
June 11th, 2008

Fake ImageShack site serving malware, links distributed over IM

Posted by Dancho Danchev @ 6:05 am

Categories: Black Hat, Botnets, Complex Attacks, Passwords, Spam and Phishing, Viruses and Worms

Tags: ImageShack, Malware, SdBot, Instant Messaging, MSN, Dancho Danchev

By combining domain typosquatting with spoofed image files, malware authors have managed to successfully impersonate ImageShack, the 5th largest image hosting website on the Internet. The result is a malware campaign circulating over MSN, enticing users into infecting themselves by clicking on spammed links to fake image files. This currently active IM malware campaign is yet another indication that the “don’t click on executable files” security tip is on the verge of irrelevance. Social engineering, however, isn’t: impersonating ImageShack to serve fake images, which are in fact trojans turning the infected hosts into zombies, is a well-coordinated social engineering campaign combining several different tactics.

The real ImageShack site is imageshack.us; however, the malware authors are impersonating ImageShack using imageshaack .org, in particular imageshaack.org /img/Picture275.jpg, which is where the malware is hosted. Once the user gets infected with the malware, Backdoor.Win32.SdBot.eiu in this case, the host joins an IRC channel where the botnet masters continue issuing commands for the campaign to spread, like the following:

!msn.msg lool!! :D http ://imageshaack.org /img/Picture275.jpg  |!trition.msg lool!! :D http ://imageshaack.org/img /Picture275.jpg  topic set by Everglades on Wed Jun 11 15:41:57

“!msn.msg Haha is that you;)? http ://imageshaack.org /img/Picture275.jpg?|!trition.msg http: //imageshaack.org/img /Picture275.jpg

Until the site gets shut down, consider being extra vigilant about IM messages received. While this is a somewhat more creative social engineering attack than the majority of the average ones I’ve seen this month, non-executable files are apparently just as dangerous as executable ones.
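One way to automate that vigilance, as an added example that is not part of the original post: a filter that flags IM links whose domain label sits within a small edit distance of a known site while not being that site. The allow-list, function names and the two benign sample messages are assumptions constructed for illustration; the label extraction is deliberately naive.

```python
import re
from urllib.parse import urlsplit

# Assumption: the defender keeps an allow-list of brand label -> genuine domain.
KNOWN_SITES = {"imageshack": "imageshack.us"}
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".bmp")

def edit_distance(a, b):
    """Levenshtein distance via row-by-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def extract_urls(message):
    """Pull http(s) URLs out of a message, undoing the space-defanging used in the post."""
    text = re.sub(r"\s*:\s*//", "://", message)
    text = re.sub(r"\s+(?=[./])", "", text)
    return re.findall(r"https?://[^\s|]+", text)

def check_url(url):
    """Return a finding if the host imitates a known site, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if any(host == d or host.endswith("." + d) for d in KNOWN_SITES.values()):
        return None  # genuine domain or one of its subdomains
    label = host.split(".")[-2] if "." in host else host  # naive: ignores multi-part suffixes
    for brand, real in KNOWN_SITES.items():
        distance = edit_distance(label, brand)
        if distance <= 2:  # 0 means the right name on the wrong TLD
            return {"host": host, "imitates": real, "distance": distance,
                    "image_lure": parts.path.lower().endswith(IMAGE_EXT)}
    return None

def scan(messages):
    return [f for m in messages for u in extract_urls(m) if (f := check_url(u))]

SAMPLE = [
    "lool!! :D http ://imageshaack.org /img/Picture275.jpg",             # from the post
    "Haha is that you;)? http ://imageshaack.org /img/Picture275.jpg?",  # from the post
    "holiday pics http://imageshack.us/img/beach.jpg",                   # constructed, genuine
    "meeting notes http://example.com/notes.pdf",                        # constructed, unrelated
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

The `image_lure` field marks the combination the post describes: a lookalike host serving a path that ends in an image extension.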

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.


  • Talkback
  • Most Recent of 4 Talkback(s)
Yep
Has anyone reported malware for any other platform recently?
Posted by: epcraig Posted on: 06/12/08
virustotal.com analysis  qmlscycrajg | 06/11/08
"Win32"  RestonTechAlec | 06/11/08
Yep  epcraig | 06/12/08
RE: Fake ImageShack site serving malware, links distributed over IM  cburkitt2 | 06/12/08
