9 March 2010, 22:12
Years ago, when I started to study viral threats, I discovered Zango.

Zango used viral technologies to spread and remain resident on compromised computers. I won't give a new talk about Zango's past; search engines will do that on their own if you wanna try. Just a few examples:
I was completely laughing out loud after I had read that: http://www.generation-nt.com/zango-logiciel-anti-espion-pc-tools-adware-spyware-actualite-41072.html (in French, sorry ;)

This time, one of the email addresses I use as 'honeypots' received a new email pretending to give me the opportunity to check if some (former) MSN contacts had blocked me.
Well, this is quite well known: at least, nobody knows what these guys will do with your MSN credentials after the "test":
- ID spoofing?
- social engineering?
- online purchase fraud (part of)?

Anyway. I clicked on the link nevertheless, to see if there was any malicious file I could analyse.

Here is the URL:


First of all, if you just click on "connexion" without providing any credentials, Google Chrome will alert you. Well then, but... a bit late! Why the hell does Chrome not warn at the very first access to this suspicious website?


But this is not my last (nor least!) surprise. As a kind of reflex, I had a look at the source code of the webpage (try: view-source:http://www.kiblok.net/index.php?page=viewlist).

I was astonished to notice the following link: 
document.write('<scr' + 'ipt language="javascript" type="text/javascript" src="http://www.kiblok.net.powered-by.zango.com/?a772aa7bfe/ga679ab72f4&g"></scr' + 'ipt>

Wow! Powered by Zango!! Guess who was right to suspect it?

Hey guys, you couldn't be more discreet... :)
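
A static check for the pattern seen in the page source above, as an added example that is not part of the original post: it finds script tags emitted through document.write(), rejoins the '<scr' + 'ipt' split, and reports hosts outside the page's own domain. The injected host begins with www.kiblok.net, so a substring test would accept it as first-party; the comparison is therefore a suffix match on a label boundary. The function names, the sample page and the choice of kiblok.net as the page's site are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample page: the document.write call quoted in the post (closed
# with "');" so it is a complete statement) next to an ordinary local script.
SAMPLE = (
    '<html><body><script src="/js/menu.js"></script>\n'
    "<script>document.write('<scr' + 'ipt language=\"javascript\" "
    'type="text/javascript" src="http://www.kiblok.net.powered-by.zango.com/'
    "?a772aa7bfe/ga679ab72f4&g\"></scr' + 'ipt>');</script></body></html>"
)

WRITE_CALL = re.compile(r"document\.write(?:ln)?\s*\((.*?)(?:\)\s*;|\Z)", re.S)
CONCAT = re.compile(r"""(['"])\s*\+\s*\1""")  # matches  ' + '  or  " + "
SCRIPT_SRC = re.compile(r"""<script\b[^>]*?\bsrc\s*=\s*(["'])(.*?)\1""", re.I | re.S)


def written_script_urls(html):
    """Return src URLs of <script> tags emitted through document.write()."""
    urls = []
    for call in WRITE_CALL.finditer(html):
        # Undo the '<scr' + 'ipt' split before looking for the tag.
        joined = CONCAT.sub("", call.group(1))
        urls += [m.group(2) for m in SCRIPT_SRC.finditer(joined)]
    return urls


def same_site(host, site):
    """True only if host is `site` itself or a subdomain of it."""
    host, site = host.lower().rstrip("."), site.lower().rstrip(".")
    return host == site or host.endswith("." + site)


def foreign_written_scripts(html, site):
    """(host, url) pairs for document.write scripts served from outside `site`."""
    hits = []
    for url in written_script_urls(html):
        host = urlsplit(url).hostname  # None for relative URLs
        if host and not same_site(host, site):
            hits.append((host, url))
    return hits


if __name__ == "__main__":
    for host, url in foreign_written_scripts(SAMPLE, "kiblok.net"):
        print(f"third-party script via document.write: {host}")
```

A production version would compare registrable domains using the Public Suffix List rather than a caller-supplied site name.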