[funsec] verification
David Lodge
dave at cirt.net
Wed Jan 21 11:59:14 CST 2009
On Wed, 21 Jan 2009 03:08:06 -0000, RandallM <randallm at fidmail.com> wrote:
> While sitting on a myspace page it changes to:
>
> a warning about: http://sg11scanner.com/sg1/1/10219 (which was in the
> address bar). If I clicked on "why..." it took me to:
> (http://www.facebook.com/photo.php?pid=30252739&l=95d86&id=1274153615)
>
> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://sg11scanner.com/sg1/1/10219
> (http://www.facebook.com/photo.php?pid=30252742&l=a136d&id=1274153615)
>
> If I clicked on the "ignore" I got taken to the site that was:
> http://www.facebook.com/photo.php?pid=30252743&l=56a2d&id=1274153615
>
> Anyone brave tonight? I'm going to bed not feeling like playing.
Wget on Linux is the easy way ;-)
It's a fake up page to make it look like you have an infection. The
"magic" for downloading on the page itself is:

    function doStartDownload() {
        window.location="http://dlsgd3.com/spygd08/install.php?track_id=10219";
        return;
    }

    <div class="errors_d"><a onclick="javascript:doStartDownload();return false;" href="#"><img src="/images/sg1/error_detected.gif" alt="" /></a></div>

So not very sneaky, as you get a conventional download box. I'm not
really a malwarey type person, but the install for dlsgd3.com doesn't look
fluffy. It just seems to try social engineering, by trying to look like an
official MS message, so not much of a threat!
dave
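
An added example, not part of the original post or of the page it describes: a static triage sketch in Python that links each onclick handler to the function it calls and reports any window.location assignment pointing at a different host. The sample page is constructed from the snippet quoted above; the <script> wrapper, the names ClickCollector and find_click_redirects, and the page_url argument are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the snippet quoted in the post inside an assumed minimal page.
SAMPLE_PAGE = """<html><head><script>
function doStartDownload() {
window.location="http://dlsgd3.com/spygd08/install.php?track_id=10219";
return;
}
</script></head><body>
<div class="errors_d"><a onclick="javascript:doStartDownload();return false;" href="#"><img src="/images/sg1/error_detected.gif" alt="" /></a></div>
</body></html>"""

# function NAME(...) { ... [window.]location[.href] = "URL"
FUNC_NAV = re.compile(
    r'function\s+(\w+)\s*\([^)]*\)\s*\{[^}]*?'
    r'\blocation(?:\.href)?\s*=\s*["\']([^"\']+)["\']')
CALL = re.compile(r'(\w+)\s*\(')  # function names invoked from an onclick value

class ClickCollector(HTMLParser):
    """Collect (tag, onclick) pairs and the text of inline <script> blocks."""
    def __init__(self):
        super().__init__()
        self.handlers, self.scripts, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        onclick = dict(attrs).get("onclick")
        if onclick:
            self.handlers.append((tag, onclick))
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def find_click_redirects(html, page_url):
    """Return (tag, function, url) for click handlers that navigate to another host."""
    p = ClickCollector()
    p.feed(html)
    nav = dict(pair for body in p.scripts for pair in FUNC_NAV.findall(body))
    page_host = urlparse(page_url).hostname
    hits = []
    for tag, onclick in p.handlers:
        for name in CALL.findall(onclick):
            target = nav.get(name)
            if target and urlparse(target).hostname not in (None, page_host):
                hits.append((tag, name, target))
    return hits
```

Pass it the text of the file saved by wget together with the URL it was fetched from; it only reads the markup and never requests the target.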