Blog Comment Spam Points to Drive-By Site

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

I just want to take a moment to thank the malware author who posted a spam comment to the Webroot Threat Blog blog the other day. You guys make my job so easy.

The spam comment, which reads Hello. I the beginner. I wish to show to you,scandal story and links to a drive-by download site, is a tremendous help to our researchers, who are always on the lookout for new threats.

Of course, the malware distributor could have employed a more effective hook to convince someone to click a link than the one he used.

The link claims to point to a page hosted on the free Blogspot blog site to a nude video — not of Paris Hilton, Venus Williams, or Erin Andrews — but of…Diane Sawyer, the respected, award-winning anchor of ABC’s World News Tonight.

Diane Sawyer Nude” — seriously? News anchor porn? Whatever happened to malware authors touting nude photos of starlets as an enticement?

The Blogspot page has a static image that looks like a streaming video player embedded in the page below a portrait of Sawyer, and the text Watch Diane Sawyer Nude: Click HERE. Click the “video” and you’re instead redirected to a Javascript file on the Web site, which redirected my computer to a page on another Web site, The Javascript appears to redirect users to different pages — 38 total, all named after slightly younger stars of stage and screen — presumably, depending on the subject of the comment spam.

In this script, Sawyer’s name gave way to those of somewhat younger actresses, including Mila Kunis, Elisha Cuthbert, Kristen Bell, Eliza Dushku, Summer Glau, Zooey Deschanel, Sarah Chalke, and Tina Fey, and 30 others. There’s the old, familiar social engineering we know and love hate.

You eventually land on a page for a Web site that calls itself Close Club Video, featuring another (entirely bogus) image that looks like another streaming video window.

But it didn’t matter which celebrity strikes your fancy: Each of the redirections lead to the same destination, a page which tries to push a fake Flash codec download to visitors from the domain The download process begins after a slick, also-fake animation of an Adobe Flash Player update alert message slides down the screen.

Click anywhere on the page, and you end up triggering the download of the fake codec:

The fake codec Web page is actually pretty amusing to play with. Most of the content — an animated GIF of an Ajax “loading” spinner, the number of “views” of the video — is static and unchanging.

But if you modify the query string in the URL, you can replace the text “Diane Sawyer sex tape” and get the page to display any text you like.

Unfortunately, the payload of the page is significantly less amusing.

The flash_video.exe payload (in repeat performances, the site delivered a file named flash_video_update.exe) was actually an installer of a file we classify to Trojan-DermoDNS, a modified version of the Trojan-Downloader-Dermo that downloads, in addition to an installer for Adware-Sabotch, a payload which modifies the DNS settings of the infected computer so it resolves IP addresses through a server in Russia instead of your local ISP—potentially giving the operator of that Russian server a way to subtly manipulate what appears in the browser on an infected computer.

Existing bulk-detection signatures are able to squelch the DermoDNS and Sabotch payloads, and all but one of the domains involved in the attack were already blocked in the desktop product’s Communications Shield at the time we discovered the scam. We’ve added the new domain to our latest definitions set.

But the best way to avoid an infection is to be smart about what you download and run. Refrain from running random applications. If you need to update the Adobe Flash player, head to the official Adobe download site to download the latest version, and don’t trust an unknown Web site that claims to deliver Flash to your PC.
wordpress blog stats

8 thoughts on “Blog Comment Spam Points to Drive-By Site

  1. I agree it is very stupid to install the fake pluggin but some guys at the company is stupid enough to fall for it. It is hard to find a good antivirus software with dump computer users. I can use my computer without antivirus for years and still virus free. But I have to keep searching for antivirus for my boss and colleagues so that they wouldn’t screwed up.

    • I call BS. What kind of “service” are you referring to? The service of infecting computers? The service of stealing personal information or turning PCs into botnet nodes?

      Face it, you’re a dimwit comment spammer who’s only trying to improve the search engine ranking of a housing development website in Arizona by posting a link to your website on the blog of a security company.

  2. Everything on this page (including your altered poster links) is gold. Now, naturally I am sitting here surfing for good backlink domains to feed a new website for my client… but I’ll refrain and use my legit info, since I actually try to provide legit feedback and you’re obviously not a tard. You understand, I’m sure… just playing the game.

    Anyway – warning – legit comment:
    Has anyone done a study on how much / what these guys rake in by doing this malicious crap? I understand that like 1 million grandmas a day fall for it, but what does that yield to these guys? There’s a decent amount of time involved with setting a tunnel/funnel up like the one described above, and I just don’t see the profit margins being worth it. Maybe it’s just to be malicious, i dunno.

  3. As businesses struggle to compete and succeed in an economy recovering from a global recession, they need solid information now more than ever. But the combination of a downsized workforce and an overreliance on manual processes driven by inadequate tools can force a potential sea change for business and finance. “People are spending too much unproductive time overcoming the inherent defects of spreadsheets,” says Kugel. “There is real value in automating with tools that can handle multiple dimensions and create scenarios quickly and easily

Join the Conversation

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s