Downloader.Liftoh Cousin to W32.Phopifas?

Downloader.Liftoh is a Trojan horse detected by Symantec that downloads malware onto the compromised computer without the user noticing.

A new variant of this threat, discovered in early May, was identified in some Spanish-speaking countries in Latin America. This variant of Downloader.Liftoh sends messages in Spanish instead of English. The threat is similar to W32.Phopifas which we wrote about in our blog from October 2012.

The creators of Downloader.Liftoh use Skype, which is popular in Latin America, as well as other instant messaging applications to distribute the malware:

  1. The victim receives a message from someone who seems to be on their contact list. The message says, “esta es una foto muy amable de tu parte,” or “jaja, esta foto extraña de tu perfil,” or some similar message to entice the victim to click on a provided link. The link is from one of several URL shortener services, including,,,, and
    Figure 1.
    Malicious Skype message
  2. If the victim clicks on the shortened URL, they are redirected to a URL on the website.
  3. Once on the website, the victim is prompted to download a .zip file that contains Downloader.Liftoh disguised as a legitimate instant messaging file.
  4. If the victim unzips the file, they will find an .exe file inside.
  5. If the victim executes that .exe file, Downloader.Liftoh will have successfully compromised the computer.

Symantec has observed 171,553 clicks that this attack has received recently through Google’s URL shortener which the cybercriminals use in their campaign.


Figure 2. Downloader.Liftoh has 171,553 global clicks since May 20


Figure 3. Downloader.Liftoh Latin American click rate distribution

There are no geographic boundaries for malware distribution. Attackers only need to change malware code to a different language to find new computers to compromise. To protect yourself, Symantec recommends having up to date and comprehensive security solutions that include antispam and antivirus protections to prevent the compromise of personal computers and networks. It is also recommended that users not click on suspicious links or open any unusual files—even if they are sent from a known contact.

Taking the Shortcut to Malicious Attacks

Taking the Shortcut to Malicious Attacks 

Shortened URLs have become popular in recent years as a means of conserving space in character-limited text fields, such as those used for micro-blogging. Some URLs consist of a substantial number of characters that can eat up character limits, break the flow of text, or cause distortions in how Web pages are rendered for users. URL shortening services allow people to submit a URL and receive a second, specially coded shortened URL that redirects to the original URL. When a user clicks on the shortened URL, the service will redirect the person to the submitted Web page.

Attackers are taking advantage of this type of service because it helps to hide the actual destination URL. Attackers use the shortened links, which may or may not be legitimate, to lead unwitting users to malicious websites that are designed to attack any system using a vulnerable browser. 

Social networks are a security concern for organizations because they provide an effective platform for attackers to launch this type of attack. Users who see a link posted by a friend may be more likely to trust (and click on) links posted on social networking sites, with little fear of danger. Therefore, an attacker who compromises a social networking account can prey on the inherent trust of the social network connected to that account and post URLs that link to malicious websites. During a three-month observation period in 2010, two-thirds of the malicious URLs observed on social networks were shortened URLs. Currently, most malicious URLs on social networking sites lead to websites that are hosting attack toolkits.

Using malicious shortened URLs can be a very successful method of attack. Symantec measured the number of times a malicious shortened URL was clicked on to determine the success of the link. Of the shortened URLs leading to malicious websites that Symantec observed on social networking sites over a four-month period in 2010, 88 percent were clicked on at least once.

As more people join and frequent social networking sites and the sophistication of these sites grows, it is likely that more complex attacks will be perpetrated through them, including the use of malicious shortened URLs. In addition, these threats should be a concern for network administrators because many users access their social networks from work computers. Users should ensure that they monitor the security settings of their profiles on these sites as much as possible, especially because many settings are automatically set to share a wealth of potentially exploitable information. It is up to the user to restrict access to his or her social networking profile.

For further information on these and other malicious attacks, please refer to the Symantec Internet Security Threat Report, Vol. 16.

Caught You Clickin’

For those of you who arrived on this page after clicking on our link, we caught you clicking! Not that we blame you, though. After all, everyone loves clicking on links!

However, this just goes to show why social engineering is as effective in spreading malware today as it was exactly ten years ago, when the Anna Kournikova virus sped across the Internet almost as fast as the tennis star’s serve.

The virus was so successful because, well, let’s face it, everyone wanted to check out the athletic beauty’s latest picture. In the end, though, all they got was a malware infection and a hard life lesson: "curiosity killed the cat."

The fact of the matter is that not much has changed in this regard. Today, just about anyone or anything making headlines seems to be fair game for malware authors and phishers to exploit. The popularity of shortened URLs—which, as a byproduct, disguise where link-clickers are actually being taken—has only made the problem more challenging. In fact, the majority of today’s shortened URLs are malicious, but that’s a discussion that will have to wait until Symantec releases its Internet Security Threat Report XVI later this year.

In the meantime, here’s our full blog post on the ten year anniversary of the Anna Kournikova virus: