SANS ISC: A little discussion on blog-hosted malware - SANS Internet Storm Center

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Tom Mercado over at TeMerc has posted some discussion around the increasing amount of malware showing up on Blogspot:

http://temerc.com/phpBB2/viewtopic.php?p=3427118&sid=a9a9ac1a1a681537c20fac3ebbfeba89#3427118

He has a couple of good links to further analysis and details that make it a good read.

Update

We've had an e-mail in today from Ian who highlighted a potential AV false positive which we are still looking at. However, it was interesting to note that this issue manifested itself into blogspot hosted malware.

(Warning Will Robinson, Malware Ahead)

hxxp://katuvideo.blogspot.com/2007/12/jssanza.html

which reports to host a video downloaded from hxxp://klikme.cn

which tries to download hxxp://katuvideo.blogspot.com/2007/12/jssanza.html which tries to download a binary, which has very poor VT pickup:

File install_video_3913230.exe received on 12.31.2007 13:13:31 (CET)
Current status:  finished
Result: 8/32 (25%)

 So, watch those wiered blogspots! This is just an example of how quickly the AV issue with CA Antivirus was used as a method to trick people into installing malware.