The Latest in IT Security

Fake webcam plugin goes rampant

26 Jun 2011

I uncovered a very large number of sites that are pushing malware using a smart disguise.

Webcams sometimes ask the user to install a program in order to view them. This is exactly what the creators of those malicious pages are banking on. Except that users will install a Trojan on their computers instead.

Some of the pages I found infect you directly with an exploit while others prompt you to run a Java applet:

The back-end code found on the pages is very similar to this:

I did Google searches to find the infected links – which was kind of time consuming – and here are the ones I found so far:


All in all, you will eventually notice that most pages reuse the same template. They only need to update the link to the payload.
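Template reuse of this kind can be turned into a detection signal. The following is an added example, not code from the original post or from the pages it describes: it fingerprints a page by its tag and attribute-name structure while ignoring attribute values, so pages that differ only in the payload link hash to the same cluster. The sample markup, the `param` name and the `example.test` hosts are constructed for illustration.

```python
import hashlib
from collections import defaultdict
from html.parser import HTMLParser


class Skeleton(HTMLParser):
    """Collect the page's tag/attribute-name structure and any .exe references."""

    def __init__(self):
        super().__init__()
        self.shape = []      # structure only: tag names and attribute names
        self.payloads = []   # attribute values whose path ends in .exe

    def handle_starttag(self, tag, attrs):
        self.shape.append(tag + "[" + ",".join(sorted(k for k, _ in attrs)) + "]")
        for _, value in attrs:
            if value and value.lower().split("?")[0].endswith(".exe"):
                self.payloads.append(value)


def fingerprint(html):
    """Return (template_hash, payload_links) for one page."""
    parser = Skeleton()
    parser.feed(html)
    parser.close()
    digest = hashlib.sha256("/".join(parser.shape).encode()).hexdigest()[:16]
    return digest, parser.payloads


def cluster(pages):
    """Group page names by template hash; a shared hash means a shared template."""
    groups = defaultdict(list)
    for name, html in pages.items():
        digest, payloads = fingerprint(html)
        groups[digest].append((name, payloads))
    return dict(groups)


# Constructed sample pages (not taken from the sites in the post).
TEMPLATE = ('<html><body><h1>Live cam</h1><img src="preview.jpg">'
            '<applet code="Viewer.class" width="1" height="1">'
            '<param name="url" value="{link}"></applet></body></html>')
PAGES = {
    "page-a": TEMPLATE.format(link="http://a.example.test/cam.exe"),
    "page-b": TEMPLATE.format(link="http://b.example.test/flashplayer.exe"),
    "benign": '<html><body><p>Holiday photos</p><a href="album.html">Album</a></body></html>',
}

if __name__ == "__main__":
    for digest, members in cluster(PAGES).items():
        print(digest, members)
```

A cluster with many members and a different executable link in each is a candidate for a blocklist rule keyed on the template rather than on individual URLs.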

While this Java applet infection is not new (I remember documenting the “AMLMAFOIEA” Java applet), the use of the Webcam along with tempting pictures seems like a good combo to attract many unsuspecting users.

Jerome Segura
