We have discovered several fake blogs, hosted on a popular and trusted blog publishing tool, into which a malicious IFrame has been inserted to redirect users to a porn Web site. Here’s a screenshot of a fake blog:

Those responsible for this attack redirected users to the porn Web site by inserting the following script into the fabricated accounts:
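As an added example (not the script from the original post, which is not reproduced here), a small Python check of the kind a blog-hosting platform could run over posted HTML: it flags IFrames that are hidden or that load content from a host other than the blog's own. The sample page and the domain names in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a blog page on a trusted host carrying an injected,
# invisible IFrame that pulls content from an unrelated domain.
SAMPLE_HTML = """
<html><body>
<h1>my travel blog</h1>
<p>words words words <a href="/videos">Movies, Pictures, Videos</a></p>
<iframe src="http://bad-example.invalid/load.php" width="0" height="0"
        style="display:none"></iframe>
<iframe src="https://trusted-blog.example/widgets/calendar"
        width="300" height="200"></iframe>
</body></html>
"""

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in the document."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _is_hidden(attrs):
    """True when the frame is sized to be invisible or styled away."""
    def tiny(v):
        v = v.strip().rstrip("px")
        return v.isdigit() and int(v) <= 1
    style = attrs.get("style", "").replace(" ", "").lower()
    return (tiny(attrs.get("width", "")) or tiny(attrs.get("height", ""))
            or "display:none" in style or "visibility:hidden" in style)

def find_suspicious_iframes(html, page_host):
    """Return (src, reasons) for IFrames that are hidden or that load
    from a host other than the one serving the page."""
    p = IframeCollector()
    p.feed(html)
    hits = []
    for a in p.iframes:
        src = a.get("src", "")
        reasons = []
        host = urlparse(src).hostname
        if host and host != page_host.lower():
            reasons.append("off-site")
        if _is_hidden(a):
            reasons.append("hidden")
        if reasons:
            hits.append((src, reasons))
    return hits
```

Run against the sample, only the zero-sized, off-site frame is reported; the visible widget frame served from the blog's own host is not.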

The entries in the blog make no sense: they are just a series of words, typed perhaps by the people behind this operation simply to fill the entry. They do, however, contain links labeled “Movies, Pictures, Videos.” When clicked, these redirect users to a porn site that promises free videos:

When users try to view any video, they are asked to download a codec (a fake one, of course) in order to watch it:

The codec is supposedly downloaded from the URL http://ultimate-x-{BLOCKED}s.net/up/UltimateVideoCodec-71.exe. That site is inaccessible, however, and further investigation reveals that the attackers made a mistake here: the URL should be http://online-x-{BLOCKED}s.net/up/UltimateVideoCodec-71.exe.
Trend Micro detects the file UltimateVideoCodec-71.exe-1 as TROJ_DROPPER.BX. Upon execution, this Trojan drops the file Xml2u32h.dll, detected as TROJ_BHO.EZ. TROJ_BHO.EZ installs itself as a Browser Helper Object (BHO) on the affected system, which causes it to execute every time the user opens an instance of their Internet browser.
We’ve seen over a thousand blogs of this type, believed to have been created by the malicious users themselves just for this particular operation. Users may easily be lured into clicking links in blogs on legitimate or reputable domains, and may not consider what’s posted inside as potentially dangerous to their systems. We blogged about a similar attack last July on Bebo, another blogging and social networking site, in which the perpetrators also created bogus Bebo profiles to make their entries more convincing.
Users are now protected from this attack by the Trend Micro Smart Protection Network. Other users, however, are advised to be careful when clicking links and downloading files, even if those links are posted in legitimate blogs. As this case shows, malicious authors now create entire blogs on legitimate, well-known blog-hosting sites just to trick users.