Subscribe to RSS feeds


Jan10
by Paul Ferguson (Advanced Threats Researcher)

Following up on some new ZLOB domains and malware, I continue to be amazed at the efforts of cybercriminals to social engineer the Web, poison Web search engines, pollute news and blogging Web sites, register bogon domains, and obtain hosting in their ongoing efforts to reach their ultimate goal — to separate more and more unsuspecting users from their money.

My esteemed colleagues over at Sunbelt Software blogged earlier tonight about a new spam, SEO, and social engineering campaign to lure unsuspecting users to a bogus video website which tries to entice an unwitting user to download a piece of malware disguised as an ActiveX control, which purports to allow them to view some arbitrary video.

One of the things that stood out for me in the Sunbelt blog posting was an an image of the results of a Google search, which returned a hit for this topic (Barbara Moratek) on the popular news-rating Web site, Digg.com, as seen in the screen shot below.

digg_moratek-ivete.JPG

Click for larger image.

 

Following the “bouncing malware” breadcrumbs (as my colleague Ivan Macalintal likes to say) illustrates an extraordinarily complex set of redirects and an effort to mask the entanglements, which eventually lead to the landing Web site, and yet then again, it will “ask” the user to install the malware — in the guise of an ActiveX control.

tangled_web_zlob.JPG

Click for larger image.

The methodology of jumping from one host to another, and then to another, ad nauseam, is an old-school method to thwart efforts pinpoint the flow of criminal activity.

The last hop in the traffic redirection flow above asks the user to download a ZLOB binary disguised as an “ActiveX control” from yet another host located in The Ukraine.

All of this illustrates the ongoing level of sophistication that cybercriminals are achieving, and the lengths that they will go to to engineer a method to perpetrate their crimes.

And please, folks — don’t visit any of these IP addresses or Web sites — many of these are still real, live, and dangerous. We provide this information as a service — we want you to stay informed — but we don’t want you to put your security at risk.

We are actively monitoring these developments, blocking these domains, and adding protection for our customers as we discover these activities.

Let’s be careful out there!

Paul “Fergie” Ferguson
Internet Security Intelligence
Advanced Threats Reasearch



This entry was posted on Thursday, January 10th, 2008 at 11:03 pm and is filed under Security . Responses are closed, but you can trackback from your own site.



One Response to “A Tangled Web…of Malware”

  1. Security Tips » Barbara Moratek Leads To Malware Says:
    January 11th, 2008 at 6:02 am

    [...] Trend Micro, Paul Ferguson showed how the criminals behind Barbara Moratek made an attempt to get a link to [...]


Out of the Factory, Into the USB
A Port-Hiding Rootkit


 
TrendWatch Hijack This Security Tips for Consumers
Free Online Virus Scan Rootkit Buster Submit Suspicious Files
Global Malware Map RUBotted? Trend Micro
Glossary of Threat Terms

 
© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice