Spyware from World’s Largest Podcast Directory

February 28th, 2008 by Roderick Ordoñez (Technical Communications)

A site dubbing itself the world’s largest podcast directory has been compromised! Even Google cautions against visiting the site, warning users that it “may harm your computer.”

The site, hxxp://www.pod-planet.com, seemingly contains a redirector string, such that a visit to the site’s main page (hxxp://www.pod-planet.com/index.asp) will automatically lead users to http://www.{BLOCKED}e8.com/app/helptop.do, which in turn downloads a malicious file from http://www.{BLOCKED}e8.com/app/wm.exe. Trend Micro detects the downloaded file as TSPY_WOWAR.AG.

The culprit behind this series of redirections is, once again, injected code, which has obviously been obfuscated to deter analysis. Obfuscation, normally done to protect personal code against direct copying, may actually prove detrimental to the malware (spyware) author in this case: the presence of a chunk of illegible characters in a fully legitimate site may itself be evidence enough that the site has been tampered with.

Diligence is required of any Webmaster, and much of it is needed in this era of Web threats. This is especially true of a site that plans to call itself the “largest podcast directory” on the Net, as malware writers are all too eager, and fully capable, to transform this “largest directory” into one that serves heaps of malicious intent.
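A Webmaster can act on the observation above, that illegible script on a legitimate page is itself a warning sign, by scanning their own pages for it. The following is an added example, not code from the original post or from Trend Micro. The sink list, the thresholds and the sample page are assumptions constructed for illustration, and the encoded string in the sample decodes to a harmless paragraph tag.

```python
import re
from html.parser import HTMLParser

# Decoder/output calls that packed script is usually fed to (assumed indicator list).
SINKS = re.compile(r"\b(eval|unescape|document\.write|String\.fromCharCode)\s*\(")
# Encoded-character runs: %uXXXX, %XX, \xXX, \uXXXX
ESCAPES = re.compile(r"%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")

class InlineScripts(HTMLParser):
    """Collect the bodies of inline <script> elements."""
    def __init__(self):
        super().__init__()
        self.scripts, self._in = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in = False
    def handle_data(self, data):
        if self._in:
            self.scripts[-1] += data  # data may arrive in several chunks

def suspicious_scripts(html, min_ratio=0.3, min_token=200):
    """Flag inline scripts that are mostly encoded bytes passed to a decoder or sink."""
    parser = InlineScripts()
    parser.feed(html)
    hits = []
    for i, body in enumerate(parser.scripts):
        escaped = sum(len(m) for m in ESCAPES.findall(body))
        ratio = escaped / len(body) if body else 0.0
        longest = max((len(t) for t in re.split(r"\s+", body)), default=0)
        sinks = sorted(set(SINKS.findall(body)))
        # A sink alone is normal; a sink fed an illegible blob is not.
        if sinks and (ratio >= min_ratio or longest >= min_token):
            hits.append({"index": i, "escape_ratio": round(ratio, 2), "sinks": sinks})
    return hits

# Constructed sample page: one ordinary script, one encoded block.
SAMPLE_PAGE = """<html><body>
<script>var p = document.getElementById("player"); document.write("Top podcasts");</script>
<script>document.write(unescape("%3C%70%3E%68%65%6C%6C%6F%3C%2F%70%3E"));</script>
</body></html>"""

if __name__ == "__main__":
    print(suspicious_scripts(SAMPLE_PAGE))
```

A hit is a prompt to compare the page against the version in source control, not a verdict, since legitimately minified or packed scripts can trip the same heuristics.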
