Friday, September 4, 2009

What 'Dr. Seuss Coloring Pages' and 'Red Spots on Face' Have In Common

A recent trend amongst malware distributors has been to bombard Google with loads of useless pages containing keywords and phrases that will put them high in search results for particular queries.  Sometimes these pages target recent news events, and sometimes they're about seemingly random things such as Dr. Seuss coloring pages (believe it or not, I've actually seen that specific example). In the search engine's text snippet previews, these pages appear harmless and perhaps even useful, but when an unsuspecting Web surfer clicks on one of these search result links, the page immediately redirects to a fake antivirus scan (a form of scareware), exploits, drive-by downloads, or other malicious content.  I uncovered just such a scam today while investigating an infected PC.

This page...

hxxp://rodrigoeastbury.moqxqpuxz .cc/red_spots_on_face_that_wont_go_away.html

...automatically redirected to a page on langlan .net, which redirected to a page at pconlinescan .net, which loaded a fake virus scan that to the novice user may appear to be an actual Windows security alert (click on the screenshot to see it full size):
The malware authors obviously designed this scam page to look like Windows XP's default blue theme.  (As you can see in this screenshot, even in a Mac browser the page looks the same.)  If the panicked victim clicks on the "Remove all" button (or, in fact, anywhere on the page—even the Cancel or red X buttons), malware is downloaded onto the machine.  This malware is not yet detected by most antivirus software, but I'm submitting a sample to multiple security vendors so it should be more widely detected within the next day or so.

File details courtesy of VirusTotal and VirSCAN:
File name: setup_build206_157.exe
File size: 263168 bytes
MD5 : aedd952609bd1c6056df337443fb951e
SHA1 : 8b09fa1e55e5e5501ed5b9f6833e71d04fb12b01
SHA256: 7b89c480f25f14b2bc744a141fb252d796bdcd90f77dcff7e4a8bce06963e508
Variously identified as: TR/Dldr.Fake.PS.14, Trojan-Downloader.Win32.FraudLoad.fkt, Trojan.Dldr.Fake.PS.14, Mal/Behav-321, TROJ_AGENT.PQAB, etc.
For more details regarding the malicious payload and associated domains, see:
For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.


  1. ok, so here's my question. If you can't click on it to close it (because it activates it) how do you get it to stop running or get rid of it?

    Is it to ME< the task manager is totally a zoo to read, I'm SURE not for IT people, thank you very much.... (where as the old one, when you had something like that happen, it would show RIGHT THERE and you could take care of it) Trouble is, it might be wonderful for all you IT people out there that can read the task manager in all that detail, and know what you are reading, but I can't believe that I am the only one to feel this way about all this information we know nothing about now..good grief... Is it me?

    Windows defender picked it up (and I think deleted it) Half the people in the world probably don't even know NOT to even click on it. But how in the world do you end task when you don't know what you are looking for anymore...
    Frustrated at the new task manager...

  2. If you can't figure out which button is the real window close button, hold down the Alt key on the keyboard and press F4. This will close the frontmost window in pretty much any Windows application. To close the frontmost window on a Mac, hold down Command (the Apple logo or cloverleaf key) and press W.


Comment moderation is enabled. (If you wish to contact Josh privately, you can leave a comment and ask that it not be published.)