The Latest in IT Security

Vkontakte plagued by the same security issues as its cousin, Facebook

27 May 2011

The day of a security researcher usually starts with looking for a lead worth investigating. This one is kind of lame – really – but one has to satisfy one's curiosity.

A malicious URL is spreading on Vkontakte (and other social sites), luring people into downloading a so-called picture:

vaginatube.info/107508?_3xf6i4s4_13301.jpg

Infected users are posting the URL onto their friends' walls. The example below shows a doctor's page (I believe this is a total coincidence, although it is well fitted) and his wall, with the offending URL:

The URL seems to change slightly from time to time but inevitably leads to the same place:

This is a redirection that works like this:

vaginatube.info/107508?_3xf6i4s4_13301.jpg
77.222.132.82/narod.php?21d8d2=dff93c493c00f
10go10.ru/go.php?sid=15
xn--80aaqrraooq.xn--p1ai

The final link is an executable: xn--80aaqrraooq.xn--p1ai/x78aa901_d9ff_640x480.exe

VirusTotal detection (8/43).

When running this file, you will see a picture of a group of teens having a celebration meal:

But that's not all, of course. The Windows Hosts file is modified in order to redirect traffic going to Vkontakte to a third party instead (38.99.170.81). This enables criminals to harvest credentials and spread the links from account to account.
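A defender can check for this kind of tampering by parsing the Hosts file and flagging any entry that pins a social-network domain to a non-local address. The following is an added example, not code from the original post: the watched domain list (`vkontakte.ru`, `vk.com`) is an assumption, and the sample file is constructed around the IP address quoted above.

```python
import ipaddress

# Assumption: domains to watch; the post itself only says "vkontakte".
WATCHED = ("vkontakte.ru", "vk.com")

def parse_hosts(text):
    """Yield (lineno, ip, hostname) for every mapping in hosts-file text."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue                              # blank or malformed line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # first field is not an IP
        for name in fields[1:]:                   # one line may list aliases
            yield lineno, ip, name.lower().rstrip(".")

def is_watched(name, watched=WATCHED):
    """True for a watched domain or any of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in watched)

def suspicious_entries(text, watched=WATCHED):
    """Return entries that point a watched domain at a non-local address."""
    hits = []
    for lineno, ip, name in parse_hosts(text):
        local = ip.is_loopback or ip.is_unspecified
        if is_watched(name, watched) and not local:
            hits.append((lineno, str(ip), name))
    return hits

# Constructed sample of a tampered hosts file (not captured from a real host).
SAMPLE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
38.99.170.81    vkontakte.ru www.vkontakte.ru
38.99.170.81    vk.com   # constructed entry
0.0.0.0         ads.example.com
127.0.0.1       login.vk.com
"""

if __name__ == "__main__":
    for lineno, ip, name in suspicious_entries(SAMPLE):
        print(f"line {lineno}: {name} -> {ip}")
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`.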

Vkontakte is displaying a security warning when accessing external links:

It's a reminder that even saucy-looking URLs can be dangerous to click on, especially when considering that the human factor always wins…

Jerome Segura
