Blue Coat has identified a new malware trick just in time for Halloween. Unsuspecting victims are redirected to one of two malware sites after searching for Halloween related sites. These distribution sites are typically used for hosting of warez, pirated digital content, but have been switched to malware distribution in the past 12 hours.Here is how it works: a user searches for Halloween information, such as "Halloween costumes". The search results link to a page with the keywords Halloween costumes, but this page is not the treat the user was searching hoping for. The page, hosted through a hacked blog, redirects the user to a malware distribution site where the user is presented with a download for halloween-costumes-to-play-40064.exe.
The malware author is presenting the user with an .exe that includes the search terms in the name hoping the user will download and run it. Appended to the search term is the phrase "to-play" and a version number. Due to the term "to-play", Blue Coat believes the malware author's original intent was to target searches for Halloween music. Other malicious query results detected by Blue Coat include:
Regis-and-kelly-hallween-show-2009-to-play-40064 office-appropriate-halloween-costumes-to-play.40064.exe scary-halloween-signs-to-play.40064.exe halloween-games-printables-for-teens-to-play.40064.exe
It is important to note that these file names are always constructed based on the original search terms so they will change search by search and the malware author could change the appended text and version number.
Once downloaded, the application executes connections to other sites in order to download more malware allowing the malware author to continue with his intended plan. At this time little is known about the malware other than it is 102kb in size and its primary function is to download other malware.
To avoid falling prey, a few steps can be taken. First, if you are searching for music an .exe file is probably not the type of file you expect, so disregard and do not download it. Next, in this case, the phrase "to-play" is always added to the file name, avoid those downloads.
At the time of detection by Blue Coat, no anti-virus vendor identified the binary as malware. Sophos has since updated their signatures and identified this as a variant to the week old Mal/Krap.A.
Blue Coat suspects this is a sign of things to come as we enter the Christmas and New Year holidays. As people search for new toys, new year party ideas, and other related terms, they believe we will see more targeted threats and downloads named to trick the end user.
Make it a happy Halloween and do not be fooled by these tricksters. This warning is a Halloween treat from Blue Coat and InformationWeek.