Adware / Spyware Issues: July 2007 Archives

Not too long ago, a number of blogs were apparently compromised and redirects were put in place to lead you to a rogue antispyware application called Malware Alarm. Well, it looks like whoever was behind it decided to ditch the idea of compromising blogs, settling instead for setting up hundreds of Spam Blogs, pasting in some Javascript and watching all Hell break loose.

All of the spam profiles seem to have been created in July; here's a short sample:

[Screenshot: http://blog.spywareguide.com/upload/2007/07/splog1-thumb.jpg]
[Screenshot: http://blog.spywareguide.com/upload/2007/07/splog2-thumb.jpg]
[Screenshot: http://blog.spywareguide.com/upload/2007/07/splog3-thumb.jpg]

If you visit one of the infected sites, you'll see the "real" blog page appear for a second or two:

[Screenshot: http://blog.spywareguide.com/upload/2007/07/splogcontent-thumb.jpg]

...and then you'll be redirected to content that could be classed as "undesirable", and that's being incredibly generous.
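As an added illustration (not code from the original post), here is a small Python check for the behaviour just described: a page that renders its "real" content and then bounces the visitor elsewhere after a short delay. The sample markup, hostnames and function names are constructed for this example; the post does not publish the actual script used on the spam blogs.

```python
import re
from urllib.parse import urlparse

# Constructed sample page (hypothetical markup, not taken from the post):
# the blog content is visible, but two timed redirects are wired in.
SAMPLE_SPLOG_HTML = """
<html><head><title>My Totally Real Blog</title>
<meta http-equiv="refresh" content="2;url=http://redirector.example/go?id=1">
<script type="text/javascript">
setTimeout(function(){ window.location.href = 'http://landing.example/codec.php'; }, 1500);
</script>
</head><body><p>Welcome to my blog about cats.</p></body></html>
"""

# <meta http-equiv="refresh" content="N;url=..."> (attributes in this order).
META_REFRESH_RE = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*'
    r'content\s*=\s*["\']\s*(\d+)\s*;\s*url\s*=\s*([^"\'\s>]+)', re.IGNORECASE)
# setTimeout(function(){ ... }, N) with a single-level function body.
SET_TIMEOUT_RE = re.compile(
    r'setTimeout\s*\(\s*function\s*\(\s*\)\s*\{(?P<body>[^}]*)\}\s*,\s*(?P<delay>\d+)\s*\)',
    re.IGNORECASE | re.DOTALL)
# location = '...', location.href = '...', location.replace('...'), location.assign('...')
LOCATION_RE = re.compile(
    r'location(?:\.href)?\s*=\s*["\']([^"\']+)["\']'
    r'|location\.(?:replace|assign)\s*\(\s*["\']([^"\']+)["\']\s*\)', re.IGNORECASE)


def find_delayed_redirects(html):
    """Return [(mechanism, delay_ms, target_url)] for each timed redirect found."""
    hits = []
    for m in META_REFRESH_RE.finditer(html):
        hits.append(("meta-refresh", int(m.group(1)) * 1000, m.group(2)))
    for m in SET_TIMEOUT_RE.finditer(html):
        loc = LOCATION_RE.search(m.group("body"))
        if loc:
            hits.append(("setTimeout", int(m.group("delay")), loc.group(1) or loc.group(2)))
    return hits


def offsite_redirects(html, page_host, min_delay_ms=500):
    """Keep only redirects that wait at least min_delay_ms and leave page_host.

    The delay is what makes the real blog flash up before the visitor is sent
    elsewhere; a fast same-host redirect is ordinary navigation, not a hijack.
    """
    return [h for h in find_delayed_redirects(html)
            if h[1] >= min_delay_ms and urlparse(h[2]).hostname not in (None, page_host)]


if __name__ == "__main__":
    for hit in offsite_redirects(SAMPLE_SPLOG_HTML, "myblog.example"):
        print("%-12s after %5d ms -> %s" % hit)
```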

By searching on code / URLs used in the hijack (and there are at least two sites performing redirects in combination with the Javascript employed by the bad guys), we can see that the grand total of Blogs carrying this hijack so far is...

[Screenshot: numberofsites1.jpg]

...ouch. So far, around 1694 Blogs are carrying this redirect, and there could well be other blogs out there not accounted for yet. At this point, you're probably wondering what kind of content you're redirected to, right? Well, the answer is not particularly pleasant for any number of reasons. Some of the Blogs will send you here:

[Screenshot: http://blog.spywareguide.com/upload/2007/07/assault-thumb.jpg]

"Teenage Assault", a hardcore rape site so extreme in its content that the only thing we can show you in the screenshot is the title on the main page. Presumably anyone crazy enough to sign up to the site and pay the joining fee will earn whoever is behind this some affiliate related cash.

The second stop is....

[Screenshot: http://blog.spywareguide.com/upload/2007/07/zlob-thumb.jpg]

Another spectacularly graphic page, this time a landing site for the ever-popular Zlob Trojans (which pose as Codecs needed to play pornographic content). There are many variations on these landing pages and the content is always a non-joy to behold.

Our final destination makes up the bulk of the redirects, and (as you might have guessed already) our finishing point is...

[Screenshot: http://blog.spywareguide.com/upload/2007/07/malarm1-thumb.jpg]

....Malware Alarm! If you fall for the fake YOUR PC IS DOOMED advertising, then you'll see the below scanner doing its job (telling you your PC is still doomed, unless you pay them money to "unlock" the scanner and remove all those horrible infections it claims you have):

[Screenshot: http://blog.spywareguide.com/upload/2007/07/malarm2-thumb.jpg]

Of course, if you don't pay up, then you can expect endless nag screens appearing in the middle of your screen like this:

[Screenshot: http://blog.spywareguide.com/upload/2007/07/malarm3-thumb.jpg]

For now, the easiest way to avoid this is to disable Javascript. We've notified Google, and as far as we can tell, they've already nuked every single example given above. As I mentioned earlier, there could well be other domains out there performing these redirects so a little vigilance may be called for over the next few weeks. Either way:

[Screenshot: http://blog.spywareguide.com/upload/2007/08/blog404-thumb.jpg]

....that's the best thing I've seen all day.

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Peter Jayaraj, FSL Threat Researcher

A Zlob Trojan guy has posted on a Security Forum, wondering why nobody likes his infection files.

Watch things explode here. Thanks to Suzi for the tip!

Recently, there have been a number of weblogs, forums and chatrooms where spam messages advertising a videogame similar to the below have been posted:

[Screenshot: http://blog.spywareguide.com/upload/2007/07/tellmehowisit-thumb.jpg]

If you go to the YouTube video in question, you'll see the enticing prospect of what appears to be a "Grand Theft Auto game" (touted on the Modding sections of a number of GTA forums), though the modern day graphics seem to have taken a step back in time....to 1986.

[Screenshot: http://blog.spywareguide.com/upload/2007/07/ytgtaclip1-thumb.jpg]
[Screenshot: http://blog.spywareguide.com/upload/2007/07/ytgtaclip2-thumb.jpg]
[Screenshot: http://blog.spywareguide.com/upload/2007/07/ytgtaclip3-thumb.jpg]
[Screenshot: http://blog.spywareguide.com/upload/2007/07/ytgtaclip4-thumb.jpg]

As there have been a number of security stories related to YouTube in the media lately, let me say this right now: There is NO danger posed to your system through direct contact with the movie clips contained on the YouTube site itself...the "GTA Hood Life" clip is perfectly safe to play and watch. The bad guys are simply using movie files to advertise the bait (in the form of the game), at which point you go to an external website provided in the clip description text.

[Screenshot: http://blog.spywareguide.com/upload/2007/07/gtadownloads-thumb.jpg]

As you can see, 54 people have downloaded the file so far. I love it when virus writers use free hosting services that give you a general idea of how much damage they're likely to have done (though of course the file could quite easily be hosted elsewhere, too).

Anyone in the group of 54 unfortunate enough to have executed the installer will see what appears to be a legitimate installer procedure:

[Screenshot: http://blog.spywareguide.com/upload/2007/07/gtainstaller-thumb.jpg]

So far, so good. The installer completes, you run the game and once it finishes loading, you'll be doing drive-bys and coming straight outta Compton in no time at all, yes?

Er....

[Screenshot: gtaloading.jpg]

.....nothing to worry about, I'm sure. The Loader just seems to be a little slow, that's all....

[Screenshot: gtafailed.jpg]

Whoops. Looks like a hard knock life will have to wait (along with oversize novelty clocks) while we tackle the more immediate concern that not everything appears to be quite right with this PC. Yo.

Switching off the PC pretty much spells doom, gloom and other things ending in "oom" because once the desktop reappears, you'll discover that the only drive-by performed today was on your computer.

[Screenshot: http://blog.spywareguide.com/upload/2007/07/gtahahaha-thumb.jpg]

As you might have guessed from the screenshot, your PC will shut down (thanks to a pair of batch files) and you won't be able to do much with it unless you know about booting up in safe mode to avoid endless automated shutdowns. For what it's worth, the batch files are supposed to display the following, but the PC shuts off before it can trigger - thanks to some technical hoodoo voodoo, we can show the popup:

[Screenshot: gtahaha.JPG]

....yeah, awesome. Thanks.

Anyway, exploring the video files uploaded by the YouTube user is pretty interesting - here's a shot of a clip where they tell us about an infection they had on their PC:

[Screenshot: http://blog.spywareguide.com/upload/2007/07/pcvirusinfection-thumb.jpg]

.....and here's a shot of a clip where they show us how to "make a fatal virus":

[Screenshot: http://blog.spywareguide.com/upload/2007/07/victems-thumb.jpg]

It's somewhat strange that they're offering help with some videos and directing people to files that cripple your PC's ability to start up with others, but maybe that's the way it is when you're West Side for Life.

And yes, I am profusely sorry for all the lame Gangsta jokes.

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Peter Jayaraj, FSL Threat Researcher
Technical Research: Chris Mannon, FSL Senior Threat Researcher

About this Archive

This page is an archive of entries in the Adware / Spyware Issues category from July 2007.