A massive earthquake struck near the Chilean city of Concepcion in the early hours of the morning of February 27th, 2010. The quake, measuring 8.8 on the Richter scale, was considerably stronger than the one that recently caused widespread destruction on the island of Haiti. Fortunately, despite the size of this latest quake, so far there have been few reported casualties. The quake occurred near the coast and tsunami warnings were issued for many countries bordering on the Pacific Ocean. Unfortunately, as with any major news event, miscreants are not slow to pounce when such opportunities arise to further their aims.
Search engine results returned for terms such as “Chile Earthquake” are being poisoned to lead users to rogue antivirus web sites.
.....
http://www.symantec.com/connect/blogs/massive-earthquake-chile-leads-surge-rogue-antivirus
For further investigation and out of curiosity, I changed the keywords a little and, to my surprise, the rogue antivirus web pages were appearing on the first Google search page.
Any combination of keywords such as tsunami, Santiago, Chile, earthquake, pictures, etc. would display poisoned search results on Google. Many of the results appear to be compromised legitimate websites. A small sample of such websites includes the following (enter at your own risk):
Each of the above doorway pages redirected users to a set of landing sites that displayed fake antivirus alerts:
Some of the landing sites include an exploit payload for unpatched browsers. Additionally, clicking anywhere on the site would prompt an unwary user to download the installation file for the rogue antivirus.
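As an added illustration (not from the original post), the redirect chain described above leaves a recognisable trace in web proxy logs: a request for a short, randomly named PHP script whose query string carries the trending keywords, arriving with a search-engine referer and answered with a redirect, followed by the same client fetching a host whose name advertises a "scan" or "cure". The log lines, hostnames and keyword list below are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed proxy log lines (not real traffic); fields are
# time, client, method, URL, HTTP status, referer. Hostnames are
# placeholders imitating the doorway-page and fake-AV patterns above.
SAMPLE_LOG = """\
2010-02-28T10:01:02 10.0.0.5 GET http://legit-shop.example/pap.php?q=santiago-earthquake 302 http://www.google.com/search?q=santiago+earthquake
2010-02-28T10:01:03 10.0.0.5 GET http://www1.fast-scan-and-cure.invalid/index.html 200 http://legit-shop.example/pap.php?q=santiago-earthquake
2010-02-28T10:05:10 10.0.0.7 GET http://legit-news.example/2010/chile-quake.html 200 http://www.google.com/search?q=chile+earthquake
2010-02-28T10:06:00 10.0.0.9 GET http://legit-club.example/njenh/sokzp.php?tsunamis-earthquake 302 http://www.bing.com/search?q=tsunami+earthquake
"""

SEARCH_HOSTS = ("google.", "bing.", "yahoo.")
# Trending terms for this event; a real deployment would feed these from news.
EVENT_WORDS = ("earthquake", "tsunami", "quake", "chile", "santiago")
# Doorway scripts in this campaign had short, meaningless names (pap.php, fjn.php, sokzp.php).
DOORWAY_SCRIPT = re.compile(r"/[a-z0-9]{2,6}\.php$")
# Fake-AV landing hosts advertised scanning/cleaning in the hostname itself.
FAKE_AV_HOST = re.compile(r"scan|cure|spyware|antivir")


def from_search_engine(referer):
    """True when the referer host belongs to a search engine."""
    host = urlsplit(referer).netloc.lower()
    return any(marker in host for marker in SEARCH_HOSTS)


def looks_like_doorway(url, status, referer):
    """Short PHP script + news keywords in query + search referer + redirect."""
    parts = urlsplit(url)
    query = unquote_plus(parts.query).lower()   # decodes %20 and '+'
    return (DOORWAY_SCRIPT.search(parts.path.lower()) is not None
            and any(word in query for word in EVENT_WORDS)
            and from_search_engine(referer)
            and status.startswith("3"))


def find_suspicious(log_text):
    """Return (client, url, reason) for doorway hits and the landing pages reached through them."""
    findings, doorways = [], set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _method, url, status, referer = line.split()
        if looks_like_doorway(url, status, referer):
            doorways.add(url)
            findings.append((client, url, "doorway: short php script, news keywords, search referer, redirect"))
        elif referer in doorways and FAKE_AV_HOST.search(urlsplit(url).netloc.lower()):
            findings.append((client, url, "fake-av landing reached via doorway redirect"))
    return findings


if __name__ == "__main__":
    for client, url, reason in find_suspicious(SAMPLE_LOG):
        print(client, url, reason)
```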
So far, I have picked up three different variants of malware files from the above pages. Two of the malicious files were reported to MMPC. The third variant was somewhat blocked on my machine.
The first file is currently detected by 11 out of 41 security vendors as shown here: http://www.virustotal.com/analisis/fabca4efdaf5c89d36e153637fbe92bc130f62812d6261833b073a23240260c8-1267321093
The second file is detected by only 6 out of 41 security vendors: http://www.virustotal.com/analisis/6120d00068c7e9c15c664ca0aefbbea6a5e97c589074007635bfffad8ef49e9f-1267350125
All of the above URLs have been submitted to MalwareURL.