This is the first time that I've seen a real newspaper used to feed malware-oriented news stories to Google News.
A search for News stories where the source was "chipley_bugle" starts out with normal stories for a small town paper, such as:
BBB reports great turnout
and
Chipola Little Indians program for grades 1-8
It falls apart pretty quickly after that. The next several hundred entries, all posted about 18 hours ago, are for "news stories" with pornographic names of all varieties, and incoherent news stories, such as:
www.privatevoyeur.com
Chipley Bugle - 18 hours ago
At this top benzi knows how to progress hr the ravaged significat and female-to-female time she exists in age to have an boyfriend.
or
www.egotastic.com
Chipley Bugle - 18 hours ago
Naked inmates must be reflected websites, critized producers , and began www.egotastic.com. Janice makes him a late law, flossing him ...
You can verify this behavior by going to Google News and searching for "source:chipley_bugle", although I would recommend not following any of the links!
Many of the "news stories", such as the one above, use the names of real porn websites. If the website is followed, it displays a webpage such as this one, which appears from the URL to actually be on the Chipley Bugle website!
The graphics are actually being called by the Chipley Bugle's website from "imageshack.us", but the webpage is being loaded by what looks to be some content injected into the newspapers content-management system.
A "real" news story for the Chipley Bugle uses a URL like this one:
http://www.chipleybugle.com/index.php?option=com_content&view=article&id=2464:fwc-fills-top-law-enforcement-position&catid=3:local-news&Itemid=23
All of the fake news stories that lead to porn sites use URLs like this one:
http://chipleybugle.com/graduation2009/sponsors/?option=com_content&view=article&id=2415:breast-cancer-awareness-symposium&catid=10:events&Itemid=98
Regardless of whether you say "Enter" or "Exit", the web page forwards thevisitor away from the newspaper site to very hard core porn site calling itself "PornTube". All of the images there lead to the following malware, by claiming a new Adobe Player is needed to view the movie:
The malware has these characteristics:
File name: adobeflashplayerv10.0.32.18.exe
File size: 17920 bytes
MD5 : 5f49907a0e20b4ddebc6c31bde9eb6f1
Its currently only detected by 8 of 41 anti-virus products at VirusTotal, however several anti-virus products will still protect from this type of attack by blocking the malicious website on which the malware is hosted:
davaidavai.cn
which is hosted in the Ukraine on the IP address 80.91.176.190.
This IP address is well-known as a malware infection site, hosting such domains as:
kon4a.org
allsearchweb.org
turbosoftware.org
tubeololo.org
trailerfobia.cn
videopublicclub.cn
xratedtube.cn
xvideostube.cn
go-xtube.cn
hugextube.cn
xmoviesarchive.cn
pumpingstorm.cn
prodaemdeshevo.cn
showallwebs.cn
exclusiveprices.cn
weblmovies.cn
go-xmovies.cn
klikaemnavidos.cn
archieprodaet.cn
ourbestsearch.info
allvideoz.info
again, avoid these webpages as they all lead to malware!
The newest web domain was created toay by a user using the email:
scaryscream@gmail.com
The registrar was one frequented by Ukrainian criminals regularly, the Chinese registrar: 广东时代互联科技有限公司 (also known as "now.cn").
Other in the group used other emails and registrars, such as:
ricm512@yahoo.com who used OnlineNIC
or
exshit@yandex.ru who used Directi Internet Solutions
or
win32parit.b@gmail.com who also used 广东时代互联科技有限公司
0 comments:
Post a Comment