Wednesday, July 31, 2013

Malware using GoogleCode for distribution

Malware hosting sites rarely stay up for long.  After the first few instances are seen by security vendors, they are added to blacklists which, in turn, are fed into other blacklists throughout the industry.  Malware writers are now turning to commercial file hosting sites to peddle their warez.  If these legitimate file hosts are not scanning the content they are hosting, it may force network administrators to block the service altogether.  The kicker is that this time we see that GoogleCode seems to have swallowed the bad pill.

The first file in question is hosted at: hxxps://code.google.com/p/onflashplayers/source/browse/AdobeFlashPlayer.exe

You may also recognize it by a few other names, as seen here (21/45 detections on VirusTotal):
https://www.virustotal.com/en/file/12ba2c059963799fda3b48bce3d51f06940c7cdcb7b20559c752acdee2d43594/analysis/1375130106/

We also have reports of this file being downloaded via Dropbox, but it appears to have been taken down at the time of research.

This incident sets a precedent that no file hosting service is beyond reproach.  Blind trust of specific domains should not be tolerated from an organizational or personal perspective.  So set those security privileges to kill and keep one eye open for shady files coming from even a seemingly trusted location.
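The point above, that an allowlisted file host is no reason to skip inspecting what comes from it, expressed as detection logic run over proxy log lines. This is an added example, not code from the original post; the log format, field layout, hostname list and sample lines are constructed assumptions, so adapt the parser to your own proxy's format.

```python
"""Flag executable downloads in proxy logs even when the host is a well-known
file-hosting service. Added example; log format and samples are constructed."""
import re
from urllib.parse import urlsplit

# Services an organisation might allowlist as "legitimate" file hosts. The post's
# point is that this reputation is no reason to skip inspecting what is fetched.
FILE_HOSTING_DOMAINS = ("code.google.com", "dropbox.com", "dropboxusercontent.com")
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".dll", ".msi", ".jar", ".bat")
EXECUTABLE_MIME_TYPES = {"application/x-msdownload", "application/x-dosexec",
                         "application/octet-stream"}

# Constructed log format: timestamp client method url status content-type
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
                      r"(?P<status>\d{3}) (?P<ctype>\S+)$")

def is_file_hosting(host):
    """True if host is one of the known file-hosting domains or a subdomain."""
    return any(host == d or host.endswith("." + d) for d in FILE_HOSTING_DOMAINS)

def classify(line):
    """Return an alert dict for a successful executable download, else None."""
    m = LOG_LINE.match(line)
    if not m or m.group("method") != "GET" or m.group("status") != "200":
        return None
    url = urlsplit(m.group("url"))
    host = (url.hostname or "").lower()
    by_ext = url.path.lower().endswith(EXECUTABLE_EXTENSIONS)
    by_mime = m.group("ctype").split(";")[0].lower() in EXECUTABLE_MIME_TYPES
    if not (by_ext or by_mime):
        return None
    # A trusted file host is recorded as context, never used as an exemption.
    return {"client": m.group("client"), "host": host, "path": url.path,
            "reason": "extension" if by_ext else "mime",
            "file_hosting_service": is_file_hosting(host)}

def scan(lines):
    """Run classify() over every log line and return the alerts."""
    return [a for a in map(classify, lines) if a]

# Constructed sample traffic; the first path mirrors the one named in the post.
SAMPLE_LOG = [
    "2013-07-31T10:01:02Z 10.0.0.5 GET https://code.google.com/p/onflashplayers/source/browse/AdobeFlashPlayer.exe 200 application/octet-stream",
    "2013-07-31T10:01:09Z 10.0.0.5 GET https://code.google.com/p/example/source/browse/README.txt 200 text/plain",
    "2013-07-31T10:02:15Z 10.0.0.7 GET https://dl.dropboxusercontent.com/u/123/update 200 application/x-msdownload",
    "2013-07-31T10:03:00Z 10.0.0.9 GET https://dl.dropbox.com/s/abc/setup.exe 404 text/html",
]
```

Running `scan(SAMPLE_LOG)` yields two alerts, one by extension and one by MIME type, both from allowlisted file hosts; the failed download and the text file are ignored.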

A number of other files from this location were also flagged as malicious on VirusTotal.