SANS ISC: InfoSec Handlers Diary Blog

In caches, danger lurks

Published: 2009-12-17
Last Updated: 2009-12-17 20:07:27 UTC
by Daniel Wesemann (Version: 1)
2 comment(s)

When ISC reader Greg searched for a particular piece of information, and found the site hosting the information currently down, he reverted to Google Cache to retrieve the info from there.

But the site was apparently down for a reason: its operators were cleaning up a malware infection, and the infected pages had of course already been duly mirrored in the ever-effective Google cache, complete with all the hidden iframes leading to yet another unsolicited "Anti Virus" tool.

A cache, being a mirror image of the real world, can be expected to reflect that world in all its badness. Nevertheless, users would probably assume that the content comes from the search engine provider, and pay (even) less attention than normal to what happens next.

The badware is currently delivered through the domain todolust-dot-com. The EXE changes about twice per hour and has very low AV coverage (according to Virustotal). Microsoft and Sunbelt are currently the only two AV tools on Virustotal that do not seem to be perturbed by the rapid morphing of the EXE and keep catching it reliably.
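The hidden iframes mentioned above are the part of this incident a defender can check for mechanically, whether the page comes from the live site or from a search-engine cache. The following script is an added example, not code from the diary or from ISC: it parses an HTML document with Python's standard-library `HTMLParser` and flags every iframe that is zero-sized, hidden via inline style, or nested inside an element hidden via inline style, then lists the hosts those iframes point to. The sample HTML and the hostnames in it (`video.example`, `malicious.example`) are constructed for the example.

```python
"""Flag hidden <iframe> elements in an HTML document, e.g. a page pulled
from a search-engine cache before anyone opens it in a browser."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate, visible embed and three iframes
# hidden in the ways commonly seen on compromised sites.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example/embed/1" width="640" height="360"></iframe>
<iframe src="http://malicious.example/in.php" width="0" height="0" frameborder="0"></iframe>
<div style="display:none"><iframe src="http://malicious.example/av.php"></iframe></div>
<iframe src="http://malicious.example/x.php" style="position:absolute; left:-9999px"></iframe>
</body></html>
"""

# Inline-style patterns that make an element invisible or push it off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px|top\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)

# Elements that never have a closing tag, so they must not be pushed on the stack.
VOID_TAGS = {"br", "img", "meta", "input", "link", "hr", "area", "base", "col", "source"}


def _is_tiny(value):
    """True for width/height attributes of 0 or 1 pixel; False for absent or non-numeric values."""
    try:
        return int(str(value).rstrip("px")) <= 1
    except ValueError:
        return False


class HiddenIframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []        # (tag, hidden_by_style) for every open element
        self.hidden_depth = 0  # number of open ancestors hidden via inline style
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = a.get("style") or ""
        hidden_here = bool(HIDDEN_STYLE.search(style))
        if tag == "iframe":
            reasons = []
            if self.hidden_depth:
                reasons.append("inside hidden ancestor")
            if hidden_here:
                reasons.append("hidden via style")
            if _is_tiny(a.get("width")) and _is_tiny(a.get("height")):
                reasons.append("zero-size")
            if reasons:
                src = a.get("src") or ""
                self.findings.append(
                    {"src": src, "host": urlparse(src).hostname, "reasons": reasons}
                )
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden_here))
            if hidden_here:
                self.hidden_depth += 1

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate unclosed elements in between.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                for _, hidden in self.stack[i:]:
                    if hidden:
                        self.hidden_depth -= 1
                del self.stack[i:]
                return


def find_hidden_iframes(html):
    """Return a list of findings (src, host, reasons) for every hidden iframe."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def suspicious_hosts(html):
    """Sorted, de-duplicated list of hosts referenced by hidden iframes."""
    return sorted({f["host"] for f in find_hidden_iframes(html) if f["host"]})


if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_HTML):
        print(f"{finding['src']}  [{', '.join(finding['reasons'])}]")
    print("hosts:", suspicious_hosts(SAMPLE_HTML))
```

Run against a page saved from a cache, the host list is what you would compare against your blocklists or feed into a takedown or block request; the visible embed is not reported, so the output stays short enough to review by hand.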


Keywords: malware