Parking Violation Notices Lead to Malware

Using a combination of social engineering and malicious software, an innovative new way to get people to install malware on their computers has recently popped up, and it all starts with finding a flier on your car's windshield stating that your car is illegally parked. The fliers are fake, but they prey on people's fears by stating, "PARKING VIOLATION This vehicle is in violation of standard parking regulations. To view pictures with information about your parking preferences, go to website-redacted." These fake fliers started appearing on windshields in the Grand Forks, North Dakota area a few days ago.

Credit: SANS Institute
It is not clear how many vehicles had been targeted or how many people wound up visiting the website listed on the flier. If a victim of the scam did visit the website, he would see photographs of cars parked in various places around Grand Forks. The user was instructed to install a toolbar so that he could search the site for a picture of his vehicle. The application, PictureSearchToolbar.exe, is actually a Trojan, which McAfee identifies as Vundo.dldr!1231E9AC. The Trojan installs a system DLL that gets "installed as an Internet Explorer Browser Helper Object (BHO)." When Internet Explorer is open, the DLL attempts to connect to "a domain with a bad reputation," according to the SANS Institute. Curiously, Symantec identifies the site as malicious, while McAfee does not. If this connection is successful, a warning pops up that states that the computer is infected with malware, and directs the user to a site to download and "install a fake anti-virus scanner." This fake scanner is actually a type of malware known as a dropper. As to what happens next, the SANS Institute's investigation ended there, but we can guess that users' systems that get infected with this malware are open to potential data and identity theft.

Credit: SANS Institute

McAfee notes that since the Vundo.dldr!1231E9AC Trojan is "injected into common running processes like iexplore.exe [Internet Explorer], software based firewalls might not alert about outgoing connections made by the malware"--meaning that a software firewall alone might not prevent the Trojan from connecting to the questionable domain. McAfee also reports that this Trojan is detected by its DAT files as of 02/04/09.
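Because the DLL is loaded as a Browser Helper Object and its traffic leaves through iexplore.exe, a host-side inventory of registered BHOs is a more reliable check than waiting for a firewall alert. The script below is an added example, not code from the article, SANS or McAfee; it assumes a Windows host with PowerShell and uses only the standard BHO and CLSID registry locations, with no values taken from this incident.

```powershell
# Added example: enumerate every Browser Helper Object registered on this host,
# resolve each CLSID to the DLL Internet Explorer will load, and flag DLLs that
# are unsigned, missing, or installed outside the usual program directories.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)
# Directories where a legitimately installed BHO DLL is normally expected to live
$trustedDirs = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot\System32")

function Get-RegisteredBho {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($entry in Get-ChildItem $key) {
            $clsid = $entry.PSChildName          # subkey name is the BHO's CLSID
            $dll = $null
            foreach ($root in $clsidRoots) {
                $inproc = Join-Path $root "$clsid\InprocServer32"
                if (Test-Path $inproc) {
                    # The default value of InprocServer32 is the DLL path IE loads
                    $dll = [Environment]::ExpandEnvironmentVariables(
                        (Get-ItemProperty $inproc).'(default)')
                    break
                }
            }
            $signature = 'N/A'; $flags = @()
            if (-not $dll) { $flags += 'no InprocServer32 entry' }
            elseif (-not (Test-Path $dll)) { $flags += 'DLL missing on disk' }
            else {
                $signature = (Get-AuthenticodeSignature $dll).Status
                if ($signature -ne 'Valid') { $flags += 'unsigned or invalid signature' }
                $inTrusted = $trustedDirs | Where-Object { $_ -and $dll.StartsWith($_, 'OrdinalIgnoreCase') }
                if (-not $inTrusted) { $flags += 'outside Program Files/System32' }
            }
            [PSCustomObject]@{ CLSID = $clsid; DLL = $dll; Signature = $signature; Flags = ($flags -join '; ') }
        }
    }
}

# Any row with a non-empty Flags column deserves a closer look.
Get-RegisteredBho | Format-Table -AutoSize
```

Run it from an elevated prompt on the suspect machine; a BHO whose DLL sits in a user-writable directory and carries no valid signature is the pattern this campaign's toolbar would produce.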

This security issue was first made public by the SANS Institute in a blog entry by Lenny Zeltser, who is "a member of the Board of Directors at SANS Technology Institute and a senior faculty member at SANS." In the blog, he summarizes this security issue this way:

"Attackers continue to come up with creative ways of tricking potential victims into installing malicious software. Merging physical and virtual worlds via objects that point to websites is one way to do this. I imagine we'll be seeing such approaches more often."

It's anyone's guess as to what other "physical world"-based scenarios will pop up that will lead users to online threats. Perhaps the only words of warning we can provide are to use security software, make sure your security software is up to date, and be suspicious and skeptical of any unknown site.