Tuesday, March 23, 2010

March Madness Malware

The previous post spoke about the increase in visits to sports-related websites from corporate users because of March Madness. A follow-on question: are there any associated security risks? While browsing to some well-known sports sites carries negligible risk, several Google searches for NCAA / March Madness terms reveal malicious results:


Following the search result triggers a redirection:

which loads a Fake A/V page:

which is detected by 9/42 anti-virus vendors.

In addition to this Google SEO example, Zscaler blocked and logged this malicious NCAA site:
hxxp://ncaa-bracket-2010-update.bitterrootjrfootball.com


which loads an obfuscated JavaScript file, /styless.js,
which, after some decoding, redirects to this flash file:
hxxp://ncaa-bracket-2010-update.bitterrootjrfootball.com/?ncaabracket2010updatencaabracket2010updatebitterrootjrfootballcom.swf

This is the Wepawet report for the flash file, and the VirusTotal (6/42 detection) report.

The flash file contains an obfuscated JavaScript redirector:

which decodes to:

Here, document.location.search provides the query-string portion of the URL.
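As an added defensive example (not code from the original post), the Python below scans constructed proxy log lines for the two stages of the chain described above: the /styless.js loader, and a .swf fetched through a query string that embeds the requesting hostname with its dots and hyphens stripped, as the observed URL does. The log format and the example.org entries are assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed proxy log lines: timestamp, client IP, method, URL (not real traffic).
SAMPLE_LOG = """\
2010-03-23T10:01:02 10.1.1.5 GET http://ncaa-bracket-2010-update.bitterrootjrfootball.com/
2010-03-23T10:01:03 10.1.1.5 GET http://ncaa-bracket-2010-update.bitterrootjrfootball.com/styless.js
2010-03-23T10:01:04 10.1.1.5 GET http://ncaa-bracket-2010-update.bitterrootjrfootball.com/?ncaabracket2010updatencaabracket2010updatebitterrootjrfootballcom.swf
2010-03-23T10:02:10 10.1.1.7 GET http://www.example.org/scores/bracket.html
2010-03-23T10:02:11 10.1.1.7 GET http://cdn.example.org/player.swf?autoplay=1
"""


def host_token(host: str) -> str:
    """Hostname with everything but letters and digits removed, the form the .swf name used."""
    return re.sub(r"[^a-z0-9]", "", host.lower())


def classify(url: str) -> Optional[str]:
    """Return a reason when the URL matches a stage of the observed chain, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Stage 1: the obfuscated loader script seen on the malicious host.
    if parts.path == "/styless.js":
        return "obfuscated loader script (/styless.js)"
    # Stage 2: a .swf requested via the query string, named after its own host.
    query = parts.query.lower()
    token = host_token(host)
    if query.endswith(".swf") and token and token in query:
        return "swf named after its own host in query string"
    return None


def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, url, reason) for every log line that matches."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash
        reason = classify(fields[3])
        if reason:
            hits.append((fields[1], fields[3], reason))
    return hits


if __name__ == "__main__":
    for client, url, reason in scan(SAMPLE_LOG):
        print(f"{client} {reason}: {url}")
```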

Safe Browsing results (Google, Norton) show a handful of fake NCAA related sites that load Fake A/V:
hxxp://st-mary-s-basketball.bitterrootjrfootball.com/
hxxp://espn-bracket-picks.bitterrootjrfootball.com/
hxxp://siena-university.bitterrootjrfootball.com/
hxxp://nit-tournament.bitterrootjrfootball.com/
