    We discovered more holiday mischief while further digging into fake codecs, which Sunbelt most recently blogged about.

    Poisonous Blogs

    As discovered by Sunbelt, certain Google queries may lead you to certain blog sites that require the download of a “codec” that is actually a variant of the ZLOB malware.

    These blogs seem to be recently created; entries were all posted just this December.

    Blog titles revolve around topics related to Christmas such as Santa Claus and Christmas movies, but the scope is also extended to Christmas-related activities, such as cooking (recipes of Christmas dinner?), road conditions (traveling to spend the holidays with in-laws, relatives, or friends?), and gadgets (as gift items?).

    Some topics outside the holidays revolve around sports, celebrities, and digital media.

    Blog titles can be as broad as “wheres santa” or as specific as “is walmart open on Christmas day.”

    These blog entry topics are obviously chosen to suit specific searches that Internet users the world over are making these days.

    In order to increase their search engine result ranking (SEO poisoning), the blog entries’ bodies are composed of sentences containing the search keywords/blog entry title.

    These sentences seem to be sourced from various sites and it is highly possible that the perpetrators used Web scrapers to fill the contents.

    Screenshot of SEO poisoned blog

    As of this writing, there are probably thousands of blog sites that use this modus operandi. Just to give you an idea on how large this might be, here are some of the sites we discovered (emphasis ours):

    • f-video(dot)blogspot
    • f-videoa(dot)blogspot
    • f-videob(dot)blogspot
    • f-videoc(dot)blogspot

    up to…

    • f-videoz(dot)blogspot

    and…

    • tv-videoa(dot)blogspot
    • tv-videob(dot)blogspot
    • tv-videoc(dot)blogspot

    up to…

    • tv-videoz(dot)blogspot

    The middle-men

    No matter how numerous the blog sites involved, they all point to one of these four domains when the user clicks the play button: siski.cn, obebos.cn, somemisc.info, and video.googl.name. Here are the pages the user will encounter when redirected to any of the four sites:

    OBEBOS.CN and SISKI.CN

    SOMEMISC.INFO

    VIDEO.GOOGL.NAME

    Of the four, video.googl.name is the most interesting because it pretends to be a video repository site (notice the search box on the top right corner of the page).

    The amazing thing about video.googl.name is that it contains all the videos you’ll ever want! Whatever you type into the search feature, the site always returns a result, which will, of course, require you to download a “codec” to play successfully.

    Messing around with the site, an absolutely absurd search for “TARANTELLABEERMANIA PARTYGATECRASHER” will incredibly give this result. Beat that!

    Finally, the “codec”!

    “TARANTELLABEERMANIA PARTYGATECRASHER”

    The actual download of the “codec” will only happen should the user decide to click the Continue button.

    Both obebos.cn and siski.cn will point the user to shockbabetv(dot)com to download the ZLOB Trojan, while somemisc.info and video.googl.name will download the ZLOB Trojan from 82(dot)103(dot)137(dot)14.

    Shockbabetv(dot)com already has a history of hosting this Trojan malware, while 82(dot)103(dot)137(dot)14 is relatively new: we have only seen it this December.
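    The redirection chain described above (SEO-poisoned blogspot page → one of the four middle-man domains → one of the two download hosts) is the kind of sequence a proxy-log review can reconstruct per client. The following is an added example, not code from the original post; the log format, client addresses, URL paths and file name are constructed for illustration, while the host names, IP address and blog naming pattern are the ones named in the post.

```python
import re
from collections import defaultdict

# Hosts named in the post. The blogspot pattern covers f-video, f-videoa ... f-videoz
# and tv-videoa ... tv-videoz.
SEO_BLOG_RE = re.compile(r"^(?:f|tv)-video[a-z]?\.blogspot\.com$")
MIDDLEMEN = {"siski.cn", "obebos.cn", "somemisc.info", "video.googl.name"}
DOWNLOAD_HOSTS = {"shockbabetv.com", "82.103.137.14"}

# Constructed proxy records, one per line: "client_ip url referer" ("-" = none).
SAMPLE_LOG = [
    "10.0.0.5 http://f-videoa.blogspot.com/wheres-santa.html -",
    "10.0.0.5 http://siski.cn/play http://f-videoa.blogspot.com/wheres-santa.html",
    "10.0.0.5 http://shockbabetv.com/codec_setup.exe http://siski.cn/play",
    "10.0.0.9 http://tv-videoz.blogspot.com/christmas-recipes.html -",
    "10.0.0.9 http://video.googl.name/search?q=x http://tv-videoz.blogspot.com/christmas-recipes.html",
    "10.0.0.9 http://82.103.137.14/codec_setup.exe http://video.googl.name/search?q=x",
    "10.0.0.7 http://somemisc.info/ -",   # direct visit: no SEO blog in the referer
    "10.0.0.7 http://82.103.137.14/codec_setup.exe http://somemisc.info/",
]

def host_of(url):
    """Return the lowercase host of an http(s) URL, or '' if there is none."""
    m = re.match(r"^https?://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""

def stage_of(host):
    """Map a host to its role in the chain from the post, or None if unknown."""
    if SEO_BLOG_RE.match(host):
        return "seo_blog"
    if host in MIDDLEMEN:
        return "middleman"
    if host in DOWNLOAD_HOSTS:
        return "download_host"
    return None

def find_chains(log_lines):
    """Return {client: [(middleman, download_host), ...]} for every client whose
    traffic shows the full blog -> middle-man -> download-host chain.
    The Referer header links one hop to the next."""
    reached_via_blog = defaultdict(set)   # client -> middle-men reached from an SEO blog
    chains = defaultdict(list)
    for line in log_lines:
        client, url, referer = line.split()
        host, ref_host = host_of(url), host_of(referer)
        if stage_of(host) == "middleman" and stage_of(ref_host) == "seo_blog":
            reached_via_blog[client].add(host)                  # hop 1 -> 2
        elif stage_of(host) == "download_host" and ref_host in reached_via_blog[client]:
            chains[client].append((ref_host, host))             # hop 2 -> 3
    return dict(chains)
```

Client 10.0.0.7 is deliberately left out of the result: it fetched the same file but never arrived through a poisoned blog, so it does not match the full chain.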
