The day of a security researcher usually starts by looking for a lead worth investigating. This one is kind of lame – really – but one has to satisfy their curiosity.
A malicious URL is spreading on Vkontakte (and other social sites), luring people into downloading a so-called picture:
Infected users are posting the URL onto their friends’ walls. The example below shows a doctor’s page (I believe this is a total coincidence, although it is well fitted) and his wall, with the offending URL:
The URL seems to change slightly from time to time but inevitably leads to the same place:
This is a redirection that works like this:
The final link is an executable: xn--80aaqrraooq.xn--p1ai/x78aa901_d9ff_640x480.exe
VirusTotal detection (8/43).
When running this file, you will see a picture of a group of teens having a celebration meal:
But that’s not all, of course. The Windows Hosts file is modified in order to redirect traffic going to vkontakte to a third party (18.104.22.168) instead. This enables criminals to harvest credentials and spread the links from account to account.
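A defender-side check for exactly this trick, added here as an illustration rather than code from the post: it parses hosts-file text and flags any entry that pins a watched domain (vkontakte.ru, vk.com or a subdomain) to a non-loopback address. The sample hosts content is constructed; the 18.104.22.168 address is the one quoted above, and the watched domain list is an assumption.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample of a Windows hosts file: the normal localhost lines plus
# hijack entries of the kind described in the post (vkontakte pinned to the
# third-party address 18.104.22.168 quoted in the write-up).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
18.104.22.168   vkontakte.ru
18.104.22.168   vk.com www.vkontakte.ru
"""

# Assumed watch list: domains that should never be pinned in the hosts file.
WATCHED_DOMAINS = {"vkontakte.ru", "vk.com"}


def parse_hosts(text: str) -> List[Dict[str, object]]:
    """Parse hosts-file text into {'ip', 'hosts', 'line'} records, skipping comments."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address; the resolver ignores such lines too
        records.append({"ip": ip, "hosts": parts[1:], "line": lineno})
    return records


def find_hijacks(text: str, watched=WATCHED_DOMAINS) -> List[Dict[str, object]]:
    """Return entries that map a watched domain (or subdomain) to a non-loopback IP."""
    hits = []
    for rec in parse_hosts(text):
        if rec["ip"].is_loopback:
            continue  # 127.0.0.1 / ::1 entries are the normal, harmless case
        for name in rec["hosts"]:
            base = name.lower().lstrip(".")
            if any(base == d or base.endswith("." + d) for d in watched):
                hits.append({"line": rec["line"], "ip": str(rec["ip"]), "host": base})
    return hits


if __name__ == "__main__":
    for h in find_hijacks(SAMPLE_HOSTS):
        print(f"line {h['line']}: {h['host']} -> {h['ip']}")
```

On a real machine, feed it the contents of %SystemRoot%\System32\drivers\etc\hosts; any hit for a site you never pinned yourself is worth a closer look.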
Vkontakte is displaying a security warning when accessing external links:
It’s a reminder that even saucy-looking URLs can be dangerous to click on, especially when considering that the human factor always wins…