The day of a security researcher usually starts with looking for a lead worth investigating. This one is kind of lame, really, but one has to satisfy their curiosity.
A malicious URL is spreading on Vkontakte (and other social sites), luring people into downloading a so-called picture:
vaginatube.info/107508?_3xf6i4s4_13301.jpg
Infected users are posting the URL onto their friends' walls. The example below shows a doctor's page (I believe this is a total coincidence, although it is well fitted) and his wall, with the offending URL:
The URL seems to change slightly from time to time but inevitably leads to the same place:
The redirection chain works like this:
vaginatube.info/107508?_3xf6i4s4_13301.jpg
77.222.132.82/narod.php?21d8d2=dff93c493c00f
10go10.ru/go.php?sid=15
xn--80aaqrraooq.xn--p1ai
The final link is an executable: xn--80aaqrraooq.xn--p1ai/x78aa901_d9ff_640x480.exe
VirusTotal detection: 8 of 43 engines.
When the file is run, it displays a picture of a group of teens having a celebration meal:
But that's not all, of course. The Windows hosts file is modified so that traffic destined for vkontakte is redirected to a third-party server (38.99.170.81) instead. This enables criminals to harvest credentials and spread the links from account to account.
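To spot this kind of tampering on a machine, here is an added example (my own code, not part of the original post or of the malware) that parses a Windows hosts file and flags watched domains mapped to anything other than a loopback or unspecified address. The sample hosts contents are constructed, reusing the redirect IP quoted above; the watched domain list is an assumption.

```python
import ipaddress
import os

# Constructed sample of a hosts file after the tampering described in the post.
# The redirect target is the IP quoted above; the host names are illustrative.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
38.99.170.81    vk.com
38.99.170.81    vkontakte.ru www.vkontakte.ru
"""

# Assumed watch list: domains that should never be pinned to a remote address locally.
WATCHED_DOMAINS = {"vk.com", "vkontakte.ru"}

# Default location of the hosts file on Windows (only used by scan_system_hosts).
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blank lines and malformed entries."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an IP address in the first column; ignore the line
        for name in fields[1:]:
            yield ip, name.lower()


def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return (ip, hostname) for watched domains (or subdomains) pointed at a remote address."""
    hits = []
    for ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue  # 127.0.0.1 / ::1 / 0.0.0.0 entries are the usual benign cases
        if any(name == d or name.endswith("." + d) for d in watched):
            hits.append((str(ip), name))
    return hits


def scan_system_hosts(path=WINDOWS_HOSTS_PATH):
    """Read the live hosts file if present and return its suspicious entries."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())
```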
Vkontakte is displaying a security warning when accessing external links:
It's a reminder that even saucy-looking URLs can be dangerous to click on, especially considering that the human factor always wins.
Jerome Segura