11 May 09

“Farrah Fawcett dead” search leads to malware installation

I stumbled upon another website intended to convince users that they are infected so that they install a fake anti-malware program. This time, searching for the terms ‘farrah fawcett dead’ revealed the website responsible, even though we know Farrah Fawcett is not dead. This is a fairly typical redirection technique: the redirection only completes when the user has been referred from a Google search. Continue below to see screenshots and additional information on the sites in question.

When you click the second link shown in the picture above, you go through the following redirections:

hxxp://test.proudmoores-löwengarde.de/2/pim861.html
-> hxxp://iklopo_automatobb.holdplays.com/index.html?Ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fhl%3Den%26client%3Dfirefox-a%26rls%3Dorg.mozilla%253Aen-US%253Aofficial%26hs%3DSPJ%26as_q%3D%2Bdead%26as_epq%3DFarrah%2BFawcett%2B%26as_oq%3D%26as_eq%3D%26num%3D10%26lr%3D%26as_filetype%3D%26ft%3Di%26as_sitesearch%3D%26as_qdr%3Dw%26as_rights%3D%26as_occt%3Dany%26cr%3D%26as_nlo%3D%26as_nhi%3D%26safe%3Dimages
-> hxxp://liveavantbrowser2.cn/go.php?id=2009-1541&key=cd19f5036&p=1
-> hxxp://computerscanv1.com/1/?id=2009-1541&smersh=262861b37&back=%3DjQwxDjwMgQMMI%3DM
-> hxxp://computerscanv1.com/download/Install_2009-1.exe
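The second hop carries the Google search URL as a URL-encoded Ref parameter, which is how the landing page knows the visitor came from a search and what they searched for. The following is an added example (not code from the post or from the sites it describes) that decodes that parameter, pulls out the search terms, and reconstructs the referrer gate the post describes. The hop URL is copied from the chain above with hxxp restored to http so the parser recognises the scheme; the direct-visit URL, the field descriptions and the gate function are assumptions illustrating the behaviour, not the landing page's actual logic. Nothing is fetched.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed copy of the second hop in the chain above, with the defanged
# "hxxp" restored to "http" so urlsplit recognises the scheme. Nothing is fetched.
HOLDPLAYS_HOP = (
    "http://iklopo_automatobb.holdplays.com/index.html?Ref="
    "http%3A%2F%2Fwww.google.com%2Fsearch%3Fhl%3Den%26client%3Dfirefox-a"
    "%26rls%3Dorg.mozilla%253Aen-US%253Aofficial%26hs%3DSPJ%26as_q%3D%2Bdead"
    "%26as_epq%3DFarrah%2BFawcett%2B%26as_oq%3D%26as_eq%3D%26num%3D10%26lr%3D"
    "%26as_filetype%3D%26ft%3Di%26as_sitesearch%3D%26as_qdr%3Dw%26as_rights%3D"
    "%26as_occt%3Dany%26cr%3D%26as_nlo%3D%26as_nhi%3D%26safe%3Dimages"
)

# Assumed: the same landing page visited directly, with no Ref parameter.
DIRECT_VISIT = "http://iklopo_automatobb.holdplays.com/index.html"

# Google advanced-search parameters as they appear in the referrer.
QUERY_FIELDS = {
    "as_q": "all of these words",
    "as_epq": "this exact phrase",
    "as_oq": "any of these words",
    "as_eq": "none of these words",
    "as_qdr": "date range (w = past week)",
}


def referrer_from_hop(url):
    """Return the URL-decoded Ref= value carried by a redirect hop, or None."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = params.get("Ref") or params.get("ref")
    return values[0] if values else None


def is_google_search_referrer(referrer):
    """True if the referrer is a Google web search results page."""
    if not referrer:
        return False
    parts = urlsplit(referrer)
    host = (parts.hostname or "").lower()
    on_google = host == "google.com" or host.endswith(".google.com")
    return on_google and parts.path == "/search"


def search_terms(referrer):
    """Extract the non-empty advanced-search fields from a Google referrer.

    The inner query string is decoded a second time here, so the '+' signs that
    survived the outer decoding (as_q=+dead, as_epq=Farrah+Fawcett+) become spaces.
    """
    params = parse_qs(urlsplit(referrer).query, keep_blank_values=True)
    terms = {}
    for name in QUERY_FIELDS:
        value = params.get(name, [""])[0].strip()
        if value:
            terms[name] = value
    return terms


def redirect_gate_opens(url):
    """Assumed reconstruction of the gate the post describes: the chain only
    continues when the Ref parameter points at a Google search."""
    return is_google_search_referrer(referrer_from_hop(url))


if __name__ == "__main__":
    ref = referrer_from_hop(HOLDPLAYS_HOP)
    print("referrer:", ref)
    for name, value in search_terms(ref).items():
        print(f"  {name:7} ({QUERY_FIELDS[name]}): {value!r}")
    print("gate opens for search visitor:", redirect_gate_opens(HOLDPLAYS_HOP))
    print("gate opens for direct visitor: ", redirect_gate_opens(DIRECT_VISIT))
```

Run as a script it prints the recovered Google query (exact phrase "Farrah Fawcett", word "dead", results from the past week) and shows the gate closing for the direct visit. When reproducing a chain like this by hand, the practical consequence is that a plain wget or curl of the landing page shows nothing; the Referer header (or, as here, the Ref parameter) has to be supplied.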

The rogue installed on the first go-around is Personal Antivirus, shown below. On repeat visits to the website you are redirected to other domains distributing different rogue programs.

Whois Record for hxxp://liveavantbrowser2.cn
Whois Record for hxxp://computerscanv1.com

Install_2009-1.exe
Result: 1/40 (2.5%)
MD5: fa620ca09480ce88f5ba2ce8e1bd7293
VirusTotal
Anubis Analysis
hxxp://computerscanv1.com/download/

UPDATED 5:00PM 5/11/09

Looking further into the situation, the screenshot below shows the number of pages involved. There are almost 3,000 pages of keywords intended to lead the user to the malware site, so thousands of search-term combinations could be picked up from these sites.

hxxp://test.proudmoores-löwengarde.de = hxxp://xn--proudmoores-lwengarde-tec.de

Whois Record for hxxp://xn--proudmoores-lwengarde-tec.de
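The two spellings of the domain above are the same name: the xn-- form is the punycode (IDNA) encoding that DNS carries on the wire and that the whois lookup uses, while the ö form is only how a browser displays it. A blocklist or log search that compares the strings as typed will miss one of them. The following is an added example, not code from the post, that converts between the two forms with Python's standard idna codec and matches hostnames against a blocklist after normalising them; the blocklist itself is constructed for the example.

```python
# The post's domain in both spellings.
UNICODE_HOST = "test.proudmoores-löwengarde.de"
PUNYCODE_HOST = "test.xn--proudmoores-lwengarde-tec.de"


def to_ascii(hostname):
    """Unicode hostname -> ASCII-compatible (IDNA/punycode) form, label by label."""
    return hostname.encode("idna").decode("ascii")


def to_unicode(hostname):
    """ASCII/punycode hostname -> Unicode display form; plain ASCII labels pass through."""
    return hostname.encode("ascii").decode("idna")


def normalize(hostname):
    """Canonical form for comparison: punycode, lower case, no trailing dot.

    The idna codec lower-cases non-ASCII labels via nameprep but leaves
    all-ASCII labels untouched, so the explicit lower() is still needed.
    """
    return to_ascii(hostname).rstrip(".").lower()


def same_host(a, b):
    """True if two hostnames are the same name regardless of spelling."""
    return normalize(a) == normalize(b)


def on_blocklist(hostname, blocklist):
    """Match a hostname, in either spelling, against a blocklist that may mix
    spellings. An entry blocks the domain itself and all of its subdomains."""
    host = normalize(hostname)
    for entry in blocklist:
        blocked = normalize(entry)
        if host == blocked or host.endswith("." + blocked):
            return True
    return False


# Constructed blocklist of the post's domains, deliberately in mixed spellings.
BLOCKLIST = [
    "proudmoores-löwengarde.de",
    "liveavantbrowser2.cn",
    "computerscanv1.com",
]

if __name__ == "__main__":
    print(UNICODE_HOST, "->", to_ascii(UNICODE_HOST))
    print(PUNYCODE_HOST, "->", to_unicode(PUNYCODE_HOST))
    print("string equal:", UNICODE_HOST == PUNYCODE_HOST)
    print("same host:   ", same_host(UNICODE_HOST, PUNYCODE_HOST))
    for candidate in (UNICODE_HOST, "TEST.XN--PROUDMOORES-LWENGARDE-TEC.DE.",
                      "proudmoores-lowengarde.de"):
        # The last one drops the umlaut entirely and is a different domain.
        print(f"{candidate!r:45} blocked: {on_blocklist(candidate, BLOCKLIST)}")
```

The decode direction also validates the label: the idna codec re-encodes what it decoded and raises UnicodeError if the result does not round-trip, which catches hand-edited or truncated xn-- labels in indicator lists.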
