Spot the Difference

Filed Under: SophosLabs

Piggybacking on known and trusted brands is something we have discussed before on the blog. Today, SophosLabs saw another example. Can you spot the legitimate site from the two screen shots below?

[Default Google search page]

[Malicious site masquerading as Google page]

The first is the regular Google search page. The second is a screenshot from a malicious site we came across today. Looking at the source of the page gives the first indication of its suspicious nature:

[Source from malicious site]

The page money.html (detected as Mal/ObfJS-H) contains an obfuscated JavaScript script that attempts to exploit a browser vulnerability (MS06-014) in order to silently download and execute a Win32 trojan.
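As an added example (not code from the post or from SophosLabs), here is a small heuristic scanner for this class of page: it pulls the inline scripts out of the HTML and flags the traits a self-decoding loader shows, such as eval() applied to unescape() output and long runs of %XX escapes. Both sample pages are constructed for the example, and the indicator list and the threshold are my own choices, not a SophosLabs signature.

```python
import re

# Constructed sample pages (not from the post). The first is a plain search
# form with an ordinary inline script; the second imitates the pattern the
# post describes: a script that decodes an escaped blob at runtime and hands
# the result to eval(), so the real code never appears in the page source.
# The blob here decodes to a harmless document.write('hello');.
BENIGN_HTML = """<html><body>
<form action="/search"><input name="q"><input type="submit"></form>
<script>function focusBox() { document.forms[0].q.focus(); }</script>
</body></html>"""

OBFUSCATED_HTML = """<html><body>
<script>
var s = "%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%68%65%6C%6C%6F%27%29%3B";
eval(unescape(s));
</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)

# Each indicator is (name, regex). They describe how obfuscated loaders tend
# to look rather than any one payload: runtime decoding fed straight into
# eval()/document.write(), long escape runs, and ActiveX instantiation.
INDICATORS = [
    ("eval_of_decoded", re.compile(r"eval\s*\(\s*(unescape|String\.fromCharCode|decodeURIComponent)", re.I)),
    ("write_of_decoded", re.compile(r"document\.write\s*\(\s*(unescape|String\.fromCharCode)", re.I)),
    ("long_percent_escape", re.compile(r"(?:%[0-9a-f]{2}){20,}", re.I)),
    ("long_hex_escape", re.compile(r"(?:\\x[0-9a-f]{2}){20,}", re.I)),
    ("activex_object", re.compile(r"ActiveXObject\s*\(", re.I)),
]


def script_bodies(html: str) -> list[str]:
    """Return the text of every inline <script> block in the page."""
    return SCRIPT_RE.findall(html)


def score_page(html: str) -> list[str]:
    """Return the names of the indicators that fire on any inline script."""
    hits = []
    for body in script_bodies(html):
        for name, pattern in INDICATORS:
            if name not in hits and pattern.search(body):
                hits.append(name)
    return hits


def is_suspicious(html: str, threshold: int = 2) -> bool:
    """Flag a page when at least `threshold` independent indicators fire."""
    return len(score_page(html)) >= threshold


if __name__ == "__main__":
    for label, page in (("benign", BENIGN_HTML), ("obfuscated", OBFUSCATED_HTML)):
        verdict = "SUSPICIOUS" if is_suspicious(page) else "clean"
        print(label, score_page(page), verdict)
```

A single indicator is common in legitimate minified code, which is why the verdict needs two to fire together; treat a hit as a reason to pull the decoded script for analysis, not as a detection on its own.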


When this script was initially analysed, the zin.exe trojan was undetected. It is a binary compiled from a malicious AutoIt script, detection for which is being added as I write.


About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.