Security Response

Downloader.Liftoh Cousin to W32.Phopifas?

Created: 23 May 2013 21:04:25 GMT • Updated: 23 Jan 2014 18:07:04 GMT • Translations available: 日本語
Rodrigo Calvo

Downloader.Liftoh is a Trojan horse detected by Symantec that downloads malware onto the compromised computer without the user noticing.

A new variant of this threat, discovered in early May, was identified in some Spanish-speaking countries in Latin America. This variant of Downloader.Liftoh sends its lure messages in Spanish instead of English. The threat is similar to W32.Phopifas, which we wrote about in our blog in October 2012.

The creators of Downloader.Liftoh use Skype, which is popular in Latin America, as well as other instant messaging applications to distribute the malware:

  1. The victim receives a message from someone who seems to be on their contact list. The message says, “esta es una foto muy amable de tu parte,” or “jaja, esta foto extraña de tu perfil,” or some similar message to entice the victim to click on a provided link. The link is from one of several URL shortener services, including goo.gl, url9.de, fur.ly, bit.ly, and is.gd.
     
    Figure 1. Malicious Skype message
     
  2. If the victim clicks on the shortened URL, they are redirected to a URL on the 4shared.com website.
     
  3. Once on the 4shared.com website, the victim is prompted to download a .zip file that contains Downloader.Liftoh disguised as a legitimate instant messaging file.
     
  4. If the victim unzips the file, they will find an .exe file inside.
     
  5. If the victim executes that .exe file, Downloader.Liftoh will have successfully compromised the computer.
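
The chain above, seen from the defender's side: an added example (not Symantec's code) that scores instant messages for the combination the post describes, a link through one of the named shorteners or to 4shared.com paired with the Spanish photo lure or a .zip/.exe reference. The sample messages are constructed, and the indicator names and scoring rule are this example's own.

```python
import re
from urllib.parse import urlparse

# Indicators quoted in the post: shorteners used in the campaign, the file
# host that served the .zip, and the Spanish lure texts. URL_RE accepts URLs
# with a scheme and bare "host/path" forms as people type them in chat.
SHORTENERS = {"goo.gl", "url9.de", "fur.ly", "bit.ly", "is.gd"}
PAYLOAD_HOST = "4shared.com"
LURE_PHRASES = ("esta es una foto muy amable de tu parte",
                "jaja, esta foto extraña de tu perfil")
URL_RE = re.compile(r"https?://[^\s<>\"']+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}/[^\s<>\"']*", re.I)


def extract_hosts(message):
    """Lower-cased hostnames (without a leading www.) of every URL in the message."""
    hosts = []
    for match in URL_RE.finditer(message):
        url = match.group(0)
        if not url.lower().startswith("http"):
            url = "http://" + url  # urlparse only splits out the host when a scheme is present
        host = (urlparse(url).hostname or "").lower()
        hosts.append(host[4:] if host.startswith("www.") else host)
    return hosts


def analyze(message):
    """Return the set of campaign indicators present in one IM message."""
    found, hosts, lowered = set(), extract_hosts(message), message.lower()
    if any(h in SHORTENERS for h in hosts):
        found.add("shortened-url")
    if any(h == PAYLOAD_HOST or h.endswith("." + PAYLOAD_HOST) for h in hosts):
        found.add("4shared-link")
    if any(p in lowered for p in LURE_PHRASES) or re.search(r"\bfoto\b", lowered):
        found.add("photo-lure")
    if re.search(r"\.(zip|exe)\b", lowered):
        found.add("zip-or-exe")
    return found


def is_suspicious(message):
    """True only when a delivery link is paired with bait; a bare bit.ly link alone is normal."""
    found = analyze(message)
    return bool(found & {"shortened-url", "4shared-link"}) and \
        bool(found & {"photo-lure", "zip-or-exe"})


# Constructed sample messages, not taken from the post's telemetry.
SAMPLES = ["jaja, esta foto extraña de tu perfil http://goo.gl/abc123",
           "Reunión mañana a las 10, agenda: http://bit.ly/team-agenda",
           "esta es una foto muy amable de tu parte",
           "descarga aquí: http://www.4shared.com/zip/xyz/skype_foto.zip"]
if __name__ == "__main__":
    for msg in SAMPLES:
        print("SUSPICIOUS" if is_suspicious(msg) else "ok", sorted(analyze(msg)), msg)
```

Only the first and last samples are flagged: the meeting link uses a shortener but carries no bait, and the lure text without a link is just chatter.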
     

Symantec has observed that the links the cybercriminals distribute through Google's URL shortener in this campaign have recently received 171,553 clicks.
 

Figure 2. Downloader.Liftoh has 171,553 global clicks since May 20

Figure 3. Downloader.Liftoh Latin American click rate distribution
 

There are no geographic boundaries for malware distribution. Attackers only need to translate the malware's lure messages into a different language to find new computers to compromise. To protect yourself, Symantec recommends having up-to-date and comprehensive security solutions that include antispam and antivirus protection to prevent the compromise of personal computers and networks. It is also recommended that users not click on suspicious links or open any unusual files, even if they are sent from a known contact.