Well I’m not actually one to squirm or shiver when it comes to ghosts and ghouls and ‘the undead’ that they say rise from the underground and comes out during the night of the 31st of October. It’s quite another thing that I’m pretty anxious about… and it’s really much more ghastly and hellish (in my point of view that is).
What I’m talking about are malwares – and those malware authors who use special events, such as the coming Halloween, as a social engineering ploy to fool unsuspecting users to say, click on a website that’s part of a search query they just made via Google, allowing a bunch of exploits, malwares and spywares to infiltrate the users’ systems – just like a whole gamut of evil spirits that will reside and continually haunt your environment… And this is just what will happen exactly if we didn’t discover the website described below and promptly released solutions for this ghoulish scheme as early as possible.
The site in question is one of the top query results when you search for “Halloween Sites”in Google. Shown below is the top banner that users will see upon entering the site.
And when users click on this link, they’ll find themselves being redirected to URLs using IFRAMEs found at the bottom of the site. These URLs, using malicious scripts, will infect systems with a devilish trojan downloader that uses the filename of win32.exe. The malicious scripts exploit known vulnerabilities which include but are not limited to:
- COM Object Instantiation Memory Corruption Vulnerability – CAN-2005-2127
- Microsoft Windows MDAC Vulnerability – CVE-2006-0003
- Cursor and Icon Format Handling Vulnerability – CAN-2004-1049
- Graphics Rendering Engine Vulnerability – CVE-2005-4560 (aka the WMF vulnerability)
Shown below are snapshots of one of the sites in question where the scripts are escaped and then finally decoded to reveal some of the exploits being used.
The win32.exe file, which can be classified as a variant of TROJ_GALAPOPER, downloads more ghoul codes in the form of JPEG files, which are variants of TROJ_TIBS. These files are actually also downloader executables, embedded inside a .jpg file format. All of these files will install themselves in the system, leaving the computer being compromised by a remote hacker somewhere in Russia. And what’s more, AV detection rate is quite low for the trojans described above. It’s a good thing though, that Trend Micro detects these malwares and also blocks the malicious URLs in its product implementations.
Sneaky?… Yes it is… But the term I prefer to use is Ssscary… Booooooo…
After all, it’s a Halloween Site, right? And if you are afraid of (not of ghosts or ghouls) but of exploits, malwares and spywares that will hound your system, better be careful when browsing unknown sites, this Halloween and everytime for that matter!
NOTE: The site is alive and hosting malcode up to the time of this writing and has been reported to the proper authorities for take down.