Here's some malware that might be interesting (Day 360 is coming)

Discussion in 'Anti-Virus' started by Virus Guy, Dec 24, 2009.

  1. Virus Guy

    Virus Guy Guest

    So I'm watching TV and there's this hokey commercial that I've seen a
    few times now of a cartoon guy that plugs himself in. No audio that I
    can remember, and some text that gets displayed at the end:

    Day 360 is coming

    I plug that into google and get this:

    -----------------
    DAY 360 IS COMING
    DAY 360 IS COMING: Crater Lake National Park is open year-round, 24
    hours a day. ... Call 360- 569-2411 for information on ski rentals and
    lessons or ...
    www.svleonberg.de/?sid=day-360-is-coming - Cached
    -----------------

    That's the first hit. No other hits look even remotely close (lots of
    references to Xbox 360).

    So the hit is hot-linked to this:

    hxxp://www.svleonberg.de/?sid=day-360-is-coming

    Which takes me on a ride to a fake AV scan, which finally offers
    install.exe from here:

    hxxp://supercheckfree.com/downloader.php?affid=94800

    VT gets a hit rate of 12/40 on that one, calling it Koobface, Eldorado,
    Winwebsec, Kryptik (specifically) and FakeAlert, Fraudtool, and
    RogueSecurity (generally). No hits from Kaspersky.

    Can anyone explain how or what generated the stuff that google picked up
    that resulted in the rogue link being the first hit for this search?
    How exactly do these rogue links get so highly placed by google? Was
    this a coincidence, or was this TV commercial somehow linked to a
    mechanism to spread this malware via search queries?

    And I still don't know what the hell that TV commercial is all about...
     
    Virus Guy, Dec 24, 2009
    #1

  2. Duh_Oz

    Duh_Oz Guest

    ========
    Using FF, I got a "Reported Attack Site!"

    This web site at supercheckfree.com has been reported as an attack
    site and has been blocked based on your security preferences.
    ========

    With IE, the fake scan started up :)
     
    Duh_Oz, Dec 24, 2009
    #2

  3. ASCII

    ASCII Guest

    With Opera I was given several authorization opportunities which I clicked
    through and then after selecting to accept the 33 infections the scan found,
    a balloon appeared in the tray exhorting my purchase of the registration to
    activate the cleanup. Since I didn't have a surplus of money, the scam went
    away denied along with the wiping of the sandbox.
     
    ASCII, Dec 24, 2009
    #3
  4. [...]

    Just as an FYI, the following appears as a clickable link in OE

    www.svleonberg.de/?sid=day+360-is-coming - Cached

    I know you care because of your obfuscation in the form of hxxp in the
    other references to that URL.
    Part of Google's algorithm rates URLs according to how many places link
    to that URL. This is why spamming of URLs is useful for spammers - it
    earns them a higher place on search engines that prioritize results by
    (apparent) popularity.
    It could be both as above, and the popularity by other media as you
    suggest. In this case it *might* just be coincidence, but I'm sure
    malware uses interference with other recent popular search queries.
    I haven't seen it, but you got me curious now too.
     
    FromTheRafters, Dec 24, 2009
    #4
  5. Virus Guy

    Virus Guy Guest

    Well, that's good to know - too bad that OE works that way.

    I've come across other links that take you to the same malware:

    ----------------------------------
    » Einzeller: The Turk on Air.. I almost forgot ...
    .... jeremy steinke · black snuggie · day 360 is coming · i wish it was
    christmas today · galewher.com facebook · brett dennen · world chocolate
    championship ...
    www. blogoperium.de/.../oh-wie-geil-telefonterror-mitm-tuerke/ - Cached
    - Similar
    ----------------------------------

    hxxp://www.blogoperium.de/internet/oh-wie-geil-telefonterror-mitm-tuerke/

    --------------------------------
    DJ Hero Bundle from €39.90 incl. shipping at Amazon | abstauben24.de ... -
    [ Translate this page ]... jeremy steinke · black snuggie · day 360 is
    coming · i wish it was christmas today · galewher.com facebook · brett
    dennen · world chocolate championship ...
    www. abstauben24.de/.../dj-hero-bundle-ab-65-euro-inklusive-versand/ -
    Cached
    --------------------------------

    hxxp://www.abstauben24.de/amazon/dj-hero-bundle-ab-65-euro-inklusive-versand/

    The domains/sites seem to belong to the same server farm:

    www. svleonberg.de : 82.100.220.51
    www. blogoperium.de : 82.100.220.58
    www. abstauben24.de : 82.100.220.58

    If you want to see all the domains hosted on those various IP addresses,
    look here:

    http://www.robtex.com/ip/82.100.220.51.html#shared
    http://www.robtex.com/ip/82.100.220.58.html#shared

    I'm not sure if all those domains were set up recently to host this
    malware, or if this is a hijacked server farm.
     
    Virus Guy, Dec 24, 2009
    #5
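Post 4 explains the ranking side (inbound links and apparent popularity) and post 5 shows the tell-tale artefact on the page side: three unrelated German pages on different domains carrying the identical list of currently trending search terms, all resolving into the same 82.100.220.0/24. The script below, added here as an example and not code from any poster, automates that hand pivot: it refangs the defanged URLs as written in the thread (hxxp://, "www. host", "www,host"), extracts the "·"-separated tag clouds from search snippets, groups hosts whose clouds are near-identical, and reports which other hosts sit on the same /24. The snippets are constructed to match the ones quoted above, the hostname-to-IP map stands in for DNS (the 82.100.220.x addresses are the ones quoted in the thread, the control host and its address are made up), and the 0.8 Jaccard threshold is an assumption.

```python
import re
from itertools import combinations

TAG_SEP = "·"  # separator Google shows between stuffed keyword entries

# Constructed snippets modelled on the search results quoted in the thread.
SNIPPETS = {
    "hxxp://www.svleonberg.de/?sid=day-360-is-coming":
        "DAY 360 IS COMING: Crater Lake National Park is open year-round, 24 hours "
        "a day. ... Call 360- 569-2411 for information on ski rentals and lessons ...",
    "hxxp://www.blogoperium.de/internet/oh-wie-geil-telefonterror-mitm-tuerke/":
        "... jeremy steinke · black snuggie · day 360 is coming · i wish it was "
        "christmas today · galewher.com facebook · brett dennen · world chocolate "
        "championship ...",
    "www,abstauben24.de/amazon/dj-hero-bundle-ab-65-euro-inklusive-versand/":
        "... jeremy steinke · black snuggie · day 360 is coming · i wish it was "
        "christmas today · galewher.com facebook · brett dennen · world chocolate "
        "championship ...",
    # Constructed on-topic control page with no shared tag cloud.
    "www. example-ski-shop.de/rentals":
        "Ski rentals and lessons · opening hours · prices · contact",
}

# Constructed stand-in for DNS lookups: the first three addresses are the ones
# quoted in the thread, the fourth is RFC 5737 documentation space.
RESOLVED = {
    "www.svleonberg.de": "82.100.220.51",
    "www.blogoperium.de": "82.100.220.58",
    "www.abstauben24.de": "82.100.220.58",
    "www.example-ski-shop.de": "198.51.100.7",
}


def refang(url: str) -> str:
    """Undo the defanging used in the thread: hxxp://, 'www. host', 'www,host', '[.]'."""
    u = url.strip().replace("[.]", ".")
    u = re.sub(r"^hxxp(s?)://", r"http\1://", u)
    # 'www. host' and 'www,host' -> 'www.host'; a normal 'www.host' is left alone
    u = re.sub(r"^((?:https?://)?www)\.?[ ,]+", r"\1.", u)
    return u


def host_of(url: str) -> str:
    """Hostname of a possibly defanged URL, lower-cased."""
    u = re.sub(r"^https?://", "", refang(url))
    return re.split(r"[/?#:\s]", u, 1)[0].lower()


def tag_cloud(snippet: str) -> frozenset:
    """Set of '·'-separated terms; empty unless the snippet has at least three entries."""
    if snippet.count(TAG_SEP) < 2:
        return frozenset()
    terms = (t.strip(" .").lower() for t in snippet.split(TAG_SEP))
    return frozenset(t for t in terms if t)


def jaccard(a: frozenset, b: frozenset) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


def slash24(ip: str) -> str:
    return ".".join(ip.split(".")[:3]) + ".0/24"


def find_poisoning_clusters(snippets, resolved, threshold=0.8):
    """Group hosts whose pages carry near-identical tag clouds, then list the
    other hosts that share a /24 with the group (the pivot post 5 does by hand)."""
    clouds = {host_of(u): tag_cloud(s) for u, s in snippets.items()}
    groups = []  # disjoint sets of hosts with overlapping tag clouds
    for h1, h2 in combinations(sorted(clouds), 2):
        if jaccard(clouds[h1], clouds[h2]) >= threshold:
            for g in groups:
                if h1 in g or h2 in g:
                    g.update((h1, h2))
                    break
            else:
                groups.append({h1, h2})
    report = []
    for g in groups:
        nets = {slash24(resolved[h]) for h in g if h in resolved}
        neighbours = sorted(h for h, ip in resolved.items()
                            if h not in g and slash24(ip) in nets)
        report.append({
            "hosts": sorted(g),
            "shared_terms": sorted(frozenset.intersection(*(clouds[h] for h in g))),
            "networks": sorted(nets),
            "same_network_hosts": neighbours,
        })
    return report


if __name__ == "__main__":
    for cluster in find_poisoning_clusters(SNIPPETS, RESOLVED):
        print(cluster)
```

The svleonberg page does not join the cluster by keywords (Google showed a different snippet for it), which is exactly why the /24 pivot is reported alongside the keyword match: it surfaces as a same-network host of the cluster, the way the thread found it. Feed real snippets and a real resolver in place of the constructed dictionaries to use this on a live case.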
  7. ======================================

    DAY 360 IS COMING:

    Support for Blackberry and Android devices is coming soon. ....
    Band game package complete with X-Box 360 and both of the custom Beatles
    guitar controllers, ...
    In preparation of its participation at the New Year's Day
    Tournament of Roses ... can be reached at
    or (360) 876-4414.
    "When you're getting rain every other day, it really limits in
    terms of ... "And in certain cases, that rain every other day was
    significant - 2 to 3 inches ...
    Where's that beautiful singing coming from? Then you hear another
    sound. .... there is scrubby grass and some slabs of rock to sit on and
    a 360-degree view. ...

    DAY 360 IS COMING

    (December 24, 2009, 05:18 PM) DAY 360 IS COMING

    =======================================
     
    FromTheRafters, Dec 24, 2009
    #7
  8. ASCII

    ASCII Guest

    Something to do with a new version of the X-Box game?
     
    ASCII, Dec 24, 2009
    #8
  9. ASCII

    ASCII Guest

    Simple to just change the dot before the domain to a comma,
    try it now.
    Works quicker than all the hypertext munging (hxxp) too.
     
    ASCII, Dec 24, 2009
    #9
  10. ASCII

    ASCII Guest

    All the more reason for a safely configured browser.
     
    ASCII, Dec 24, 2009
    #10
  11. There's probably some "oh so helpful" rendering client that *fixes* that
    anomaly too.

    It sure was annoying in the binaries groups to have OE "searching for
    hyperlinks" in large text files on a slow processor. As if every
    commercial at symbol re@lly needed to be *fixed* into a possible "mailto:"
    scheme URL. :D
     
    FromTheRafters, Dec 24, 2009
    #11