Saturday, June 23, 2007

Dangerous searches - June 23, 2007

Hi folks,

The overall state of play is that there are still two significant attack waves happening. The ecard guys out of the .hk domains have cleaned up their English and prettied up their email a bit. It's now downloading 2mb of something. We're not sure what it is at this point, but it's probably not friendly, and there are still lots of compromised Italian sites launching MPack/ WebAttacker2.

Here are some of the more interesting (and unexpected) dangerous search terms from the last couple of days...

"Firefox" ... ! Fortunately, that's only dangerous if you're using Internet Explorer to search for it.

"watch movies for free" ... wrong selection gets you a WebAttacker2/ Mpack.

"wallpaper" ... webattacker2/mpack

"blue book" ... is still dangerous. That's been about a week now, which is unusual. Most of these get cleaned up quite quickly.

"stem cell research"... that's a bit mean

"bulgarian mp3 music download" ... that's too easy (JUST KIDDING!)

and "radio blogs" ... wrong choice gets an MDAC.




At 10:29 PM, Anonymous Peter G. said...

Hello Roger,

I have found a href that is not detected as a malicious iframe by LinkScanner. This href points to a malicious page. The URL of this href page is hxxp://



At 7:41 PM, Blogger Roger Thompson said...

Hi Peter,

Thanks for the tip. When we checked it out, it's already 404, so we have no way of seeing what was there.


However, these things are typically re-used ... _often_, and we've added several other sigs today already, so there's a good possibilty we've covered it, and if not, I expect our normal intelligence activities will soon find it.

If you find another, please let us know.

Thanks again,


At 1:17 PM, Anonymous peter g. said...

Hi Roger,

It works again.



Ps.: Do you have other methods receiveing suspicious URLs?

At 10:48 AM, Blogger Roger Thompson said...

Hi Peter,

It is indeed working again, and we detect it as a WebAttacker2/ MPack.

This package typically tracks the IP address of the visitor and won't serve the exploit twice, on the basis that anyone coming again is either already nailed, or is probably a researcher looking for them. If you can get yourself a fresh ip address, I expect you'll see us detect it just fine.

Thanks again for the lead. If you want to submit any more URLs, please feel free to post them directly to .




Post a Comment

<< Home