Mis-spelled domains can be rotten phish

The word of the day is…GOOGKLE! F-Secure recently reported that a visit to this mis-spelled Google URL resulted in all manner of nasty bug. And the implementation was either done by someone with a few more stripes than rank amateur, or by someone whose mother really really really didn’t hug them enough during childhood.

When an unsuspecting victim hits Googkle, they are first hit with two pop-up windows with embedded site redirects. Those sites, ntsearch.comOne of the sites, ntsearch.com and toolbarpartner.com, download and run files called “pop.chm” and “ddfs.chm”, respectively. These cute little scripts contain exploits themselves, which run embedded executable files. One downloads a file named “pic10.jpg” using an exploit. This JPG file is a disguised executable – it actually replaces Windows Media Player. The other attempts to install yet other .exe’s.

In summary, you mistype Google, and you wind up infected with a couple of Trojans that stir up DLL hell. An app-stealing proxy which is capable of spying on things like bank-related information, and a Trojan downloader that can retrieve and install yet more malware, is such a wonderful way to start the morning.

As it turns out, your grade school teacher was right. Learning your ABC’s (and your g’s and k’s) is important after all.

Also, I would like to make another thing clear – if you are running OS X, the whole damn mess just stalls when you hit the site – the operating system says “we don’t need no stinkin’ DLLs.”

Comments

Scott says:

Sounds fishy. How many people type google.com? Bookmark it, or auto-complete it, but type it from scratch? Non-story…

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.