Archive for December 27th, 2007


Dec 27
by Mayee Corpin (Technical Communications)

Cybercriminals wasted no time riding on the tragic and shocking news of former Pakistan Prime Minister Benazir Bhutto’s assassination, as Websense discovered a number of malicious Web sites that came up on Google search results using the simple search term “benazir.” These sites attempt to infect users who want to know more about the unfortunate incident.

TrendLabs researchers found that one of the sites in question indeed has an embedded malicious JavaScript redirect, which Trend Micro detects as JS_AGENT.AEVE.

The malicious script downloads a Trojan (already detected as TROJ_SMALL.LDZ), which in turn downloads more malicious files, namely WORM_HITAPOP.O and TROJ_AGENT.AFFR.

A graphical representation of this routine is as follows:

Upon further investigation, however, TrendLabs found that there is a host of other news sites and blogs taking advantage of this news.

Moreover, the malicious JavaScript is apparently not exclusive to news sites — it is also present in other Web sites covering a broad range of topics and interests. Many other sites have possibly been compromised (or otherwise include the malicious JavaScript), including Autoworld, Vino, Dogpile, MSN, BlogSpot (yes, again), etc.

According to Trend Micro Advanced Threats Researcher Paul Ferguson, searching for the URL of this same malicious JavaScript yields 4,240 results. If the search is narrowed down to also include “benazir,” only 103 results remain.

All related malicious URLs are already blocked by the Content Security Team and are thus inaccessible to Trend Micro customers.


Dec 27
by Ryan Flores (Advanced Threats Researcher)

We discovered more holiday mischief while further digging into fake codecs, which Sunbelt most recently blogged about.

Poisonous Blogs

As discovered by Sunbelt, certain Google queries may lead you to certain blog sites that require the download of a “codec” that is actually a variant of the ZLOB malware.

These blogs seem to be recently created; entries were all posted just this December.

Blog titles revolve around topics related to Christmas such as Santa Claus and Christmas movies, but the scope is also extended to Christmas-related activities, such as cooking (recipes of Christmas dinner?), road conditions (traveling to spend the holidays with in-laws, relatives, or friends?), and gadgets (as gift items?).

Some topics outside the holidays revolve around sports, celebrities, and digital media.

Blog titles can be as broad as “wheres santa” or as specific as “is walmart open on Christmas day.”

These blog entry topics are obviously chosen to suit specific searches that Internet users the world over are making these days.

In order to increase their search engine result ranking (SEO poisoning), the body of each blog entry is composed of sentences containing the search keywords, which are also the blog entry’s title.

These sentences seem to be sourced from various sites and it is highly possible that the perpetrators used Web scrapers to fill the contents.

Screenshot of SEO poisoned blog

As of this writing, there are probably thousands of blog sites that use this modus operandi. Just to give you an idea of how large this might be, here are some of the sites we discovered (emphasis ours):

  • f-video(dot)blogspot
  • f-videoa(dot)blogspot
  • f-videob(dot)blogspot
  • f-videoc(dot)blogspot

up to…

  • f-videoz(dot)blogspot

and…

  • tv-videoa(dot)blogspot
  • tv-videob(dot)blogspot
  • tv-videoc(dot)blogspot

up to…

  • tv-videoz(dot)blogspot

The middle-men

No matter how numerous the blog sites involved, they all point to one of these four domains when the user clicks the play button: siski.cn, obebos.cn, somemisc.info, and video.googl.name. Here are the pages the user will encounter when redirected to any of the four sites:

OBEBOS.CN and SISKI.CN

SOMEMISC.INFO

VIDEO.GOOGL.NAME

Of the four, video.googl.name is the most interesting because it pretends to be a video repository site (notice the search box on the top right corner of the page).

The amazing thing about video.googl.name is that it contains all the videos you’ll ever want! When the search feature is used, the site will always return a result that will, of course, require you to download a “codec” to play it successfully.

When we messed around with the site, even the absolutely absurd search term “TARANTELLABEERMANIA PARTYGATECRASHER” incredibly gave this result. Beat that!

Finally, the “codec”!

“TARANTELLABEERMANIA PARTYGATECRASHER”

The actual download of the “codec” will only happen should the user decide to click the Continue button.

Both obebos.cn and siski.cn will point the user to shockbabetv(dot)com to download the ZLOB Trojan, while somemisc.info and video.googl.name will download the ZLOB Trojan from 82(dot)103(dot)137(dot)14.

Shockbabetv(dot)com already has a history of hosting these ZLOB Trojans, while 82(dot)103(dot)137(dot)14 is somewhat new; we have seen it only this December.
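The blog naming pattern, the four middle-men domains and the two download hosts described above can be turned into a simple proxy-log check. This is an added example, not code from the original post or from Trend Micro; the log lines are constructed, and the regular expression is an assumption that generalises the f-video*/tv-video* enumeration shown earlier:

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the post: the enumerated blogspot names, the four
# "middle-men" domains, and the two hosts that served the ZLOB "codec".
BLOG_PATTERN = re.compile(r"^(?:f|tv)-video[a-z]?\.blogspot\.com$")  # assumed generalisation
MIDDLEMEN = {"siski.cn", "obebos.cn", "somemisc.info", "video.googl.name"}
CODEC_HOSTS = {"shockbabetv.com", "82.103.137.14"}
# Constructed sample proxy log (not real traffic): timestamp, client IP, URL.
SAMPLE_LOG = """\
2007-12-27T10:01:02 10.0.0.5 http://f-videob.blogspot.com/2007/12/wheres-santa.html
2007-12-27T10:01:09 10.0.0.5 http://obebos.cn/play.php?id=7
2007-12-27T10:01:15 10.0.0.5 http://shockbabetv.com/codec.exe
2007-12-27T10:05:40 10.0.0.9 http://www.example.com/news/holiday-recipes
2007-12-27T10:06:11 10.0.0.12 http://video.googl.name/search?q=christmas+movies
2007-12-27T10:07:03 10.0.0.12 http://82.103.137.14/codec.exe
this line is malformed and must be skipped
"""

def host_of(url):
    """Lowercase hostname of a URL ('' if it cannot be parsed)."""
    return (urlsplit(url).hostname or "").lower()

def stage_of(url):
    """Which step of the fake-codec chain a request hits, or None if benign."""
    host = host_of(url)
    if host in CODEC_HOSTS:
        return "codec-download"   # ZLOB payload fetched
    if host in MIDDLEMEN:
        return "middleman"        # landing page that demands the "codec"
    if BLOG_PATTERN.match(host):
        return "poisoned-blog"    # one of the enumerated f-video*/tv-video* blogs
    return None

def scan(log_text):
    """Return (line_no, client, stage, destination host) for every matching line."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 3:
            continue              # skip malformed lines rather than crash
        _ts, client, url = parts
        stage = stage_of(url)
        if stage:
            hits.append((n, client, stage, host_of(url)))
    return hits

def likely_infected(hits):
    """Clients that actually reached a codec host, not merely a blog or landing page."""
    return sorted({client for _, client, stage, _ in hits if stage == "codec-download"})
```

A client that only visited one of the blogs is worth a look, but only the codec-download stage indicates the ZLOB binary was actually fetched.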


Dec 27
by Paul Ferguson (Advanced Threats Researcher)

Seeing how this is my first post to the Trend Micro malware blog, it is with some regret that it involves a renewed, year-end effort to increase the size of perhaps the most prolific botnet on the planet.

There appear to be two separate ongoing issues with malicious content and Blogger, the free Google blogging service.

The first one, which has been ongoing, but seemingly renewed with a vengeance, is the malicious nature of “fake” video which requires the user to install a new codec, and in turn, infects them with a ZLOB Trojan.

My colleagues over at Sunbelt Software blogged about this yesterday here.

However, in the past 24 hours, hundreds of blogs seem to have appeared that each carry a single link to a set of fast-flux servers that infect the user with the Storm Worm (a.k.a. NuWar — Trend Micro detects this as WORM_NUCRP.GEN). These “blogs” contain nothing more than a reference to “…Wishing You a Happy New Year…” or something similar, and a link to one of the server names that will infect the user with the Storm Worm.

Some of the “blogs” appear to be legitimate, some don’t — it’s hard to say. It’s also difficult to determine whether these are older blogs that haven’t been updated in a while (and somehow unauthorized access was gained to them), or perhaps bad guys just created a bunch of bogus blogs and planted this stuff, or what.

In any event, if you see any links like the ones in the partial screenshot above, don’t click on them.

And take a quick second or two to report them to Google as malicious.

Let’s have a safe & Happy New Year out there!

- Paul “Fergie” Ferguson, Advanced Threats Research
