Monday, March 16, 2009

Malware knows where you are

Sitemeter logs show the IP address of people reading this blog. Geo-IP can translate this into a physical location.

Malware is starting to use this for targeted attacks:
A new variant of the Waledac worm uses an email message claiming a "dirty bomb" explosion in order to tempt the gullible into visiting a maliciously-constructed website posing as the homepage of news agency Reuters. This website uses a GEO-IP lookup to customise the story so as to appear that the explosion appeared in a city or location near the surfer viewing it.
Of course, the link in the email points you to a web site that tells you that you need to download something to "view the video". The download is the malware package.

We've been seeing advances in this sort of Physhing technique for several years, as the Bad Guys use psychology graduates to craft a more effective message.

Any time you're told that "you need to down load xxx" to view a video, you're under attack.

3 comments:

the pistolero said...

Why the hell would anybody wanna go there? They don't call it al-Reuters for nothing, you know... ;-)

Bob said...

Any time you're told that "you need to down load xxx" to view a video, you're under attack.

Hmm, Mozilla Firefox told me I needed to download Apple Quicktime to watch a video at Hot Air. Am I under attack?

;-)

Borepatch said...

Bob, it depends. If you know that you have Quicktime, and you're told that you don't, then it's malware. If you go to apple.com to install it, and then are told that you need to install it, you're under attack.

I would think that hotair is a reputable site, but they probably don't have any control over their ads.

My recommendation is to go to apple to get quicktime. If this is above board, you won't get prompted again.

If you do, please send me a link via email, and I'll take a closer look.