A Hijack that's All Smiles...


...or should that be Smileys?

Have a look at the site in the screenshot below:

http://blog.spywareguide.com/upload/2006/05/dbrdl3-thumb.jpg

Looks nice and innocent, right? Mr Smiley of Smiley Central, looking all happy and, er, smiley, on a website that basically fires you off to various top-100 lists and other "get this now" kinds of places.

Sadly, this website has something nasty lurking in the background, and if you know where to look, the startled expression on Mr Smiley's face takes on a whole new meaning. None of the links displayed onscreen lead to it; instead, enter the URL of the hidden executable directly, and...:

http://blog.spywareguide.com/upload/2006/05/dbrdl1-thumb.jpg

Is this an executable I see before me? Looks like it! Run the thing, and before you know it, your desktop is covered with all manner of popups and icons and who-knows-what else:
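The question above, "is this an executable?", is worth answering from the bytes rather than from the filename or the server's Content-Type, since a site like this one can hand out an .exe under any label it likes. The following is an added example, not code from the original post: it classifies a downloaded blob by its magic bytes (JPEG/PNG/GIF image headers versus the DOS "MZ" stub and "PE\0\0" signature of a Windows executable) and then walks a tiny mock "site" to show the innocent front page and the hidden payload side by side. The site paths and the minimal PE bytes are constructed for the demonstration.

```python
"""Tell an image from a Windows executable by inspecting headers, not names."""
import struct

IMAGE_FILE_DLL = 0x2000          # PE Characteristics flag: file is a DLL
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B   # Optional header Magic values


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of PE header
    if e_lfanew + 24 > len(data):                        # signature + COFF header
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(data: bytes) -> str:
    """Return a short type label derived purely from the file's header bytes."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if not is_pe(data):
        return "unknown"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # COFF header follows the 4-byte signature; Characteristics sits at +22,
    # and the optional header (starting with Magic) at +24.
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    magic = 0
    if e_lfanew + 26 <= len(data):
        magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    kind = "pe32+" if magic == PE32PLUS_MAGIC else "pe32"
    return kind + (" dll" if characteristics & IMAGE_FILE_DLL else " exe")


def build_min_pe(pe32plus: bool = False, dll: bool = False) -> bytes:
    """Constructed sample: the smallest header layout the checks above accept.
    Not a runnable program, just a DOS stub, PE signature, COFF header and
    the first bytes of an optional header."""
    e_lfanew = 0x80
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    machine = 0x8664 if pe32plus else 0x14C            # AMD64 or i386
    characteristics = 0x0002 | (IMAGE_FILE_DLL if dll else 0)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xF0, characteristics)
    optional = struct.pack("<H", PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    return bytes(dos) + b"PE\0\0" + coff + optional + b"\0" * 0xEE


# Constructed mock of a site like the one in the post: the front page is a
# harmless image, the payload lives at a path no visible link points to.
# Both paths are hypothetical.
MOCK_SITE = {
    "/index.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 32,
    "/hidden/setup.jpg": build_min_pe(),   # an executable wearing an image name
}


def scan(site: dict) -> dict:
    """Classify every resource of a mock site by content, ignoring its name."""
    return {path: classify(blob) for path, blob in site.items()}


if __name__ == "__main__":
    for path, kind in scan(MOCK_SITE).items():
        print(f"{path:20} {kind}")
```

The point of `scan` is that `/hidden/setup.jpg` is reported as `pe32 exe` despite its image extension; anything that trusts the name or the advertised MIME type would file it under "pictures of smileys".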

http://blog.spywareguide.com/upload/2006/05/dbrdl2-thumb.jpg

The startled look on Mr Smiley's visage is looking more and more like a horrified grimace, isn't it?

Interestingly, the payload is very similar to the one covered here, minus the Zango installer (though a call is still made to Zangocash.com).

Once again, we see friendly smileys subverted and used for the purpose of evil, instead of good.

Whoops.

2 TrackBacks


Gotta Catch 'Em All- PokaBots from ReveNews - Wayne Porter: Greynets, Malware, Adware & Spyware Research- E-commerce on May 26, 2006 1:35 PM

Like the game of Pokemon card trading, this week has been great for my collection of rogue files and dicey action. The hot form of action in the underworld seems to be botnets. PaperGhost reports: It's official - we've all gone Botnet crazy. Unfortunate...

A typical lament: "I just go to Amazon and Citibank, so why am I seeing pop-ups for Adult Friend Finder?" Parents, we have an answer: your teenager. One of the benefits of testing so much of the Web is that we've developed a good sense of wher...

7 Comments

Most interesting, especially the screenshots. I'm intrigued and wondering where this came from.

> Enter the URL for the super-secret hidden Executable (instead of randomly clicking any of the links displayed onscreen),

Maybe I've misunderstood something; but if the visitor can't download the hijacker executable file by clicking on any displayed links, and instead must know a "super-secret" URL, then it's unclear to me how sites like this one could ever pose a real malware-propagation problem. This seems like the anti-"drive-by download", and "security by obscurity" appears to work against getting the malware onto the box.

Hi Mark, it's just one of many websites that store hijack executables behind an otherwise innocent facade. Of course, the link will be pimped via IM and chat; the visitor won't be hit by going to the "proper" webpage. I just think it's rather cool when you find one of these ;)

Ah. Thanks, PG, got it.

heheh don't worry about it, I should have made it clearer. What can I say, I just get excited about these things!

Just in case anyone was wondering: They are most certainly not affiliated with Smiley Central or FunWebProducts in any way, shape, or form. We're working on getting that image taken down (at minimum). If by chance anyone should ever come across anything like this in future, I'll give a Smiley T-Shirt or Smiley Mug to the first person that emails me the URL.

Cheers,
-K

klawrence at ask (dot) com

Kirk Lawrence
Director, Internet Security & Privacy
IAC Search & Media

BTW - The site and the spyware are down now.

-K


About this Entry

This page contains a single entry by Christopher Boyd published on May 26, 2006 6:31 AM.
