SQL attacks: now using .MOBI domains and installing scareware

Everyday, I look through the domains we detect as Troj/Iframe-AG because they are the domains associated with the SQL injections that have been plaguing the web over the last few months (1, 2, 3 and 4).

This morning I saw three domains making use of the .MOBI TLD. The use of a .MOBI TLD is unusual and I was going to talk about all the possible new TLDs that people could use in the future (following the ICANN meeting last week). However, something more interesting was spotted.

Quickly visiting these sites to see is they were legitimate, we (Fraser and I) noticed that the root of each site attempted to load a script ‘AD.JS’. This in turn attempted to load another website – a fake anti-virus install site. The site pretends to do an online virus scan:


Subsequently, a bogus warning message is displayed, saying that one or more of the following have been detected:

  • Trojan.Bakloma.A
  • Win32.Gattman.A
  • Trojan.Zapchas.F
  • JS.Blackworm.A
  • Trojan.Tibs.E
  • Win32.Netsky.P@mm
  • Trojan.Winsys
  • Trackware.Adctech2006
  • Downloader.TrafficSector
  • Adware.Roings


After this, the user is encouraged to download and run an executable (installer.exe). This file is pro-actively detected as Mal/Packer.

If the installer was run, it installs more malicious files on the victim machine – pro-actively detected as Troj/FakeAV-AA.

Unlike, other examples of Scamware we have previously blogged about, this version does not seem to install any Mac related malware.