new technique, I’m seeing it used more and more. In the past the files would be dropped onto the victim and an attempt made to run them, only to either fail silently or prompt the user asking how to handle the file.
The other thing is the malware kinda tips its hat, because the iframe it brings up is visible, as opposed to typically hidden, yet is too small for the PDF it’s displaying inside. What’s the point of this? Not sure why they didn’t just bring up the iframe full screen, or at least large enough to display more of the PDF and thus not raise any suspicion. Maybe future revs will improve this. You reading this, CQA/MQA department? [Criminal/Malicious Quality Assurance] ;)
Their SW department did its job (Stealth Ware) because the malicious files served up are currently not being detected well:
readme_1_.pdf
VT scan 4/40 detected as malicious PDF/Gen:
http://www.virustotal.com/analisis/39320af4f3fceb3eae2ed6d89e0c914a
flash_1_.swf
VT scan 4/38 detected as exploit SWF/Gen
http://www.virustotal.com/analisis/df84f0a440e97b3b1c7fd583a091be4c
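A defender-side check for the two traits described above (inline script probing for PDF/Flash plugins before injecting content, and a PDF/SWF frame too small to display what it loads), as an added example that is not from the original post. It assumes you have saved the landing-page HTML to disk; the sample page and the 100-pixel threshold are constructed here, and only the Python standard library is used.

```python
"""Flag saved landing pages that probe for PDF/Flash plugins before injecting
content and that embed .pdf/.swf files in tiny iframes (stdlib only)."""
import re
from html.parser import HTMLParser

PLUGIN_PROBES = ("navigator.plugins", "navigator.mimeTypes",
                 "Shockwave Flash", "Adobe Acrobat", "application/pdf")
RISKY_EXT = (".pdf", ".swf")
TINY_PX = 100  # assumed threshold: a frame this small cannot show a PDF

def _px(value):
    # Parse '90' or '90px' into an int; None when absent or non-numeric.
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "")
    return int(m.group(1)) if m else None

class LandingPageScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._script = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._script = []  # buffer inline JS until </script>
        elif tag in ("iframe", "embed", "object"):
            src = (a.get("src") or a.get("data") or "").lower()
            if src.endswith(RISKY_EXT):
                w, h = _px(a.get("width")), _px(a.get("height"))
                tiny = w is not None and h is not None and min(w, h) < TINY_PX
                self.findings.append(f"tiny {tag} {w}x{h} loading {src}"
                                     if tiny else f"{tag} loading {src}")

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            hits = [p for p in PLUGIN_PROBES if p in "".join(self._script)]
            if hits:
                self.findings.append("plugin probe: " + ", ".join(hits))
            self._script = None

def scan_html(html):
    """Return the findings for one captured page, in document order."""
    s = LandingPageScanner()
    s.feed(html); s.close()
    return s.findings

# Constructed sample page modelled on the behaviour described in the post.
SAMPLE = ("<html><body><script>if (navigator.plugins['Shockwave Flash']) "
          "document.write('<iframe src=\"flash_1_.swf\" width=80 height=60>');"
          "</script><iframe src=\"readme_1_.pdf\" width=\"90\" height=\"70\">"
          "</iframe></body></html>")
```

Run `scan_html(open("page.html").read())` over a saved page; two findings together (a plugin probe plus a tiny PDF/SWF frame) are the pattern worth escalating, since a single large PDF embed is common on legitimate sites.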
Stay away from these sites – nothing but BADNESS exists there!
liteautorepair.cn
liteautofinestsite.cn
liteautogreatest.cn
litehitscar.cn
hyperliteautoservices.cn
–mwdisector