Comment (libel) spam

Cio-Cio San (Madama Butterfly) getting back at Pinkerton?

Someone using the handle “strelaoz” (do a web search for it), claiming to be an ex-lover, has been leaving comment spam on hundreds of web sites “exposing” details of a romantic relationship and jilting by an exec at Symantec. The comments usually accompany news pieces about the company.

While comment spam is usually a nuisance, this defamation campaign takes the art form to a higher level than one usually sees. It is possible that the details are fiction and the campaign is simply an attempt to damage Freer and/or Symantec. It represents an Internet threat that could be very difficult to defend against.

In one post, there seems to be an oriental connection too – Chinese characters in the text:

[Screenshot: Butterfly]

If one reads the details, the back story appears to be vaguely similar to the plot of the Puccini opera “Madam Butterfly” (well, ok, it isn’t Japan and there’s no baby.)

Update: July 20:

Whoever is behind this appears to be using a Yahoo account under the name of Jennifer Yin:

http://pulse.yahoo.com/_J4EQHO7G3XRGON4P3Q33FVCJ2Q


Nice work Mike.

Tom Kelchner

OMG! OMG! DON’T FALL FOR FACEBOOK SPAM!!

It can cost you $9.99 per month on your phone bill

There seems to be an increasing amount of Facebook spam that spreads by social engineering – which is tough to stop since it’s Facebook users who are being tricked into “liking” the site (and reposting the spam five times if they pursue the following.)

We’ve found a lot of them. This one’s typical. The whole point of the exercise is to trick you into giving away your phone number so it can be billed something like $9.99 per month and send five of your friends to the same site to do the same. Oh, and show all your Facebook friends that you “like” a spam site.

First you get a message from a friend that looks something like this:

[Screenshot: Facebook Spam_1]

The link takes you here:

[Screenshot: Facebook Spam_2]

Note that somebody got paid (per click) for sucking in over 16,000 people on this one.

The gig is that you’re supposed to “like” this then share the text they give you.

[Screenshot: Facebook Spam_3]

After you fall for that you “click here” to see who viewed your profile.

[Screenshot: Facebook Spam_4]

Then the “verification” launches you into one of those endless surveys (you get a choice of six) the point of which is to collect your cell phone number so you can be billed $9.99 per month.

[Screenshot: Facebook Spam_8]

And, if you’re running Firefox’s Adblock add-on to protect you from such crap, these folks will even help you disable it!!

[Screenshot: Facebook Spam_7]

And after all that, here is your prize. Everybody seems to get the same one:

[Screenshot: Facebook Spam_6]

Thanks Wendy and Matthew.

Tom Kelchner

View private Twitter accounts? Not exactly…

There’s a website called “Tweet Unlock” located at tweetunlock(dot)com, which claims to be able to show you hidden content on Twitter. All you have to do is enter the Username of the target account and hit the button.

[Screenshot: Twitunlock]

Of course, it doesn’t work – and they want you to sign up to auto insurance quotes and a random offer served up by “Step 2”. Regardless of what you type into the box, you’ll be taken to a page not found message:

[Screenshot: 404]

If you have a private Twitter account, don’t panic – complete strangers won’t be digging through your messages for the time being.

Christopher Boyd

Fake hacking programs jump on the survey bandwagon

Regular readers of this blog will be familiar with those wonderful CPA Lead popups, which typically hide content until you fill in a survey. Well, here we have an interesting development in fake hacking program land. Shall we take a look?

[Screenshot: fake programs website]

Above, you can see a huge dumping ground of files, directories and executables. It’s a bit of a maze, but generally speaking anything listed as a .htm page will contain an embedded Youtube video and an attempted download of an executable related to the Youtube content (in this case, “credit card generators”) from bestlinkfree(dot)com.

[Screenshot: youtube vid]

All of the Youtube videos appear to come from one account that currently has 141 hacking programs advertised:

[Screenshot: fakes galore]

Let’s fire up one of the many programs on offer and see what they do.

[Screenshot: fake twitter hack]

This one claims to be able to hack any Twitter account. As you fire it up, a browser window opens up telling you to “connect to your victim account from here”. Enter a Twitter name into the box of the main application, hit the “Crack pass and email” button and your traffic will suddenly look like this:

[Screenshot: traffic]

[Screenshot: popups here we come]

Fake hacking programs that pop a CPA Lead survey for you to fill in before the “hack” completes? Oh my.

All of these programs do exactly the same thing – reach the halfway point of a nonexistent hack, then pop a survey or tell you to do one to get your hands on a database:

[Screenshot: fill this in, please]

I’d imagine building these survey popups into the fake applications would fool quite a few people.

[Screenshot: fake visa creator]

[Screenshot: visa app popups]

Of course, it’s a touch surreal if anyone actually believes a “VISA card software verification” requires you to fill in a survey but stranger things have happened.

In total, we collected fifteen of these files and they claim to hack everything from Twitter and Myspace to Facebook and online poker games:

[Screenshot: exes galore]

It’s a huge scam, so of course we detect them all – however, things are a little lonely in detections land right now. VirusTotal is a little overloaded this morning, but currently the highest detection rate I can find is 3/42 for one of the Myspace programs. Hopefully those numbers will continue to rise – for now, it’s best to avoid all of the above files.

Christopher Boyd

I-DOSING: KIDS ARE GETTING HIGH ON MUSIC!!!

Psychology Today: “… money-grabbing pseudoscience.”

Parts of this country seriously need more science education.

There are stories running today about “I-dosing” — Kids inducing a state of ecstasy by listening to special MP3s.

The sources for the story include The Oklahoma Bureau of Narcotics and Dangerous Drugs and either Kansas or Oklahoma News 9 and either Kansas or Oklahoma Mustang Public School District (some people are just scraping news stories and aren’t checking sources.)

Wired is carrying the story “Report: Teens Using Digital Drugs to Get High”

To their credit, they categorize it as “ridiculous.”

[Screenshot: Idosing]

The Psychology Today blog “You 2.0” by Ron Doy has some interesting insight:

“But really, Idozer (or I-doser as it is also known) is extremely old drug in a new package. And breathe easy my fellow parents—because it’s not really a drug—it’s binaural beat therapy.

“In 1839, Heinrich Wilhelm Dove discovered that two constant tones, played at slightly different frequencies in each ear, cause the listener to perceive the sound of a fast-paced beat. Calling this phenomenon ‘binaural beats,’ Dove helped launch two centuries of legitimate research and, as is almost always followed by exciting empirical study, money-grabbing pseudoscience.

“First, the facts: Binaural beat therapy has been used in clinical settings to research hearing and sleep cycles, to induce various brain wave states, and treat anxiety.

“But there are more controversial (dare I say dubious?) claims associated with binaural beats: Increased dopamine and beta-endorphin production, faster learning rates, improved sleep cycles, and yes, if you dig around less scientific communities like, oh, MySpace, you’ll find kids telling each other that ‘dude, those beats get you like totally high.’”

Blog here.

And some reports from ACTUAL USERS!!!

“Well. I certainly wouldn’t call my self “high” at the moment, but it certainly does something to say the least. Maybe the onset of a migraine.. fun. Oh, and now my hearing is all f****ed.”

— “Largely a droning noise”

[Image: Vuvuzela]

— “searched for gates of hades n youtube…turned it off after about 5 seconds.”

— “Yah. It feels kind of like I took a hit off of a roach that had been sitting in someone’s ashtray for a half a year. Not high, just kind of sick and headachey. Lame.”

— “ya, I tried it to. Kind of disorienting hearing 2 different things going on in either ear, and when it got intense enough did distort my vision, but…I definitely wouldn’t call it ‘high’ :”

Thanks Wendy (God! Where do you find this stuff!)

Tom Kelchner

Panic on Facebook: AVG HTML/Framer false positive

You CAN go to South Africa in Mafia Wars

Notice of a possible infection – which is really a false positive in AVG’s AV scanner – in Zynga’s Mafia Wars game on Facebook has not only raised concern, it’s gone viral:

[Screenshot: AVG iframe FP]

http://www.areapal.com/social/news/United%20States/html%20framer%20virus

AVG’s answer:

ondraploteny wrote
Hi,

This looks like I have noted:
Please keep in mind that this false positive detection HTML/Framer is currently related only with mentioned files (
www.google.com/recaptcha/api/js/recaptcha_ajax.js, BrowserCompAp.js), there still exists other websites (files), which really contain this type of infection.

Thank you
***************AVG Team

http://forums.avg.com/us-en/avg-free-forum?sec=thread&act=show&id=98485#post_98485

Thanks Wendy

Tom Kelchner

FLVDirect affiliates hacking government servers

We’re not in Kansas anymore, Toto

An affiliate (or affiliates) of FLVDirect has apparently hijacked a domain name server and appropriated the name of a Kansas state government web site to redirect to the FLVDirect page.

*And it is not just Kansas.* There are several others including:

tubes-1111.yanceycountync.gov/1136.html
tubes-0611.uppersiouxcommunity-nsn.gov/1244.html
tubes-0511.woodfin-nc.gov/163.html
tubes-1011.dumontnj.gov/898.html

It also appears as though they or someone else has appropriated names of .gov sites to redirect to an adult dating site XXXBlackBook.com.

Our first example is emporia-kansas.gov:

[Screenshot: Gov_zoo_porn_6_Yahoo results]

It redirects to the notorious FLVDirect adware site. VIPRE detects FLVDirect as Win32.FLVDirectPlayer.

[Screenshot: Gov_zoo_porn_4_flvdirect]

[Screenshot: Gov_zoo_porn_7_xxxblackbox]

It looks like their DNS has been hijacked and those sub domains point to servers that are not under their control:

PING tubes-1911.emporia-kansas.gov (66.49.238.80)

whois 66.49.238.80

OrgName: Canaca-com Inc.
OrgID: CANAC
Address: 1650 Dundas St East Unit 203
City: Mississauga
StateProv: ON
PostalCode: L4X-2Z3
Country: CA
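The ping and whois check above can be turned into a routine audit: resolve every name in the zone and flag any record whose address falls outside the netblocks the organisation actually owns, then look for unrelated zones that land on one and the same server. The Python below is an added example, not code from the original post or from Sunbelt; the zone netblocks (RFC 5737 documentation ranges), the www/mail hostnames and the woodfin-nc.gov address are constructed placeholders, and only the 66.49.238.80 address and the tubes-NNNN naming come from the post.

```python
import ipaddress
import re

# Constructed: each zone's own address space. RFC 5737 documentation ranges stand in
# for the real netblocks of these .gov sites, which this example does not know.
ZONE_NETBLOCKS = {
    "emporia-kansas.gov": [ipaddress.ip_network("203.0.113.0/24")],
    "woodfin-nc.gov": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed snapshot of A records as a resolver would return them. 66.49.238.80 is the
# address shown in the post's ping output; the other addresses are made up.
RESOLVED_RECORDS = {
    "www.emporia-kansas.gov": "203.0.113.10",
    "mail.emporia-kansas.gov": "203.0.113.25",
    "tubes-1911.emporia-kansas.gov": "66.49.238.80",
    "www.woodfin-nc.gov": "198.51.100.7",
    "tubes-0511.woodfin-nc.gov": "66.49.238.80",
}

# Hostname label pattern used by the redirecting records in the post: "tubes-" + four digits.
SUSPICIOUS_LABEL = re.compile(r"^tubes-\d{4}$")


def zone_of(hostname: str, zones=ZONE_NETBLOCKS):
    """Return the longest configured zone the hostname belongs to, or None."""
    parts = hostname.lower().split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in zones:
            return candidate
    return None


def outside_zone_netblocks(hostname: str, ip: str, zones=ZONE_NETBLOCKS) -> bool:
    """True when the address is not inside any netblock the hostname's zone is known to own."""
    zone = zone_of(hostname, zones)
    if zone is None:
        return True  # unknown zone: nothing to vouch for it
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in zones[zone])


def audit_records(records=RESOLVED_RECORDS, zones=ZONE_NETBLOCKS) -> list:
    """Return (hostname, ip, reasons) for each record that looks like a hijacked subdomain."""
    findings = []
    for host, ip in sorted(records.items()):
        reasons = []
        if outside_zone_netblocks(host, ip, zones):
            reasons.append("resolves outside the zone's known netblocks")
        if SUSPICIOUS_LABEL.match(host.split(".")[0]):
            reasons.append("label matches the tubes-NNNN pattern")
        if reasons:
            findings.append((host, ip, reasons))
    return findings


def hosts_sharing_ip(records=RESOLVED_RECORDS) -> dict:
    """Map each IP that serves hostnames from more than one zone to those hostnames."""
    by_ip = {}
    for host, ip in records.items():
        by_ip.setdefault(ip, set()).add(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items()
            if len({zone_of(h) for h in hosts}) > 1}


if __name__ == "__main__":
    for host, ip, reasons in audit_records():
        print(f"{host} -> {ip}: {'; '.join(reasons)}")
    for ip, hosts in hosts_sharing_ip().items():
        print(f"{ip} serves hostnames from several zones: {', '.join(hosts)}")
```

For live use, replace RESOLVED_RECORDS with the zone's actual records (from the registrar or DNS provider's control panel) and populate ZONE_NETBLOCKS from your own IP inventory; a record that trips both checks is exactly the signature of the hijack described above, and the shared-IP grouping is what ties the separate .gov names in the post together.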

We found a number of other similar sites with .gov domains out there as well, all leading to XXXBlackBook.com or FLVDirect.com.

[Screenshot: Gov_zoo_porn]

Adam Thomas and Tom Kelchner

Give a hoot, read a book. Alternatively…

…you could deface two library websites and play some music in the background. I guess.

[Screenshot: hacked library]

Both sites (hardinglibrary(dot)org and mendhamtownshiplibrary(dot)org) are sitting on a server with a huge number of library websites on it – however, only these two domains appear to have been defaced. The admins have of course been notified, and hopefully all of your book related needs will be back online shortly…

Christopher Boyd

Patch Tuesday: XP SP2 support ends, Help and Support Center bug fixed

Microsoft issued four security bulletins yesterday fixing vulnerabilities in:

— Microsoft Windows Help and Support Center (MS10-042)
— Microsoft Windows Canonical Display Driver (cdd.dll) (MS10-043)
— Microsoft Office Access ActiveX Controls (MS10-044)
— Microsoft Office Outlook (MS10-045)

The vulnerability in Help and Support Center (MS10-042) was in the news last month when a researcher released proof of concept code which malicious operators then exploited. The vulnerability allowed execution of code from a malicious Web page or malicious link in an e-mail.

Microsoft summary here.

The monthly updates also mark the end of Microsoft’s support for Windows XP Service Pack 2. Users should upgrade to XP SP3 or Win 7.

Tom Kelchner

Chinese .gov domain hacked, serving up phish

Just because a site is a .gov doesn’t mean it’s safe from harm. A Chinese .gov portal that appears to be for tourism in the Haidian District of Beijing currently looks like this:

[Screenshot: phish]

The homepage has been bumped out of the way in favour of the following fake login:

[Screenshot: phish]

The location of the phish in question is ns(dot)bjhd(dot)gov(dot)cn/update/, and it’s been reported to the admins.

Christopher Boyd

The phish whisperer

New vector for malicious links – WoW whisper message leads to keylogger

Our friend Douglas received a whisper (chat message) from someone using the handle “BlizzaICOL” while he was playing WoW telling him that the beta is available for the new Cataclysm expansion for the WoW map. The expansion will make everything appear as though it’s on fire, being burned by a dragon. The “whisperer” also passed along a URL which led to Cataclysmtest.net (don’t go there) which APPEARED to be the WoW login screen.

[Screenshot: WoW_Phish]

To see where this went, we entered a fictitious username and password and the site accepted it, meaning that it’s probably snatching login information. It’s a known phishing site (Firefox alert box below.)

[Screenshot: Wow_2]

Another authentic-looking page (also tagged as a malicious site by Firefox) with a “download” button awaited at worldofwarcrayt.com (which, as you can notice, is one letter off from “worldofwarcraft.com”).

[Screenshot: WoW_Phish_4]

Nice reproduction of the real thing:

[Screenshot: WoW_authentic]

Clicking on the “Download for PC” (don’t try this at home) we downloaded this – which turned out to be a Trojan that installs a key logger intended to steal passwords.

[Screenshot: WoW_Phish_6]

The Cataclysmtest.net domain was registered earlier in the month and whoever registered it either has a really obscene name or is faking it. The “.cm” country domain – Cameroon – is well known for malicious code, because it’s only one mistyped URL from the “.com” top-level domain. Operators there have set up a wild-card DNS record which will respond to any URL with a .cm domain. (More info here: http://en.wikipedia.org/wiki/Wildcard_DNS_record )

[Screenshot: WoW_whois_2]

It appears the worldofwarcrayt.com domain was registered (in April) by the same person who used “ukukukuk” in place of “usususus.”

[Screenshot: WoW_whois_1]
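Both tricks in this post, the one-letter substitution in worldofwarcrayt.com and the .cm-for-.com country-code swap that the wildcard record makes profitable, can be caught on the receiving end by comparing every hostname in a message against the short list of domains the user actually logs into. The Python below is an added example, not code from the post or from Blizzard; the protected-domain list, the lookalike-TLD table and the sample whisper text are constructed assumptions, and the registrable-domain extraction is a deliberately naive last-two-labels cut rather than a public-suffix-list lookup.

```python
import re

# Constructed allowlist: the domains a player genuinely signs in to. Extend per organisation.
PROTECTED_DOMAINS = ["worldofwarcraft.com"]

# Constructed table of ccTLDs one typo away from .com; ".cm" is the case discussed in the post.
LOOKALIKE_TLDS = {"cm": "com", "co": "com", "om": "com"}

# Pulls bare or http(s)-prefixed hostnames out of free text (chat whispers, e-mail bodies).
URL_HOST = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)

# Constructed sample whisper modelled on the lure described in the post.
SAMPLE_WHISPER = ("Cataclysm beta is open! Log in at http://cataclysmtest.net/ or grab "
                  "the client from worldofwarcrayt.com (mirror: worldofwarcraft.cm)")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(hostname: str) -> str:
    """Last two labels of the hostname. Naive (no public-suffix list); enough for this example."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_domain(hostname: str, protected=PROTECTED_DOMAINS, max_edits: int = 2):
    """Return (verdict, matched_brand); verdicts: legitimate, tld-lookalike, typosquat, unknown."""
    domain = registrable_domain(hostname)
    name, _, tld = domain.rpartition(".")
    for brand in protected:
        brand_name, _, brand_tld = brand.rpartition(".")
        # Only compare against brands whose TLD matches or is a known lookalike of this one.
        if tld != brand_tld and LOOKALIKE_TLDS.get(tld) != brand_tld:
            continue
        distance = levenshtein(name, brand_name)
        if distance == 0 and tld == brand_tld:
            return ("legitimate", brand)
        if distance == 0:
            return ("tld-lookalike", brand)
        if distance <= max_edits:
            return ("typosquat", brand)
    return ("unknown", None)


def scan_message(text: str) -> list:
    """Classify every hostname found in a chat message or e-mail body."""
    return [(host, *classify_domain(host)) for host in URL_HOST.findall(text)]


if __name__ == "__main__":
    for host, verdict, brand in scan_message(SAMPLE_WHISPER):
        print(f"{host}: {verdict}" + (f" (imitates {brand})" if brand else ""))
```

Note that cataclysmtest.net comes back as "unknown": it imitates nothing by spelling, so a brand-distance check cannot flag it, and the only defence there is the reputation list Firefox used in the screenshots above. The typosquat and lookalike-TLD verdicts, on the other hand, need no prior sighting.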

Thanks Douglas and Wendy.

Tom Kelchner

GFI Software acquires Sunbelt Software

Today, it was announced that Sunbelt Software has been acquired by GFI Software. The new combined entity will provide a wide range of security and infrastructure software solutions, both on-premise and in the cloud.

First, let me say that we’re thrilled to be part of the GFI team. Throughout our discussions and interactions with GFI, we have been continually impressed with their dedication to quality, customer service and superior performance throughout the company. Both companies are similar in their attitudes and practices with regard to customer service, product quality, strategic vision, organizational styles and culture.

On the technology side, the acquisition allows us to expand into several areas, which we believe are essential for us to grow as a company and continue to provide leading-edge technologies to our customers. These areas include vulnerability assessment, patch management, data leakage prevention, hosted/cloud-based technologies, and solutions for MSPs.

We have already identified a number of synergies between the products, and are working with the GFI team on these areas. These include putting our VIPRE technology into various GFI products (such as GFI MAX and GFI MailSecurity); and integrating GFI’s DLP technology and vulnerability/patch management into VIPRE Enterprise. More details will be forthcoming as we execute on the product roadmap.

In addition to the technology side, GFI provides additional resources in terms of capital, management expertise, systems and new markets that will continue to propel our products and our teams to the highest level of achievement possible.

For the time being, both companies are hard at work, integrating the various sales, marketing, finance, and technology teams. Our goal is to make the combination of the companies as seamless as possible to our customers and partners.

Our management team, including the product teams — Mark Patton (VP R&D), Eric Sites (CTO) and Bill Emerick (SVP Products and Services) — will continue with the new organization. I will be staying on as well, continuing to run the VIPRE business and other security offerings. Stu Sjouwerman, our co-founder, is retiring but will continue to be involved with our various publications (WServerNews, Win7News, and SecurityNews).

It’s an exciting day for us here at Sunbelt, and I believe sincerely that this acquisition was in the best interests of all parties — not only our shareholders and employees, but most importantly, our customers and partners.

Alex Eckelberry

DynDNS hosts malware sites

Over the past month or so we’ve seen quite a lot of malware coming from sub-domains of DynDNS.com, which is a dynamic DNS provider. A typical link might look like this:

http://upogoteluqike.scrapper-site.net/1111111ggg/get.php?name=Anal_Porn_Movie_162.mpeg

(scrapper-site.net is a DynDNS site.)

The sub-domains are changing every hour, though the folder and file name generally do not. The sub-domains, which appear to be semi-randomly named, usually resolve to this IP:

80.91.176.172

The files coming down are typically detected as Trojan.Win32.Alureon, Trojan-Downloader.Win32.FraudLoad, and Trojan.Win32.FakeAlert — although detection among major antivirus providers is spotty and varies wildly by file.

WhoIS data for DynDNS.com:

DynDNS.com
Hostmaster, DynDNS <hostmaster@dyndns.com>
1230 Elm St., 5th Floor
Manchester, NH 03101

The list of their domains that we’ve seen being used by the bad guys closely matches the list of available domains you see on their web site in the dropdown box for “Free Domain Name.” The ones we’ve seen in particular over the last couple of weeks are:

boldlygoingnowhere.org
dnsalias.com
dnsalias.net
dnsalias.org
dnsdojo.com
doesntexist.com
dynalias.net
doesntexist.org
dvrdns.org
dynalias.com
dynalias.org
dyndns.biz
dyndns.tv
dyndns.ws
endofinternet.net
endofinternet.org
game-host.org
getmyip.com
gotdns.com
gotdns.org
hobby-site.com
hobby-site.org
homedns.org
homeftp.org
homelinux.com
homelinux.net
homelinux.org
homeunix.net
homeunix.org
is-a-chef.com
is-a-geek.net
is-a-geek.org
isa-geek.org
kicks-ass.net
kicks-ass.org
scrapper-site.net
scrapping.cc
selfip.biz
selfip.com
selfip.info
selfip.net
selfip.org
servebbs.com
servebbs.org
serveftp.net
serveftp.org
servegame.org
thruhere.net
webhop.biz
webhop.info
webhop.net

It should be noted that DynDNS.com’s services and those of No-IP.com have been used to distribute a variety of malware over the past year, but these “anal porn” malware files are the most recent and noteworthy examples.
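The pattern described above, hourly-rotating semi-random subdomains under a dynamic-DNS parent, a fixed folder and file name, and a single hosting IP, is itself a usable detection signature: group URL sightings by path, query string and resolved address, then look for groups that span several subdomains. The Python below is an added example, not code from the post or from DynDNS; it uses a handful of entries from the free-domain list above and a constructed set of proxy-log sightings modelled on the post's URL, with the file name replaced by a neutral placeholder and the 80.91.176.172 address taken from the post.

```python
from urllib.parse import urlsplit

# Subset of the free DynDNS domains listed in the post (the full list is the one above).
DYNDNS_FREE_DOMAINS = {
    "scrapper-site.net", "dnsalias.com", "homelinux.org", "selfip.net",
    "is-a-geek.org", "webhop.net",
}

# Constructed proxy-log sightings: (timestamp, url, resolved_ip). The first three follow the
# post's pattern (rotating subdomain, fixed folder and file); the rest are benign noise.
SIGHTINGS = [
    ("2010-07-19T08:02", "http://upogoteluqike.scrapper-site.net/1111111ggg/get.php?name=Movie_162.mpeg", "80.91.176.172"),
    ("2010-07-19T09:15", "http://vekizatopaho.scrapper-site.net/1111111ggg/get.php?name=Movie_162.mpeg", "80.91.176.172"),
    ("2010-07-19T10:41", "http://roqelumadise.dnsalias.com/1111111ggg/get.php?name=Movie_162.mpeg", "80.91.176.172"),
    ("2010-07-19T11:03", "http://files.example.com/downloads/setup.exe", "198.51.100.20"),
    ("2010-07-19T11:30", "http://mybox.homelinux.org/photos/index.html", "192.0.2.44"),
]


def dyndns_suffix(hostname: str):
    """Return the dynamic-DNS parent domain if the hostname is a subdomain of one, else None."""
    labels = hostname.lower().split(".")
    for i in range(1, len(labels)):  # start at 1 so the bare parent domain itself is not a hit
        suffix = ".".join(labels[i:])
        if suffix in DYNDNS_FREE_DOMAINS:
            return suffix
    return None


def classify_url(url: str) -> dict:
    """Split a URL into the fields the campaign grouping relies on."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    suffix = dyndns_suffix(host)
    return {
        "host": host,
        "dyndns": suffix,
        "subdomain": host[: -len(suffix) - 1] if suffix else None,
        "path": parts.path,
        "query": parts.query,
    }


def find_campaigns(sightings=SIGHTINGS, min_subdomains: int = 2) -> dict:
    """Group dynamic-DNS sightings by (path, query, ip); keep groups seen under several hostnames."""
    groups = {}
    for _ts, url, ip in sightings:
        info = classify_url(url)
        if not info["dyndns"]:
            continue
        key = (info["path"], info["query"], ip)
        groups.setdefault(key, set()).add(info["host"])
    return {key: sorted(hosts) for key, hosts in groups.items() if len(hosts) >= min_subdomains}


if __name__ == "__main__":
    for (path, query, ip), hosts in find_campaigns().items():
        print(f"campaign: {path}?{query} on {ip} via {len(hosts)} hostnames: {', '.join(hosts)}")
```

The grouping key deliberately ignores the hostname, because the hostname is the part the operator rotates; the path, query and server address are what stay fixed, which is why the single legitimate homelinux.org sighting forms a group of one and drops out.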

Free file hosting sites (e.g., Rapidshare.com, FileAve.com), social media sites (Facebook, Twitter), and blog sites have been and still are being exploited by the bad guys in similar fashion.

Bottom line: any company that makes available services allowing anonymous users to post or distribute content/files for free will become a preferred means for distributing malware. These services have a responsibility to police the use of their free services.

Alex Eckelberry
(With many thanks to Eric Howes)

Update: Great response from the DynDNS abuse team, the situation is now under control.

Oracle “Patch Tuesday”: 59 fixes coming

Oracle has announced that it will push a Critical Patch Update tomorrow fixing 59 security vulnerabilities in hundreds of Oracle products. The pre-release announcement said 21 out of 59 vulnerabilities are in the Solaris product suite.

Vulnerabilities addressed by the update are in the following products:
• Oracle Database 11g Release 2, version 11.2.0.1
• Oracle Database 11g Release 1, version 11.1.0.7
• Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4
• Oracle Database 10g, version 10.1.0.5
• Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
• Oracle TimesTen In-Memory Database, versions 7.0.5.1.0, 7.0.5.2.0, 7.0.5.3.0, 7.0.5.4.0
• Oracle Secure Backup version 10.3.0.1
• Oracle Application Server, 10gR2, version 10.1.2.3.0
• Oracle Identity Management 10g, version 10.1.4.0.1
• Oracle WebLogic Server 11gR1 releases (10.3.1, 10.3.2 and 10.3.3)
• Oracle WebLogic Server 10gR3 release (10.3.0)
• Oracle WebLogic Server 10.0 through MP2
• Oracle WebLogic Server 9.0, 9.1, 9.2 through MP3
• Oracle WebLogic Server 8.1 through SP6
• Oracle WebLogic Server 7.0 through SP7
• Oracle JRockit R28.0.0 and earlier (JDK/JRE 5 and 6)
• Oracle JRockit R27.6.6 and earlier (JDK/JRE 1.4.2, 5 and 6)
• Oracle Business Process Management, versions 5.7.3, 6.0.5, 10.3.1, 10.3.2
• Oracle Enterprise Manager Grid Control 10g Release 5, version 10.2.0.5
• Oracle Enterprise Manager Grid Control 10g Release 1, version 10.1.0.6
• Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.5, 12.0.6, 12.1.1 and 12.1.2
• Oracle E-Business Suite Release 11i, versions 11.5.10, 11.5.10.2
• Oracle Transportation Manager, Versions: 5.5.05.07, 5.5.06.00, 6.0.03
• PeopleSoft Enterprise Campus Solutions, version 9.0
• PeopleSoft Enterprise CRM, versions 9.0 and 9.1
• PeopleSoft Enterprise FSCM, versions 8.9, 9.0 and 9.1
• PeopleSoft Enterprise HCM, versions 8.9, 9.0 and 9.1
• PeopleSoft Enterprise PeopleTools, versions 8.49 and 8.50
• Oracle Sun Product Suite

Oracle July Critical Patch Update Pre-Release Announcement here.

Tom Kelchner

Free iPhone as bait

Twitter is filled with these “Free!!” deals (just search for the word “free” and see what slithers out.)

We clicked on the shortened URL in the tweet (you should NOT do this at home) and landed here:

[Screenshot: Free iPhone]

So, why not try it? It has a privacy policy and addresses to opt out of the massive phone, SMS and email advertising that you’re signing up for (check the fine print.)

What information do you need to decide whether to try this or not?

1. READ the privacy policies, disclaimers and any other information on the page. Usually they’re on the bottom of the page in VERY small letters or grayed out. Cut and paste the text into a word processing program so you can see them. This one shoveled paragraph after paragraph at you clearly stating they were going to use your contact information for lots and lots of advertising and they were going to give it to all their friends and let them have a crack at you too.

2. Use a search engine to check out any addresses listed. Google street view is a help too. If the corporate headquarters is a billboard in London, you might be a bit leery about doing business with them.

We checked out the fine print, including two addresses in this one and got a bit suspicious:

Prize-Wave.com
Privacy Policy

http://track.prize-wave.com/Privacy.aspx?p=0f7b859ce29146c0b40c5b915b0c8eb8

SPECIAL OFFER SERVICE SUBSCRIPTION & EXPRESS CONSENT TO RECEIVE MESSAGES.

“To unsubscribe: You may cancel your SOS subscription and revoke your consent to receive calls at any time by either (a) utilizing the opt-out procedure included in any message you receive; (b) by sending an e-mail that includes your telephone number to optout@specialofferservice.com; (c) by calling 800-269-0281; or (d) by sending a written request to Worldwide Commerce Associates, 7251 West Lake Boulevard, Suite 300, Las Vegas, NV 89128.”

[Screenshot: Address_1]

There doesn’t seem to be a West Lake Boulevard in Las Vegas, although there is a West Lake Mead Boulevard.

Delete/Deactivate Policy

“Users at any time may unsubscribe to our electronic mailings by following the instructions that we include at the end of every mailing. To correct, update or request that we delete information you provided, please contact us via email, or by writing

Prize-Wave.com
ATTN: CUSTOMER CARE
101-1001 W Broadway
Suite 765
Vancouver, BC V6H-4E4”

A web search for that address shows other businesses there have a V6H 4B1 (not V6H 4E4) postal code.

And Google Maps lookup has it as:
1001 W Broadway
Vancouver, BC V6H 4B1, Canada
Hmmm, a business that makes two mistakes in two addresses. I wonder if it’s real.

Tom Kelchner

So, I won the World Cup lottery online, did I?

Is it me or has the quality of trolls sunk to even more amateur levels?

[Screenshot: SAfrican lotto_spam]

And, clicking on the attachment (kids, don’t try this at home) we get:

[Screenshot: SAfrican lotto]

Wow. Word 97! I guess this is a low budget operation.

From: Lotto Manager. South African 2010 World cup lottery online
Lottery Headquarters: 210-211 Universal Building
Parkhaust, Balfour Unit 1440
Johannesburg, South Africa
Batch: (18/006/1094/LIPDA/SL.)
REF: (GFA/MMS/HWEAS/SA)

CONGRATULATIONS FOR YOUR WINNING: We happily announce to you the draw of South African 2010 World cup Bid lottery Award International programs held in Zurich, Switzerland. Your e-mail address attached to ticket number: (7017-4162-1018)

. . . blah, blah, blah

Also provide the following information and after fill this information of yours we will officially send you our verification that you are the winning,
NAME:………………
ADDRESS:………………….
NATIONALITY:……………
SEX:………………
AGE:…………….
PHONE/MOBILE:………..
FAX:……………………………
OCCUPATION:……………
COMPANY:………………… 

blah… blah… blah…

Signed: President Nelson Mandela (chairman)
Malefic OLIPHANT (President)
Chief Operations Officer Albert MOKOENA
Chief Executive Officer Danny JORDAAN.
N.B/email the Zonal co-coordinator for urgent verification of your clam, the name is Mr. Jim Parson

Nelson Mandela hasn’t been president of South Africa for 11 years.

Tom Kelchner

 

Patch Tuesday coming next week

Microsoft has issued advance notification for the July patch on Tuesday. Four bulletins are expected.

Security bulletins will be issued for Microsoft Windows (two critical bulletins fixing vulnerabilities that could allow remote execution of code) and two for Microsoft Office (one critical and one important – both fix vulnerabilities that could allow remote code execution.)

The patches will include a fix for the vulnerability in Windows Help and Support Center (XP and Server 2003 only) that can allow execution of code from malicious Web pages or malicious links in e-mail (CVE-2010-1885). There were reports of the vulnerability being exploited after Google researcher Tavis Ormandy made public proof of concept code earlier this month.

This month also marks the end date for support for Windows XP SP2 and Windows 2000.

Tom Kelchner

Pushback to Australian Net censorship increasing?

Internet users in Australia are beginning to push back against Internet censorship with Web sites advocating political action as well as those giving instructions on the use of the Tor proxy network to avoid analysis by the censors.

The country is considered to have the strictest censorship of any developed nation for video games and Internet sites hosted in the country. 

Don’t Filter Me

http://www.dontfilterme.com/ (Domain registered July 2)

Electronic Frontiers

http://openinternet.com.au/take_action/ (Registered February 2010)

No Clean Feed

http://nocleanfeed.com/ (Registered February 2008)

And, of course, as with all censorship schemes, stories detailing what exactly is being censored can get pretty strange:

Small breasts banned

January 28, 2010

http://www.inquisitr.com/59633/australian-government-censor-confirms-small-breast-ban-sort-of/

Thanks Alex

Tom Kelchner

Google Image Searches for “Raoul Moat” have been poisoned

If you’ve been keeping an eye on the news you’ll probably be aware of a chap called Raoul Moat. If not, all you need to know is that he’s popping up in articles with titles such as “Timeline of a gun rampage” – and there are more armed police walking around than you can shake a very large stick at.

They still haven’t found him, mind, but let’s move on to the security angle in all of this.

It seems our favourite friends the Blackhat SEO Poison Brigade are out in force, utterly trashing the Image Search results and filling them up with dubious links.

These are the very top entries from a basic search on “Raoul Moat” in Google Images:

[Screenshot: Image search]

At time of writing, ALL of the image searches from the top line of Google Image Search will redirect you to serveradobe(dot)co(dot)cc. As you’ve probably guessed from the name, you’ll get a fake Flash “install this” prompt from the website in question, followed by an attempted download of a file called V11_adobe_flash.exe:

[Screenshot: Fake Install]

Here’s the VirusTotal result for this one – currently a bit low, with 11/41 detecting it. We’re still examining the file, but a fake antivirus or similar shenanigans look likely.

We detect this as VirTool.Win32.Obfuscator.hg!b (v).

Christopher Boyd