Wednesday, April 17, 2013

Fake SourceForge site distributes malware

We spotted malware hosted on hxxp://sourceforgechile.net/ a couple of days ago. The website is not currently responding, but appears to been set up as a fake and malicious version of the popular open-source hosting site SourceForge.

sourceforgechile.net was registered on 04/05/213 in the US and is hosted in the Ukraine.

One of the malicious files downloaded was hxxp://sourceforgechile.net/minecraft_1.3.2.exe. Minecraft is a proprietary game with a significant following. Many open-source projects related to the game are hosted on SourceForge.

This file is a pretty nasty piece of malware:
  • It hides itself in the Recycle Bin
  • It disguises dropped files with names like Desktop.ini
  • It registers itself as a Windows service
  • It injects code in other threads and DLLs
  • It opens and listens to a port
  • It connects to about 20 IPs over port 16471
  • etc.
This malware is related to the ZeroAccess trojan. The malware makes money by clicking on ads (click fraud) and using the infected PC as part of a wider botnet (zombie PC).

You can get the VirusTotal report here. The detection rate among AV vendors has gone up in the past week, it is now flagged by most vendors.

As usual, be very careful about the files you download and run. In this case, ensure that you're downloading content from the official SourceForge site, not a clone.

No comments: