Infected
This is the story of a Google search turned ugly by malware, only to be
thwarted itself by Linux.
Project Wal+Mart Freedom was picked up on The Consumerist, and for a few
days afterwards I kept track of its propagation on Google.
One particular link caught my eye, walmart.cyprusgloballogistics.com.
The subdomain and company name made me think that they kept track of the
developments of international corporations, which sounded like good intel,
so I clicked the link. And lookie what happened.
Obviously no good was coming from that site. I noticed some status bar
shenanigans, so I hit up wget for a quick view of what was going on behind
the browser.
From walmart.cyprusgloballogistics.com, to bestsexworld.info to xpantivirus.com.
Suuurrre, that was legit. Was that x panti virus or xp antivirus?
Regardless, I had to stay focused because my machine was on the verge of
compromise. Or not.
I learned that any subdomain of the shady cyprusgloballogistics.com took a
user for a ride. I planned to click each affirmative to see where I assumed
it went.
After the confirmation pop-up, I was taken to the hook portion of the trip,
which was some JavaScript that "scanned" my computer for viruses
and the like. Oh, and surprise, I was infected.
I clicked "Remove All" to stay with the affirmatives and the page
greeted me with instructions on what to do with the exe I was downloading,
XPantivirus2008_v880064.exe.
Useless on Linux, to be sure.
(Note that the last link is the malware. So don't click it, Windows
users, unless you know what you're doing. Hey, I gotta keep up my red status on
SiteAdvisor.)
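The trip described above, from the first link to the executable, as an added example (not the author's wget session): a small Python walker that follows HTTP Location headers, meta refreshes and simple JavaScript location assignments without executing anything, and flags any hop that hands the visitor an executable. The hostnames are the ones named in the post; the paths, headers and page bodies are a constructed offline stand-in, not captures of the real sites.

```python
import re
from urllib.parse import urljoin

# Constructed stand-in for the sites named in the post so the walker runs offline.
# Each entry: url -> (status, headers, body). Paths/headers/bodies are invented.
FAKE_SITE = {
    "http://walmart.cyprusgloballogistics.com/": (
        302, {"Location": "http://bestsexworld.info/in.php"}, ""),
    "http://bestsexworld.info/in.php": (
        200, {"Content-Type": "text/html"},
        '<html><script>window.location="http://xpantivirus.com/scan/";</script></html>'),
    "http://xpantivirus.com/scan/": (
        200, {"Content-Type": "text/html"},
        '<meta http-equiv="refresh" content="0;url=http://xpantivirus.com/XPantivirus2008_v880064.exe">'),
    "http://xpantivirus.com/XPantivirus2008_v880064.exe": (
        200, {"Content-Type": "application/octet-stream"}, "MZ..."),
}

def fake_fetch(url):
    """Stand-in for an HTTP GET; a real run would swap in wget/urllib here."""
    return FAKE_SITE.get(url, (404, {}, ""))

# Client-side redirect patterns that wget alone would not follow.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']?\d+;\s*url=([^"\'>\s]+)', re.I)
JS_LOCATION = re.compile(
    r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)

def next_hop(url, status, headers, body):
    """Return the URL this response sends the visitor to, or None if it stops here."""
    if 300 <= status < 400 and "Location" in headers:
        return urljoin(url, headers["Location"])
    for pattern in (META_REFRESH, JS_LOCATION):
        match = pattern.search(body)
        if match:
            return urljoin(url, match.group(1))
    return None

def follow_chain(start, fetch=fake_fetch, max_hops=10):
    """Walk the redirect chain without a browser; stop on loops or after max_hops."""
    chain, url, seen = [], start, set()
    while url and len(chain) < max_hops and url not in seen:
        seen.add(url)
        status, headers, body = fetch(url)
        chain.append((url, status, headers.get("Content-Type", "")))
        url = next_hop(url, status, headers, body)
    return chain

def flag_executables(chain):
    """Hops that deliver a binary: the point at which a Windows user would be in trouble."""
    return [u for u, _, ctype in chain
            if u.lower().endswith(".exe") or ctype == "application/octet-stream"]
```
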
Of course with Linux, that's where the story ends. But think of all the
Windows users this dupes, understandably so. Things happened fast. The site
looked legit. You can't blame the users. You can't blame anyone. You can
only fix the problem. Use Linux or OS X. From the malware authors
themselves, use Opera. And most importantly, educate your family and
friends.
Other Resources
First Rogue Cleaning Tool for Mac
SUPERAntiSpyware
