I've just had an e-mail from a friend, with the subject "Gumblar gets all the attention, but the other guys are still busy too", and he couldn't be more right - the recent spate of Gumblar/Martuz infections are garnering all of the press coverage, with the rest going relatively ignored - well I won't stand for that. There's more than one infection going around, and this particular one involves not Google poisoning - but Live poisoning (Live for those folks unaware, is Microsofts search engine).
The Live.com query was for nothing more nefarious than a cupcake recipe, and the infected domain, regishouse.org, a hacked participant.
If we look at the regishouse.org source code, we immediately notice the following;
Following this URL sends us through a couple of redirects, with the final destination apparently varying. I didn't record the first time I followed it, but the report I received showed the following;
The second time I followed this, in order to document it for you fine folks, I was finally taken from gje.stakeshouse.cn through;
Now I'm not saying they're paranoid but, apparently these fine folks want to ensure you're using Flash, presumably, to make it more difficult to automate analysis (like that's going to work);
So what does this give us? Why a lovely roguerific piece of crapness called System Security Antivirus (WinWebSecurity variant) of course!
Which gives us a lovely little file called install.exe (482K - MD5: e8bba2fc1c2f1a89ad73bc897b424e65)
Result: 6/40 (15.00%)
gje.stakeshouse.cn - 126.96.36.199, 188.8.131.52, 184.108.40.206
autoperformspec.com - 220.127.116.11, 18.104.22.168
dumake.cn - 22.214.171.124
crownsafetytool.com - 126.96.36.199
updateserversoftware.com - 188.8.131.52
Net-blocks involved (recognize them?)