Closed Thread
Page 1 of 2
Results 1 to 10 of 18

Thread: googkle.com

  1. #1
    dsfreak (x10 Elder). Join Date: Apr 2005. Location: Arizona, USA. Posts: 669

    googkle.com

    Source: f-secure.com

    Quote Originally Posted by F-Secure
    F-Secure staff has found a malicious website that utilizes a spelling error when typing the name of the popular search engine - 'Google.com'. If a user opens a malicious website, his/her computer gets hijacked - a lot of different malware gets automatically downloaded and installed: trojan droppers, trojan downloaders, backdoors, a proxy trojan and a spying trojan. Also a few adware-related files are installed.

    The name of the malicious website is 'Googkle.com'. PLEASE DO NOT GO TO THIS WEBSITE! Otherwise your computer will get infected! We have reported the case to the authorities.

    Detailed Description

    Our investigation revealed that the whole infection starts from the 'googkle.com' website. This website, as well as a few related websites, is owned by people with Russian names. Also, several malicious files that are downloaded from these websites have Russian texts.

    When 'googkle.com' is opened in a browser, it shows 2 popup windows that are linked to the following websites:

    www.ntsearch.com
    toolbarpartner.com

    The 'ntsearch.com' website downloads and runs the 'pop.chm' file and the 'toolbarpartner.com' website downloads and runs the 'ddfs.chm' file. Both files are downloaded using exploits and they contain exploits themselves to run embedded executable files. One of the webpages of the 'toolbarpartner.com' website downloads a file named 'pic10.jpg' using an exploit. This JPG file is actually an executable that replaces the Windows Media Player application.

    In addition, these websites launch a stream of webpages with different exploits that end up downloading and running 2 files from the 'daosearch.com' website:

    web.exe
    classload.jar

    See the description of these files below.

    As far as the JAR archive is concerned, the actual malware functionality is in Installer.class, which downloads a file from the same location the JAR file is being loaded from.

    First the applet looks for the filename to download in the applet parameter ModulePath (specified in the HTML tag). If the parameter is not specified, the applet defaults to msxmidi.dat.

    After the file is downloaded, the applet gets the location of the Windows directory with GetWindowsDirectory(), saves the downloaded executable as 'web.exe' and executes it.

    As said above, two CHM files get downloaded and activated on a computer. The 'pop.chm' file drops the 'sp.exe' file and runs it. The dropped 'sp.exe' file is detected as 'Trojan.Win32.Spooner.f'.

    The 'ddfs.chm' file drops the 'frame.exe' file and runs it. The 'frame.exe' file is a trojan downloader that is detected as 'Trojan-Downloader.Win32.Small.apf'. It has the functionality to automatically reply to security questions asked by Windows to ensure that its process has a connection to the Internet. This downloader downloads and runs the following files from the 'toolbarpartner.com' website:

    xz.exe
    ggl.exe

    The 'xz.exe' file is a trojan dropper that is detected as 'Trojan-Dropper.Win32.Small.vv'. It drops a DLL named 'winloadhh.dll', detected as 'Trojan-Downloader.Win32.Small.anu', to the root folder of the C: drive. This DLL is another downloader that connects to 2 different websites to get the list of files to download:

    toolbarpartner.com
    sturfajtn.com

    Last time we checked these sites, they contained the following list of files to download:

    The 'sturfajtn.com' website:

    next3.exe
    next1.exe
    next2.exe

    The 'toolbarpartner.com' website:

    ggl.exe
    svchosts.exe
    proxyrnd.exe
    ldr.exe
    toolbar.exe
    inst.exe
    winran.exe

    These files are currently detected as follows:

    next1.exe: Trojan-Spy.Win32.Banker.jk
    next2.exe: Trojan-Proxy.Win32.Small.bh
    next3.exe: Backdoor.Win32.Zins.c
    ggl.exe: Trojan-Dropper.Win32.Small.vn
    inst.exe: Trojan-Dropper.Win32.Small.wp
    ldr.exe: Trojan-Downloader.Win32.Agent.lv
    proxyrnd.exe: Backdoor.Win32.Jeemp.c

    So as you see, a nice malware package gets installed on an affected computer: 2 backdoors, 2 trojan droppers, a proxy trojan, a spying trojan (that steals bank-related information) and a trojan downloader.

    The 'winran.exe' file that is downloaded from the 'pillz.info' website is a trojan dropper. It copies itself to the Windows System folder with a random name and drops a DLL, also with a random name, to the same folder. The DLL modifies the HOSTS file to block connections to the following websites:

    downloads1.kaspersky-labs.com
    downloads2.kaspersky-labs.com
    downloads3.kaspersky-labs.com
    downloads4.kaspersky-labs.com
    download.mcafee.com
    liveupdate.symantecliveupdate.com
    liveupdate.symantec.com
    update.symantec.com

    The 'svchosts.exe' file is a trojan dropper. It drops a DLL named 'svchosts.dll' into the Windows System folder. This DLL places a fake virus alert on the desktop. The alert looks like this (original spelling preserved):

    VIRUS ALERT!
    YOUR PC IS INFECTED!

    IT HAS BEEN DETECTED THAT YOUR PC HAS AT LEAST 3 DANGEROUS VIRUSES!
    TO KNOW FOR SURE YOU URGENTLY NEED TO RUN AN ANTIVIRUS TEST ON YOUR PC!

    The consequences of spyware and virus presence on your pc might belike:
    loosing all the data, data might be stolen, your secrets might beexposed.

    PROTECT YOUR PC!
    REMOVE ALL VIRUSES NOW!

    This fake alert is created by placing an HTML file on the desktop, so a user could click on the alert and go to a pre-defined website. The link from this fake alert points to the following website:

    topantivirus.biz

    This website offers links to different websites that offer anti-virus and spyware cleaners for download. The motto of this site is 'Top Antivirus - We help people.'. Unfortunately, the way people are directed to that website is somewhat deceptive.

    The 'toolbar.exe' file is an adware installer that installs an adware toolbar known as 'Perez'.

    The 'pic10.jpg' file is a trojan dropper similar to 'frame.exe'. It also drops a DLL named 'winloadhh.dll' to the root of the C: drive. This DLL has the same functionality as the DLL detected as 'Trojan-Downloader.Win32.Small.anu' mentioned above.

    The 'web.exe' file is also a trojan downloader that is identical to the 'pic10.jpg' file described above.
    HOLY SHIZNET!
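The whole chain above starts with a typo of 'google.com'. As an added example (not part of the forum post or of the F-Secure writeup), the block below shows the first-pass heuristic a defender uses to spot such lookalike registrations: the Damerau-Levenshtein (optimal string alignment) edit distance between a candidate domain and a list of trusted ones. The trusted list, the distance threshold and the sample candidates are constructed for this example; a production tool would also consult the public suffix list rather than the naive label split used here.

```python
"""Flag domains that look like typos of a trusted domain.

Added example, not part of the forum post or the F-Secure writeup. The
writeup describes 'googkle.com' catching users who mistype 'google.com';
this block scores a candidate domain against a trusted list with the
Damerau-Levenshtein (optimal string alignment) distance, the usual
first-pass heuristic for typosquat detection. The trusted list, the
threshold and the sample candidates are constructed for the example.
"""

TRUSTED_DOMAINS = ["google.com", "yahoo.com", "microsoft.com"]  # constructed list


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance between a and b: one unit each for
    an insertion, a deletion, a substitution or a swap of adjacent characters."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(
                d[i - 1][j] + 1,         # delete a[i-1]
                d[i][j - 1] + 1,         # insert b[j-1]
                d[i - 1][j - 1] + cost,  # substitute
            )
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transpose adjacent pair
    return d[rows - 1][cols - 1]


def split_domain(domain: str) -> tuple:
    """Return (registrable label, TLD). A naive split that is enough for the
    example; a real tool would consult the public suffix list for multi-label
    suffixes such as co.uk."""
    labels = domain.lower().strip().rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError("expected at least two labels: %r" % domain)
    return labels[-2], labels[-1]


def classify(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> tuple:
    """Return (verdict, closest_trusted_domain, distance).

    verdict is 'trusted' for an exact match, 'suspicious' when the candidate
    is within max_distance edits of a trusted domain (a different TLD counts
    as one extra edit), and 'unrelated' otherwise.
    """
    label, tld = split_domain(domain)
    best_domain, best_dist = None, None
    for t in trusted:
        t_label, t_tld = split_domain(t)
        if (label, tld) == (t_label, t_tld):
            return ("trusted", t, 0)
        dist = osa_distance(label, t_label) + (0 if tld == t_tld else 1)
        if best_dist is None or dist < best_dist:
            best_domain, best_dist = t, dist
    verdict = "suspicious" if best_dist <= max_distance else "unrelated"
    return (verdict, best_domain, best_dist)


if __name__ == "__main__":
    # Constructed candidates: the writeup's domain plus a few typo variants.
    for candidate in ["googkle.com", "gogole.com", "google.net", "google.com", "example.org"]:
        print(candidate, classify(candidate))
```

The transposition rule matters in practice: 'gogole.com' is one edit from 'google.com' under this metric but two under plain Levenshtein, so a threshold tuned for the latter would miss it. Feeding newly observed domains from DNS or proxy logs through classify() and alerting on 'suspicious' is the usual way this heuristic is deployed.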

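The writeup also notes that the DLL dropped by 'winran.exe' rewrites the HOSTS file so the listed Kaspersky, McAfee and Symantec update hosts stop resolving, which is one of the simplest post-infection indicators to check for. The block below is an added example (not part of the forum post or of the F-Secure writeup): a small HOSTS parser that reports any static mapping for one of the update hosts named above, distinguishing a blackhole (loopback or unspecified address) from a pin to some other address. The watched hostnames are taken from the writeup; the sample HOSTS content is constructed.

```python
"""Audit a HOSTS file for entries that cut off security-vendor update sites.

Added example, not part of the forum post or the F-Secure writeup. The
writeup says the DLL dropped by 'winran.exe' rewrites the HOSTS file so the
listed Kaspersky, McAfee and Symantec update hosts stop resolving. This block
parses HOSTS text and reports any static mapping for one of those hosts,
classifying it as a blackhole (loopback or unspecified address) or a pin to
some other address. The watched names come from the writeup; the sample
HOSTS content is constructed for the example.
"""
import ipaddress
import sys

# Update hosts the writeup lists as blocked by the dropper's DLL.
WATCHED_HOSTS = {
    "downloads1.kaspersky-labs.com",
    "downloads2.kaspersky-labs.com",
    "downloads3.kaspersky-labs.com",
    "downloads4.kaspersky-labs.com",
    "download.mcafee.com",
    "liveupdate.symantecliveupdate.com",
    "liveupdate.symantec.com",
    "update.symantec.com",
}

# Constructed sample: a stock Windows HOSTS header plus three tampered lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       liveupdate.symantec.com update.symantec.com
0.0.0.0         download.mcafee.com
192.0.2.10      downloads1.kaspersky-labs.com   # pinned to a constructed address
10.0.0.5        intranet.example.test
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in HOSTS text.
    Comments (# to end of line) and blank lines are skipped; one line may
    map several hostnames to the same address."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: address with no hostname
        for name in fields[1:]:
            yield line_no, fields[0], name.lower().rstrip(".")


def audit_hosts(text, watched=WATCHED_HOSTS):
    """Return a list of findings, one per watched host that has a static mapping."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name not in watched:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            reason = "unparseable address"
        else:
            if addr.is_loopback or addr.is_unspecified:
                reason = "blackholed"
            else:
                reason = "pinned to " + ip
        findings.append({"line": line_no, "host": name, "ip": ip, "reason": reason})
    return findings


if __name__ == "__main__":
    # Pass a path (on Windows normally %SystemRoot%\System32\drivers\etc\hosts)
    # to audit a real file; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for f in audit_hosts(content):
        print("line %(line)d: %(host)s -> %(ip)s (%(reason)s)" % f)
```

Any static mapping for a vendor update host is reported, not only loopback ones: a pin to a third-party address is the more dangerous variant because updates appear to succeed while actually coming from wherever the attacker chose. Extending WATCHED_HOSTS with the update hosts of whatever security products are deployed turns this into a routine integrity check.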
  2. #2
    CoolFinalFan (x10 Lieutenant). Join Date: Oct 2005. Location: Myrtle Beach, SC USA. Posts: 311

    Re: googkle.com

    wow thatz some crap there and to think somebody actually has the time to do this crap....!
    :roflwerd:

  3. #3
    dsfreak (x10 Elder). Join Date: Apr 2005. Location: Arizona, USA. Posts: 669

    Re: googkle.com

    Yea, just remember: ALWAYS CHECK YOUR SPELLING...... especially of GOOGLE>>>>> If ya don't, your computer will get killed, then will come back and KILL YOU!

  4. #4
    kaozskyblade (x10 Sophmore). Join Date: Sep 2005. Posts: 118

    Re: googkle.com

    Omg, I didn't know that. Damn Russian hackers and their love for misspelled web pages (sorry if I offend anyone here)

  5. #5
    hartap (x10 Sophmore). Join Date: Oct 2005. Location: Jakarta. Posts: 196

    Re: googkle.com

    sometimes we need stuff like that, make us learn more to be careful

  6. #6
    Nate_Benton (x10 Lieutenant). Join Date: Aug 2005. Location: Plainwell, Michigan, USA. Posts: 285

    Re: googkle.com

    *Has a linux box, goes to googkle.com*

    EDIT: it must have been removed...
    Last edited by Nate_Benton; 10-09-2005 at 02:43 PM.

  7. #7
    Matthews255 (x10 Lieutenant). Join Date: Mar 2005. Location: Cambs, UK. Posts: 413

    Re: googkle.com

    lol.

    first thing when I get to school

    googkle.com

  8. #8
    redtailblackshark (x10 Sophmore). Join Date: Feb 2005. Posts: 124

    Re: googkle.com

    that site doesn't even work anymore, this is old news.

  9. #9
    mgbenz (x10Hosting Member). Join Date: Oct 2005. Location: Philippines. Posts: 16

    Re: googkle.com

    I always thought typos were dangerous and this proves it.
    http://xthost.info/mgbenz - my personal site, please visit. ;)

    http://www.ezyrewards.com/?id=17612 - free domains and other cool stuff!:cool:

  10. #10
    ZeptOr (x10 Sophmore). Join Date: Sep 2005. Posts: 221

    Re: googkle.com

    Quote Originally Posted by Matthews255
    lol.

    first thing when I get to school

    googkle.com
    rofl!

    I remember this website that worked just like google only everything was upside down or something crazy like that

