Windshield Parking Violation Fliers Lead People To Malicious Web Site Spreading Malware

How would you like to find a yellow parking violation flier on your windshield that gets you to visit a malicious website?

How nice of these hackers to distribute fliers that advertise a malicious site that will download malware onto your computer. This is the first time I have heard about this and I had to share it with you.

A new report by Lenny Zeltser, a SANS analyst, describes this new approach that tricks people into obtaining malware via a parking violation notice on their windshield. This is pretty low if you ask me. If only someone would catch these people red-handed, or should I say YELLOW-handed.

This new incident occurred in Grand Forks, North Dakota, where people returned to their cars only to find a yellow flier on the windshield that says the following:

PARKING VIOLATION This vehicle is in violation of standard parking regulations. To view pictures with information about your parking preferences, go to THIS WEBSITE (Site not disclosed for your protection)

[Image of flier. Source: isc.sans.org]

If anyone visits the website listed on this flier, it will show a picture of cars in a parking lot with a message above it that says:

To view pictures of your vehicle from Grand Forks, North Dakota download here: CLICK ME FOR THE PICTURE SEARCH TOOLBAR.

The attack from that link is a conventional method of spreading malware: it leads you to install a program, supposedly needed to display the picture "of your vehicle" that you wish to see on this site. The install file is PictureSearchToolbar.exe, which is tied to DNS queries for childhe.com, a domain that has a bad reputation. Even if you did not have an internet connection, this file will still install malware in the form of a DLL in C:\Windows\system32. The files identified are tuvwwUlj.dll and iifdbCVn.dll, and the MD5 of the DLL file is 5f7e6f158592f0a5036d79cc63388d29.

This malware attack was found to install an Internet Explorer Browser Helper Object (BHO) after your system is rebooted. After the initial install and reboot of your system, the fun begins. You start to get popups and the unfortunate reports of a virus being detected, and it may offer a fake solution that involves purchasing some malware application.
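One way to review the Browser Helper Objects registered on a machine against the file names and MD5 given above, as an added PowerShell example that is not from the SANS report or this post. The registry paths are the standard Windows BHO and COM registration locations; the function name Get-BhoReport is hypothetical.

```powershell
# Added example: list registered Internet Explorer BHOs and compare the DLL
# behind each one with the indicators named in the article.
$KnownMd5   = @('5f7e6f158592f0a5036d79cc63388d29')   # MD5 from the article
$KnownNames = @('tuvwwUlj.dll', 'iifdbCVn.dll')       # file names from the article

# BHO registration key -> CLSID hive that describes the COM server behind it.
# The second pair covers 32-bit Internet Explorer on 64-bit Windows.
$Hives = [ordered]@{
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' =
        'HKLM:\SOFTWARE\Classes\CLSID'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' =
        'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID'
}

function Get-BhoReport {
    foreach ($bhoKey in $Hives.Keys) {
        if (-not (Test-Path -LiteralPath $bhoKey)) { continue }
        foreach ($entry in Get-ChildItem -LiteralPath $bhoKey) {
            $clsid  = $entry.PSChildName
            $server = Join-Path $Hives[$bhoKey] "$clsid\InprocServer32"

            # The default value of InprocServer32 is the path of the DLL that IE loads.
            $dll = $null
            if (Test-Path -LiteralPath $server) {
                $dll = (Get-Item -LiteralPath $server).GetValue('')
            }

            # Hash the DLL if it is present on disk; a missing file is itself worth a look.
            $md5 = $null
            if ($dll -and (Test-Path -LiteralPath $dll -PathType Leaf)) {
                $md5 = (Get-FileHash -LiteralPath $dll -Algorithm MD5).Hash
            }

            [pscustomobject]@{
                Clsid     = $clsid
                Dll       = $dll
                MD5       = $md5
                HashMatch = $KnownMd5 -contains $md5      # -contains ignores case
                NameMatch = [bool]($dll -and ($KnownNames -contains (Split-Path $dll -Leaf)))
            }
        }
    }
}

Get-BhoReport | Sort-Object HashMatch, NameMatch -Descending | Format-Table -AutoSize
```

Run it from an elevated 64-bit PowerShell session; any BHO whose DLL sits in C:\Windows\system32 and is not one you recognise deserves review even when neither match column is true.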

Hackers and thieves continue to come up with creative ways to spread their malware programs and files ultimately for monetary gain. From this new report it is obvious that they will go to great new lengths to do this even if it means almost confronting you face to face. Let me catch one of these guys putting fliers on my car, it will be the last time that they get to walk as a free person!