- A Hijack that's All Smiles...
...or should that be Smileys?
Check out the below site:
Looks nice and innocent, right? Mr Smiley of Smiley Central looking all happy and, er, smiley on a website that basically fires you off to various top 100 lists and other "get this now" kinds of places.
Sadly, this website has something nasty lurking in the background - because if you know where to look, the startled expression on Mr Smiley's face is given a whole new meaning. Enter the URL for the super-secret hidden Executable (instead of randomly clicking any of the links displayed onscreen), and...:
Is this an executable I see before me? Looks like it! Run the thing, and before you know it, your desktop is covered with all manner of popups and icons and who-knows-what else:
The startled look on Mr Smiley's visage is looking more and more like a horrified grimace, isn't it?
Interestingly, the payload is incredibly similar to the one covered here, minus the Zango installer (though a call is made to Zangocash.com).
Once again, we see friendly smileys subverted and used for the purpose of evil, instead of good.
Whoops.
Most interesting, especially the screenshots. I'm intrigued and wondering where this came from.
Posted by: suzi | May 26, 2006 10:43 PM
> Enter the URL for the super-secret hidden Executable (instead of randomly clicking any of the links displayed onscreen),
Maybe I've misunderstood something; but if the visitor can't download the hijacker executable file by clicking on any displayed links, and instead must know a "super-secret" URL, then it's unclear to me how sites like this one could ever pose a real malware-propagation problem. This seems like the anti-"drive-by download", and "security by obscurity" appears to work against getting the malware onto the box.
Posted by: Mark Odell | May 28, 2006 03:54 PM
hi Mark, it's just one of many websites that store hijack executables behind an otherwise innocent facade - of course, the link will be pimped via IM and chat, the visitor won't be hit by going to the "proper" webpage. I just think it's rather cool when you find one of these ;)
Posted by: Paperghost | May 28, 2006 10:50 PM
Ah. Thanks, PG, got it.
Posted by: Mark Odell | May 29, 2006 09:31 AM
heheh don't worry about it, I should have made it clearer. What can I say, I just get excited about these things!
Posted by: Paperghost | May 29, 2006 09:37 AM
Just in case anyone was wondering: They are most certainly not affiliated with Smiley Central or FunWebProducts in any way, shape, or form. We're working on getting that image taken down (at minimum). If by chance anyone should ever come across anything like this in future, I'll give a Smiley T-Shirt or Smiley Mug to the first person that emails me the URL.
Cheers,
-K
klawrence at ask (dot) com
Kirk Lawrence
Director, Internet Security & Privacy
IAC Search & Media
Posted by: Kirk Lawrence | June 1, 2006 09:14 AM
BTW - The site and the spyware are down now.
-K
Posted by: Kirk Lawrence | June 16, 2006 11:37 AM