Fake ImageShack site serving malware, links distributed over IM

Fake ImageShack site serving malware, links distributed over IM

Summary: In a combination of domain typosquatting next to spoofed image files, malware authors managed to successfully impersonate ImageShack, the 5th largest image hosting website on the Internet, the result of which is a malware campaign circulating over MSN, enticing users into infecting themselves by clicking on the spammed links to fake image files.

SHARE:

In a combination of domain typosquatting next to spoofed image files, malware authors managed to successfullyImageShack impersonate ImageShack, the 5th largest image hosting website on the Internet, the result of which is a malware campaign circulating over MSN, enticing users into infecting themselves by clicking on the spammed links to fake image files. This currently active IM malware campaign is yet another indication that the "don't click on executable files" security tip is on the verge of irrelevance. Social engineering, however, isn't, since impersonating ImageShack to serve fake images which are in fact trojans turning the infected hosts into zombies is a well coordinated social engineering campaign combining several difference tactics.

The real ImageShack site is imageshack.us, however, the malware authors are impersonating ImageShack and using imageshaack .org, in particular imageshaack.org /img/Picture275.jpg, which is where the malware is. Once the user gets infected with the malware, Backdoor.Win32.SdBot.eiu in this case, the host joins an IRC channel where the botnet masters continue issuing commands for the campaign to spread, like the following :

!msn.msg lool!! :D http ://imageshaack.org /img/Picture275.jpg  |!trition.msg lool!! :D http ://imageshaack.org/img /Picture275.jpg  topic set by Everglades on Wed Jun 11 15:41:57

"!msn.msg Haha is that you;)? http ://imageshaack.org /img/Picture275.jpg?|!trition.msg http: //imageshaack.org/img /Picture275.jpg

Until the site gets shut down, consider being extra vigilant on IM messages received, and while this is a bit more creative social engineering attack then the majority of average ones I've seen this month, non-executable files are apparently just as dangerous as executable ones.

Topics: Malware, Social Enterprise

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

4 comments
Log in or register to join the discussion
  • virustotal.com analisis

    http://www.virustotal.com/analisis/77e5f399904669ee6282425fa9633689#
    qmlscycrajg
  • "Win32"

    If a virus/trojan has "win32" in the name assigned to it by the security community, is it safe to assume that it only affects Microsoft Windows?
    RestonTechAlec
    • Yep

      Has anyone repoirted malware for any other platform recently?
      epcraig
  • RE: Fake ImageShack site serving malware, links distributed over IM

    Is the download really an infected JPG? If so, are all rendering engines equally affected?
    cburkitt2