Piggybacking on known and trusted brands is something we have discussed before on the blog. Today, SophosLabs saw another example. Can you spot the legitimate site from the two screenshots below?
The first is the regular Google search page. The second is a screenshot from a malicious site we came across today. Looking at the source for the page gives the first indications of its suspicious nature:
When this script was initially analysed, the zin.exe trojan was undetected. It is a binary compiled from a malicious AutoIt script, detection for which is being added as I write.