From: Virus Guy on 23 Dec 2009 22:24

So I'm watching TV and there's this hokey commercial that I've seen a few times now of a cartoon guy that plugs himself in. No audio that I can remember, and some text that gets displayed at the end:

Day 360 is coming

I plug that into google and get this:

-----------------
DAY 360 IS COMING
DAY 360 IS COMING: Crater Lake National Park is open year-round, 24 hours a day. ... Call 360- 569-2411 for information on ski rentals and lessons or ...
www.svleonberg.de/?sid=day-360-is-coming - Cached
-----------------

That's the first hit. No other hits look even remotely close (lots of references to Xbox 360).

So the hit is hot-linked to this:

hxxp://www.svleonberg.de/?sid=day-360-is-coming

Which takes me on a ride to a fake AV scan, which finally offers install.exe from here:

hxxp://supercheckfree.com/downloader.php?affid=94800

VT gets a hit rate of 12/40 on that one, calling it Koobface, Eldorado, Winwebsec, Kryptik (specifically) and FakeAlert, Fraudtool, and RogueSecurity (generally). No hits from Kaspersky.

Can anyone explain how or what generated the stuff that google picked up that resulted in the rogue link being the first hit for this search? How exactly do these rogue links get so highly placed by google? Was this a coincidence, or was this TV commercial somehow linked to a mechanism to spread this malware via search queries?

And I still don't know what the hell that TV commercial is all about...
From: Duh_Oz on 23 Dec 2009 23:26

On Dec 23, 9:24 pm, Virus Guy <Vi...(a)Guy.com> wrote:
> So I'm watching TV and there's this hokey commercial that I've seen a
> few times now of a cartoon guy that plugs himself in. No audio that I
> can remember, and some text that gets displayed at the end:
>
> Day 360 is coming
>
> I plug that into google and get this:
>
> -----------------
> DAY 360 IS COMING
> DAY 360 IS COMING: Crater Lake National Park is open year-round, 24
> hours a day. ... Call 360- 569-2411 for information on ski rentals and
> lessons or ...www.svleonberg.de/?sid=day-360-is-coming- Cached
> -----------------
>
> That's the first hit. No other hits look even remotely close (lots of
> references to Xbox 360).
>
> So the hit is hot-linked to this:
>
> hxxp://www.svleonberg.de/?sid=day-360-is-coming
>
> Which takes me on a ride to a fake AV scan, which finally offers
> install.exe from here:
>
> hxxp://supercheckfree.com/downloader.php?affid=94800
>

========
Using FF, I got a "Reported Attack Site!"

This web site at supercheckfree.com has been reported as an attack site and has been blocked based on your security preferences.
========

With IE, the fake scan started up :-)
From: FromTheRafters on 24 Dec 2009 09:16

"Virus Guy" <Virus(a)Guy.com> wrote in message news:4B32DEE3.3A128B84(a)Guy.com...

[...]

Just as an FYI, the following appears as a clickable link in OE

www.svleonberg.de/?sid=day+360-is-coming - Cached

I know you care because of your obfuscation in the form of hxxp in the other references to that URL.

> Can anyone explain how or what generated the stuff that google picked
> up
> that resulted in the rogue link being the first hit for this search?

Part of Google's algorithm rates URLs according to how many places link to that URL. This is why spamming of URLs is useful for spammers - it earns them a higher place on search engines that prioritize results by (apparent) popularity.

> How exactly do these rogue links get so highly placed by google? Was
> this a coincidence, or was this TV commercial somehow linked to a
> mechanism to spread this malware via search queries?

It could be both as above, and the popularity by other media as you suggest. In this case it *might* just be coincidence, but I'm sure malware uses interference with other recent popular search queries.

> And I still don't know what the hell that TV commercial is all
> about...

I haven't seen it, but you got me curious now too.
From: Virus Guy on 24 Dec 2009 10:06

FromTheRafters wrote:
> "Virus Guy" <Virus(a)Guy.com> wrote in message
>
> Just as an FYI, the following appears as a clickable link in OE
>
> www. svleonberg.de/?sid=day+360-is-coming - Cached

Well, that's good to know - too bad that OE works that way.

I've come across other links that take you to the same malware:

----------------------------------
· Einzeller: Der Türke on Air.. Ich hätte es fast vergessen ...
.... jeremy steinke · black snuggie · day 360 is coming · i wish it was christmas today · galewher.com facebook · brett dennen · world chocolate championship ...
www. blogoperium.de/.../oh-wie-geil-telefonterror-mitm-tuerke/ - Cached - Similar
----------------------------------

hxxp://www.blogoperium.de/internet/oh-wie-geil-telefonterror-mitm-tuerke/

--------------------------------
DJ Hero Bundle ab 39,90€ inkl. Versand bei Amazon | abstauben24.de ... - [ Translate this page ]
... jeremy steinke · black snuggie · day 360 is coming · i wish it was christmas today · galewher.com facebook · brett dennen · world chocolate championship ...
www. abstauben24.de/.../dj-hero-bundle-ab-65-euro-inklusive-versand/ - Cached
--------------------------------

hxxp://www.abstauben24.de/amazon/dj-hero-bundle-ab-65-euro-inklusive-versand/

The domains/sites seem to belong to the same server farm:

www. svleonberg.de : 82.100.220.51
www. blogoperium.de : 82.100.220.58
www. abstauben24.de : 82.100.220.58

If you want to see all the domains hosted on those various IP addresses, look here:

http://www.robtex.com/ip/82.100.220.51.html#shared
http://www.robtex.com/ip/82.100.220.58.html#shared

I'm not sure if all those domains were set up recently to host this malware, or if this is a hijacked server farm.
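The two things the thread pivots on when triaging these results are (a) the landing URL or snippet echoing the exact search phrase (the `?sid=day-360-is-coming` parameter, and the `·`-separated list of unrelated trending terms in the blogoperium/abstauben24 snippets) and (b) the hosts resolving into the same netblock. The script below is an added example from the editor, not code posted by anyone in this thread; it turns those two observations into a small offline triage check. The records are constructed from the URLs, IPs and snippets quoted above plus one made-up benign control entry (www.example.org, 198.51.100.7); the /24 grouping is a heuristic stand-in for the robtex "shared hosting" lookup, not a replacement for it.

```python
"""Triage helper for suspected search-engine (SEO) poisoning results.

Two independent indicators are computed per search result:
  * url_echoes_query       - the search phrase appears, token for token, in the
                             URL path or query string (keyword-driven landing page)
  * keyword_list_in_snippet - the snippet is a list of unrelated short phrases
                             that happens to contain the search phrase
plus a third, cross-result indicator:
  * shared_netblock        - several result hosts resolve into the same /24
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: the three hits quoted in the thread plus a benign
# control record (www.example.org / 198.51.100.7) that is made up.
SAMPLE_RESULTS = [
    {"query": "day 360 is coming",
     "url": "http://www.svleonberg.de/?sid=day-360-is-coming",
     "ip": "82.100.220.51",
     "snippet": "DAY 360 IS COMING: Crater Lake National Park is open year-round, "
                "24 hours a day. ... Call 360- 569-2411 for information on ski rentals and lessons or ..."},
    {"query": "day 360 is coming",
     "url": "http://www.blogoperium.de/internet/oh-wie-geil-telefonterror-mitm-tuerke/",
     "ip": "82.100.220.58",
     "snippet": "... jeremy steinke · black snuggie · day 360 is coming · i wish it was christmas today "
                "· galewher.com facebook · brett dennen · world chocolate championship ..."},
    {"query": "day 360 is coming",
     "url": "http://www.abstauben24.de/amazon/dj-hero-bundle-ab-65-euro-inklusive-versand/",
     "ip": "82.100.220.58",
     "snippet": "... jeremy steinke · black snuggie · day 360 is coming · i wish it was christmas today "
                "· galewher.com facebook · brett dennen · world chocolate championship ..."},
    {"query": "day 360 is coming",                      # constructed control record
     "url": "https://www.example.org/news/crater-lake-winter",
     "ip": "198.51.100.7",
     "snippet": "Crater Lake National Park winter hours and road conditions."},
]


def query_tokens(query):
    """Lower-case alphanumeric tokens of the search phrase."""
    return [t for t in re.split(r"[^a-z0-9]+", query.lower()) if t]


def url_echoes_query(url, query):
    """True when the search phrase appears, token for token, in the URL path or query string.
    Separators such as '-', '+' and '=' are normalised to spaces first."""
    parsed = urlparse(url)
    haystack = (parsed.path + " " + parsed.query).lower()
    normalised = re.sub(r"[^a-z0-9]+", " ", haystack).strip()
    return " ".join(query_tokens(query)) in normalised


def snippet_is_keyword_list(snippet, query, min_fragments=4):
    """True when the snippet is a '·'-separated list of short phrases containing the query."""
    fragments = [f.strip() for f in snippet.split("·") if f.strip()]
    return len(fragments) >= min_fragments and query.lower() in snippet.lower()


def netblock24(ip):
    """Heuristic grouping key: the /24 containing the IPv4 address."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def cluster_by_netblock(results):
    """Map each /24 to the set of result hostnames that resolve into it."""
    clusters = defaultdict(set)
    for r in results:
        clusters[netblock24(r["ip"])].add(urlparse(r["url"]).hostname)
    return dict(clusters)


def triage(results):
    """Return one report entry per result with the indicators that fired."""
    clusters = cluster_by_netblock(results)
    report = []
    for r in results:
        block = netblock24(r["ip"])
        indicators = []
        if url_echoes_query(r["url"], r["query"]):
            indicators.append("url_echoes_query")
        if snippet_is_keyword_list(r["snippet"], r["query"]):
            indicators.append("keyword_list_in_snippet")
        if len(clusters[block]) > 1:
            indicators.append("shared_netblock:%d hosts" % len(clusters[block]))
        report.append({"host": urlparse(r["url"]).hostname, "netblock": block,
                       "indicators": indicators, "suspicious": bool(indicators)})
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_RESULTS):
        flag = "SUSPICIOUS" if entry["suspicious"] else "ok"
        print("%-22s %-18s %-10s %s" % (entry["host"], entry["netblock"], flag, ", ".join(entry["indicators"])))
```

Run on the sample, the svleonberg hit fires on the URL echo and the shared netblock, the two German blog hits fire on the keyword-list snippet and the shared netblock, and the control record fires on nothing. Any single indicator is weak on its own (legitimate sites share hosting, and a real page can contain the phrase), which is why the report keeps them separate rather than collapsing them into a score.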