Compromised websites have been an attractive target for cyber-criminals. These websites distribute different malware designed to steal valuable information from the victim’s machine. McAfee has recently encountered a compromised website which distributes a malicious .jar file and Fake AV.
The compromised web page has an iFrame which redirects the user to download a malicious .jar file.
The link to the compromised website may arrive via email as part of a spam campaign to lure the user into clicking the malicious link. Once the user accesses the compromised website, the site shows a fake message box about critical process activity on the computer.
On clicking the OK button, it opens a .PNG file hosted on the compromised site. This .PNG file shows a fake alert image that pretends to be from a security product, scares the user into thinking the computer is seriously infected by critical malware, and suggests that the user clean the computer.
The compromised website has another iFrame that allows downloading a malicious file when the user attempts to click on the .PNG file.
Once executed, the malicious file shows a variety of fake security alerts and warnings. Also, this rogue variant uses a different GUI, depending on the version of the operating system it infects.
Finally, it attempts to convince the user to purchase the full version of the fake product.
McAfee strongly recommends that users exercise caution when opening unsolicited emails. Ensure your anti-malware protection is up to date. Use a reputable firewall. Beware of drive-by downloads when visiting any new websites. McAfee detects this malware as “FakeAlert-FFO” and the .jar file as “Exploit-CVE2012-1723”.
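
A site owner or responder can check a saved copy of a page for the kind of iFrame described above. The following Python is an added example, not McAfee's code: it flags iFrames whose source is a direct .jar or executable download, or an off-site source loaded in a hidden frame. The extensions other than .jar, the hidden-frame heuristic, and the example.com/.net/.org URLs in the constructed sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# .jar comes from the article; the other extensions are assumptions.
RISKY_EXT = (".jar", ".exe", ".scr", ".msi")

def is_hidden(a):
    """Heuristic (assumption): 0/1-pixel or CSS-hidden frames are suspicious."""
    style = (a.get("style") or "").replace(" ", "").lower()
    tiny = any((a.get(k) or "").strip() in ("0", "1") for k in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style

class IframeAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []  # list of (resolved_src, [reasons])

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "iframe" or not a.get("src"):
            return
        target = urljoin(self.page_url, a["src"])  # resolve relative src
        parsed = urlparse(target)
        download = parsed.path.lower().endswith(RISKY_EXT)
        offsite = bool(parsed.hostname) and parsed.hostname != self.page_host
        hidden = is_hidden(a)
        # Visible off-site embeds (video players etc.) are common and not flagged.
        if download or (offsite and hidden):
            labels = [("direct file download", download),
                      ("off-site source", offsite),
                      ("hidden or tiny frame", hidden)]
            self.findings.append((target, [name for name, hit in labels if hit]))

def audit(html, page_url):
    parser = IframeAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page, not taken from the compromised site.
SAMPLE = """<html><body><h1>Welcome</h1>
<iframe src="https://video.example.org/embed/123" width="560" height="315"></iframe>
<iframe src="http://cdn.example.net/load/update.jar" width="1" height="1"></iframe>
<iframe src="/files/setup.exe" style="display: none"></iframe>
<iframe src="http://stats.example.net/c.php" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for url, reasons in audit(SAMPLE, "http://www.example.com/index.html"):
        print(url, "->", ", ".join(reasons))
```

Run against pages pulled from the web root or a crawl, any finding the site owner did not place there is a reason to inspect the page source and the server for tampering.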