23 May 2011, 00:32

I was just looking at Google Images results for an American actor from a TV series. Then my browser got trapped, as one of the Google Images results led it to:

http://www.google.fr/imgres?imgurl=http://www.celebritylatest.com/wp-content/uploads/premieres/marg_helgenberger_mr_brooks_premiere_3.jpg&imgrefurl=http://www.mainstream.fr/img/-%%%%%-dating.html&usg=__grAZHQrnfxcFdhmvNprdLlOKD70=&h=808&w=1000&sz=70&hl=fr&start=17&sig2=jTOL3-NJ0X06PCeKxHJQ0Q&zoom=1&tbnid=SBAcGCvMS_01OM:&tbnh=120&tbnw=149&ei=KJXZTYXXMoub-gbgwuHGAQ&prev=/search%3Fq%3D

celebritylatest.com has most likely been compromised, because my browser was then redirected to: http://bervert. osa.pl/2.php

 

which in turn sent me to this link:

http://www1.smartyauscanner .co.cc/6zf9gss?jtkay6=jt3j2t6hsNrF1uzyw5vozMWroZeqkOTUxbZpmc7D1Oa2sci6ic3hq5aioZra1Lat6aSH1N3dntfSpsng3dLXkO3lxdxz3dPQ6Nfih9jWoKfAlM7ip6ydj6tpqpuSqaenkq2Z1tXP4trlp6WR2OKasKWYpZrt1eGwl5Keo5mjnKXQl7Jc5%2BCeo6epl6ajlpOjpovW2eHMyudz6uTYpaLswuvYxcna0srYz%2BLexqeipeWP1%2BmfyeTbyp7n1c7T2Zrdxt9z2%2BHV4pmsopqlqYagtMfX3OrQ0%2B1k4uDCoOTlhqe5lY%2Fe1tWW

First there is a nice warning telling me my computer is at risk of being infected by malware...

[Screenshot: MSG_malware_smartyauscanner_230511.JPG]

Then, whatever I do, my browser is sent to this web page:

[Screenshot: AV-scan_malware_smartyauscanner_230511.JPG]

 

There is also another URL that does the same:

http://www1.powervorsoft .co.cc/j48zmy?1rdgeik=Vd%2FN1KLSzNjS3Ivn39OvpqGemqHbyKSYj8zS0emiwsm2mN%2Fio6VhqIrW2Kbi5qadx9varNTSss7moN%2FJjdDY2NvhtMfs69Tq2t%2BM15SvqrmL0tutp6mTpKmmoKSmmaJiqora2crf5eK0i%2Bnf06%2BrppmapebQpJmam6WjqJej26WrmePZsWKllJ2WmZ%2Bioq6L1uXc09zdo%2Buo6ZeV2Mrh1dHf0dbb1dfh4suinaTclcrekejg28rTs%2BLl3NjJ3KKY1szLptPk4%2BeKpbeUpLmUmLqT19bdytvfnt7qxqDm25eltZiiodrUiw%3D%3D

 

Now, obviously, if I click on the "remove all" button (which I do NOT recommend you do), an .exe file shows up as a download... how interesting!

 

Here is the real URL of the website hosting the file:

http://www2.save-mastermme .byinter.net/qjsh106_328.php?kan9=j87XprDK182Q0ofo3cmvoJ%2BdkdHXnbCUnMaPz9OwxLi5k9nYqJKeb5nQ6aKk45iZ1s7Wqs%2FErsngqODGnNCc2szlscfs4tLd0tGUnNaevLdT1tGwrJegn6CcmZKlbKGSroug4cLn6divk%2BTOz56mcKaH6tmZqpWkpJqmnp%2BW0JenX%2BfUs5ZgnZekpJmkoKSLz9DbmtzPs9yk5JSh58bo0s%2FN18XTn9jP6cpb2ZProsrnk%2BXWz8bPdubU386Q1dKZ5srYqtXZ39GTbLSGqKtSn6fV2dfo0t%2FZmdDhmqHR4opfs5Oh5M3ik%2BDazaTbnbDU29ORs8rf2Yk%3D

 

What does VirusTotal say about this sample? Well... only 10 out of 43 engines detect it :( and Kaspersky Security Network did not help.

http://www.virustotal.com/file-scan/report.html?id=e8f307051d84cfc90e5d7a7973a5b9a503136771bee9137325719b840ad28ee0-1306104047

Antivirus Version Last update Result
AhnLab-V3 2011.05.23.00 2011.05.22 -
AntiVir 7.11.8.93 2011.05.22 TR/Dropper.Gen2
Antiy-AVL 2.0.3.7 2011.05.22 -
Avast 4.8.1351.0 2011.05.22 Win32:Delf-PIK
Avast5 5.0.677.0 2011.05.22 Win32:Delf-PIK
AVG 10.0.0.1190 2011.05.22 -
BitDefender 7.2 2011.05.22 -
CAT-QuickHeal 11.00 2011.05.22 -
ClamAV 0.97.0.0 2011.05.22 -
Commtouch 5.3.2.6 2011.05.22 -
Comodo 8797 2011.05.22 -
DrWeb 5.0.2.03300 2011.05.23 -
Emsisoft 5.1.0.5 2011.05.22 Trojan-Dropper.Gen2!IK
eSafe 7.0.17.0 2011.05.22 -
eTrust-Vet 36.1.8339 2011.05.20 -
F-Prot 4.6.2.117 2011.05.22 -
F-Secure 9.0.16440.0 2011.05.22 Rogue:W32/FakeAv.BI
Fortinet 4.2.257.0 2011.05.22 W32/Injector.fam!tr
GData 22 2011.05.23 Win32:Delf-PIK
Ikarus T3.1.1.104.0 2011.05.22 Trojan-Dropper.Gen2
Jiangmin 13.0.900 2011.05.22 -
K7AntiVirus 9.103.4693 2011.05.20 -
Kaspersky 9.0.0.837 2011.05.22 -
McAfee 5.400.0.1158 2011.05.23 -
McAfee-GW-Edition 2010.1D 2011.05.22 -
Microsoft 1.6903 2011.05.22 -
NOD32 6142 2011.05.22 Win32/TrojanDownloader.FakeAlert.BHH
Norman 6.07.07 2011.05.22 -
nProtect 2011-05-22.01 2011.05.22 -
Panda 10.0.3.5 2011.05.22 Suspicious file
PCTools 7.0.3.5 2011.05.19 -
Prevx 3.0 2011.05.23 -
Rising 23.58.06.03 2011.05.22 -
Sophos 4.65.0 2011.05.22 -
SUPERAntiSpyware 4.40.0.1006 2011.05.23 -
Symantec 20111.1.0.186 2011.05.23 -
TheHacker 6.7.0.1.202 2011.05.20 -
TrendMicro 9.200.0.1012 2011.05.22 -
TrendMicro-HouseCall 9.200.0.1012 2011.05.23 -
VBA32 3.12.16.0 2011.05.20 -
VIPRE 9359 2011.05.22 -
ViRobot 2011.5.21.4472 2011.05.22 -
VirusBuster 13.6.367.0 2011.05.22 -
MD5: 6075aad44942356f46c5f33be00f7726
SHA1: 905329745352f85fd20901491ea9aacdacc790d0
SHA256: e8f307051d84cfc90e5d7a7973a5b9a503136771bee9137325719b840ad28ee0
File size: 302080 bytes
Scan date: 2011-05-22 22:40:47 (UTC)

 

More to come (my cat reminds me time's up :) )


Update 1 (24 hours later):

Chromium does alert when trying to access the URL:

[Screenshot: chromium_alert_url_240511.JPG]

 

Update 2 (48 hours later):

Only 2 URL scanners detect the URL, according to VirusTotal:

http://www.virustotal.com/url-scan/report.html?id=8a27b11a8ec194015b0bd305ca94b5b9-1306353987

URL Analysis tool Result
Avira Clean site
BitDefender Malware site
Dr.Web Error
Firefox Clean site
G-Data Malware site
Google Safebrowsing Clean site
Malc0de Database Clean site
MalwareDomainList Clean site
Opera Clean site
ParetoLogic Error
Phishtank Clean site
TrendMicro Clean site
Websense ThreatSeeker Clean site
Wepawet Unrated site
Normalized URL: http://www1.smartyauscanner.co. cc/6zf9gss?jtkay6=jt3j2t6hsNrF1uzyw5vozMWroZeqkOTUxbZpmc7D1Oa2sci6ic3hq5aioZra1Lat6aSH1N3dntfSps
URL MD5: 8a27b11a8ec194015b0bd305ca94b5b9
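The two VirusTotal tables above (the file scan with 10 hits out of 43 engines, and the URL scan with 2 hits out of 14 tools) are plain-text report dumps. The following Python module is an added example, not code from the blog post or from VirusTotal: it parses both table layouts, computes the detection ratio, lists the engines that flagged the sample, and picks out the labels that name the fake-AV family. The embedded `FILE_REPORT` and `URL_REPORT` strings are excerpts copied from the tables on this page, so the ratios they yield are for the excerpt, not the full report.

```python
"""Parse VirusTotal-style report tables pasted as plain text.

Added example (not the blog post's or VirusTotal's code).  The sample
tables below are excerpts of the two reports shown in the post.
"""
import re
from collections import Counter

# Excerpt of the file-scan table from the post: engine, version, last update, result.
FILE_REPORT = """\
Antivirus Version Last update Result
AhnLab-V3 2011.05.23.00 2011.05.22 -
AntiVir 7.11.8.93 2011.05.22 TR/Dropper.Gen2
Avast 4.8.1351.0 2011.05.22 Win32:Delf-PIK
Kaspersky 9.0.0.837 2011.05.22 -
Microsoft 1.6903 2011.05.22 -
NOD32 6142 2011.05.22 Win32/TrojanDownloader.FakeAlert.BHH
Panda 10.0.3.5 2011.05.22 Suspicious file
Symantec 20111.1.0.186 2011.05.23 -
"""

# Excerpt of the URL-scan table from the post: tool name (may contain spaces), verdict.
URL_REPORT = """\
URL Analysis tool Result
Avira Clean site
BitDefender Malware site
Dr.Web Error
Google Safebrowsing Clean site
G-Data Malware site
Wepawet Unrated site
"""

# Verdict strings used by the URL table; matched as line suffixes because the
# tool name on the left can itself contain spaces.
URL_VERDICTS = ("Clean site", "Malware site", "Unrated site", "Error")


def parse_file_report(text):
    """Return {engine: label or None}; '-' in the report means no detection."""
    rows = {}
    for line in text.strip().splitlines()[1:]:      # skip the header row
        parts = line.split(None, 3)                 # engine, version, date, result...
        if len(parts) != 4:
            raise ValueError(f"unexpected row layout: {line!r}")
        engine, _version, _updated, result = parts  # result may contain spaces
        rows[engine] = None if result == "-" else result
    return rows


def parse_url_report(text):
    """Return {tool: verdict} for the URL-scan table."""
    rows = {}
    for line in text.strip().splitlines()[1:]:      # skip the header row
        for verdict in URL_VERDICTS:
            if line.endswith(" " + verdict):
                rows[line[: -len(verdict)].strip()] = verdict
                break
        else:
            raise ValueError(f"unrecognised verdict in row: {line!r}")
    return rows


def detection_ratio(rows):
    """(hits, total): a hit is any engine whose result is not None."""
    hits = sum(1 for result in rows.values() if result is not None)
    return hits, len(rows)


def flagged_engines(rows):
    """Engines that returned a detection label, sorted by name."""
    return sorted(engine for engine, result in rows.items() if result)


def rogue_av_labels(rows):
    """Subset of detections whose label names the fake-AV family (FakeAv / FakeAlert)."""
    return {engine: result for engine, result in rows.items()
            if result and re.search(r"fake(av|alert)", result, re.IGNORECASE)}


def url_verdict_counts(rows):
    """How many tools returned each verdict, e.g. Counter({'Clean site': 9, ...})."""
    return Counter(rows.values())


if __name__ == "__main__":
    files = parse_file_report(FILE_REPORT)
    hits, total = detection_ratio(files)
    print(f"file sample: {hits}/{total} engines flagged it: {flagged_engines(files)}")
    print("fake-AV labels:", rogue_av_labels(files))
    urls = parse_url_report(URL_REPORT)
    print("URL verdicts:", dict(url_verdict_counts(urls)))
```

Pasting the full 43-row and 14-row tables from the post into the two strings reproduces the post's 10/43 and 2 "Malware site" figures; the split on the fourth field is what keeps a multi-word result such as `Suspicious file` intact.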

 

And while I was browsing my disk drive, Kaspersky Anti-Virus popped up a warning regarding the file that had been downloaded after the "fake antivirus scan":

[Screenshot: KAV_detect_260511.jpg]

 

KAV did not alert on its own; I had to open the folder containing the previously undetected file.

This proves again that it is strongly recommended to let the antivirus software do a full system scan on a regular basis (at least every week, or more often if you have any doubt).
