Following on from the IST (Internet Service Team) and their blackhat SEO involving Google, we've got yet another example of Google poisoning, this time from Netelligent Hosting Services Inc and going via SteepHost and Layered Tech.
Unlike the previous one, that contained the script directly, this one contains random rubbish on the site itself, but loads a file called script.js;
vURL Online - Dissect - http://test-file-and-windows-defender.mycepi.net
script.js is pretty much the same as the last one, in that it checks the referer, and ONLY redirects to the malware, if you've come from a search engine result;
If you've NOT come from a search engine result, you're taken directly to Google.com.
vURL Online - Dissect - http://test-file-and-windows-defender.mycepi.net/script.js
If however, you've come from a search engine such as Google, you're taken instead, via zodune.info (220.127.116.11) to bestwebscantools.com (18.104.22.168);
Where you're presented with the following scare tactics;
install.exe - MD5: 924393ff9b991829ade66d9fe21bc29f
This package is 466KB of roguerific goodness called System Security 2009, and is a WinWebSecurity variant. This particular variant, is currently only detected by a-Squared (Trojan.Win32.Winwebsec!IK), Malwarebytes Anti-Malware, BitDefender (Gen:Trojan.Heur.HY.D1827D7D7D) and Ikarus (Trojan.Win32.Winwebsec).
bestwebscantools.com, like all of the rest, shares it's IP address, with a whole host of rogueified goodness, including;
Sadly, Anubis doesn't seem to be feeling too well at the moment, as it errored out when I tried submitting the file to it, so I submitted it to JoeBox and ThreatExpert instead. The Threat Expert report is referenced above, but JoeBox haven't gotten back to me yet, so I'll post that when it comes through.
In the meantime, feel free to go have a shout at the hosting companies providing the hosting for this rubbish.