Archive for June 1st, 2009

June 1, by Ailene Dela Rosa (Technical Communications)

Early last week we alerted a government agency about one of the pages on its site that appeared to have been injected with malicious frames. The San Bernardino County site’s probation page was, during that time, carrying a frame that directed users to a known malware distribution domain, videosdivx(dot)net. The target URL bears the string “KATRINA+HALILI+NUDE,” which suggests that videos or pictures of the Filipino actress may be viewed from the URL. Halili is currently involved in a much-talked-about sex video scandal proliferating in the Philippines.

While that site is now clean, Threat Analyst Joseph Pacamarra found another attack capitalizing on the same sex video scandal, this time using the Ask George website, the state-wide information portal of Washington DC in the US. Accessing the affected page, which had been injected with a script containing the words “katrina+halili+sexy+pic,” redirects the visitor to a site under a certain hot-unlikely-tube(dot)com domain.


Clicking on the black screen, the user is informed that s/he needs to download a codec to be able to watch the video. But instead of a codec, the user downloads malware: TROJ_DLOAD.TID and its payload, TROJ_COGNAC.J.


TROJ_COGNAC.J is saved as b.exe. It modifies the system registry to make sure it runs at every startup. It assists TROJ_DLOAD.TID in downloading files named qwerce.gif and a.exe from different URLs. As of this writing, the .gif file is non-malicious, and the URL that serves a.exe is not accessible. While this means little danger for current victims of these attacks, the contents of the URLs may change at any time to exhibit more dangerous side effects.

The affected pages from the said site appear to have been modified last May 30, early morning US time. (Updated June 2, 22:40 PM PST: We have verified that the affected site is now clean as of this writing. Website administrators are advised to conduct penetration testing of their sites, especially high-traffic and high-interactivity ones.)
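As an added defender-side example (not code from the original post), the following Python scans a page's HTML for frames and scripts that load from, or redirect to, hosts other than the site's own, which is the kind of injected content described above; the sample page and the .invalid hosts are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"<>]+")  # absolute URLs inside inline script text

class _InjectScanner(HTMLParser):
    """Collect frames/scripts loading from, and inline scripts referencing, a foreign host."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_inline_script = False

    def _record(self, tag, url, attrs):
        host = urlparse(url).hostname
        if host is None or host.lower() == self.site_host:
            return  # relative or same-host reference: expected site content
        style = (attrs.get("style") or "").replace(" ", "").lower()
        hidden = (attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        self.findings.append({"tag": tag, "host": host.lower(), "url": url, "hidden": hidden})

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "frame", "script"):  # tags whose src pulls remote content
            return
        a = dict(attrs)
        if a.get("src"):
            self._record(tag, a["src"], a)
        elif tag == "script":
            self._in_inline_script = True  # script body arrives through handle_data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            for url in URL_RE.findall(data):
                self._record("inline-script", url, {})

def find_offsite_injections(html, site_host):
    scanner = _InjectScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: two legitimate references, then a hidden iframe and a redirect script
# pointing at placeholder hosts (the .invalid TLD is reserved and never resolves).
SAMPLE_PAGE = """<html><body><script src="/js/menu.js"></script>
<iframe src="https://www.example.gov/forms/contact.html" width="600" height="400"></iframe>
<iframe src="http://attacker.invalid/KATRINA+HALILI+NUDE" width="0" height="0" style="display:none"></iframe>
<script>window.location = "http://attacker2.invalid/katrina+halili+sexy+pic";</script></body></html>"""
```

Legitimate third-party includes (analytics, CDNs) will also be reported, so in practice compare the returned hosts against an allow-list of expected external domains and treat anything else, particularly hidden frames, as a candidate injection.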


June 1, by Joseph Pacamarra (Threats Analyst)

We have recently found a website that purportedly offers cracks for numerous applications, but in reality serves malicious files to its unknowing users.

The website, hxxp://{BLOCKED}ck.com, is allegedly owned by an organization called China.United Telecom. Corp. The website supposedly offers a wide collection of cracks for different applications. However, attempting to download any of these files always leads to the same page (Figure 2).


Clicking the Download button downloads a .ZIP file into the user’s system. The .ZIP file contains two files, both of which are malicious:


Trend Micro detects the files as TROJ_DLOADER.ZTN. TROJ_DLOADER.ZTN downloads TROJ_AGENT.INC and TROJ_DLOADR.AOP, which in turn connect to URLs to download more malicious files.

The .ZIP file is actually hosted on another domain, hxxp://{BLOCKED}-in.in.

Accessing the root of the domain where the .ZIP file is hosted leads to a landing page informing the user that the website has been suspended for violation of the terms of service. However, linking directly to the file, regardless of the alleged suspension, still results in a successful download of any file hosted on the site.


Apparently, the suspension did not stop cybercriminals from using the website’s directory as a malware repository for other attacks. Either that, or the suspension notice is only a guise used by the criminals to hide the website’s real purpose. The Smart Protection Network, however, stops this threat from affecting users’ systems by blocking the related malicious URLs and detecting the malicious files.


© Copyright 2009 Trend Micro Inc. All rights reserved.