Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

Winfixer raises its ugly head again, via blog comments and site redirects

February 28th 2007 in Uncategorized

***WARNING – DO NOT GO TO THE MUNGED URLS IN THIS ARTICLE***


First I see a sudden jump in emails and comments asking for help to get rid of Winfixer popups – three comments asking for help with winfixer in the space of just 12 hours:
http://msmvps.com/blogs/spywaresucks/archive/2006/12/20/433987.aspx


Then I get this email today asking for help:


“i’m being bombarded with what appears to be actually written (not spam) comments containing a url.


this is the one: hXXp://www.sessit.port5.com


they are most definitely hand written as they are definitely referring to the post they’re commenting on.


out of curiosity i opened that url up at home and Trend went berserk – so somebody, with the knowledge of spyware/naughty sites, is purposely listing it on my comments. Have you seen anything like this before? eg, is it a VERY clever spam bot or some pimple-faced teenager with less brains than cardboard?”


I’ve just started trawling through my own blog spam and am finding more malware blog comments with URLs that redirect to systemdoctor.com and other domains, and try to convince victims to install winfixer.


So far I have found the following additional URLs in winfixer related malware comments (expect this list to be updated as I go through the comments):


hxxp://www.flryanair.org/uomo
hxxp://www.recpnsione.org/ferrari
hxxp://www.recpnsione.org/italia
hxxp://www.bovso.org/bambini
hxxp://www.bikini.741.com
hxxp://www.trenitalia.275mb.com


Being the curious type, and working on an extremely well protected box, I went to check out the URL in the email and other URLs I am finding in my comment spam.


I was, to be honest, shocked when the URL redirected to none other than www.systemdoctor.com – specifically:
hxxp://www.systemdoctor.com/download/2006/index.php?aid=swp_sdr_ed2&lid=5095&affid=pp_888314101&ex=1&ax=1


Not only that, an alert was also triggered for worm_nuwar.aai – I *think* that the alert was triggered by the primary URL before I was redirected to the systemdoctor site.


Yes, you guessed it, the malware known as winfixer is rearing its ugly head again, trying yet another way to get on to systems, this time via blog comments.


Note that more than one person has been able to confirm that the URL in the blog comment only redirects to systemdoctor once.  If you use the URL a second time you are redirected to www.true-search.net – another site that tried to install winfixer. The actual URL I was redirected to was:
hxxp://www.true-search.net/search.php?id=47206&said=&qq=sex


The site tries to redirect visitors to a winantiviruspro site, being:
hxxp://www.amaena.com/securityworm5/index.php?aid=swp_was7_au_en_ed2&lid=5095&affid=pp_6572714101&ax=1&p=was&ex=1&h=0&j=0


Again, being a curious type I downloaded the Systemdoctor scanner to see what virus check results I’d get back – yep, we got a slew of hits for winfixer when the installer was tested.


Note that I am also seeing the classic winfixer popup warnings at the various malware URLs, warning of various problems on visitors’ computers; when closed, they trigger another pop-up warning that the scan is incomplete and offering only an OK button – all the normal winfixer tricks.
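For anyone moderating a blog and wondering how to spot this kind of comment spam before a reader clicks on it, here is a small Python triage script. It is an added example, not code from the original post: it pulls URLs out of comment text, de-munges hxxp links, flags any that point at the rogue hosts listed in this post, and extracts the affiliate tracking parameters (aid, lid, affid) from the landing URLs so related redirect chains can be compared. The domain list and the two landing URLs are the ones quoted in the post; the sample comments are constructed, and the function names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Rogue hosts named in this post: the comment-spam hosts plus the
# landing sites they redirect to. Subdomains of each are matched too,
# so www.systemdoctor.com and www.sessit.port5.com both hit.
ROGUE_DOMAINS = {
    "sessit.port5.com", "flryanair.org", "recpnsione.org", "bovso.org",
    "bikini.741.com", "trenitalia.275mb.com", "systemdoctor.com",
    "true-search.net", "amaena.com",
}

# Landing URLs quoted in the post (kept munged as hxxp so nobody clicks them).
SYSTEMDOCTOR_URL = ("hxxp://www.systemdoctor.com/download/2006/index.php"
                    "?aid=swp_sdr_ed2&lid=5095&affid=pp_888314101&ex=1&ax=1")
AMAENA_URL = ("hxxp://www.amaena.com/securityworm5/index.php"
              "?aid=swp_was7_au_en_ed2&lid=5095&affid=pp_6572714101"
              "&ax=1&p=was&ex=1&h=0&j=0")

# Matches live http(s) links and defanged hxxp/hXXp links in free text.
URL_RE = re.compile(r"\b(?:hxxp|https?)://[^\s<>\"')]+", re.IGNORECASE)


def demunge(url):
    """Turn a defanged hxxp:// link back into http:// for parsing only."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def host_of(url):
    """Lower-cased hostname of a (possibly munged) URL, or '' if unparseable."""
    return (urlsplit(demunge(url)).hostname or "").lower()


def is_rogue(host):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in ROGUE_DOMAINS)


def extract_urls(text):
    return URL_RE.findall(text)


def triage_comments(comments):
    """Return (comment_index, url, host) for every URL pointing at a rogue host."""
    hits = []
    for i, body in enumerate(comments):
        for url in extract_urls(body):
            host = host_of(url)
            if is_rogue(host):
                hits.append((i, url, host))
    return hits


def affiliate_params(url):
    """Pull the affiliate-tracking keys (aid, lid, affid) out of a landing URL."""
    qs = parse_qs(urlsplit(demunge(url)).query)
    return {k: qs[k][0] for k in ("aid", "lid", "affid") if k in qs}


def shared_params(urls):
    """Tracking keys whose value is identical across every landing URL given."""
    param_sets = [set(affiliate_params(u).items()) for u in urls]
    if not param_sets:
        return {}
    common = param_sets[0]
    for s in param_sets[1:]:
        common &= s
    return dict(common)


# Constructed sample comments (not real comments from this blog).
SAMPLE_COMMENTS = [
    "Great post about the bouncing box! More here: http://www.sessit.port5.com",
    "Thanks, this fixed my IE problem. See http://www.example.org/ie-fix",
    "Nice writeup, also hXXp://www.flryanair.org/uomo and http://www.bikini.741.com/",
]

if __name__ == "__main__":
    for idx, url, host in triage_comments(SAMPLE_COMMENTS):
        print(f"comment {idx}: rogue host {host} via {url}")
    print("shared tracking params:", shared_params([SYSTEMDOCTOR_URL, AMAENA_URL]))
```

Running shared_params over the two landing URLs from the post shows that the systemdoctor and amaena (winantiviruspro) pages carry different aid and affid values but the same lid=5095, which is the kind of detail worth keeping when you write up an incident like this one.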


This incident is a new low in the fight against winfixer malware infiltration.  Regular readers of this blog will know about the Messenger Plus! sponsor program advert infiltrations; they’ll know about the MySpace advert infiltration; they’ll know about the ActiveWin advert infiltration; they’ll know about the Windows Live Messenger banner advert infiltration.  Now those behind Winfixer are spreading their wings, and trying to get their malware on to our systems via blog comments.


I’m sure there will be more information to be revealed when I have had time to make a few calls about this, and send a few emails.


You can see the message source of the initial malware link in the blog comments here:
http://msmvps.com/files/folders/spywaresucks/entry627114.aspx


Message source from the second page here – note the winfixer entry at very bottom of the code:
http://msmvps.com/files/folders/spywaresucks/entry627156.aspx


Information about the malware worm_nuwar.aai here:
http://origin.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FNUWAR%2EAAI&VSect=T


Here is a screenshot of most of the scan results for the systemdoctor download:


2 comments to...
“Winfixer raises its ugly head again, via blog comments and site redirects”

Corrine

Any connection to this:
http://news.com.com/Storm+Worm+variant+targets+blogs%2C+bulletin+boards/2100-7349_3-6162623.html

I checked other feeds this morning but didn’t find anything else so have no further information.

“The new Storm Worm variant attacks the machines of unsuspecting users when they open an e-mail attachment, click on a malicious e-mail link or visit a malicious site, said Dmitri Alperovitch, principal research scientist at Secure Computing.

{snip}

But the twist comes when these people later post blogs or bulletin board notices. The software will insert into each of their postings a link to a malicious Web site, said Alperovitch, who rates the threat as “high.”

{snip}

The danger in this most recent case, he added, is that the user is actually posting a legitimate blog or bulletin board notice, unaware that a malicious link has been slipped into the text of the posting.”



sandi

No, I don’t think so. That Storm variant is pushing users to various postcard/greeting sites. This winfixer outbreak is completely different.

I think the outbreak you are thinking about is this one:

http://msmvps.com/blogs/harrywaldron/archive/2007/02/28/mespam-trojan-new-storm-worm-version-spreading-as-blog-comments.aspx

