Dropbox - malware distribution
March 21, 2012 - "... a collection of files masquerading as RealNetworks updater executables. These files were all located in a user’s %AppData%\real\update_ob\ directory, and the sizes were all quite consistent... the software is in fact malicious, and that it is actually downloading malicious files from the popular web-based file hosting service Dropbox. These files came in two varieties: some files were randomly-named; other files were named for legitimate software. For example: utorrent.exe, Picasa3.exe, Skype.exe, and Qttask.exe... While some of the potential payloads were not present, some malicious URLs were still active... these target files on Dropbox are not legitimate, and they are definitely malicious. When executed they would write -many- files with legitimate names in generally legitimate locations. In some cases, file icons for the malicious files are not identical to the legitimate software that they are masquerading as.
... the malware obtains instructions from an XML script accessed via a dynamic DNS service that directs it to directs it to download additional malware and utilities from Dropbox and to disable certain antivirus programs which may be running on the infected PC... Another objective of this spy is to collect VERY specific system information, including hardware ID serials, computer and user names, OS version info, AV info, firewall info, UAC status, video device info, and many other pieces of information that no one would want falling into the hands of a stranger... this Dropbox-utilizing spy runs as a chain of downloaders for additional malware; the non-Dropbox-hosted C&C servers can determine what malware is grabbed by the downloaders so ultimately the end result of the infection is almost limitless. Once installed, malicious actions can vary from serving up rogue AVs, installing keyloggers, rootkits, or whatever the cybercrimal fancies. While it’s unfortunate malware writers have exploited this free service to serve their malware, Dropbox users don’t need to fret. There is no indication that legitimate Dropbox accounts were harvested to serve this malware and it is much more likely the writers simply opened their own accounts within Dropbox to carry this action out."
08 Mar 2012 - "... Dropbox is being abused by malware authors, as well as spammers. We recently saw a Brazilian Portuguese malware message claiming to contain photos and asking if they can be put onto a popular social networking site. The links in the email point to a Trojan hosted on Dropbox... This abuse is a good reminder that -any- site which makes user-supplied content publicly available must continue to be vigilant about dealing with abuse. Although Dropbox is a high-profile site, spammers target all sorts of sites, big and small. There are many things that sites do to deal with such abuse, but in some cases this crucial work is often seen as low priority, despite the damage that such abuse can cause..."
13 April 2012 - "... the use of Dropbox as a delivery mechanism is a something that the industry is going to have to take into account and protect against, as it is an emerging trend."