Now, this story is crazy. Because I am a subscriber to the Google Alerts service (among the keywords there are trojan and virus), this evening I received an email from Google Alerts looking like this:
Under the Web section you can see this URL address:
http://www.google.com/url?sa=X&q=http://wcbi.com/photos/img/free-download-anti-virus-trojan.php&ct=ga&cad=CAcQAhgAIAEoBDACOABArYfZ8wRIAVgAYgVlbi1VUw&cd=lbdH6A8Qsxo&usg=AFQjCNG25qrHqtnmCKmhjW5UVTmn4X-xIw
which is intended to redirect to :
http://wcbi.com/photos/img/free-download-anti-virus-trojan.php
But instead of the expected redirection, a malicious one takes its place and users are redirected to a fake Megaupload website with this URL address:
http://download-upload2.com/index.php?key=anti%20virus%20trojan
Here an executable file named 2_setup.exe is offered for download (MD5: 26FF3373E2CB859DBE18E393797EB9B4, size 231KB). Submitting this file to virustotal.com is enough to understand what kind of file it is; here is the report. It has a detection rate of 12/44 (27.3%), and the report makes it clear that this is the ZeroAccess trojan, one of the most dangerous trojans, able to hide itself in the operating system (it has rootkit abilities) and to infect the MBR (Master Boot Record).
It seems that another website, http://wcbi.com/, got hacked (maybe via the .htaccess file, where malicious redirects can be initiated?), and again we have to deal with another case of Google search results poisoning. What I don't understand is why this super-smart giant Google does not perform at least a summary analysis of the links it sends to customers, subscribers or visitors, checking whether a malicious redirect is performed and what the final destination of these malicious redirects is. Such an analysis could theoretically help to eliminate malicious or problematic websites from the Google index more quickly. In the case exposed here we were served nothing more than a nightmare for computer users: the ZeroAccess trojan.
EDIT:
The malicious redirects seem to be endless. Today I received another email from Google Alerts including a link to another misconfigured (hacked) website leading to the same fake Megaupload site, http://download-upload2.com/index.php?key=anti%20trojan%20virus, which is offering the ZeroAccess trojan virus. The whole received URL address is:
http://www.google.com/url?sa=X&q=http://kampsight.com/images/softwareg/download-anti-trojan-virus.php&ct=ga&cad=CAcQAhgAIAEoBDACOAJAtqre8wRIAVgAYgVlbi1VUw&cd=ml7lyqtTG2Y&usg=AFQjCNGwwUZh_2YJTEXqL2qusfK80k-cdw
and the website URL in question is:
http://kampsight.com/images/softwareg/download-anti-trojan-virus.php
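The kind of summary link analysis suggested above can be sketched as follows. This is an added example, not code from Google or from this post: it pulls the advertised destination out of the q= parameter of the alert link and compares it with the last hop of a redirect chain. The hop list is constructed from the URLs quoted in this post, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: the alert link from this post (tracking parameters
# omitted) and the hop sequence the post describes, as a crawler might log it.
ALERT_LINK = ("http://www.google.com/url?sa=X&q=http://wcbi.com/photos/img/"
              "free-download-anti-virus-trojan.php&ct=ga")
HOPS = ["http://wcbi.com/photos/img/free-download-anti-virus-trojan.php",
        "http://download-upload2.com/index.php?key=anti%20virus%20trojan"]

def alert_target(wrapper_url):
    """Return the destination carried in q= of a google.com/url link, else None."""
    parts = urlsplit(wrapper_url)
    if parts.hostname not in ("google.com", "www.google.com") or parts.path != "/url":
        return None
    values = parse_qs(parts.query).get("q")
    return values[0] if values else None

def site(url):
    """Last two host labels; an approximation, a real check needs a public-suffix list."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def words(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def review(wrapper_url, observed_hops):
    """Compare the advertised destination with where the logged chain ended."""
    target = alert_target(wrapper_url)
    if target is None or not observed_hops:
        return {"target": target, "final": None, "off_site": False, "keyword_echo": False}
    final = observed_hops[-1]
    off_site = site(final) != site(target)
    # Words in the advertised page name, e.g. free-download-anti-virus-trojan
    stem = urlsplit(target).path.rsplit("/", 1)[-1].rsplit(".", 1)[0]
    advertised = words(stem)
    # The landing URL repeating those search words is the pattern seen in this post
    echoed = any(words(v) and words(v) <= advertised
                 for vals in parse_qs(urlsplit(final).query).values() for v in vals)
    return {"target": target, "final": final, "off_site": off_site,
            "keyword_echo": off_site and echoed}

if __name__ == "__main__":
    print(review(ALERT_LINK, HOPS))
```

A chain that ends on a different site than the one advertised, with the search keywords copied into the landing URL, is a cheap signal to queue the link for deeper inspection before it is mailed out.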
Keep safe!