Sunday, December 23, 2007

Malware attack redirected from 123greetings.com

Today I received a Christmas greeting card from a close friend in China. When I clicked the e-card link in Firefox, the page could not be displayed as I have disabled JavaScript and Cookies in Firefox by default. I then copied and pasted the URL from Firefox to Safari, the only browser having JavaScript and Cookies enabled by default on my iMac.

Something happened then. A page of 123greetings.com flashed on the screen followed by a few splashes showing me an animation of scanning through the system folders of my computer. After that, the following XP-style window appeared on my Leopard desktop and forced me to download two PC executable files with randomized filenames. The active web page has been redirected to scanner2.malware-scan.com.


As I illustrated in the screenshot above, it was a malware attack.

As for Cookies, only 123greetings.com left several items in Safari's Cookie records, as shown below. malware-scan.com didn't leave its trace.


The downloaded executable files were identical except for their filenames. I ran one file in a disconnected Windows 2000 Server box (a virtual machine), and the file's process appeared in Task Manager. It seemed nothing happened (of course it's not true). I ran the executable several times, and several individual processes appeared in Task Manager, as follows.


I also noticed that this executable file created a Windows registry item at:

HKCU\Software\Microsoft\Windows\CurrentVersion\ADP = "&swp=1&apx=%s" (where %s is the filename of this downloaded file)

I enabled the network connection on the W2K virtual machine. After a while, a "professional" anti-spyware program, MalwareAlarm 2.1, appeared on the screen, and had already started scanning the system. This bloody scanner reported that I had nine threats, and asked me to buy online in order to activate its Threats Removal function. TCPView showed that this program (MalwareAlarm.exe) was downloaded from 69.50.175.18.


There was a business behind this anti-spyware spyware. It even showed me such a screen.


Now you should know how this kind of anti-malware program works, hmm? :-)

Furthermore, I did a Google search for this, and found that someone had already reported a similar piece of spyware two days ago, on 21 December 2007.
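The registry marker reported above can be checked for in a `.reg` export of a suspect profile. The following is an added example, not code from the original post: it assumes the export is available as text, and because the post does not say whether `ADP` is a value under `CurrentVersion` or a subkey, it checks both readings. The sample export and its file names are constructed.

```python
import re

# Key and data format as reported in the post. The post does not say whether ADP
# is a value under CurrentVersion or a subkey, so both readings are checked.
BASE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
MARKER = "ADP"
DATA_RE = re.compile(r"^&swp=1&apx=(?P<file>.+)$")  # %s = name of the downloaded file
# One string entry of a .reg export: "name"="data" or @="data" (default value).
ENTRY_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))="(?P<data>(?:[^"\\]|\\.)*)"$')

def _unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def find_adp_marker(reg_text):
    """Return one dict per ADP entry whose data matches the reported format."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # current registry key header
            continue
        m = ENTRY_RE.match(line)
        if key is None or not m:
            continue
        name = "@" if m.group("default") else _unescape(m.group("name"))
        k = key.lower()               # registry paths are case-insensitive
        as_value = k == BASE_KEY.lower() and name.lower() == MARKER.lower()
        as_subkey = k == (BASE_KEY + "\\" + MARKER).lower() and name == "@"
        d = DATA_RE.match(_unescape(m.group("data")))
        if (as_value or as_subkey) and d:
            hits.append({"key": key, "value": name, "dropped_file": d.group("file")})
    return hits

# Constructed sample export (not taken from the post); the file names are placeholders.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"ADP"="&swp=1&apx=placeholder_name.exe"
"Other"="unrelated"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ADP"="&swp=1&apx=wrong_key.exe"
'''

if __name__ == "__main__":
    for hit in find_adp_marker(SAMPLE):
        print(hit)
```

The recovered `dropped_file` name gives the filename to search for on disk and in Task Manager when cleaning up.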

4 comments:

Anonymous said...

Thanx for the warning and excellent clarification of this hazard. I've encountered the same (and luckily Firefox did a proper job).

loren Jett said...

I recently found many useful information in your website especially this blog page. Among the lots of comments on your articles. Thanks for sharing.

Erin cody said...

Valuable very touchable information. I would like to thank you for sharing your great facts.

Erin cody said...

A good informative post that you have shared and appreciate your work for sharing the information.