Normally, the WebPulse team doesn’t bother with questions like “What countries are involved in malware attack A?” or “What malware should people in country B worry about?”
Our primary focus is on finding malware attacks and blocking them for ALL our users, since no one wants malware on their network, regardless of where it comes from, or who its primary targets are.
Still, such questions do come up from time to time, and I’d been asked about Japanese malware earlier in the week, so I’d been doing some thinking about how to collect the data to answer it. Specifically, I was curious to see if any of our recent tools — especially the Background Checker — could come up with some data in this area.
So, this week as I was traveling to Black Hat, I asked a manager for some license keys that belonged to large Japanese organizations, without revealing the names of the organizations to me. (In case anyone is wondering, the Malware Research team doesn’t know who license keys belong to in the course of normal research. We like to maintain customer privacy.) This way, I could assume that most of their users would be surfing in Japanese, and see if any of them had attempted to visit malicious sites.
It turned out to be a pretty quick process to find a customer with a number of users who had indeed attempted to visit sites that the Background Checker flagged as malicious/suspicious in real-time…
In fact, users at this particular large organization showed up 64 times in the malware-attack logs last week. In other words, 64 times, their users had attempted to visit a malware site, but had been prevented by WebPulse. Most of these incidents had involved one particular malware attack, so this is the one I focused on. Just knowing that we saved some Japanese folks from an attack, however, doesn’t make for a good blog post by itself; it’s only the beginning of the story. Some additional research is required to flesh it out…
As it turns out, the would-be victims of this attack had been visiting a legitimate site, google-mania.net, which has a bunch of information about various Google services, along with tips about how to get more value out of using them:
Unfortunately, the site has been hacked, so it’s including an injected iFrame in the Web pages it serves:
Looking through the logs, it appears that there are quite a number of junk-name .co.tv sites showing up in this network, and there are several other hacked sites being used in the attack (e.g., msofficetuneup.com), in other languages, that are trying to snare victims in other countries. So this attack does not appear to be targeted specifically at Japanese users.
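The pattern described above (a legitimate page carrying an injected iframe that points at a junk-name host under a free subdomain zone) is easy to spot in page source once you know what to look for. The following scanner is an added example, not code from the original post or from WebPulse: it pulls every iframe out of an HTML document and flags the ones that are off-site, sit under a suspect zone, have a junk-looking hostname label, or are hidden. The `.co.tv` zone is the one named in the post; the junk-name regex, the hiding heuristics, the sample page and every hostname in it are my own constructed assumptions for illustration.

```python
"""Flag injected iframes in HTML.  Added example; the sample page, the
junk-name heuristic and the hidden-iframe heuristic are assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Free-subdomain zone seen in the attack described in the post.
SUSPECT_ZONES = (".co.tv",)

# Assumed heuristic for a "junk-name" label: 8+ alphanumerics containing a
# digit, or 6+ characters with no vowels at all (e.g. x7kq2mzp, bqzxkrt).
JUNK_LABEL = re.compile(r"^(?=.*\d)[a-z0-9]{8,}$|^[bcdfghjklmnpqrstvwxyz0-9]{6,}$")


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def is_hidden(attrs):
    """True for the classic injected-iframe disguise: display:none or a 0/1 px box."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        w = int(attrs.get("width") or "1")
        h = int(attrs.get("height") or "1")
    except ValueError:
        return False
    return w <= 1 or h <= 1


def classify_iframe(attrs, page_host):
    """Return the list of reasons an iframe looks injected (empty if none)."""
    src = attrs.get("src") or ""
    host = (urlparse(src).hostname or "").lower()
    reasons = []
    if not host:
        return reasons  # relative src on the same site: not the pattern here
    if host != page_host and not host.endswith("." + page_host):
        reasons.append("off-site")
    if any(host.endswith(z) for z in SUSPECT_ZONES):
        reasons.append("suspect-zone")
    if JUNK_LABEL.match(host.split(".")[0]):
        reasons.append("junk-name")
    if is_hidden(attrs):
        reasons.append("hidden")
    return reasons


def is_flagged(reasons):
    """A suspect zone alone is enough; otherwise require off-site plus one more signal,
    so ordinary third-party embeds (video players etc.) are not reported."""
    return "suspect-zone" in reasons or ("off-site" in reasons and len(reasons) >= 2)


def scan(html, page_host):
    """Return [(src, reasons), ...] for every iframe that is_flagged()."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = classify_iframe(attrs, page_host.lower())
        if is_flagged(reasons):
            findings.append((attrs.get("src"), reasons))
    return findings


# Constructed sample page: one legitimate embed, one injected hidden iframe
# to a junk-name .co.tv host, one relative iframe.  All hostnames are made up.
SAMPLE_PAGE = """
<html><body>
<h1>Tips for Google Reader</h1>
<iframe width="560" height="315" src="https://www.youtube.com/embed/abc"></iframe>
<iframe src="http://x7kq2mzp.co.tv/in.php" width="1" height="1" style="display:none"></iframe>
<iframe src="/local/widget.html"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_PAGE, "google-mania.net"):
        print(f"injected iframe? {src}  reasons={reasons}")
```

In practice you would run `scan()` over the HTML fetched by the proxy (or from a crawler) with `page_host` set to the host the page was served from, and feed the flagged hostnames into your blocklist review rather than blocking on the heuristic alone; the junk-name and hidden checks are there to keep legitimate third-party embeds from being reported.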