[ Security Alert ] 21 January, 2011 10:42

   According to ISC's report "possible new twitter worm", a new Twitter worm spreads shortened URLs on the "gool.pl" domain. People who click the malicious shortened URLs are redirected to a fake AV scan website and then forced to download a fake AV program (pack.exe), which is actually a virus file. Fortunately, AegisLab Web Guard has blocked the following hopping sites, so our customers can escape the storm of the new Twitter worm!

  • hxxp://gdfgdfgdgdfgdfg.in.ua/undo/red.php
  • hxxp://91.200.240.228
The virus detection rate in VirusTotal is 7/42 (16.3%), and the URL detection rate in VirusTotal is 0/6 (0%).
 
Since 01/17/2011, Web Guard has blocked the malicious hopping sites and URLs.
By AegisLab 


[ Security Alert ] 19 January, 2011 16:21

    According to the ISC (Internet Storm Center) report "Yet Another Rogue AV", fake AV is coming back, just as in the AegisLab Security Alert of 2011-01-14. Fortunately, AegisLab Web Guard has blocked one of the sites in the following attack path since 01/17/2011. In this attack path, the visitor is finally redirected to a pharmacy store.

[root] http://baullka.com/red.php
    [hop] http://91.200.240.228/index.php?W2=M0&JJYBm=JSmtYVyVTLi9r...
        [site] http://drugspharmacypills.com
            Canadian pharmacy

Furthermore, another netblock mentioned in the ISC report, 188.229.88.x, is also blocked by Web Guard.

By AegisLab 

[ Security Alert ] 17 January, 2011 11:28

    AegisLab has found that the official website of NCUISA.ncu.edu.tw (中央大學國際學生會, the National Central University International Student Association) has been tampered with to host SEO-poisoned pages. The victim website was injected with malicious links to the hopping site "www.sacon.org". Finally, visitors are redirected to a suspicious online store.

The attack path is listed below.

[search] http://www.google.com
[root] http://ncuisa.ncu.edu.tw/images/tDZs88dQ.php?5Y3N=SlySoft_AnyDVD...
    [hop] hxxp://www.sacon.org/download-oem-SlySoft_AnyDVD_HD_6.6.8.0...
        [site] hxxp://www.urlscan.net/index.php?target=desc1&progid=SlySoft_AnyDVD...

DO NOT LEAVE ANY SENSITIVE PERSONAL INFORMATION ON SUSPICIOUS SITES!

By AegisLab 

[ Security Alert ] 14 January, 2011 10:02

   AegisLab has found that the official website of Funs.com.tw (房市家大社區論壇, a real-estate community forum) has been tampered with to host fake AV and SEO-poisoned pages. If you visit the web page directly, you will see the following fake AV warning message.

fake AV warning messages

Once you click the OK button, it starts a fake AV scan. Then, no matter what you choose, you are forced to download a fake software update, which is actually malware! DO NOT EXECUTE IT!

fake AV scan result

In addition, another black-hat SEO attack path is listed below.

[search] http://www.google.com (search 'How To Convert And Add Dvds And Avi Wmv Flv Videos To Iphone 3G')
[root] hxxp://www.funs.com.tw/uchome/space.php?uid=29036&do=blog&id=1112310
    [hop] Location: hxxp://buyordie.osa.pl/
        [fake search engine] hxxp://finditnow.osa.pl/atp/?said=3333&q=facebook

The victim website was injected with a malicious link to the hopping site "buyordie.osa.pl", which redirects visitors arriving from the Google search engine to a fake search engine. The fake search results contain links to malware or porn sites.
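As an added illustration (not part of the original alerts or of any AegisLab product), the following Python script shows how a site owner could spot both symptoms described in the 17 January and 14 January alerts in an Apache access log: a PHP script served from a directory that should only hold static files (as on ncuisa.ncu.edu.tw), and a page that answers visitors arriving from Google with a redirect while direct visitors get the normal page (as on funs.com.tw). The log lines, client IPs and referer hostnames are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample access log (Apache combined format) modelled on the two
# attack paths described above; IPs and the "ncuisa.example" host are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jan/2011:10:01:02 +0800] "GET /images/tDZs88dQ.php?5Y3N=SlySoft_AnyDVD HTTP/1.1" 302 0 "http://www.google.com/search?q=SlySoft+AnyDVD" "Mozilla/5.0"
10.0.0.6 - - [17/Jan/2011:10:01:09 +0800] "GET /images/logo.png HTTP/1.1" 200 4321 "http://ncuisa.example/" "Mozilla/5.0"
10.0.0.7 - - [14/Jan/2011:09:30:00 +0800] "GET /uchome/space.php?uid=29036&do=blog&id=1112310 HTTP/1.1" 302 0 "http://www.google.com/search?q=convert+dvd+iphone" "Mozilla/5.0"
10.0.0.8 - - [14/Jan/2011:09:31:00 +0800] "GET /uchome/space.php?uid=29036&do=blog&id=1112310 HTTP/1.1" 200 8765 "-" "Mozilla/5.0"
10.0.0.9 - - [14/Jan/2011:09:32:00 +0800] "GET /uchome/space.php?uid=1&do=blog&id=5 HTTP/1.1" 200 5000 "http://www.google.com/search?q=forum" "Mozilla/5.0"
"""

# client, ident, user, [time], "METHOD target PROTO", status, size, "referer", "user-agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"')
STATIC_DIRS = ("/images/", "/css/", "/js/", "/uploads/")   # directories that should never serve scripts
SEARCH_ENGINES = ("google.", "bing.", "yahoo.")

def parse(line):
    """Return a dict for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, status, referer, ua = m.groups()
    return {"ip": ip, "method": method, "target": target, "path": urlsplit(target).path,
            "status": int(status), "referer": referer, "ua": ua}

def from_search_engine(referer):
    """True if the referer host belongs to one of the listed search engines."""
    host = urlsplit(referer).netloc.lower()
    return any(se in host for se in SEARCH_ENGINES)

def find_suspicious(log_text):
    """Return (rule, target) pairs for requests matching either SEO-poisoning symptom."""
    findings = []
    by_target = defaultdict(lambda: {"search": set(), "direct": set()})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        # Rule 1: a PHP script living under a static-asset directory (injected doorway page).
        if rec["path"].endswith(".php") and rec["path"].startswith(STATIC_DIRS):
            findings.append(("script_in_static_dir", rec["target"]))
        bucket = "search" if from_search_engine(rec["referer"]) else "direct"
        by_target[rec["target"]][bucket].add(rec["status"])
    # Rule 2: the same URL redirects (3xx) search-engine visitors but serves 200 to direct visits.
    for target, seen in by_target.items():
        if any(300 <= s < 400 for s in seen["search"]) and 200 in seen["direct"]:
            findings.append(("referer_cloaking", target))
    return findings
```

Rule 2 only fires when both a search-referred and a direct request for the same URL are present, so on a real log it should be run over a window long enough to contain both.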

The detection rate of this hopping site is 22% (4/18) in URLVoid.com. 


Since 01/08/2011, the AegisLab WebGuard signature has blocked this hopping site.

By AegisLab