A funny thing happened on the way to the forum

Looking through my feeds this morning I spotted this amusing story on the Sunbelt blog.

The forum, on a site about malware affecting Apple Macs, is littered with pornographic posts. A not uncommon occurrence for badly managed/patched/updated sites. What was funny about this particular site was that if you were to follow some of the links on a Macintosh you would be prompted to install OSX/RSPlug-Gen (a piece of malware for Mac OS X), and on Windows Troj/Zlobar-Fam. Though I couldn’t confirm this behaviour myself (see below), there was enough evidence for me to believe it, as the distributors of Zlob have done this before (see blog).

When I followed the links in the forum posts to download the malware I found that I was blocked and my download redirected to Google.

Connecting to xxxxxxxxxxx.cn|xx.xx.xxx.x|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.google.com [following]
--12:02:41-- http://www.google.com/
=> `www.google.com/index.html'

This is quite a common trick, a one-time only download from an IP or IP range, that distributors of malicious software use to hide their tracks. Upon seeing this trick I tried something else.
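As an added example (not code from the original post), a small Python helper that parses wget transcripts like the one above and flags the one-shot-per-IP pattern: a first fetch that serves content, then repeat fetches from the same address bounced off to an unrelated site. The "200 OK" first transcript is constructed for the example; the host and IP are the post's own placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample transcripts in wget's log format. The first attempt
# (200 with a binary body) is assumed; the second mirrors the post's output.
FIRST_ATTEMPT = """\
Connecting to xxxxxxxxxxx.cn|xx.xx.xxx.x|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 54321 (53K) [application/octet-stream]
"""
SECOND_ATTEMPT = """\
Connecting to xxxxxxxxxxx.cn|xx.xx.xxx.x|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.google.com [following]
--12:02:41-- http://www.google.com/
=> `www.google.com/index.html'
"""

@dataclass
class WgetResult:
    host: str              # host wget connected to
    status: int            # HTTP status code of the first response
    location: Optional[str]  # Location header if redirected

CONNECT_RE = re.compile(r"^Connecting to ([^|\s]+)\|")
STATUS_RE = re.compile(r"awaiting response\.\.\. (\d{3})")
LOCATION_RE = re.compile(r"^Location: (\S+)")

def parse_wget(log: str) -> WgetResult:
    """Extract host, status and redirect target from one wget transcript."""
    host, status, location = "", 0, None
    for line in log.splitlines():
        if m := CONNECT_RE.match(line):
            host = m.group(1)
        elif m := STATUS_RE.search(line):
            status = int(m.group(1))
        elif m := LOCATION_RE.match(line):
            location = m.group(1)
    return WgetResult(host, status, location)

def looks_ip_gated(attempts: List[WgetResult]) -> bool:
    """Heuristic for the one-time-download trick: first fetch served content,
    every later fetch from the same IP was redirected to a different host."""
    if len(attempts) < 2 or attempts[0].status != 200:
        return False
    def bounced(r: WgetResult) -> bool:
        if r.status not in (301, 302, 303, 307, 308) or not r.location:
            return False
        target = urlparse(r.location).hostname or ""
        return not target.endswith(r.host)   # off-host redirect, e.g. google.com
    return all(bounced(r) for r in attempts[1:])
```

When this fires, the practical caveat is that the sample has to be re-fetched from an address the distributor has not seen before.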

I investigated the person who had posted the messages on the forum:

Joined: 12 Feb 2008
Total posts: 5
[0.06% of total / 0.18 posts per day]
Find all posts by GxxxxBxxxxxx
Location: ISRAEL

(Note: The name of the poster has been anonymized with the letter x.)

Searching Google for this person I found that they had joined many more forums around the beginning of February. The location and some details did change but the content of the posts didn’t.

Subjects include:

  • Movie: Britney Spears Sex Tape Free Movie from RxxPxxxxTxxx.com
  • Movie: Britney Spears+ Visable Vxxxxx from RxxPxxxxTxxx.com
  • Movie: Britney Spears No Underwear Pic Not Censored from RxxPxxxxTxxx.com
  • Movie: Britney Spears Txxx Expanding from RxxPxxxxTxxx.com

The majority of the forums had either not been posted to or the posts had been removed. However, the roll call of sites includes a UK City Council, a wedding website, numerous online gaming sites and other diverse forums. The number of hits, according to a rough Google search, is 800.

phpBB forums have ‘something for everyone’; good security procedures will ensure that they don’t have something for malware distributors.