Malware stops the music at Spotify.com

Malware stopped the music at Spotify.com – especially for listeners in Sweden and the UK.

According to the avast! Virus Lab, the majority of Spotify users reporting the malware were in Sweden (59%), followed by a large group (40%) in the UK. The remaining 1% came from other countries. There were no reports from France – an interesting twist due to the large avast! user base there.

The poisoned ads were likely served up in specific geographic areas, resulting in the predominance of Swedish and UK reports. Geographic dispersal is a function of how and where Spotify operates as they don’t have the right to distribute music in the United States.

The malware was contained in a poisoned advertisement, with the PDF exploit “JS:Pdfka-gen [Expl]”, attempting to put a fake antivirus on visitors’ computers. According to VirusTotal, we were the first ones to detect the PDF. The attack took place during the week of March 21, 2011.

For a detailed report on the Spotify attack, read the websense.com report.



https://blog.avast.com/2011/03/28/malware-stops-the-music-at-spotify-com/?utm_source=twitter&utm_medium=twitterfeed&utm_campaign=blog

This was a Xor-encoded.A virus: http://www.pandasecurity.com/homeusers/security-info/194318/Xor-encoded.A/
One could use 256 XORs per byte (well, actually 255, for XOR-0 does not do a thing), decrypting when the executable starts; simple XOR is easily detected as a means of weak encryption.
See: http://nakedsecurity.sophos.com/2010/08/31/encryption-encryption-key/

See where it is used for good purposes: http://www.forensickb.com/2008/03/xor-entire-file-or-selected-text.html

polonus
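
The remark above about single-byte XOR being easy to detect, shown as an added example that is not part of the original post: a scanner encodes a known marker under each of the 255 useful keys and searches for it. The marker is the DOS stub string found in Windows executables; the sample buffer, the key 0x5A and the function names are constructed for illustration.

```python
# Added example: find a single-byte-XOR-encoded executable inside a buffer.
# Key 0 is skipped because XOR with 0 leaves every byte unchanged.

# Text carried in the DOS stub of Windows PE files.
DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with the same one-byte key."""
    return bytes(b ^ key for b in data)


def find_xor_encoded(data: bytes, marker: bytes = DOS_STUB):
    """Return (key, offset) pairs where marker appears XOR-encoded in data.

    The marker is encoded once per key and searched for, which is cheaper
    than decoding the whole buffer 255 times.
    """
    hits = []
    for key in range(1, 256):
        needle = xor_bytes(marker, key)
        start = 0
        while (off := data.find(needle, start)) != -1:
            hits.append((key, off))
            start = off + 1
    return hits


# Constructed sample: a fake PE header fragment, XOR-encoded with 0x5A and
# placed between filler bytes, standing in for a payload hidden in a file.
_FAKE_PE = b"MZ" + b"\x00" * 62 + DOS_STUB + b".\r\n$"
SAMPLE = b"\x00" * 16 + xor_bytes(_FAKE_PE, 0x5A) + b"\xff" * 8

if __name__ == "__main__":
    for key, off in find_xor_encoded(SAMPLE):
        print(f"marker found at offset {off} under XOR key 0x{key:02x}")
```
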