In September, our friends at Sophos wrote about a fake BBC website offering up the “chance” to work from home for predictably large sums of money. No more than a day later, we were covering fake BBC video posts targeting Facebook users.
Today we’re looking at a fake BBC URL which drops the end-user onto a “work from home and earn $10,000+ a month” fake news site, but not before it’s attempted to load up the PC with malware via a rather nasty collection of exploits. The URL in question is bbcmoneynews(dot)com:
Click to Enlarge
How does this website hate thee? Let me count the ways.
The site contains:
1 ) An encrypted Blackhole exploit kit, which we detect as Exploit.JS.Blacole.cd
2) A malicious Java applet, which we detect as Trojan.Java.Generic
The Blackhole exploit kit exploits known vulnerabilities to download and execute malicious files, checking for installed applications that may be vulnerable to exploits targeting them (in this case, Flash and Adobe Acrobat).
This sample exploits the following vulnerabilities:
1) CVE-2006-0003 – IE6 COM CreateObject Code Execution is used to download and execute the following:
i. a Zbot trojan, which we detect as Trojan.Win32.Zbot.bxh
ii. Sirefef, which we detect as Trojan.Win32.Generic.pak!cobra
iii. The Fareit Trojan, which we detect as Trojan.Win32.Zbot.bxh
2) It deploys an SWF file which exploits the following vulnerability:
CVE-2011-0611 – Adobe Flash Player Memory Corruption, which we detect as Trojan.SWF.Generic
3) Depending on the version of Adobe Acrobat installed in the system, it deploys the following PDF files:
i. For version 7 and below, 91973.pdf – CVE-2008-2992 – Adobe Reader util.printf – currently detected as Exploit.PDF-JS.Gen (v)
ii. For version 8 and 9, bc2e7.pdf – CVE-2009-0927 – Adobe Reader Collab GetIcon which we detect as Trojan.PDF.Generic
Ouch. And after all of that, you still have the redirect to the spam site to deal with.
Click to Enlarge
There are a number of different work from home URLs you can expect to be sent to and they all have comments closed (right after everybody said the work from home pack worked, which is of course handy for the site owner) while claiming that the “offer ends tomorrow”. This is a rather nasty pack of malware, and it’s quite possible we may see more of these work from home sites dabbling in exploits – not a comforting thought when you can open up any random forum / website and have a halfway decent chance of seeing a “work from home, earn big money” advert.
Stay patched, stay safe and if you really want to work from home then your accountant is a safer bet than the websites listed above.
Christopher Boyd (Thanks to James, Adam and Mark)
Leave a reply
