Wednesday, June 11, 2008

ImageShack Typosquatted to Serve Malware

This is ironic because you have one of the most popular image sharing sites typosquatted, and malware served by copying ImageShack's directory structure, next to using spoofed image files which are the actual executables - "Fake ImageShack site serving malware, links distributed over IM"

"The real ImageShack site is imageshack.us, however, the malware authors are impersonating ImageShack and using imageshaack.org (64.74.125.21), in particular imageshaack.org/img/Picture275.jpg, which is where the malware is. Once the user gets infected with the malware, Backdoor.Win32.SdBot.eiu in this case, the host joins an IRC channel where the botnet masters continue issuing commands for the campaign to spread"

Scanners Results : 14/32 (43.75%)
Backdoor.Win32.SdBot.eiu; a variant of Win32/Injector.AV
File size: 31040 bytes
MD5...: eef33ca4036a5bf709f62098c55fb751
SHA1..: 5e7bdde09c760031c0a29cc0bb2ee2503aff3bf3

The malware then connects to simplythebest.mydyn.net:6532 (81.169.171.145) joining channel #99993333 with password plasma1991, acting as the C&C for this campaign spreading over MSN.

No comments:

Post a Comment