Following up on some new ZLOB domains and malware, I continue to be amazed at the efforts of cybercriminals to social engineer the Web, poison Web search engines, pollute news and blogging Web sites, register bogon domains, and obtain hosting in their ongoing efforts to reach their ultimate goal — to separate more and more unsuspecting users from their money.
My esteemed colleagues over at Sunbelt Software blogged earlier tonight about a new spam, SEO, and social engineering campaign to lure unsuspecting users to a bogus video website which tries to entice an unwitting user to download a piece of malware disguised as an ActiveX control, which purports to allow them to view some arbitrary video.
One of the things that stood out for me in the Sunbelt blog posting was an an image of the results of a Google search, which returned a hit for this topic (Barbara Moratek) on the popular news-rating Web site, Digg.com, as seen in the screen shot below.
Click for larger image.
Following the “bouncing malware” breadcrumbs (as my colleague Ivan Macalintal likes to say) illustrates an extraordinarily complex set of redirects and an effort to mask the entanglements, which eventually lead to the landing Web site, and yet then again, it will “ask” the user to install the malware — in the guise of an ActiveX control.
Click for larger image.
The methodology of jumping from one host to another, and then to another, ad nauseam, is an old-school method to thwart efforts pinpoint the flow of criminal activity.
The last hop in the traffic redirection flow above asks the user to download a ZLOB binary disguised as an “ActiveX control” from yet another host located in The Ukraine.
All of this illustrates the ongoing level of sophistication that cybercriminals are achieving, and the lengths that they will go to to engineer a method to perpetrate their crimes.
And please, folks — don’t visit any of these IP addresses or Web sites — many of these are still real, live, and dangerous. We provide this information as a service — we want you to stay informed — but we don’t want you to put your security at risk.
We are actively monitoring these developments, blocking these domains, and adding protection for our customers as we discover these activities.
Let’s be careful out there!
Paul “Fergie” Ferguson
Internet Security Intelligence
Advanced Threats Reasearch