Blog Hijackings Lead to Zlob, Rape Porn and Rogue Antispyware


Not too long ago, a number of blogs were apparently compromised and redirects were put in place to lead you to a rogue antispyware application called Malware Alarm. Well, it looks like whoever was behind it decided to ditch the idea of compromising blogs, settling instead for setting up hundreds of Spam Blogs, pasting in some Javascript and watching all Hell break loose.

All of the spam profiles seem to have been created in July, here's a short sample:

[Screenshot: spam blog profile 1, http://blog.spywareguide.com/upload/2007/07/splog1-thumb.jpg]
[Screenshot: spam blog profile 2, http://blog.spywareguide.com/upload/2007/07/splog2-thumb.jpg]
[Screenshot: spam blog profile 3, http://blog.spywareguide.com/upload/2007/07/splog3-thumb.jpg]

If you visit one of the infected sites, you'll see the "real" blog page appear for a second or two:

[Screenshot: the "real" blog content shown briefly before the redirect, http://blog.spywareguide.com/upload/2007/07/splogcontent-thumb.jpg]

...and then you'll be redirected to content that could be classed as "undesirable", and that's being incredibly generous.
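The behaviour described above (the genuine-looking page loads, then a script sends the visitor somewhere else a moment later) can be checked for offline before anyone's browser runs the script. The following is an added example, not code from the original post or from SpywareGuide: it scans a page's script blocks for `location` assignments and a `setTimeout` delay, and reports only targets on a different host than the blog itself. The sample page and its hostnames are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristics: a JavaScript location assignment (or location.replace) inside a <script>,
# plus the setTimeout delay that lets the "real" page show for a second or two first.
JS_REDIRECT = re.compile(
    r"(?:(?:window|document|top|self)\.)?location(?:\.href)?"
    r"(?:\s*=\s*|\.replace\s*\(\s*)['\"](https?://[^'\"]+)['\"]", re.I)
JS_DELAY = re.compile(r"setTimeout\s*\(.*?,\s*(\d+)\s*\)", re.I | re.S)

class RedirectFinder(HTMLParser):
    # Collects (target_url, delay_seconds) for every script-driven redirect seen.
    def __init__(self):
        super().__init__()
        self.in_script, self.script_buf, self.findings = False, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True

    def handle_data(self, data):
        if self.in_script:
            self.script_buf.append(data)

    def handle_endtag(self, tag):
        if tag != "script":
            return
        self.in_script, src, self.script_buf = False, "".join(self.script_buf), []
        delay = JS_DELAY.search(src)  # heuristic: first "..., <ms>)" after setTimeout(
        secs = float(delay.group(1)) / 1000 if delay else 0.0
        for m in JS_REDIRECT.finditer(src):
            self.findings.append((m.group(1), secs))

def find_offsite_redirects(html, page_url):
    # Return redirects whose target host differs from the host serving the page.
    finder = RedirectFinder()
    finder.feed(html)
    finder.close()
    host = urlparse(page_url).hostname
    return [f for f in finder.findings if urlparse(f[0]).hostname != host]

# Constructed sample page (not a real splog): benign content, one delayed off-site
# redirect, and one same-site redirect that should be ignored.
SAMPLE_SPLOG = """<html><head><title>My Gadget Blog</title></head><body>
<p>Welcome to my blog about gadgets.</p>
<script type="text/javascript">
setTimeout(function(){ window.location.href = "http://rogue-av.example/scan"; }, 1500);
</script>
<script>location.href = "http://blog.example/index.html";</script>
</body></html>"""
```

Run `find_offsite_redirects(SAMPLE_SPLOG, "http://blog.example/post1")` to get the single off-site target and its 1.5 second delay; obfuscated scripts will need decoding before this simple pattern match sees them.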

By searching on the code and URLs used in the hijack (and there are at least two sites performing redirects in combination with the Javascript employed by the bad guys), we can see that the grand total of blogs carrying this hijack so far is...

[Screenshot: numberofsites1.jpg, search result count]

...ouch. So far, around 1694 Blogs are carrying this redirect, and there could well be other blogs out there not accounted for yet. At this point, you're probably wondering what kind of content you're redirected to, right? Well, the answer is not particularly pleasant for any number of reasons. Some of the Blogs will send you here:

[Screenshot: "Teenage Assault" title page, http://blog.spywareguide.com/upload/2007/07/assault-thumb.jpg]

"Teenage Assault", a hardcore rape site so extreme in its content that the only thing we can show you in the screenshot is the title on the main page. Presumably anyone crazy enough to sign up to the site and pay the joining fee will earn whoever is behind this some affiliate related cash.

The second stop is...

[Screenshot: Zlob codec landing page, http://blog.spywareguide.com/upload/2007/07/zlob-thumb.jpg]

Another spectacularly graphic page, this time a landing site for the ever-popular Zlob Trojans (which pose as Codecs needed to play pornographic content). There are many variations on these landing pages and the content is always a non-joy to behold.

Our final destination makes up the bulk of the redirects, and (as you might have guessed already) our finishing point is...

[Screenshot: Malware Alarm advertising page, http://blog.spywareguide.com/upload/2007/07/malarm1-thumb.jpg]

...Malware Alarm! If you fall for the fake YOUR PC IS DOOMED advertising, then you'll see the scanner below doing its job (telling you your PC is still doomed, unless you pay them money to "unlock" the scanner and remove all those horrible infections it claims you have):

[Screenshot: Malware Alarm fake scanner, http://blog.spywareguide.com/upload/2007/07/malarm2-thumb.jpg]

Of course, if you don't pay up, then you can expect endless nag screens appearing in the middle of your screen like this:

[Screenshot: Malware Alarm nag screen, http://blog.spywareguide.com/upload/2007/07/malarm3-thumb.jpg]

For now, the easiest way to avoid this is to disable Javascript. We've notified Google, and as far as we can tell, they've already nuked every single example given above. As I mentioned earlier, there could well be other domains out there performing these redirects so a little vigilance may be called for over the next few weeks. Either way:

[Screenshot: removed spam blog now returning a 404, http://blog.spywareguide.com/upload/2007/08/blog404-thumb.jpg]

...that's the best thing I've seen all day.

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Peter Jayaraj, FSL Threat Researcher


This page contains a single entry by Christopher Boyd published on July 31, 2007 7:59 AM.
