Feb 20 2008
The Nautica clothing site in the Republic of China has been compromised by a malicious iframe that redirects to very well-known rogue anti-spyware pushers often associated with the Russian Business Network. If the site is searched on Google, the index listing indicates that “This site may harm your computer”.
So naturally, the first thing I do is check it out.
I was a little bit disappointed that all I found was an iframe redirect to meoryprof.info which 302s to spywaresafe.net, which refused my connection. Initially I thought it was because I was using wget, so I passed a valid-looking IE user-agent string to it and was still refused. Google’s cache only shows the text “sl0n” on the site. Not very effective malware, I guess. Most of these fake anti-spyware programs don’t use packers, debugger detection or any anti-RE techniques. I have about 40 or so different versions of this type of malware.
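As an added example (not code from the original post), a small Python check for the kind of injected iframe described above: it flags frames whose src points off the page's own host and notes whether they are styled to be invisible. The HTML and the hostnames are constructed samples, not the real site or redirector.

```python
"""Flag iframes that point off-site, the injection pattern behind the
compromise described above. Sample page below is constructed, not real."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append(dict(attrs))


def _looks_hidden(attrs):
    """Injected frames are usually invisible: zero/one-pixel size or display:none."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        if (attrs.get(dim) or "").strip().lower().rstrip("px") in ("0", "1"):
            return True
    return False


def find_offsite_iframes(html, page_url):
    """Return iframes whose resolved src host differs from the page's host."""
    parser = _IframeCollector()
    parser.feed(html)
    page_host = urlsplit(page_url).hostname
    findings = []
    for attrs in parser.frames:
        src = urljoin(page_url, attrs.get("src") or "")
        host = urlsplit(src).hostname
        if host and host != page_host:
            findings.append({"src": src, "host": host, "hidden": _looks_hidden(attrs)})
    return findings


# Constructed sample: one legitimate same-site frame, one hidden off-site frame.
SAMPLE_HTML = """<html><body><h1>Store</h1>
<iframe src="/promo.html" width="600" height="200"></iframe>
<iframe src="http://redirector.example/in.cgi?3" width="0" height="0"
 style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_offsite_iframes(SAMPLE_HTML, "http://store.example/index.html"):
        print(f)
```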