There's slightly more to it than just spam promoting porn pages via Google. Looking through the code shows multiple redirections, a 301 followed by a 302, which eventually lead to a Cernel hosted site that infects the unsuspecting user with the Zlob trojan;
Start here;
http://vurl.mysteryfcm.co.uk/?url=http://www.aarp.org/community/c1w2y8&selUAStr=1&cbxLinks=&cbxSource=on&cbxBlacklist=on&selServer=4&ref=
/Begin edit 22-09-08 00:58
A check a few seconds ago shows the aarp profile no longer exists. Alas, there doesn't seem to be a cache of it either ....
/-End edit 22-09-08 00:58
Next, it leads you to;
http://vurl.mysteryfcm.co.uk/?url=http://plzwait.info/in.cgi?2&parameter=teen+galleries&ur=1&HTTP_REFERER=http://www.aarp.org/community/c1w2y8&selUAStr=1&cbxLinks=&cbxSource=on&cbxBlacklist=on&selServer=3&ref=http://www.aarp.org/community/c1w2y8
If you look at the headers (displayed just above the source code), you'll notice the 301 via joyfulclipz.com followed by the 302 via breeddirect.com.
The final result is the Zlob trojan (12K UPX packed, 32K unpacked, a Visual C++ 6 file: setup.exe), courtesy of movsdevices.com, as shown in the source at the following.
http://vurl.mysteryfcm.co.uk/?url=http://plzwait.info/st/st.php?cat=63&script=1&url=http://www.wootmovs.com/m4/index.php?id=1117&n=teen&a=fireplace&v=2133734&preview=http://img2.joyfulclipz.com/st/thumbs/010/7598829497.jpg&p=100&selUAStr=1&cbxLinks=&cbxSource=on&cbxBlacklist=on&selServer=3&ref=http://plzwait.info/in.cgi?2&parameter=teen%20galleries&ur=1&HTTP_REFERER=http://www.aarp.org/community/c1w2y8
Detection for the file, packed and unpacked, is rubbish :o(
Packed (5/36)
http://www.virustotal.com/analisis/a65ca4aea5af13882b9e3c340a419922
Unpacked (1/36)
http://www.virustotal.com/analisis/9f242182ca38a09c4e050043e22b5b76
Alas, I'm in the process of fixing my laptop at the moment, so I'll leave the detailed analysis of the executable to someone else.
Sites involved:
breeddirect.com (78.157.143.200)
joyfulclipz.com (78.108.177.124)
img2.joyfulclipz.com (78.108.177.124; img1 to img4 also resolve)
wootmovs.com (78.157.143.133)
movsdevices.com (77.91.231.201)
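The header chain above (a 301 served by joyfulclipz.com, then a 302 via breeddirect.com) is the kind of thing worth tracing hop by hop rather than letting a client follow it silently, and the "Sites involved" list is a ready-made blocklist to match each hop against. The following is an added example, not code from the original post: a small tracer that records every hop's status and Location header, resolves relative Location values, stops on loops, and reports which hosts in the chain appear on the post's site list. The live fetcher uses urllib with redirect-following disabled; the constructed response table stands in for the real chain so the script runs offline, and its paths and first-hop status are placeholders, not captured data.

```python
"""Hop-by-hop redirect tracer (added example, not from the original post)."""
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit

# Hosts listed under "Sites involved" in the post. Subdomains such as
# img1-4.joyfulclipz.com match by suffix in host_is_blocked().
BLOCKLIST = {
    "breeddirect.com",
    "joyfulclipz.com",
    "wootmovs.com",
    "movsdevices.com",
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib report 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # None turns the 3xx into an HTTPError, caught below


def fetch_no_follow(url, timeout=10):
    """Return (status, Location header or None) for one request, never following.

    Live network helper; the offline demo below uses sample_fetch() instead.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "redirect-tracer/0.1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except HTTPError as err:
        return err.code, err.headers.get("Location")


def trace_redirects(start_url, fetch, max_hops=10):
    """Walk the chain one hop at a time, recording (url, status, next_url).

    Stops at a non-redirect status, a missing Location, a loop, or max_hops.
    """
    hops = []
    seen = set()
    url = start_url
    while url and url not in seen and len(hops) < max_hops:
        seen.add(url)
        status, location = fetch(url)
        # Location may be relative; resolve it against the current URL.
        next_url = urljoin(url, location) if location else None
        if status not in REDIRECT_CODES:
            next_url = None  # a Location header on a non-3xx is not a redirect
        hops.append((url, status, next_url))
        url = next_url
    return hops


def host_is_blocked(host):
    """True if host is a blocklisted domain or a subdomain of one."""
    host = host.lower()
    return any(host == b or host.endswith("." + b) for b in BLOCKLIST)


def blocked_hosts(hops):
    """Sorted list of blocklisted hosts touched anywhere in the chain."""
    hosts = {urlsplit(url).hostname for url, _, _ in hops}
    return sorted(h for h in hosts if h and host_is_blocked(h))


# Constructed offline stand-in for the chain described in the post: a 301
# served by joyfulclipz.com followed by a 302 served by breeddirect.com.
# Paths and the first hop's status are placeholders, not captured data.
SAMPLE_RESPONSES = {
    "http://plzwait.info/in.cgi?2": (302, "http://joyfulclipz.com/placeholder-path"),
    "http://joyfulclipz.com/placeholder-path": (301, "http://breeddirect.com/placeholder-path"),
    "http://breeddirect.com/placeholder-path": (302, "/placeholder-landing"),
    "http://breeddirect.com/placeholder-landing": (200, None),
}


def sample_fetch(url):
    """Offline fetcher backed by the constructed table above."""
    return SAMPLE_RESPONSES.get(url, (404, None))


def run_sample():
    """Trace the constructed chain from its first hop."""
    return trace_redirects("http://plzwait.info/in.cgi?2", sample_fetch)


if __name__ == "__main__":
    hops = run_sample()
    for url, status, nxt in hops:
        print(f"{status} {url} -> {nxt}")
    print("blocklisted hosts in chain:", blocked_hosts(hops))
```

Swap `sample_fetch` for `fetch_no_follow` to walk a live chain; keeping the fetcher pluggable is what makes the tracer testable without touching the hosts in question. The loop guard matters in practice, because redirector scripts of this kind sometimes bounce back to an earlier hop when the referer or User-Agent check fails.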
References:
AARP Site Hacked and Spammed
http://www.mxlogic.com/itsecurityblog/1/2008/09/AARP-Site-Hacked-and-Spammed.cfm
Porn Operators Hijack Pages on AARP Website
http://www.darkreading.com/document.asp?doc_id=164115&f_src=darkreading_section_296
Knew I'd find the original reference that led me to this ;o)
Porn Operators Hijack Pages on AARP Website
http://temerc.com/forums/viewtopic.php?f=4&t=5780
Thursday 18 September 2008