More Blogspot Malware [UPDATED June 28]

TeMerc · **Posted:** Thu Dec 27, 2007 1:40 am

Anyone who's been reading this forum knows that I've been keeping an eye on Blogspot for malware since August. And before that even by about 3 weeks, PG wrote some up @ Spyware Guide.

I then followed up with write ups early September and again mid September and the latest being November.

Since then, I've been peeking in here and there and had not found anything in a malware nature, tho that's not to say there surely wasn't tons of splogs being documented by Chuck, it just meant no malware was being pushed.

Well after reading this over @ Sunbelt blog about fake codecs, nothing I was surprised to hear based on my previous outings I decided to take a hike thru Blogspot land to see what I could snag.

Well I can't say I was disappointed. As a matter of fact, they even made it easy for me to find the malware, once I noticed there was a pattern.

If you were to click on any Blogspot blog that a specific word in it, you got hit with some fun stuff. I'll not tell you the word to avoid anyone getting curious.

Oh and I'm not talking about fake codec here, where users get prompted to install something, using the ol' 'social engineering' trick, no sir, just by landing on any of these sites (over a dozen) you got dumped on the system a few files. The obvious ones were like these entries from a HJT log:

Quote:

2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\System32\bronto.dll

O4 - HKLM\..\Run: [Undefined] C:\WINDOWS\System32\winter.exe

O4 - HKCU\..\Run: [Undefined] C:\WINDOWS\System32\winter.exe

O4 - Startup: infos.exe

O4 - Global Startup: aacdurtwvw.exe

O4 - Global Startup: aejevqistk.exe

O4 - Global Startup: alynzfepse.exe

O4 - Global Startup: aurrqkjeqt.exe

O4 - Global Startup: autos.exe

O4 - Global Startup: azwzvdbvmk.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O20 - AppInit_DLLs: sol664.txt

Now the lines in 07 and 020 may have been from another malware run, I'll have to double check in the morning, but those others were dropped each time, all the ones which began with 'a'. I scanned all @ VT, but it seems someone else had found them at about the same time as I had, because almost each one had a scan date of 12-27.

Here are the few I snagged:

Quote:

File autos.exe received on 12.27.2007 08:23:31 (CET)
File size: 7680 bytes
MD5: 579e0795ce87238f79a8c7c0b5d5a2cb
SHA1: 27be31bdf6d240e145d67fe3bd823935f84b40b8

Result: 14/32 (43.75%)

AntiVir 7.6.0.46 2007.12.26 TR/Crypt.ULPM.Gen
Authentium 4.93.8 2007.12.27 Possibly a new variant of W32/STZ_like!Generic
AVG 7.5.0.516 2007.12.26 Downloader.Small.60.B
BitDefender 7.2 2007.12.27 Trojan.Downloader.WinAntivirus.A
eSafe 7.0.15.0 2007.12.26 suspicious Trojan/Worm
eTrust-Vet 31.3.5406 2007.12.27 Win32/Wantvi!generic
F-Prot 4.4.2.54 2007.12.26 W32/STZ_like!Generic
Kaspersky 7.0.0.125 2007.12.27 Heur.Trojan.Generic
McAfee 5193 2007.12.26 New Malware.bc
Microsoft 1.3109 2007.12.27 Trojan:Win32/Wantvi.A
NOD32v2 2748 2007.12.27 Win32/Qhost.ZR
Sophos 4.24.0 2007.12.27 Mal/HckPk-A
VirusBuster 4.3.26:9 2007.12.26 Trojan.Renos.Gen!Pac.5
Webwasher-Gateway 6.6.2 2007.12.27 Trojan.Crypt.ULPM.Gen

=================

File atycewwqiz.exe received on 12.27.2007 08:22:45 (CET)
File size: 35328 bytes
MD5: 4d4b7ee59d8e7043e35c4417336d75dd
SHA1: c44cf7b2b7a87d1c4b4a20b2af32b45ad81c4d99

Result: 10/32 (31.25%)

AntiVir 7.6.0.46 2007.12.26 TR/Crypt.XPACK.Gen
BitDefender 7.2 2007.12.27 Trojan.Downloader.WinAntivirus.A
CAT-QuickHeal 9.00 2007.12.26 (Suspicious) - DNAScan
eSafe 7.0.15.0 2007.12.26 Suspicious File
eTrust-Vet 31.3.5406 2007.12.27 Win32/Odrtre.B
Kaspersky 7.0.0.125 2007.12.27 Trojan.Win32.Qhost.zs
Microsoft 1.3109 2007.12.27 TrojanDropper:Win32/Odrtre.B
NOD32v2 2748 2007.12.27 a variant of Win32/TrojanDownloader.Agent.NPQ
VirusBuster 4.3.26:9 2007.12.26 Trojan.Renos.Gen!Pac.5
Webwasher-Gateway 6.6.2 2007.12.27 Trojan.Crypt.XPACK.Gen

=============

File infos.exe received on 12.27.2007 08:24:44 (CET)
File size: 7680 bytes
MD5: 579e0795ce87238f79a8c7c0b5d5a2cb
SHA1: 27be31bdf6d240e145d67fe3bd823935f84b40b8

Result: 14/32 (43.75%)

AntiVir 7.6.0.46 2007.12.26 TR/Crypt.ULPM.Gen
Authentium 4.93.8 2007.12.27 Possibly a new variant of W32/STZ_like!Generic
AVG 7.5.0.516 2007.12.26 Downloader.Small.60.B
BitDefender 7.2 2007.12.27 Trojan.Downloader.WinAntivirus.A
eSafe 7.0.15.0 2007.12.26 suspicious Trojan/Worm
eTrust-Vet 31.3.5406 2007.12.27 Win32/Wantvi!generic
F-Prot 4.4.2.54 2007.12.26 W32/STZ_like!Generic
Kaspersky 7.0.0.125 2007.12.27 Heur.Trojan.Generic
McAfee 5193 2007.12.26 New Malware.bc
Microsoft 1.3109 2007.12.27 Trojan:Win32/Wantvi.A
NOD32v2 2748 2007.12.27 Win32/Qhost.ZR
Sophos 4.24.0 2007.12.27 Mal/HckPk-A
VirusBuster 4.3.26:9 2007.12.26 Trojan.Renos.Gen!Pac.5
Webwasher-Gateway 6.6.2 2007.12.27 Trojan.Crypt.ULPM.Gen

And most all of the files which were already scanned, had similar results, not real bad, but not real good either.

I noticed that all the sites ran calls out to the same sites too, and a few, even went to our friends at Inhoster, over in the Ukraine. They are very well know malware\rogue hosting company. Very likely linked to the RBN

So be sure and stay away from the 'Next Blog' button, because these site are littered all thru the Blogspot world.

Tomorrow I'll do some more digging around to see what if anything has changed.

TeMerc · **Posted:** Thu Dec 27, 2007 7:14 pm

Did some more poking around today and there were not as many site littered about as last nite, but they were there.

I forgot to mention they also hijack the hosts file inserting the following:

Code:

168.200.3   ad.doubleclick.net
168.200.3   ad.fastclick.net
168.200.3   ads.fastclick.net
168.200.3   ar.atwola.com
168.200.3   atdmt.com
168.200.3   avp.ch
168.200.3   avp.com
168.200.3   avp.ru
168.200.3   awaps.net
168.200.3   banner.fastclick.net
168.200.3   banners.fastclick.net
168.200.3   ca.com
168.200.3   click.atdmt.com
168.200.3   clicks.atdmt.com
168.200.3   customer.symantec.com
168.200.3   dispatch.mcafee.com
168.200.3   download.mcafee.com
168.200.3   download.microsoft.com
168.200.3   downloads-us1.kaspersky-labs.com
168.200.3   downloads-us2.kaspersky-labs.com
168.200.3   downloads-us3.kaspersky-labs.com
168.200.3   downloads.microsoft.com
168.200.3   downloads1.kaspersky-labs.com
168.200.3   downloads2.kaspersky-labs.com
168.200.3   downloads3.kaspersky-labs.com
168.200.3   downloads4.kaspersky-labs.com
168.200.3   engine.awaps.net
168.200.3   f-secure.com
168.200.3   fastclick.net
168.200.3   ftp.avp.ch
168.200.3   ftp.downloads1.kaspersky-labs.com
168.200.3   ftp.downloads2.kaspersky-labs.com
168.200.3   ftp.downloads3.kaspersky-labs.com
168.200.3   ftp.f-secure.com
168.200.3   ftp.kasperskylab.ru
168.200.3   ftp.sophos.com
168.200.3   go.microsoft.com
168.200.3   ids.kaspersky-labs.com
168.200.3   kaspersky-labs.com
168.200.3   kaspersky.com
168.200.3   liveupdate.symantec.com
168.200.3   liveupdate.symantecliveupdate.com
168.200.3   mast.mcafee.com
168.200.3   mcafee.com
168.200.3   media.fastclick.net
168.200.3   microsoft.com
168.200.3   msdn.microsoft.com
168.200.3   my-etrust.com
168.200.3   nai.com
168.200.3   networkassociates.com
168.200.3   norton.com
168.200.3   office.microsoft.com
168.200.3   pandasoftware.com
168.200.3   phx.corporate-ir.net
168.200.3   rads.mcafee.com
168.200.3   secure.nai.com
168.200.3   securityresponse.symantec.com
168.200.3   service1.symantec.com
168.200.3   sophos.com
168.200.3   spd.atdmt.com
168.200.3   support.microsoft.com
168.200.3   symantec.com
168.200.3   trendmicro.com
168.200.3   update.symantec.com
168.200.3   updates.symantec.com
168.200.3   updates1.kaspersky-labs.com
168.200.3   updates2.kaspersky-labs.com
168.200.3   updates3.kaspersky-labs.com
168.200.3   updates4.kaspersky-labs.com
168.200.3   updates5.kaspersky-labs.com
168.200.3   us.mcafee.com
168.200.3   vil.nai.com
168.200.3   viruslist.com
168.200.3   viruslist.ru
168.200.3   virusscan.jotti.org
168.200.3   virustotal.com
168.200.3   windowsupdate.microsoft.com
168.200.3   www.avp.ch
168.200.3   www.avp.com
168.200.3   www.avp.ru
168.200.3   www.awaps.net
168.200.3   www.ca.com
168.200.3   www.f-secure.com
168.200.3   www.fastclick.net
168.200.3   www.grisoft.com
168.200.3   www.kaspersky-labs.com
168.200.3   www.kaspersky.com
168.200.3   www.kaspersky.ru
168.200.3   www.mcafee.com
168.200.3   www.microsoft.com
168.200.3   www.my-etrust.com
168.200.3   www.nai.com
168.200.3   www.networkassociates.com
168.200.3   www.pandasoftware.com
168.200.3   www.sophos.com
168.200.3   www.symantec.com
168.200.3   www.symantec.com 
168.200.3   www.trendmicro.com
168.200.3   www.viruslist.com
168.200.3   www.viruslist.ru
168.200.3   www.virustotal.com
168.200.3   www3.ca.com

Hmmm.... so once you're infected, they don't want you getting to update your av. :twisted:

Also as noted yesterday the 'target' name is the same, they even target kids cartoons!

I'll be checking Blogspot throughout the next few days to see if they make any changes.

TeMerc · **Posted:** Fri Dec 28, 2007 12:04 am

Adding more fuel to the Blogspot malware problem is Trend Labs Blog

Seems everyone is finding crap on blogspot now, maybe Google will finally fix it once and for all.

JeanInMontana · **Posted:** Fri Dec 28, 2007 12:23 pm

Google really needs to do something about this. They need to take responsibility for what is posted on the blogs they host. :evil:

TeMerc · **Posted:** Fri Dec 28, 2007 12:44 pm

I've posted to one of the 'back rooms', so lets see how fast Google acts.

JeanInMontana · **Posted:** Fri Dec 28, 2007 1:18 pm

TeMerc wrote:

I've posted to one of the 'back rooms', so lets see how fast Google acts.

Errr G has back rooms? Ya lost me.

TeMerc · **Posted:** Fri Dec 28, 2007 2:10 pm

JeanInMontana wrote:

TeMerc wrote:

I've posted to one of the 'back rooms', so lets see how fast Google acts.

Errr G has back rooms? Ya lost me.

People at 'that back room' have connections to Google. You know which one I mean.

TeMerc · **Posted:** Sun Dec 30, 2007 10:55 am

Well as of last nite and this morning, it seems the two 'keyword' BMG set of sites no longer spew forth any malware. They just link to pron and to each other.

I'm going thru the latest set of updated blogs to see if there are any new ones.

Here are a few sites which are primary 'contributors' if you will:
yboeragu.com
spelredeadread.com
pornuha.ws
inetlog.ru

TeMerc · **Posted:** Sun Dec 30, 2007 2:51 pm

Seems the these two yboeragu & spelredeadread are related and owned by the same person:

http://hphosts.mysteryfcm.co.uk/default ... ad.com%2F+

yberobul.net/ms06006.php 81.95.149.133 - Exploits Nintendo Inc. / Olkenka Polinovich / traff[*] shmid.com

yboeragu.com/in.php?adv=382 82.103.128.83 e82-103-128-83s.easyspeedy.com Exploits Nintendo Inc. / Olkenka Polinovich / traff[*]shmid.com

yboeragu.com/mfsa200550.php?adv=852 82.103.128.83 e82-103-128-83s.easyspeedy.com Exploits Nintendo Inc. / Olkenka Polinovich / traff[*]shmid.com

As well as this site:
yjytuv.net/adw_files/703/install.exe?adv=70 81.95.149.133 - Exploits Olkenka Polinovich / traff[*]shmid.com

yjytuv.net/in.php?adv=703 81.95.149.133 - Exploits Olkenka Polinovich / traff[*]shmid.com

All these share same IP & DNS server:
spelredeadread.com A 82.103.128.83
watgotcenteror.com A 82.103.128.83
ns1.watgotcenteror.com A 82.103.128.83
ns2.watgotcenteror.com A 82.103.128.83
yboeragu.com A 82.103.128.83
voovle.info A 82.103.128.83
yjytuv.net A 82.103.128.83

Rus Cert

TeMerc · **Posted:** Sun Dec 30, 2007 5:11 pm

From Google TOS\Content policy:

Quote:

SPAM, MALICIOUS CODES AND VIRUSES: We do not allow spamming or transmitting malware and viruses.

I forwarded this thread link to the good people at SANS and they entered an entry to thier diary but were of the opinion that Google could not police this, but I guess we'll have to await some sort of 'official' word.

Stay tuned to this thread for more.

Next stop...Stopbadware.org. Lets see what they have to say about this and lets hope they don't send me to some form page to submit each site one at a time.

I'm so totally baffled I can't see straight.

TeMerc · **Posted:** Sun Dec 30, 2007 11:38 pm

Well I've posted to StopBadware.org group.

TeMerc · **Posted:** Mon Dec 31, 2007 11:00 am

This has picked up some very supportive replies at the stopbadware thread. I'm surprised a couple of these guys actually come here to read stuff! rofl

MysteryFCM · **Posted:** Tue Jan 01, 2008 9:59 am

hehe nice one dude

TeMerc · **Posted:** Wed Jan 02, 2008 7:12 pm

I got a mention in an article by Dan Kaplan, over at SC Magazine. And while not really related to the video\Storm\codec thing, it's a start. I'm going to email him some more info and maybe we'll be able to get a full article about it. The bummer is that these guys turn the sites off and on so they surely will not have anything 'live' while it's in the news.
Google Blogspots redirecting to fake Bhutto assassination videos

January 02, 2008
Dan Kaplan

A number of Google Blogspot pages that promise video of the assassination of former Pakistani Prime Minister Benazir Bhutto remain active today, security researchers said.

Alex Eckelberry, president of anti-malware provider Sunbelt Software, said users searching Google for video of the assassination may click on what appear to be legitimate Blogspot pages but are redirected to sites pushing fake codecs.

If they click to install the codecs – said to be needed to watch the video – their PCs are infected with malware that will change DNS settings and hit users with pop-up ads to purchase fake anti-spyware products, Eckelberry told SCMagazineUS.com today.

"Blogspot has become a pretty good haven for these guys these days," said Eckelberry, who began spotting similar attacks several months ago. "These Blogger pages are supposedly well optimized for Google, and it's places (for attackers) to land, just like (Yahoo) GeoCities and other free hosting sites."

Quote:

Meanwhile, researcher Tom Mercado, who runs TeMerc Internet Countermeasures, told SCMagazineUS.com today that he recently noticed a much more alarming type of attack on Blogspot that can infect users without any interaction on their part.

In that case, Blogspot readers using the "Next Blog" feature, which randomly takes users to another blog, could find themselves on a malicious page that automatically installs malicious files onto their machines.

"It's just land on the site and, pow, get hit," Mercado said, adding that users whose PCs are fully patched and running updated anti-virus may be able avoid infection.

He said that around Christmas, he noticed several hundred of these blogs, which attempt to install bogus codec files.

"It's all about someone getting a certain amount of money for every install," Mercado said.

Despite Google claiming to shut down any hosted sites that violate its terms of service, security experts believe this style of attack may continue.

"Once they see they can get away with it, they're going to increase the number," Mercado said. "It can exponentially get really bad."

SCMagazine

MysteryFCM · **Posted:** Wed Jan 02, 2008 7:16 pm

Nice one

Last Son · **Joined:** Sun Jan 30, 2005 5:32 am **Posts:** 89

congrats on continuing to get the word out on these dude, I'm glad to see you getting a well deserved mention in some of the tech / news sites finally, too.

TeMerc · **Posted:** Thu Jan 03, 2008 9:33 am

paperghost wrote:

congrats on continuing to get the word out on these dude, I'm glad to see you getting a well deserved mention in some of the tech / news sites finally, too.

Thanks, we spoke about you briefly as well. Told him we usually banter about all kinds of fun stuff we have in common on IM.

TICTestBox · **Posted:** Sun Jan 06, 2008 3:06 am

Well tonite (Sat the 5th) I went cruisin for some Blogspot malware and got a bunch of sites that wanted to install some form of video related file.

They all wanted to install the same files which was nice. Also made it easy on time taken to scan these files, which you can see below.

Quote:

File VideoAccessCodecInstall.exe received on 01.05.2008 22:08:59 (CET)
File size: 112944 bytes
MD5: 0824eda722e3de57845e5efe8d569e9a
SHA1: e87d0c30263aad1e0289df9d6df24ffab06c398a

Result: 10/32 (31.25%)

AntiVir 7.6.0.46 2008.01.04 DR/Zlob.Gen
AVG 7.5.0.516 2008.01.05 Downloader.Zlob
CAT-QuickHeal 9.00 2008.01.05 TrojanDownloader.Zlob.gen
ClamAV 0.91.2 2008.01.05 Trojan.Dropper-2557
F-Secure 6.70.13030.0 2008.01.05 W32/Zlob.ARDM
Microsoft 1.3109 2008.01.05 TrojanDropper:Win32/Zlob.gen!A
Norman 5.80.02 2008.01.04 W32/Zlob.ARDM
Sophos 4.24.0 2008.01.05 Troj/Zlobar-Fam
TheHacker 6.2.9.181 2008.01.05 Trojan/Downloader.gen
Webwasher-Gateway 6.6.2 2008.01.04 Trojan.Dropper.Zlob.Gen

==========

File bklgvsf.dll received on 01.05.2008 22:18:22 (CET)
File size: 270336 bytes
MD5: 15d1fc0b3a1ed45cf59ab1ccc8c50c3b
SHA1: 8dd03b62525b7e322511412318ef08123f64f371

Result: 5/32 (15.63%)

AntiVir 7.6.0.46 2008.01.04 ADSPY/Agent.PB
Avast 4.7.1098.0 2008.01.05 Win32:Agent-LTS
Ikarus T3.1.1.15 2008.01.05 Virus.Win32.Agent.LTS
Microsoft 1.3109 2008.01.05 Adware:Win32/SmitFraud
Webwasher-Gateway 6.6.2 2008.01.04 Ad-Spyware.Agent.PB

============

File ensfolr.dll received on 01.05.2008 22:26:07 (CET)
File size: 204800 bytes
MD5: 098038807ee68c10cbf5b417442f6e45
SHA1: e0f6803c05167826b3ccb177ba96c57f5603eb1a

Result: 1/32 (3.13%)

Ikarus T3.1.1.15 2008.01.05 AdWare.NetAdware.CW

============

File ampkfst.dll received on 01.05.2008 22:36:38 (CET)
File size: 278528 bytes
MD5: b11c2efd52c59c1cc3349146e794d4ad
SHA1: 3524484b0e323a9a29ea3310ae240f906317465d

Result: 2/32 (6.25%)

Ikarus T3.1.1.15 2008.01.05 Virus.Win32.Agent.LTS
Microsoft 1.3109 2008.01.05 Adware:Win32/SmitFraud
================

File dxpvqlmqng.dll received on 01.05.2008 22:40:53 (CET)

File size: 311296 bytes
MD5: 712983c18312d02d0b00501f493c0d9c
SHA1: c5ac5deccc8351914e0d7ec94c050eed62bbd8e2

Result: 4/32 (12.5%)

AntiVir 7.6.0.46 2008.01.04 TR/Zlob.DCH
Ikarus T3.1.1.15 2008.01.05 Generic.NetAdware
Microsoft 1.3109 2008.01.05 Adware:Win32/SmitFraud
Webwasher-Gateway 6.6.2 2008.01.04 Trojan.Zlob.DCH

===============

File foxflpd.exe received on 01.05.2008 22:55:10 (CET)
File size: 90112 bytes
MD5: bd6f352239196a129ac0fa679deae0c3
SHA1: 422ef7eba79e3ef7de3724d6ab34a6f17d679a35

Result: 3/32 (9.38%)

CAT-QuickHeal 9.00 2008.01.05 AdWare.Vapsup.um (Not a Virus)
Ikarus T3.1.1.15 2008.01.05 not-a-virus:AdWare.Win32.Vapsup.tz
Microsoft 1.3109 2008.01.05 Adware:Win32/SmitFraud

And some HJT and RunScanner Info:

Code:

O2 - BHO: BDEX System - {5085333B-FD15-4754-A571-852F7077C5F2} - 

C:\WINDOWS\dxpvqlmqng.dll
Item: 052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Description: dxpvqlmqng {5085333B-FD15-4754-A571-852F7077C5F2}
Version: 1, 0, 0, 1
Path: c:\windows\dxpvqlmqng.dll
MD5: c:\windows\dxpvqlmqng.dll
Productname: dxpvqlmqng
FileDescription: dxpvqlmqng
Registry path: 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5085333B-FD15-4754-A571-852F7077C5F2}


O3 - Toolbar: The ensfolr - {A037112F-183D-4E98-8CEA-1A0D93BA9F48} - C:\WINDOWS\ensfolr.dll


O21 - SSODL: ampkfst - {C8942271-0214-4AFB-9E89-457E6FB94256} - C:\WINDOWS\ampkfst.dll
Item: 060 

HKLM-HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Description: ampkfst {C8942271-0214-4AFB-9E89-457E6FB94256}
Version: 1, 0, 0, 1
Path: c:\windows\ampkfst.dll
MD5: c:\windows\ampkfst.dll
Productname: ampkfst
FileDescription: ampkfst
Registry path: 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Registry value: ampkfst


O21 - SSODL: bklgvsf - {1D73E470-FE4F-4C89-A219-285F995320A5} - C:\WINDOWS\bklgvsf.dll
Item: 060 

HKLM-HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Description: bklgvsf.dll {1D73E470-FE4F-4C89-A219-285F995320A5}
Path: c:\windows\bklgvsf.dll
MD5: c:\windows\bklgvsf.dll
FileDescription: bklgvsf.dll
Registry path: 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Registry value: bklgvsf

Some images of various things which transpired along the way.

Newish looking video player, which when clicked took me to mymetavids.com, which oddly enough, or not, is listed in hpHosts Online database along with 33 other sites and if you're a malware fighter\analyst\researcher lots of them look very familiar.

Then you'd typically get a screen such as this:

And once I got this:

Oh my, I need to install this file to watch the neat video! Yipeee!!

Next we get this:

And that IP is not listed .....yet. Steven I'm sure is watching.

Onwards we go with Process Explorer we can see some action:

Those are the files getting installed....and then deleted. That's supposed to make it so you can't get them. Sandboxie...gota love it.

That was typical way to social engineer your way onto someones machine, if you're a low-life scumbag.

Another way it happens is that you land on a site and get this:

OH NOES!! I need to download this scanner once it's done, so I can stay safe and secure. Ummmmmmmmm...........no thanks.

But maybe I should, look at the results:

Then if you hit the back button things would try to install too:

Here is a rundown on some of the sites invovled, tho SpyShredder was in every single one.

tablets-city.com
AdultFriendFinder.com
idsoa.info
sirset.com
adult-line-x.com
scanner.spyshredderscanner.com
xscanner.spyshredderscanner.com
crl.usertrust.com
klikme.cn
mtn129.googlepages.com
happinestdaily.googlepages.com
scanner.online-guard-adv.net
8porn.info
iscoolmovies.com
infonetty.com
dorcheg.info
crimeavip.ru
img.spy-shredder.com
hooyase.info
buynowbe.com

This was all from only 13 different blogs, using a list of recently updated blogs.

I've passed the info onto Stopbadware and hopefully they'll kill thse blogs as they've killed pretty much every other one I've submitted so far.

TeMerc · **Posted:** Sun Jan 06, 2008 9:12 am

Now that I've had some sleep(about 4-5 hours worth) I realized a couple of things which are a little bit different than some of my previous installs.

A couple of these video interfaces, when clicked brought me to Google Page Creator. This is no doubt a fairly new avenue of attack and one I'm sure we'll see more of.

Another thing which I ought to have mentioned was several of these blogs did require interaction to acquire the files. Tho as I stated and depicted previously, upon landing on a few I was immediately brought to one of the SpyShredder scan sites which used the old fake scan-fake results to lure users into downloading and even when you didn't actually accept would begin downloading anyways.

I'll be checking today for more of these sites and reporting them to StopBadware, who is hopefully forwarding them to Google for proper eradication.

I have Fiddler logs for any who would like to go over them. Files scans are in my previous post as everyone that I got hit with wanted to install the same batch of files.

TeMerc · **Posted:** Sun Jan 06, 2008 10:45 am

Here are a few of the blogs names I got hit at:

nbc5videoz.blogspot.com
ql1-ten.blogspot.com
1uih9-seo.blogspot.com
6bproduction.blogspot.com
fox12videoz.blogspot.com
lff-cool.blogspot.com
lastnewspostvideo.blogspot.com
foxsportsnetwork-lst.blogspot.com
tnp-best.blogspot.com
sportstickets-cjy.blogspot.com
crisiscnnhot.blogspot.com

You can see two patterns here, first the obvious 'news' angle and the second being the one word + 3 letters and altho not listed here, some variation on that.

The news ones were actually named as the url displays, fox12newsvideoz, crisscnnhot and so forth. Once spotted easy to find off the list of updated blogs.

The others are also pretty easy, tho with the variation take a bit more time.

TeMerc · **Posted:** Sun Jan 06, 2008 3:48 pm

Found this reference at another blog:

Quote:

Referrer Spammer

I also got both of those in my Fiddler logs.

Too bad he does not have comments enabled or I'd have dropped him a line.

TeMerc · **Posted:** Mon Jan 07, 2008 7:04 pm

And yet another reference to these domains:

Quote:

Take this fake facebook login subdomain serving malware for instance - facebook-login.vylo.org (209.160.73.132) redirects to iscoolmovies.com/movie/black/0/2/541/1/ which attempts to load 209.160.73.132/download/502/541/1/ where 209.160.73.132/dw.php is the adware in this case - Adware:Win32/SmitFraud.

DDanchev Blog

TeMerc · **Posted:** Fri Jan 25, 2008 11:19 pm

Just noticed a write up over at Dark Reading, regarding Blogspot malware. I dropped a comment:

TeMerc · **Posted:** Fri Jan 25, 2008 11:23 pm

And this over at Computer World, tho not talking so much about malware, but spam. Geez, these guys should really spend time to see how bad it is. However, Google is absolutely doing something about it.

I'll try and post something this weekend about what they've done.

Spammers cloak scams by redirecting through Google services

By Gregg Keizer
January 25, 2008 (Computerworld) Spammers are using thousands of Google accounts to camouflage their scams from antispam filters, a security researcher said today. He dubbed the practice "Spam 2.0."

Rather than inserting links to the actual pages touting their products, some junk mailers are sticking in links from domains registered with Google Page Creator -- the search engine's free Web page maker -- or accounts with Google's Blogger.com service, said Dan Hubbard, vice president of security research at Websense Inc.

nwz

Computer World

TeMerc · **Posted:** Sat Mar 08, 2008 10:39 am

I was poking around the old threads and came upon this, from 3 years ago:
http://www.temerc.com/forums/viewtopic.php?f=10&t=120

Quote:

From Ben Edelman:

Google claims to be on the right side of the spyware problem. Its May 2004 Software Principles set out lofty (if somewhat vague) standards for installation notice consent. Its Google Toolbar installer gives impeccable disclosure and obtains true, meaningful, informed consent. (See page 7 of my FTC Comments (PDF).) And Google is a victim of spyware: I've tested and studied a number of programs that add bogus search results and advertisements to Google.com results, tarnishing Google's brand and siphoning advertising revenues that would otherwise accrue to Google.

Quote:

Yet Google is far from blameless in the spyware battle. Of particular concern: Numerous blogs hosted at Google's Blogspot service contain JavaScript that tries to trick users into installing unneeded software. At one such blog, users are offered a misleading popup that falsely claims "You have an out of date browser which can cause you to get infected with viruses, spam, and spyware. To prevent this, press YES now." If a user declines, the user is shown a second popup instructing "Click Yes to upgrade," followed by the first popup again. If the user declines a second time, a further popup claims "We strongly recommend you upgrade ... Click YES Now!" See screenshots below.

Full Read @Ben Edelman

Quote:

From eWeek:
By Matt Hicks

Weblogs are spreading more than opinions and observations across the Internet. Some are beginning to propagate malicious software downloads that can alter browser settings, track users and serve pop-up ads.

Dozens of blogs hosted by Google Inc.'s Blogger service can install programs that are widely considered to be spyware and adware onto visitors' computers, warn users and spyware researchers. In many cases, users are discovering the offending sites as they browse among blogs through Blogger's navigation bar.

The offending blogs typically prompt visitors to accept downloads through misleading pop-up windows, said Ben Edelman, a vocal spyware critic and Harvard University researcher. While a user typically must accept the download before the software installs, the prompts often attempt to trick users by disguising the download as a necessary Windows or Internet Explorer upgrade.

Full Read@eWeek

Quote:

Published: February 23, 2005, 2:46 PM PST
By Stefanie Olsen
Staff Writer, CNET News.com

Hackers are using blogs to infect computers with spyware, exposing serious security flaws in self-publishing tools used by millions of people on the Web.

The problem involves the use of JavaScript and ActiveX, two common methods used to launch programs on a Web page. Security experts said malicious programmers can use JavaScript and ActiveX to automatically deliver spyware from a blog to people who visit the site with a vulnerable Web browser.

Spyware tools also have been hidden inside JavaScript programs that are offered freely on the Web for bloggers to enhance their sites with features such as music. As a result, bloggers who use infected tools could unwittingly turn their sites into a delivery platform for spyware.

"It is one more link in the commerce chain of illicit adware," said Richard Stiennon, chief of technology at Webroot Software, a maker of anti-spyware technology.

"If auto-generated Web sites such as blog sites allow the inclusion of ActiveX and JavaScript, they are a great place for spyware writers to try to induce the blogger or Web page owner into including some active code," he said.

Full Read@ C|NET

TeMerc · **Posted:** Sat Jun 28, 2008 10:13 am

The last couple of days blogspot.com has yielded several 1-new 2-rogue 3-domains and I even 4-found a new rogue. 5- I'm good YHOO

You can guess where I'll be hanging out the rest of the weekend.

MysteryFCM · **Posted:** Sun Jun 29, 2008 12:20 pm

hehe nice one dude

More Blogspot Malware [UPDATED June 28]

Who is online

Who is online

Who is online
	In total there is 1 user online :: 0 registered, 0 hidden and 1 guest (based on users active over the past 5 minutes) Most users ever online was 282 on Tue Sep 25, 2012 11:30 am Users browsing this forum: No registered users and 1 guest