[ISN] Zombie PCs exploit hookup site in 4Square-for-malware scam

From: InfoSec News <alerts_at_private>
Date: Wed, 9 May 2012 00:25:23 -0500 (CDT)

By John Leyden
The Register
8th May 2012

Security researchers have discovered a strain of malware that uses the 
geolocation service offered by an adult dating website as an easy way to 
determine the location of infected machines.

Thousands of infected machines in a zombie network all phoned home to 
the URL promos.fling.com/geo/txt/city.php at the adult hookup site 
fling.com, security researchers at Websense discovered. Analysts first 
thought the adult dating site was being abused as a botnet command and 
control channel.

Not so.

A more detailed look at the traffic from an infected machine revealed 
that JavaScript code built into the malware is used to query fling's 
systems in order to discover the exact location - state, city, latitude 
and longitude - of infected PCs.

All indications are that Fling.com is not in on this. Instead, its 
unsecured geo-location services are being used as a kind of 4Square for 
zombie PCs. This information is "used by the botmaster for statistics or 
to give different commands to infected machines in certain countries," 
Websense explains. The security firm reports that more than 4,700 
samples of the as-yet-unnamed malware behind the attack have been 
submitted to its security lab to date.
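
A detection sketch for the phone-home behaviour described above, added here as an example and not taken from Websense or The Register. It flags clients in web proxy logs that request the geo endpoint named in the article without any other traffic to the site; the log format, the sample lines and the "no referer, no other site traffic" heuristic are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Endpoint named in the article; everything else here is an assumption.
GEO_HOST = "promos.fling.com"
GEO_PATH = "/geo/txt/city.php"
SITE_SUFFIX = "fling.com"

# Constructed proxy log lines: timestamp, client IP, method, URL, referer ("-" = none).
SAMPLE_LOG = """\
2012-05-08T10:00:01Z 10.0.0.11 GET http://promos.fling.com/geo/txt/city.php -
2012-05-08T10:30:02Z 10.0.0.11 GET http://promos.fling.com/geo/txt/city.php -
2012-05-08T10:05:00Z 10.0.0.12 GET http://www.fling.com/ -
2012-05-08T10:05:01Z 10.0.0.12 GET http://promos.fling.com/geo/txt/city.php http://www.fling.com/
2012-05-08T10:07:00Z 10.0.0.13 GET http://PROMOS.fling.com/geo/txt/city.php?x=1 -
2012-05-08T10:08:00Z 10.0.0.14 GET http://example.org/geo/txt/city.php -
malformed line
"""

def on_site(host):
    """True for the site's apex domain and any of its subdomains."""
    return host == SITE_SUFFIX or host.endswith("." + SITE_SUFFIX)

def suspicious_clients(log_text):
    """Return {client: lookup_count} for clients whose only traffic to the
    site is referer-less requests to the geo endpoint (no browsing context)."""
    geo_hits = defaultdict(int)
    browsing = set()  # clients with other site traffic or a referer on the lookup
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        _, client, _, url, referer = parts
        u = urlsplit(url)
        host = u.hostname or ""  # urlsplit lowercases the hostname
        if not on_site(host):
            continue
        if host == GEO_HOST and u.path == GEO_PATH:
            geo_hits[client] += 1
            if referer != "-":
                browsing.add(client)
        else:
            browsing.add(client)
    return {c: n for c, n in geo_hits.items() if c not in browsing}
```

Hits are leads for host triage, not proof of infection: a user who opens the URL directly produces the same pattern once, so repeated lookups from one client carry more weight.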


Received on Tue May 08 2012 - 22:25:23 PDT
