Digging for Worms
September 11th, 2008
One of today’s popular Web 2.0 sites is without doubt digg.com, where people can share and discover content on the Internet … the so-called “user-generated content”. The community decides what’s popular by “digging” or “burying” it, and popular content is then brought to the front page, where an even bigger audience can be reached. But since everyone is free to place links on Digg, malware authors try their luck as well, promoting links to malicious content.

In a recent sample, a new entry for an “Emma Watson” video showed up, and the posting promises more celebrity videos and celebrity gossip. When a user falls prey to this simple social engineering trick and follows the link, a web site like the following is shown.

At first glance the site looks legit and includes several celebrity videos from another Web 2.0 site, “Metacafe”. But a closer look reveals that an additional IFRAME is also loaded, which leads to obfuscated JavaScript that tries to install malware silently.
This malware is able to spread to any removable disks or USB sticks connected to the victim’s PC by creating an executable named “autorun.exe” and an “autorun.inf” on these media drives. The executable will then be run if the infected drive is put into another Windows PC where Autorun functionality is enabled by default. The malware also looks for popular peer-to-peer applications like “eMule” and “DC++” on the victim’s computer and copies itself to the shared folder using different fake names such as “AOL Password Cracker.exe” and “Counter-Strike KeyGen.exe”.
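
The following is an added example, not part of the original post: a Python check a defender could run over a mounted removable drive to see whether its “autorun.inf” launches a program, as the “autorun.exe” and “autorun.inf” pair described above does. The function names are illustrative, and the file is assumed to be plain ANSI text.

```python
import os
import re

# Keys in the [autorun] section that make Windows launch a program.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def autorun_launch_targets(inf_text):
    """Return the commands an autorun.inf would run, in file order."""
    targets, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if LAUNCH_KEY.match(key) and value:
                targets.append(value)
    return targets

def scan_drive_root(root):
    """Return (command, program_present_in_root) for each launch entry."""
    names = os.listdir(root)
    inf = next((n for n in names if n.lower() == "autorun.inf"), None)
    if inf is None or not os.path.isfile(os.path.join(root, inf)):
        return []
    with open(os.path.join(root, inf), "r", errors="replace") as fh:
        text = fh.read()
    present = {n.lower() for n in names}
    findings = []
    for cmd in autorun_launch_targets(text):
        # The program is the first token, which may be quoted.
        m = re.match(r'"([^"]+)"|(\S+)', cmd)
        program = (m.group(1) or m.group(2)).lstrip("\\/").lower()
        findings.append((cmd, program in present))
    return findings
```

A finding whose second field is true means the drive carries both the launch entry and the program it names in its root, which is the layout this worm creates.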

The Secure Anti-Malware Engine blocks the malware proactively as “Win32.Malware.gen”, and an exact detection “Worm.Autorun.nar” has been added. The Secure Anti-Malware Engine can also be used to proactively block infected PCs, such as those of mobile workers, from phoning home the stolen credentials.
Watch out while surfing the new Web 2.0 world and don’t follow every link.
Author: Anti-Malware Team