If you tell enough stories, perhaps the moral will show up.

2006-07-23

The Scent of 1995

Since Websense is so mechanical about what constitutes Adult Content, I have to check out the sites that have triggered the blocker before phoning HR. So, anyway, I was on the quarantine box just now browsing a porn site off my list, and a dialogue came up inviting me to download and execute "www.google.com"!

Isn't that sweet? Ten years ago ".com" would have set anyone's alarms jangling. Now, that choice of name exudes high quality, safe, brand value. (Only windowsupdate.microsoft.com could be better.....) I nearly pressed the button myself!

I wonder what it would have installed? The download was hosted on http://xearl.com and it seems to have linked from the homepage of Matureskin.net. If you're interested, matureskin.net is not a technical site, nor is it concerned with skincare.
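The lure here is the file name itself: "www.google.com" reads as a trusted hostname, while its final ".com" is one of the extensions Windows runs as a program. As an added example, not code from the original post, the following Python heuristic inspects a name a download prompt proposes and returns the reasons it should be treated with suspicion. The executable-extension set (the default Windows PATHEXT members), the short TLD list and the sample names are this example's own assumptions.

```python
"""Heuristic check on a proposed download file name (added example)."""
import re

# Default members of Windows PATHEXT: names ending this way are run as programs.
EXECUTABLE_EXTENSIONS = {
    ".com", ".exe", ".bat", ".cmd", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".msc",
}

# A few top-level domains a hostname-shaped lure is likely to end in (constructed, not exhaustive).
COMMON_TLDS = {"com", "net", "org", "cc", "info", "biz"}

# One DNS label: 1-63 chars, alphanumerics and hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def executable_extension(name):
    """Return the final extension if Windows would execute this name, else None."""
    dot = name.rfind(".")
    if dot == -1:
        return None
    ext = name[dot:].lower()
    return ext if ext in EXECUTABLE_EXTENSIONS else None


def looks_like_hostname(name):
    """True when every dot-separated part is a valid DNS label and the whole
    thing ends in a common TLD or starts with 'www'."""
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        return False
    return labels[-1].lower() in COMMON_TLDS or labels[0].lower() == "www"


def assess_download_name(name):
    """Return a list of reasons the proposed name is suspicious (empty list = none found)."""
    name = name.strip()
    reasons = []
    ext = executable_extension(name)
    hostlike = looks_like_hostname(name)
    if ext:
        reasons.append("executable extension " + ext)
    if hostlike:
        reasons.append("name is shaped like a hostname")
    if ext and hostlike:
        reasons.append("hostname-shaped executable: brand name used as disguise")
    return reasons


if __name__ == "__main__":
    # Constructed sample names, including the one from the post.
    for sample in ["www.google.com", "windowsupdate.microsoft.com", "setup.exe", "report.pdf"]:
        print(sample, "->", assess_download_name(sample) or "no findings")
```

The two signals are deliberately separate: a plain "setup.exe" is only reported as executable, while a name that is both executable and hostname-shaped gets the extra finding, which is the pattern the post describes.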

2 comments:

TNT said...

What it would have installed: a trojan downloader, which in turn would have downloaded a dropper and installed a rootkit. By the way, I "discovered" these trojans about 5 weeks ago; they were run (or attempted to be run) by several exploits on many web pages. And undetected by *ALL* the AV engines.

Three variants started getting detected when I manually submitted them to the AVs. Some had a fast inclusion response (Kaspersky, Ewido, BOClean) some decent (ClamAV), some godawful (F-Prot).

These trojans are loaded through a (very well done, I must say) javascript obfuscation which routinely loaded a "randomized" location on another remote site. The initial site was gromozon.com, now it's xearl.com. The javascript is on gbeb.cc.

These are all part of the notorious CWS crime ring.

TNT said...

Oh, and by the way, new variants are out, and ONCE AGAIN, they are currently undetected by *ALL* the antivirus engines (at least the ones on virustotal.com).