Hundreds of thousands at risk daily
In my previous posts, I have talked about malware downloaded from everclipz.com and how they keep the anti-malware vendors guessing. The downloaded malware is not detected by a majority of the anti-virus software. Also of interest is how the site operates, since it gives us knowledge as to how malware distribution actually works.
How the attack is carried out: search engine results are infiltrated by pages that purportedly show sex videos. These sites themselves do not host any malware, but their pictures link to a second, different webpage, whose pictures in turn link to a subdomain of everclipz.com that downloads a trojan disguised as an ActiveX video player. Executing (running) this file causes other files to be downloaded, which may, among other things, lead to disclosure of financial information and takeover of the computer by a remote person.
So, there are two “buffer sites” which lead on to the main exploit site. This is to guard against link scanners getting wise. The main site, full of explicit pictures, then offers a “codec”, which installs the malware. All the while, the main site, www.everclipz.com, is never active and never appears in any search results. This helps keep the site anonymous.
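As an added illustration (not part of the original post), a small Python script that walks such a picture-link chain over constructed sample pages and reports how many hops sit between the search-result page and the executable download; the buffer hosts and the everclipz.com subdomain are placeholders, and the pages are embedded inline rather than fetched.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class _PictureLinks(HTMLParser):
    """Collect href targets of <a> elements that wrap an <img> (picture links)."""
    def __init__(self):
        super().__init__()
        self.current_href = None
        self.links = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.current_href = a.get("href")
        elif tag == "img" and self.current_href:
            self.links.append(self.current_href)
    def handle_endtag(self, tag):
        if tag == "a":
            self.current_href = None

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi")

def is_executable(url):
    return urlparse(url).path.lower().endswith(EXECUTABLE_SUFFIXES)

def walk_chain(start_url, fetch, max_hops=5):
    """Follow the first picture link on each page until an executable URL or a
    dead end is reached. Returns (hops, True if the final URL is an executable)."""
    hops = [start_url]
    url = start_url
    while len(hops) <= max_hops and not is_executable(url):
        html = fetch(url)  # fetch returns None when the page cannot be retrieved
        if html is None:
            break
        parser = _PictureLinks()
        parser.feed(html)
        if not parser.links:
            break
        url = urljoin(url, parser.links[0])
        hops.append(url)
    return hops, is_executable(url)

# Constructed sample pages mirroring the three-hop layout described in the post;
# the buffer hosts and the everclipz.com subdomain are placeholders, not real sites.
SAMPLE_PAGES = {
    "http://buffer1.example/videos.html": '<a href="http://buffer2.example/more.html"><img src="a.jpg"></a>',
    "http://buffer2.example/more.html": '<a href="http://sub-placeholder.everclipz.com/player.html"><img src="b.jpg"></a>',
    "http://sub-placeholder.everclipz.com/player.html": '<a href="setup.exe"><img src="fake-popup.png"></a>',
}

def report(start_url):
    hops, exe = walk_chain(start_url, SAMPLE_PAGES.get)
    return {"hops": len(hops) - 1, "final": hops[-1], "executable": exe}
```

A link scanner that only inspects the first page sees no executable at all, which is exactly why the extra hops defeat it; a crawler that follows picture links to a bounded depth does.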
A whois search showed the IP address to be 18.104.22.168, hosted in China, with two more associated domains: Bestimagez.com and selectingz.com. What is frightening is that the IP address was registered only on the 29th of December, and within the space of 1 week it has moved up to a daily Alexa traffic ranking of 2797. That means traffic of a few hundred thousand per day. A few hundred thousand potentially infected computers per day. It is high time this site was put to an end.
Pictures: how to get infected, click by click.
First link: not infected; the pictures link to a second, non-infected site.
Picture: as you can see, the link scanner in the search engine did not flag the site because it really did not host any exploits, nor was it linked directly to one.
Second link: still no exploits, but the pictures link to a third site.
The main exploit site: note how precisely the picture simulating the pop-up window is placed.
Clicking on the "window" brings up a download dialog for the actual malware (setup.exe).
Finally, the frightening aspect: notice how rapidly the Alexa traffic rank is going up. The number of people reaching the site is now estimated at hundreds of thousands daily.