A funny thing happened on the way to the forum

0 Apple, Malware, SophosLabs
by

Looking through my feeds this morning I spotted this amusing story on the Sunbelt blog.

The forum, on a site about malware affecting Apple Macs, is littered with pornographic posts. A not uncommon occurrence for badly managed/patched/updated sites. What was funny about this particular site was that if you were to follow some of the links on a Macintosh you would be prompted to install OSX/RSPlug-Gen (a piece of malware for Mac OS X) and on Windows Troj/Zlobar-Fam. Though I couldn’t confirm this behavior myself, see below, there was enough evidence for me to believe it as the distributors of Zlob have done this before (see blog).

When I tried to follow the forum posts to try to download the malware I found that I was blocked and my download redirected to Google.


Connecting to xxxxxxxxxxx.cn|xx.xx.xxx.x|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.google.com [following]
--12:02:41-- http://www.google.com/
=> `www.google.com/index.html'

This is quite a common trick, a one-time only download from an IP or IP range, that distributors of malicious software use to hide their tracks. Upon seeing this trick I tried something else.

I investigated the person who had posted the messages on the forum:

Joined: 12 Feb 2008
Total posts: 5
[0.06% of total / 0.18 posts per day]
Find all posts by GxxxxBxxxxxx
Location: ISRAEL

(Note: The name of the poster has been anonymized with the letter x.)

Searching Google for this person I found that they had joined many more forums around the beginning of February. The location and some details did change but the content of the posts didn’t.

Subjects include:

  • Movie: Britney Spears Sex Tape Free Movie from RxxPxxxxTxxx.com
  • Movie: Britney Spears+ Visable Vxxxxx from RxxPxxxxTxxx.com
  • Movie: Britney Spears No Underwear Pic Not Censored from RxxPxxxxTxxx.com
  • Movie: Britney Spears Txxx Expanding from RxxPxxxxTxxx.com

The majority of the forums had either not been posted to or the posted had been removed. However, the roll call of sites includes a UK City Council, a wedding website, numerous online gaming sites and other diverse forums. The number of hits, according to a rough Google search, is 800.

PHPBB forums have ‘something for everyone’ good security procedures will ensure that they don’t have something for malware distributors.

Free tools

Sophos Firewall Home Edition

Boost your home network security.

Sophos Scan & Clean

Free second-opinion scanner for PCs.

Sophos Cloud Optix

Monitor 25 cloud assets for free.