Bl4ck: Coming Soon to a Hacked Page Near You


Quite often, you'll come across a website that's been hacked and admire the no doubt humorous picture, comical text and "advice" given to the site admin as little more than a harmless prank, something to be filed away on a hacked-site archive. Well, beware: many of those "hacked site" archives don't clean up the pages beforehand, so you'll likely be hit with something nasty if the hacker decided to put something evil there. And wouldn't you know it, we have one such example for you coming up.

An individual under the alias of SnIpEr_SA is currently making his way through as many domains as he can handle (currently 25+ in the last ten days, which thankfully isn't very prolific) and leaving a little "present" for anyone unlucky enough to view his pages while using IE:

http://blog.spywareguide.com/upload/2006/08/bl4ck1-thumb.jpg

As you can see, the file (a 5kb MS-DOS application) is downloaded into the Temp folder. The interesting aspect of this file is its strange behavior.

http://blog.spywareguide.com/upload/2006/08/bl4ck22-thumb.jpg

In fact, it doesn't seem to do much of anything, which simply makes me all the more suspicious. Closer examination of the file reveals some interesting findings. Usually, looking inside the code of a malicious application reveals all kinds of things: additional download links, clues as to what the file does, passwords, the name of the creator... you name it, we've found it on our travels. However, this is the first time I've looked inside a file like this and found what appears to be the HTML for a webpage telling you "this account has been suspended". Even stranger, there are a number of links to various webhosting companies (but not specific download links, as you would expect), an advert link and a reference to Elitemediagroup.
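The "closer examination" above is the classic first-pass triage of an unknown binary: pull out the printable strings and sort them into URLs, embedded HTML and everything else, so an analyst sees at a glance whether the file carries download links, web page text or vendor names. The script below is an added example and not the authors' own tooling; the `SAMPLE` bytes are constructed to mimic a dropper with an embedded "account suspended" page and a few links (the `.example` hosts are placeholders, not from the post), so that it runs offline without the real file.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for the 5 KB file: junk bytes wrapped around a fake
# "account suspended" page, two links and a vendor-style name. Not the real sample.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\x00<html><head><title>Account Suspended</title></head>\x00"
    b"\x01\x02This account has been suspended.\x00"
    b"http://hosting.example/plans\x00http://ads.example/click?id=1\x00"
    b"\x7f\x7f\x7fElitemediagroup\x00\x00"
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")          # absolute http(s) URLs
TAG_RE = re.compile(r"</?[a-zA-Z][a-zA-Z0-9]*[^>]*>")  # anything that looks like an HTML tag


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return runs of printable ASCII of at least min_len bytes (what `strings` does)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def triage_strings(data: bytes, min_len: int = 4) -> dict:
    """Bucket the extracted strings into URLs, the hosts they point at, HTML fragments
    and plain text, so a reviewer can judge what the file carries before running it."""
    strings = extract_strings(data, min_len)
    urls = sorted({u for s in strings for u in URL_RE.findall(s)})
    hosts = sorted({h for h in (urlparse(u).hostname for u in urls) if h})
    html = [s for s in strings if TAG_RE.search(s)]
    other = [s for s in strings if not TAG_RE.search(s) and not URL_RE.search(s)]
    return {"urls": urls, "hosts": hosts, "html": html, "other": other}


if __name__ == "__main__":
    report = triage_strings(SAMPLE)
    for bucket, items in report.items():
        print(f"[{bucket}]")
        for item in items:
            print("   ", item)
```

On a real sample the "hosts" list is the part worth acting on: any host in it can be checked against proxy logs and, if nothing on the network should talk to it, blocked at the perimeter. A file that carries only a suspension page and hosting adverts, as the post describes, is unusual precisely because that list gives a responder nothing obviously malicious to block.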

As a parting thought, it's worth noting that if you go to websites such as Zone-H to view the latest archived webpage defacements, they do indeed include the above hacks by SnIpEr_SA. However, they also include the infection file, which raises the interesting question of how many people over the last however many years have been infected simply by viewing archived defacements.

Suddenly, checking out all those cool hacks doesn't seem quite as appealing...

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research and Discovery: Chris Mannon, FSL Senior Threat Researcher

3 Comments

I will continue to visit. Enjoyed the reading, thanks.

Hi there! Just want to say that I find your site interesting enough for me. Though interesting for me. Useful information and all is well arranged. I will visit your site more often from now on and I bookmarked it. Thank you for your work.

myspace has been hit with this assholish virus ^^


About this Entry

This page contains a single entry by Christopher Boyd published on August 29, 2006 10:20 AM.
