Tuesday, December 22, 2009

Russ = Rogueware: Is nothing sacred?

You know you've hit the big time when...;-)
Alright, maybe not, but you still may have to step aside for my ego.
Wait, you already have to do that.
Fine. Never mind.
But this is kinda funny.

Full disclosure:
I use Google Alerts for my name (Russ McRee) and my domain (holisticinfosec).
I'll be quite honest and tell you that it's a combination of ego and paranoia.
I want to know when people say nice things (rare), when they talk smack (more likely), or when they're illegally reusing content (a constant).

Ok, so now you know I auto-Google myself (you should too), but here's where it gets new and exciting.



See the first entry above, i.e. "Russ"?
No good news there.
Looks like keyword abuse or a compromised site pointing to rogueware/scareware:
hxxp://www.tuckmall.com.tw/blog.php?blog=russ+mcree



Use caution as always if you choose to go there, fellow bug analysts.
MMPC calls the binary Trojan:Win32/Winwebsec.
The VirusTotal results include 10 detections out of 41 possible.

The rogueware site code is classic.



Multiple IFRAME offering dependent on user agent detection for the primary browser types.
If you're on a Mac you'll be redirected to some crap movie site; otherwise, you must be infected! Click here! Off to virusexamine.com or webexpertcheck.com with you...

Nice to know my name has become worthwhile enough to poison search results for...in Taiwan...on the 11,292,838 ranked site in the world...mixed in with pr0n and Justin Timberlake.
Oh yeah, the big time indeed.

Cheers, and Happy Holidays.
Russ

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

1 comment:

Anonymous said...

Actually, the rogue link on a Mac has been updated. If you went to that "Russ" link on a Mac, it's no longer a crap movie site that shows, it's a "Finder Online Scan" that leads Mac users to rogueware.
I found a screenshot of this at http://www.nickfitz.co.uk/images/mac-defender-scan-site.png