Web blog d'un ingénieur en sécurité informatique. IT Security watcher's blog: news, threats analysis, AV issues, PoC, IT security, bugs... Contact: philippe.vialle@wanadoo.fr
I was just looking for Google images of an american actor of a serie. Then my browser was trapped, as one of the Google Image results lead it to:
http://www.google.fr/imgres?imgurl=http://www.celebritylatest.com/wp-content/uploads/premieres/marg_helgenberger_mr_brooks_premiere_3.jpg&imgrefurl=http://www.mainstream.fr/img/-%%%%%-dating.html&usg=__grAZHQrnfxcFdhmvNprdLlOKD70=&h=808&w=1000&sz=70&hl=fr&start=17&sig2=jTOL3-NJ0X06PCeKxHJQ0Q&zoom=1&tbnid=SBAcGCvMS_01OM:&tbnh=120&tbnw=149&ei=KJXZTYXXMoub-gbgwuHGAQ&prev=/search%3Fq%3D
and celebritylatest.com has most likely been hacked. Therefore, my browser went to: http://bervert. osa.pl/2.php
I came to that link:
There is first a nice warning, telling me my computer was at risk of being infected by a malware...
Then, whatever I do, my browser will be send to this webpage:
There is also another URL that does the same:
Now, obviously, if I click on the "remove all" button (which I do NOT recommend you to do), an exefile shows up as a download... how interesting!
Here is the real URL of the website hosting the file:
http://www2.save-mastermme .byinter.net/qjsh106_328.php?kan9=j87XprDK182Q0ofo3cmvoJ%2BdkdHXnbCUnMaPz9OwxLi5k9nYqJKeb5nQ6aKk45iZ1s7Wqs%2FErsngqODGnNCc2szlscfs4tLd0tGUnNaevLdT1tGwrJegn6CcmZKlbKGSroug4cLn6divk%2BTOz56mcKaH6tmZqpWkpJqmnp%2BW0JenX%2BfUs5ZgnZekpJmkoKSLz9DbmtzPs9yk5JSh58bo0s%2FN18XTn9jP6cpb2ZProsrnk%2BXWz8bPdubU386Q1dKZ5srYqtXZ39GTbLSGqKtSn6fV2dfo0t%2FZmdDhmqHR4opfs5Oh5M3ik%2BDazaTbnbDU29ORs8rf2Yk%3D
What does VT says for this sample, well... only 10 out of 43 engines do detect it :( and Kaspersky Security Network did not help.
| Antivirus | Version | Last update | Result |
|---|---|---|---|
| AhnLab-V3 | 2011.05.23.00 | 2011.05.22 | - |
| AntiVir | 7.11.8.93 | 2011.05.22 | TR/Dropper.Gen2 |
| Antiy-AVL | 2.0.3.7 | 2011.05.22 | - |
| Avast | 4.8.1351.0 | 2011.05.22 | Win32:Delf-PIK |
| Avast5 | 5.0.677.0 | 2011.05.22 | Win32:Delf-PIK |
| AVG | 10.0.0.1190 | 2011.05.22 | - |
| BitDefender | 7.2 | 2011.05.22 | - |
| CAT-QuickHeal | 11.00 | 2011.05.22 | - |
| ClamAV | 0.97.0.0 | 2011.05.22 | - |
| Commtouch | 5.3.2.6 | 2011.05.22 | - |
| Comodo | 8797 | 2011.05.22 | - |
| DrWeb | 5.0.2.03300 | 2011.05.23 | - |
| Emsisoft | 5.1.0.5 | 2011.05.22 | Trojan-Dropper.Gen2!IK |
| eSafe | 7.0.17.0 | 2011.05.22 | - |
| eTrust-Vet | 36.1.8339 | 2011.05.20 | - |
| F-Prot | 4.6.2.117 | 2011.05.22 | - |
| F-Secure | 9.0.16440.0 | 2011.05.22 | Rogue:W32/FakeAv.BI |
| Fortinet | 4.2.257.0 | 2011.05.22 | W32/Injector.fam!tr |
| GData | 22 | 2011.05.23 | Win32:Delf-PIK |
| Ikarus | T3.1.1.104.0 | 2011.05.22 | Trojan-Dropper.Gen2 |
| Jiangmin | 13.0.900 | 2011.05.22 | - |
| K7AntiVirus | 9.103.4693 | 2011.05.20 | - |
| Kaspersky | 9.0.0.837 | 2011.05.22 | - |
| McAfee | 5.400.0.1158 | 2011.05.23 | - |
| McAfee-GW-Edition | 2010.1D | 2011.05.22 | - |
| Microsoft | 1.6903 | 2011.05.22 | - |
| NOD32 | 6142 | 2011.05.22 | Win32/TrojanDownloader.FakeAlert.BHH |
| Norman | 6.07.07 | 2011.05.22 | - |
| nProtect | 2011-05-22.01 | 2011.05.22 | - |
| Panda | 10.0.3.5 | 2011.05.22 | Suspicious file |
| PCTools | 7.0.3.5 | 2011.05.19 | - |
| Prevx | 3.0 | 2011.05.23 | - |
| Rising | 23.58.06.03 | 2011.05.22 | - |
| Sophos | 4.65.0 | 2011.05.22 | - |
| SUPERAntiSpyware | 4.40.0.1006 | 2011.05.23 | - |
| Symantec | 20111.1.0.186 | 2011.05.23 | - |
| TheHacker | 6.7.0.1.202 | 2011.05.20 | - |
| TrendMicro | 9.200.0.1012 | 2011.05.22 | - |
| TrendMicro-HouseCall | 9.200.0.1012 | 2011.05.23 | - |
| VBA32 | 3.12.16.0 | 2011.05.20 | - |
| VIPRE | 9359 | 2011.05.22 | - |
| ViRobot | 2011.5.21.4472 | 2011.05.22 | - |
| VirusBuster | 13.6.367.0 | 2011.05.22 | - |
| MD5: 6075aad44942356f46c5f33be00f7726 |
| SHA1: 905329745352f85fd20901491ea9aacdacc790d0 |
| SHA256: e8f307051d84cfc90e5d7a7973a5b9a503136771bee9137325719b840ad28ee0 |
| File size: 302080 bytes |
| Scan date: 2011-05-22 22:40:47 (UTC) |
More to come (my cat reminds me time's up :) )
Update 1 (24 hours later):
Chromium does alert while trying to access the URL:
Update 2 (48 hours later):
Only 2 URL scanners do detect the URL, according to VT:
http://www.virustotal.com/url-scan/report.html?id=8a27b11a8ec194015b0bd305ca94b5b9-1306353987
| URL Analysis tool | Result |
|---|---|
| Avira | Clean site |
| BitDefender | Malware site |
| Dr.Web | Error |
| Firefox | Clean site |
| G-Data | Malware site |
| Google Safebrowsing | Clean site |
| Malc0de Database | Clean site |
| MalwareDomainList | Clean site |
| Opera | Clean site |
| ParetoLogic | Error |
| Phishtank | Clean site |
| TrendMicro | Clean site |
| Websense ThreatSeeker | Clean site |
| Wepawet | Unrated site |
| Normalized URL: http://www1.smartyauscanner.co. cc/6zf9gss?jtkay6=jt3j2t6hsNrF1uzyw5vozMWroZeqkOTUxbZpmc7D1Oa2sci6ic3hq5aioZra1Lat6aSH1N3dntfSps |
| URL MD5: 8a27b11a8ec194015b0bd305ca94b5b9 |
And while browsing my disk drive, Kaspersky antivirus did pop up a warning regardng the file that had been downloaded after the "fake antivirus scan":

KAV did not alert by itself, I had to access the folder where the file formerly undetected is.
This proves again it is strongly recommended to let the antivirus software do a full system scan, on a regular basis (at least, very week, or more often if you have any doubt).