Paltalk Rogue Trojan Loader From Palnet Ad Server
1. Paltalk Rogue Trojan Loader from PalNet Ad Server
Captured by Sunny Sky50m @PCTECH
3. The Rogue Online Scanner

The Paltalk Today window popped up from the background to the top of the desktop. It behaved like any web page, but had no address bar. The window showed a fake Windows system task on the left, with fake Explorer folders and fake trojan scanner results. It looked like an active, animated online program, but was actually a harmless animated GIF or PNG file, so no anti-malware software detected it. In this case it merely pretended to be an online security scan, but carried an embedded hyperlink supplied by the PalNet server which, if clicked, went straight to the Trojan server to initiate a download.

Caption on the fake scanner: "... to Fix your Infected Computer! (not!)"

Clicking anywhere on the Paltalk Today window triggers the Trojan download, "inst.exe".
4. Where does the Trojan come from?

whois 85.12.44.148

inetnum:   85.12.44.128 - 85.12.44.255
netname:   XS-24
descr:     XS-24 international ltd
country:   nl
admin-c:   PL2400-RIPE
tech-c:    TW1148-RIPE
status:    ASSIGNED PA
mnt-by:    EUROACCESS-MNT
source:    RIPE # Filtered

person:    PC Leurink
address:   EuroAccess Enterprises Ltd.
address:   Alsacelaan 5
address:   5627 CA Eindhoven, The Netherlands
phone:     +31 (0)20-7173209
fax-no:    +31 (0)40-2488764
e-mail:
mnt-by:    EUROACCESS-MNT
nic-hdl:   PL2400-RIPE
source:    RIPE # Filtered

person:    TA Westervoorde
address:   EuroAccess Enterprises Ltd.
address:   Alsacelaan 5
address:   5627 CA Eindhoven, The Netherlands
phone:     +31 (0)20-7173209
fax-no:    +31 (0)40-2488764
e-mail:
mnt-by:    EUROACCESS-MNT
nic-hdl:   TW1148-RIPE
source:    RIPE # Filtered
6. Which AV missed detecting this malware?

inst.exe was saved and submitted to www.virustotal.com for analysis. The import table shows that the file can terminate processes and read and write files, using functions imported from two DLLs:

USER32.dll: CreateWindowExA, GetTaskmanWindow, MessageBoxA, GetMessageExtraInfo, UpdateWindow, CreateWindowExW, SendMessageA
KERNEL32.dll: ExitProcess, CreateFileW, WriteFile, ReadFile, GetVersionExW, GetModuleHandleW, DuplicateHandle, CloseHandle

VIRUS-TOTAL RESULTS
File inst.exe received on 2010.03.27 21:49:18 (UTC)
Result: 8/42 (19.05%), i.e. detected by 8 of the 42 engines

Engine              Version           Last Update   Result
a-squared           4.5.0.50          2010.03.27    -
AhnLab-V3           5.0.0.2           2010.03.27    -
AntiVir             7.10.5.241        2010.03.26    -
Antiy-AVL           2.0.3.7           2010.03.26    -
Authentium          5.2.0.5           2010.03.27    -
Avast               4.8.1351.0        2010.03.27    -
Avast5              5.0.332.0         2010.03.27    -
AVG                 9.0.0.787         2010.03.27    -
BitDefender         7.2               2010.03.27    -
CAT-QuickHeal       10.00             2010.03.27    -
ClamAV              0.96.0.0-git      2010.03.27    -
Comodo              4407              2010.03.27    -
DrWeb               5.0.1.12222       2010.03.27    -
eSafe               7.0.17.0          2010.03.25    -
eTrust-Vet          35.2.7391         2010.03.26    -
F-Prot              4.5.1.85          2010.03.27    -
F-Secure            9.0.15370.0       2010.03.27    -
Fortinet            4.0.14.0          2010.03.27    -
GData               19                2010.03.27    -
Ikarus              T3.1.1.80.0       2010.03.27    -
Jiangmin            13.0.900          2010.03.27    -
K7AntiVirus         7.10.1004         2010.03.22    -
Kaspersky           7.0.0.125         2010.03.27    Packed.Win32.Krap.ai
McAfee              5933              2010.03.27    FakeAlert-KW.e
McAfee+Artemis      5933              2010.03.27    FakeAlert-KW.e
McAfee-GW-Edition   6.8.5             2010.03.27    Heuristic.BehavesLike.Win32.Packed.K
Microsoft           1.5605            2010.03.27    Trojan:Win32/Winwebsec
NOD32               4978              2010.03.26    -
Norman              6.04.10           2010.03.27    -
nProtect            2009.1.8.0        2010.03.27    -
Panda               10.0.2.2          2010.03.27    -
PCTools             7.0.3.5           2010.03.27    -
Prevx               3.0               2010.03.27    -
Rising              22.40.05.04       2010.03.27    -
Sophos              4.52.0            2010.03.27    -
Sunbelt             6101              2010.03.26    FraudTool.Win32.SecurityTool (v)
Symantec            20091.2.0.41      2010.03.27    Suspicious.Insight
TheHacker           6.5.2.0.246       2010.03.27    Trojan/FakeAV.gen
TrendMicro          9.120.0.1004      2010.03.27    -
VBA32               3.12.12.2         2010.03.27    -
ViRobot             2010.3.27.2248    2010.03.27    -
VirusBuster         5.0.27.0          2010.03.27    -
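As an added example (not part of the original slides), a small Python parser for the flattened "engine version date result" layout of the report above, run over a constructed subset of the quoted verdicts; it computes the detection ratio and counts how many engines name a rogue/fake-AV family, which is what a responder wants to know when triaging a "fake scanner" lure like this one. The family keyword list is an assumption built from the verdict names on the page.

```python
import re

# Constructed sample in the flattened "Engine Version Date Result" layout
# of the VirusTotal report quoted above; "-" means no detection. It is a
# subset of the 42 engines: all 8 detections plus 2 clean entries.
SAMPLE = """\
AntiVir 7.10.5.241 2010.03.26 -
ClamAV 0.96.0.0-git 2010.03.27 -
Kaspersky 7.0.0.125 2010.03.27 Packed.Win32.Krap.ai
McAfee 5933 2010.03.27 FakeAlert-KW.e
McAfee+Artemis 5933 2010.03.27 FakeAlert-KW.e
McAfee-GW-Edition 6.8.5 2010.03.27 Heuristic.BehavesLike.Win32.Packed.K
Microsoft 1.5605 2010.03.27 Trojan:Win32/Winwebsec
Sunbelt 6101 2010.03.26 FraudTool.Win32.SecurityTool (v)
Symantec 20091.2.0.41 2010.03.27 Suspicious.Insight
TheHacker 6.5.2.0.246 2010.03.27 Trojan/FakeAV.gen
"""

# engine, version, yyyy.mm.dd date, then the verdict (may contain spaces)
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+?)\s*$")

# Family keywords that point at rogue/fake security software. The names come
# from the verdicts on this page; grouping them this way is an assumption.
ROGUE_AV_HINTS = ("fakealert", "fakeav", "winwebsec", "fraudtool", "securitytool")

def parse_report(text):
    """Return a list of (engine, version, date, verdict); verdict is None for '-'."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip headers, status noise or blank lines
        engine, version, date, verdict = m.groups()
        rows.append((engine, version, date, None if verdict == "-" else verdict))
    return rows

def detection_ratio(rows):
    """(engines that flagged the file, engines that scanned it)."""
    hits = sum(1 for r in rows if r[3])
    return hits, len(rows)

def rogue_av_consensus(rows):
    """Engines whose verdict names a rogue-AV family; generic packer or
    heuristic hits (Packed.*, Suspicious.*) are deliberately not counted."""
    return sum(1 for r in rows if r[3] and any(k in r[3].lower() for k in ROGUE_AV_HINTS))

if __name__ == "__main__":
    rows = parse_report(SAMPLE)
    hits, total = detection_ratio(rows)
    print(f"{hits}/{total} engines flagged inst.exe; rogue-AV family verdicts: {rogue_av_consensus(rows)}")
```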