Camouflaging malware URLs

February 14, 2008 on 8:28 pm | In Malware analysis | 3 Comments

Recently we have seen a trend of spam mails that use camouflaged links to get you to a malware-distributing site.

Two examples that worked when tested on February 8, 2008:
Google?
Follow the leader

If you look closely you will notice that they both redirect you to my subdomain at geekstogo, but at first sight most users would expect to see search results rather than being sent somewhere.

Of course the malware distributors are not as nice as I am. 🙂
I just sent you to the site, but with the same effort there will be a (php or other) script waiting for you that dumps a trojan on your computer.

I stole those two tricks out of mails sent by the same distributor and I would have ended up installing the rogue VirusHeat if I hadn’t gone in expecting the worst and protected accordingly.
Both mails promised me a video with Britney and not one recorded while she was making music. 😉

Yahoo seems to have fixed the problem with their redirect service in the meantime.
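
A mail filter can catch this kind of camouflage by checking whether a link that appears to point at one site carries a second URL for a different host in its query string or path. The following is an added example, not part of the original post; the hosts, paths and parameter names in the sample links are constructed placeholders, not the real links from the mails.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

URL_IN_TEXT = re.compile(r"(?:https?|ftp)://[^\s\"'<>]+", re.IGNORECASE)
MAX_DECODE_ROUNDS = 3  # the embedded target may be percent-encoded more than once


def fully_unquote(value):
    """Percent-decode until the value stops changing (bounded)."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def embedded_hosts(link):
    """Hosts named inside the link that differ from the host the link shows."""
    outer = urlsplit(link)
    visible = (outer.hostname or "").lower()
    # A redirector carries its target either in a query value or in the path.
    fields = [fully_unquote(v) for _, v in parse_qsl(outer.query, keep_blank_values=True)]
    # A query value such as //host/path is a scheme-relative target.
    fields = ["http:" + f if f.startswith("//") else f for f in fields]
    fields.append(fully_unquote(outer.path))
    found = []
    for text in fields:
        for match in URL_IN_TEXT.finditer(text):
            host = (urlsplit(match.group(0)).hostname or "").lower()
            if host and host != visible and host not in found:
                found.append(host)
    return found


# Constructed sample links (placeholder domains, hypothetical paths and parameters).
SAMPLES = [
    "http://search.example.com/results?q=britney+video",            # plain search
    "http://search.example.com/url?q=http://files.example.net/video.php",
    "http://search.example.com/url?q=http%253A%252F%252Ffiles.example.net%252Fwatch",
    "http://portal.example.org/go/http://files.example.net/codec.exe",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", embedded_hosts(link) or "no embedded target")
```

A non-empty result means the visible host is only a hop; the mail should be judged by the embedded host, not by the trusted name at the front of the link.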

3 Comments

  1. Today I found 2 relatively new trojans and one already well-known Banker-trojan, just by backtracking one of these mails. In fact I found links to 7 sites that were spreading malware, but 4 of them had already been taken down. 🙂

    Comment by Pieter Arntz — February 16, 2008 #

  2. Got my first one today that linked directly to a file.
    In a mail this link was hidden:
    WATCH

    Comment by Pieter Arntz — February 29, 2008 #

  3. An article that may lead to new combinations with this method of creating URLs
    Please read: http://www.trustedsource.org/TS?do=threats&subdo=blog&id=34

    Comment by Metallica — April 25, 2008 #
