Saturday, April 11, 2009

Fake page used as a vector for spreading malware

Deception through social engineering is the order of the day on the Internet and the starting point of many security incidents; cloning legitimate websites, or putting up fake ones, is among the most exploited ways of attacking the weakest link in security, the human factor.

Some are more complex than others, and some more appealing or better prepared, but even a crude deception can work: its effectiveness depends directly on the level of security awareness of whoever stumbles into the criminals' trap.

The following screenshot is an example I came across recently. It is a fake site that downloads a binary file called surprise.exe (MD5: 9bd6a9cba442a88839a185eb47c2008c), which is a variant of the malicious code Virtumonde, also known as Vundo or Monde.

For comparison, the next screenshot shows the actual page from sendspace.

One strategy employed in these attacks is to use domain names similar to the real one: here the fake page is at http://sendspace-us.com, imitating the real sendspace domain. This resemblance is, in this case, the starting point of a potential infection.

Another interesting detail is the IP address to which the fake domain resolves: its autonomous system, AS33777, belongs to EgyptNetwork.

In turn, this IP address hosts several more domains.

As we can see, one of the domains on that list is kassperskylabs.cn, very similar to the name of the well-known anti-virus company.
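Both lookalike domains mentioned above (sendspace-us.com imitating sendspace, and kassperskylabs.cn imitating Kaspersky) can be caught automatically by comparing the registrable label of a candidate domain against a watchlist of brand names. The following script is an added example, not code from the original post; the brand watchlist, the distance threshold of 1 and the sample domain list are constructed assumptions, and the label extraction is naive (it takes the second-to-last label and does not handle public suffixes such as co.uk).

```python
import re

# Constructed watchlist: brand token -> the legitimate registrable domain.
# (Assumption for this example; a real deployment would load its own list.)
BRANDS = {
    "sendspace": "sendspace.com",
    "kaspersky": "kaspersky.com",
}

def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def normalize_host(value):
    """Strip scheme, path and copy/paste whitespace ('sendspace-us. com')."""
    host = value.strip().lower()
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host)  # drop http:// etc.
    host = host.split("/", 1)[0]
    return re.sub(r"\s+", "", host)

def registrable_label(host):
    """Naive second-level label: 'kassperskylabs.cn' -> 'kassperskylabs'."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host

def lookalike_score(label, brand):
    """Smallest edit distance between the brand and any window of the label
    whose length is within one character of the brand's length. This catches
    the brand embedded with decorations (sendspace-us, kassperskylabs)."""
    n = len(brand)
    best = None
    for width in range(max(1, n - 1), n + 2):
        for start in range(0, max(1, len(label) - width + 1)):
            d = levenshtein(label[start:start + width], brand)
            if best is None or d < best:
                best = d
    return best

def classify(value, brands=BRANDS, max_distance=1):
    """Return [(brand, distance), ...] for every brand the domain imitates.
    The brand's own legitimate domain (and its subdomains) never matches."""
    host = normalize_host(value)
    label = registrable_label(host)
    hits = []
    for brand, legit in brands.items():
        if host == legit or host.endswith("." + legit):
            continue  # the genuine site, not a lookalike
        score = lookalike_score(label, brand)
        if score <= max_distance:
            hits.append((brand, score))
    return hits

def scan(domains, brands=BRANDS):
    """Map each suspicious input to its lookalike hits (empty list = clean)."""
    return {d: classify(d, brands) for d in domains}

if __name__ == "__main__":
    # Constructed sample list: the two domains from the post plus two controls.
    sample = ["http://sendspace-us. com", "kassperskylabs.cn",
              "www.sendspace.com", "example.org"]
    for domain, hits in scan(sample).items():
        verdict = "LOOKALIKE " + str(hits) if hits else "no match"
        print(f"{domain:28} {verdict}")
```

The sliding-window comparison is what makes this useful beyond a plain typo check: a whole-string edit distance between kassperskylabs and kaspersky would be large, but the window kasspersky sits one deletion away from the brand, which is exactly the kind of near-copy shown in the domain list above. Feeding the output into a block list or a DNS log alert is the natural next step; pivoting on the shared hosting IP, as done above with AS33777, is a separate check.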

Related Information
Phishing Kit In-the-Wild for cloning of web site, version 2 - Spanish version
Phishing Kit In-the-Wild for cloning of web site - Spanish version

# Jorge Mieres
