
Here's some malware that might be interesting (Day 360 is coming)


Virus Guy
Dec 23, 2009, 10:24:19 PM
So I'm watching TV and there's this hokey commercial that I've seen a
few times now of a cartoon guy that plugs himself in. No audio that I
can remember, and some text that gets displayed at the end:

Day 360 is coming

I plug that into google and get this:

-----------------
DAY 360 IS COMING
DAY 360 IS COMING: Crater Lake National Park is open year-round, 24
hours a day. ... Call 360- 569-2411 for information on ski rentals and
lessons or ...
www.svleonberg.de/?sid=day-360-is-coming - Cached
-----------------

That's the first hit. No other hits look even remotely close (lots of
references to Xbox 360).

So the hit is hot-linked to this:

hxxp://www.svleonberg.de/?sid=day-360-is-coming

Which takes me on a ride to a fake AV scan, which finally offers
install.exe from here:

hxxp://supercheckfree.com/downloader.php?affid=94800

VT gets a hit rate of 12/40 on that one, calling it Koobface, Eldorado,
Winwebsec, Kryptik (specifically) and FakeAlert, Fraudtool, and
RogueSecurity (generally). No hits from Kaspersky.

Can anyone explain how or what generated the stuff that google picked up
that resulted in the rogue link being the first hit for this search?
How exactly do these rogue links get so highly placed by google? Was
this a coincidence, or was this TV commercial somehow linked to a
mechanism to spread this malware via search queries?

And I still don't know what the hell that TV commercial is all about...

Duh_Oz
Dec 23, 2009, 11:26:08 PM
On Dec 23, 9:24 pm, Virus Guy <Vi...@Guy.com> wrote:
> So I'm watching TV and there's this hokey commercial that I've seen a
> few times now of a cartoon guy that plugs himself in.  No audio that I
> can remember, and some text that gets displayed at the end:
>
>     Day 360 is coming
>
> I plug that into google and get this:
>
> -----------------
> DAY 360 IS COMING
> DAY 360 IS COMING: Crater Lake National Park is open year-round, 24
> hours a day. ... Call 360- 569-2411 for information on ski rentals and
> lessons or ...www.svleonberg.de/?sid=day-360-is-coming- Cached

> -----------------
>
> That's the first hit.  No other hits look even remotely close (lots of
> references to Xbox 360).
>
> So the hit is hot-linked to this:
>
> hxxp://www.svleonberg.de/?sid=day-360-is-coming
>
> Which takes me on a ride to a fake AV scan, which finally offers
> install.exe from here:
>
> hxxp://supercheckfree.com/downloader.php?affid=94800
>
========
Using FF, I got a "Reported Attack Site!"

This web site at supercheckfree.com has been reported as an attack
site and has been blocked based on your security preferences.
========

With IE, the fake scan started up :-)


FromTheRafters
Dec 24, 2009, 9:16:23 AM
"Virus Guy" <Vi...@Guy.com> wrote in message
news:4B32DEE3...@Guy.com...

[...]

Just as a FYI, the following appears as a clickable link in OE

www.svleonberg.de/?sid=day+360-is-coming - Cached

I know you care because of your obfuscation in the form of hxxp in the
other references to that URL.

> Can anyone explain how or what generated the stuff that google picked
> up
> that resulted in the rogue link being the first hit for this search?

Part of Google's algorithm rates URLs according to how many places link
to that URL. This is why spamming of URLs is useful for spammers - it
earns them a higher place on search engines that prioritize results by
(apparent) popularity.

> How exactly do these rogue links get so highly placed by google? Was
> this a coincidence, or was this TV commercial somehow linked to a
> mechanism to spread this malware via search queries?

It could be both as above, and the popularity by other media as you
suggest. In this case it *might* just be coincidence, but I'm sure
malware uses interference with other recent popular search queries.

> And I still don't know what the hell that TV commercial is all
> about...

I haven't seen it, but you got me curious now too.
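The link-popularity mechanism described in this reply, as an added illustration that is not from the thread: a toy PageRank power iteration over a constructed link graph, showing that a rogue page with many throwaway inbound links ends up outranking a genuine page that has only two real inbound links. Page names and the graph are invented for the example.

```python
"""Toy PageRank: why a flood of inbound spam links lifts a rogue page's rank."""


def pagerank(links, damping=0.85, iters=100):
    """links: {page: [pages it links to]}. Returns {page: score}; scores sum to 1."""
    pages = set(links)
    for outs in links.values():
        pages.update(outs)
    n = len(pages)
    rank = {p: 1.0 / n for p in pages}
    for _ in range(iters):
        new = {p: (1.0 - damping) / n for p in pages}
        for p in pages:
            outs = links.get(p, [])
            if not outs:
                # dangling page (no outbound links): spread its rank evenly
                for q in pages:
                    new[q] += damping * rank[p] / n
                continue
            share = damping * rank[p] / len(outs)
            for q in outs:
                new[q] += share
        rank = new
    return rank


def build_graph(spam_count):
    """Constructed graph: one genuine page with two real inbound links, and one
    rogue page pointed at by `spam_count` throwaway pages (the spammed URLs)."""
    graph = {
        "real-site": [],
        "rogue-site": [],
        "blog-a": ["real-site"],
        "blog-b": ["real-site"],
    }
    for i in range(spam_count):
        graph[f"spam-{i}"] = ["rogue-site"]
    return graph


def top_page(spam_count):
    """Name of the highest-ranked page once `spam_count` spam links exist."""
    scores = pagerank(build_graph(spam_count))
    return max(scores, key=scores.get)


if __name__ == "__main__":
    for count in (0, 5, 50):
        print(count, "spam links ->", top_page(count))
```

With no spam links the genuine page wins; once a few dozen throwaway pages link to the rogue URL it takes the top slot, which is the effect the reply describes.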


Virus Guy
Dec 24, 2009, 10:06:52 AM
FromTheRafters wrote:

> "Virus Guy" <Vi...@Guy.com> wrote in message
>
> Just as a FYI, the following appears as a clickable link in OE
>
> www. svleonberg.de/?sid=day+360-is-coming - Cached

Well, that's good to know - too bad that OE works that way.

I've come across other links that take you to the same malware:

----------------------------------
Einzeller: Der Türke on Air.. Ich hätte es fast vergessen ...
... jeremy steinke · black snuggie · day 360 is coming · i wish it was
christmas today · galewher.com facebook · brett dennen · world chocolate
championship ...
www. blogoperium.de/.../oh-wie-geil-telefonterror-mitm-tuerke/ - Cached
- Similar
----------------------------------

hxxp://www.blogoperium.de/internet/oh-wie-geil-telefonterror-mitm-tuerke/

--------------------------------
DJ Hero Bundle ab 39,90€ inkl. Versand bei Amazon | abstauben24.de ... -
[ Translate this page ]... jeremy steinke · black snuggie · day 360 is
coming · i wish it was christmas today · galewher.com facebook · brett
dennen · world chocolate championship ...
www. abstauben24.de/.../dj-hero-bundle-ab-65-euro-inklusive-versand/ -
Cached
--------------------------------

hxxp://www.abstauben24.de/amazon/dj-hero-bundle-ab-65-euro-inklusive-versand/

The domains/sites seem to belong to the same server farm:

www. svleonberg.de : 82.100.220.51
www. blogoperium.de : 82.100.220.58
www. abstauben24.de : 82.100.220.58

If you want to see all the domains hosted on those various IP addresses,
look here:

http://www.robtex.com/ip/82.100.220.51.html#shared
http://www.robtex.com/ip/82.100.220.58.html#shared

I'm not sure if all those domains were set up recently to host this
malware, or if this is a hijacked server farm.

Virus Guy
Dec 24, 2009, 10:07:36 AM
FromTheRafters wrote:

> "Virus Guy" <Vi...@Guy.com> wrote in message
>
> Just as a FYI, the following appears as a clickable link in OE
>

FromTheRafters
Dec 24, 2009, 11:25:00 AM
"Virus Guy" <Vi...@Guy.com> wrote in message
news:4B32DEE3...@Guy.com...

> So I'm watching TV and there's this hokey commercial that I've seen a
> few times now of a cartoon guy that plugs himself in. No audio that I
> can remember, and some text that gets displayed at the end:
>
> Day 360 is coming
>
> I plug that into google and get this:
>
> -----------------
> DAY 360 IS COMING
> DAY 360 IS COMING: Crater Lake National Park is open year-round, 24
> hours a day. ... Call 360- 569-2411 for information on ski rentals and
> lessons or ...
> www.svleonberg.de/?sid=day-360-is-coming - Cached

======================================

DAY 360 IS COMING:


Support for Blackberry and Android devices is coming soon. ....
Band game package complete with X-Box 360 and both of the custom Beatles
guitar controllers, ...
In preparation of its participation at the New Year's Day
Tournament of Roses ... can be reached at
cchan...@portorchardindependent.com or (360) 876-4414.
"When you're getting rain every other day, it really limits in
terms of ... "And in certain cases, that rain every other day was
significant - 2 to 3 inches ...
Where's that beautiful singing coming from? Then you hear another
sound. .... there is scrubby grass and some slabs of rock to sit on and
a 360-degree view. ...

DAY 360 IS COMING

(December 24, 2009, 05:18 PM) DAY 360 IS COMING

=======================================



FromTheRafters
Dec 24, 2009, 11:59:05 AM
"ASCII" <m...@privacy.net> wrote in message
news:4b349684.15369078@EBCDIC...

> FromTheRafters wrote:
>>
>>Just as a FYI, the following appears as a clickable link in OE
>>
>>www.svleonberg,de/?sid=day+360-is-coming - Cached
>
> Simple to just change the dot before the domain to a comma,
> try it now.
> Works quicker than all the hypertext munging (hxxp) too.

There's probably some "oh so helpful" rendering client that *fixes* that
anomaly too.

It sure was annoying in the binaries groups to have OE "searching for
hyperlinks" in large text files on a slow processor. As if every
commercial at symbol re@lly needed to be *fixed* into a possible "mailto:"
scheme URL. :oD
