Presentation sharing website hit by hackers to distribute rogue anti-virus

News by Dan Raywood

The website is being used to distribute malware after being exploited by hackers.

According to a blog by ESET threat researchers Sebastián Bortnik, Pierre-Marc Bureau and David Harley, the Latin America office has detected that the site is being used to create fake slide decks. The site is used to share presentations, and hackers are using social engineering techniques to pass the decks off as having themes that will appeal to potential victims. ESET claimed that it had detected a file passed off as a cracked download of ESET's NOD32 scanner.

The presentation includes a slide that has a single link, and adds in the SourceForge.Net logo to give more credibility to the download.

Harley said: “If the user clicks on the link, he or she will be directed to a website that looks like SourceForge.Net, but is actually a spoofed site set up for malicious purposes. Subsequently, the window opens a file for download which has an .EXE extension.”

If the user downloads the file, it does not install any anti-virus software; instead, the user is infected with a malware variant detected proactively by ESET NOD32 heuristics as Win32/Kryptik.YT.

Harley said: “However, Pierre-Marc tells me that he's subsequently been seeing files with a different filename downloaded from a URL suggesting a Chinese origin. This file is detected as Win32/TrojanDownloader.FakeAlert.ADB, which is used to download fake anti-virus software, and a sample submitted to VirusTotal indicated good anti-virus detection (31/41).

“The problem, however, is that these attacks are not aimed at people who already have competent anti-malware, but at people who are looking for a (preferably free) solution, even if it's pirated.”

ESET recommended care in carrying out downloads from the internet, as any platform may suddenly be found to be used or misused to propagate malicious code.

“Attackers are constantly seeking new platforms by which to propagate their threats, and they are not slow to seize the opportunity to misuse any new means of propagating malware. In fact, malware that passes itself off as anti-virus is almost as old as anti-virus,” said Harley.

“The situation may be exacerbated by the fact that PowerPoint is generally regarded as a ‘safe’ format, even though it can be misused in a number of ways to carry malicious code (macros, embedded files and so on). In this case, however, it's not just a question of whether the file is innocent: it's also a matter of realising that an uninfected document may carry a link to a dangerous site.”
