My friend Tom sent me a couple of links earlier, to URLs that were reported to contain worms.
girls.without.clothes.are.on.these.shameful-pictures.com (69.90.81.141 - my.stupid.isp.did.not.update.my.dns - QITX Inc. PEER1-QITX-51)
Not seeing anything other than references to freeze, and login requests in the source code, I created a new MSN account, and duly loaded the page in the browser to see if there was indeed a worm. Alas nope, not thus far.
This one, courtesy of shameful-pictures.com, presents you a lovely little login form, asking for your MSN login details, and yep, it obviously checks if they're valid or not as I tried several times using random and bogus data that it kept rejecting, before I gave up and created a dedicated MSN test account for it.
Needless to say, you aren't given any nude pictures, contrary to its claim, nor however, was I able to find a worm - I did however, find malware from Freeze.com, which is the only other thing (aside from stealing MSN credentials) this thing seems to give. Once "logged in" (and I use that term very loosely here), you're presented with:
girls.without.clothes.are.on.these.shameful-pictures.com/pics.php
You've no doubt guessed, but I'm going to tell you anyway, that big "Click here to continue" button, leads you to off.freeze.com, but not before it's taken you on a little run-around:
START: 59.152.207.213/redir/?id=1c (IPC-NEWT - Hong Kong)
2. www.cpaclicks.com/secure.asp?e=cinksipisena&d=0&l=0&o=&p=0&subID1=&subID2=&subID3=&subID4=&subID5= (69.18.218.156 - Invision.com, Inc)
3. affiliates.copeac.com/ez/cinksipisena/&dp=0&l=0&p=0 (207.67.0.35 - intermarkmedia.wip.directresponsetech.com - Digital River, Inc. TWTC-DIGITALRIVER)
4. rdt.screensaver.com/?lgid=362&a=8305&f=2338|34103 (207.250.236.170 - ip170.freeze.com - GamePoint Inc. TWTC-GAMEP3)
END: lan.screensaver.com/LPQueue/885/index.asp?SessionId=444a7770-6aea-4935-a4c8-8086c356a5de&nat=0&cc=gb&cid=863170&lgid=362&a=8305&f=2338%7c34103 (87.248.211.177 - cds247.lon.llnw.net - Limelight Networks, LLNW-EU-2)
Or if you're using Opera, the URL it links you to, redirects you to:
register.freeze.com/Download/index.aspx?s=games&c=863168&SessionId=1679581c-2788-4b52-bc03-c2064fee86b0&fn=2334|34103 (207.250.236.107 - ip170.freeze.com - GamePoint Inc. TWTC-GAMEP3)
The other images, to the left and right of the "Click here to continue" button, are all located on MSN search results, so it's possible, if there was a worm, it came from one of those, but I couldn't find it.
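An added example, not part of the original post: a short Python script that parses the hop URLs listed above and reports identifier-like values that recur across hops, which ties the affiliate ID and campaign parameters to the hosts that pass them along. The `http://` scheme and the three-character minimum token length are assumptions made for this example.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Hop URLs copied from the post. No scheme is shown there, so "http://" is
# prepended below as an assumption, purely to make the strings parseable.
HOPS = [
    ("START", "59.152.207.213/redir/?id=1c"),
    ("2", "www.cpaclicks.com/secure.asp?e=cinksipisena&d=0&l=0&o=&p=0"
          "&subID1=&subID2=&subID3=&subID4=&subID5="),
    ("3", "affiliates.copeac.com/ez/cinksipisena/&dp=0&l=0&p=0"),
    ("4", "rdt.screensaver.com/?lgid=362&a=8305&f=2338|34103"),
    ("END", "lan.screensaver.com/LPQueue/885/index.asp"
            "?SessionId=444a7770-6aea-4935-a4c8-8086c356a5de&nat=0&cc=gb"
            "&cid=863170&lgid=362&a=8305&f=2338%7c34103"),
    ("OPERA", "register.freeze.com/Download/index.aspx?s=games&c=863168"
              "&SessionId=1679581c-2788-4b52-bc03-c2064fee86b0&fn=2334|34103"),
]

MIN_LEN = 3  # assumption: shorter values (0, gb, 1c) are flags, not identifiers


def tokens(url):
    """Return (host, identifier-like tokens) taken from the path and query."""
    parts = urlsplit("http://" + url)
    raw = parts.path.split("/")
    raw += [value for _, value in parse_qsl(parts.query)]  # decodes %7c to |
    found = set()
    for item in raw:
        for piece in item.split("|"):  # compound values such as 2338|34103
            if len(piece) >= MIN_LEN:
                found.add(piece)
    return parts.hostname, found


def shared_tokens(hops):
    """Map each token seen in more than one hop to its (label, host) list."""
    seen = defaultdict(list)
    for label, url in hops:
        host, toks = tokens(url)
        for tok in toks:
            seen[tok].append((label, host))
    return {tok: where for tok, where in seen.items() if len(where) > 1}


if __name__ == "__main__":
    for tok, where in sorted(shared_tokens(HOPS).items()):
        print(tok, "->", ", ".join(f"{label}:{host}" for label, host in where))
```

Tokens that survive from one host to the next are useful pivots when grouping related redirect chains in proxy or DNS logs.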
Thursday 6 August 2009