Spot the Difference

Piggybacking on known and trusted brands is something we have discussed before on the blog. Today, SophosLabs saw another example. Can you spot the legitimate site from the two screenshots below?

[Default Google search page]

[Malicious site masquerading as Google page]

The first is the regular Google search page. The second is a screenshot from a malicious site we came across today. Looking at the source for the page gives the first indications of its suspicious nature:

[Source from malicious site]

The page money.html (detected as Mal/ObfJS-H) contains obfuscated JavaScript that attempts to exploit a browser vulnerability (MS06-014) in order to silently download and execute a Win32 trojan.
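
As an added illustration (not code from the original post or from SophosLabs), the Python triage helper below flags the traits such pages tend to share: script blocks dominated by %XX escapes, eval(unescape(...)) style decoding, and strings that only reveal themselves after the escaping is peeled off. The two sample pages, the indicator list and the 30% escape threshold are all assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample pages (not taken from the original post).
BENIGN_HTML = """<html><head><title>Search</title></head>
<body><form action="/search"><input name="q"></form>
<script>document.getElementById && console.log("ready");</script>
</body></html>"""

# Constructed: one layer of %XX escaping fed to eval(unescape(...)),
# which decodes to a harmless document.write("hi") call.
OBFUSCATED_HTML = """<html><body>
<script>
var s="%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%22%68%69%22%29";
eval(unescape(s));
</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
ESCAPE_RE = re.compile(r"(?:%[0-9A-Fa-f]{2}){8,}")   # runs of 8+ %XX escapes
INDICATORS = {                                        # assumed indicator set
    "eval_unescape": re.compile(r"eval\s*\(\s*unescape", re.I),
    "fromcharcode": re.compile(r"String\.fromCharCode", re.I),
    "activex": re.compile(r"ActiveXObject|classid\s*=", re.I),
    "doc_write": re.compile(r"document\.write", re.I),
}

def decode_layers(text, max_layers=3):
    """Peel up to max_layers of %XX escaping so hidden strings become visible."""
    for _ in range(max_layers):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def analyse(html):
    """Return the indicators found across all <script> blocks plus a score."""
    hits = {}
    for script in SCRIPT_RE.findall(html):
        escaped_chars = sum(len(m) for m in ESCAPE_RE.findall(script))
        # A script whose body is mostly %XX escapes is itself suspicious.
        if script and escaped_chars / len(script) > 0.3:
            hits["high_escape_ratio"] = True
        # Match indicators against both the raw and the decoded script text.
        visible = script + "\n" + decode_layers(script)
        for name, rx in INDICATORS.items():
            if rx.search(visible):
                hits[name] = True
    return {"indicators": sorted(hits), "score": len(hits)}
```

Matching against the decoded text is what makes the document.write hidden inside the escaped string show up; a raw-text scan alone would miss it.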

When this script was initially analysed, the zin.exe trojan was undetected. It is a binary compiled from a malicious AutoIt script, detection for which is being added as I write.