Sophos Cloud Optix
One of the most difficult types of malware SophosLabs analysts face is the ones that appear to do nothing. Last week a colleague came across a file that appeared to do nothing and ask me to help dig deeper.
He found what looks like JavaScript in the Code Section
The rest of the code manipulates what Internet Explorer sees and will insert this JavaScript into pages.
The JavaScript is heavily obfuscated and decodes to:
So far SophosLabs have seen 7 different domains used by variants of Troj/BHO-MQ all of which use
/fcontent/index.html. The websites linked to are all Russian porn sites with the following enticing graphics.
Why is the Trojan doing this? I suspect that this Trojan is part of pay-per-click scam and is used to generate revenue for a hacking gang.