Daily cyber threats and internet security news: network security, online safety and latest security alerts
February 25th, 2009

Gmail Downtime Exposes Attempts To Distribute Malicious Files And Phishing Attacks

During yesterday's Gmail outage, cybercriminals squeezed in an attempt to distribute malicious files to unsuspecting users. While the service was down, searches for the string “gmail down” returned a Google Group page, also named “Gmail down”, as the top result. The page displayed a banner of pornographic images that pointed to a pornographic website, and according to Trend Micro researcher Loucif Kharouni, links on the same page also led to malicious files.

The link “Really young good looking teenager-547b4.html” redirects to two different URLs. The first, hxxp:// {BLOCKED}, prompts the download of a file detected as TROJ_PROXY.AEI. TROJ_PROXY.AEI drops two files, a BAT file and a DLL file. The BAT file loads the DLL, which in turn modifies the registry entries that hold the user's proxy server settings. With the proxy hijacked, the user's queries are redirected to remote sites, mostly advertising-related.
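The registry tampering described above leaves a durable trace that can be checked on the host. The script below is an added example, not part of the original article or of Trend Micro's analysis: it parses the text of a `reg export` of the user's Internet Settings key and flags a proxy server or PAC URL that is not on an allowlist. The export text, the allowlist host `proxy.corp.example` and the address `203.0.113.45` are all constructed for illustration; the value names ProxyEnable, ProxyServer and AutoConfigURL are the ones Windows actually uses for per-user proxy settings.

```python
# Detect proxy hijacking from an exported Internet Settings registry key.
# Added example; the .reg text, allowlist and addresses below are constructed.
import re
from urllib.parse import urlparse

# Constructed stand-in for:
#   reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" out.reg
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=203.0.113.45:8080;https=203.0.113.45:8080"
"AutoConfigURL"="http://203.0.113.45/proxy.pac"
"ProxyOverride"="<local>"
"""

# Proxies the organisation legitimately uses (assumed allowlist for this example).
ALLOWED_PROXY_HOSTS = {"proxy.corp.example"}


def parse_reg_values(text):
    """Return {name: value} for the REG_SZ and REG_DWORD lines of a .reg export."""
    values = {}
    pattern = re.compile(r'^"([^"]+)"=(dword:[0-9a-fA-F]{8}|"(?:[^"\\]|\\.)*")$')
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if not m:
            continue  # header, key path or blank line
        name, raw = m.group(1), m.group(2)
        if raw.startswith("dword:"):
            values[name] = int(raw[len("dword:"):], 16)
        else:
            # .reg files escape backslashes and quotes inside string values
            values[name] = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return values


def proxy_hosts(proxy_server):
    """ProxyServer is 'host:port' or 'proto=host:port;proto=host:port'; return unique hosts."""
    hosts = []
    for entry in proxy_server.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" in entry:  # per-protocol form
            entry = entry.split("=", 1)[1]
        host = entry.rsplit(":", 1)[0] if ":" in entry else entry
        if host not in hosts:
            hosts.append(host)
    return hosts


def find_proxy_hijack(reg_text, allowed=ALLOWED_PROXY_HOSTS):
    """Return a list of findings; an empty list means the proxy settings look benign."""
    v = parse_reg_values(reg_text)
    findings = []
    if v.get("ProxyEnable", 0) == 1:
        for host in proxy_hosts(v.get("ProxyServer", "")):
            if host not in allowed:
                findings.append(f"ProxyServer points at unapproved host {host}")
    pac = v.get("AutoConfigURL")
    if pac:  # a PAC file lets the attacker route traffic selectively, so treat it the same way
        host = urlparse(pac).hostname or ""
        if host not in allowed:
            findings.append(f"AutoConfigURL points at unapproved host {host}")
    return findings


if __name__ == "__main__":
    for finding in find_proxy_hijack(SAMPLE_REG_EXPORT):
        print("ALERT:", finding)
```

Run it against a real export by replacing `SAMPLE_REG_EXPORT` with the file contents; on an endpoint that should have no proxy at all, an empty allowlist turns any enabled proxy or PAC URL into a finding.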

The second URL, hxxp:// {BLOCKED}, leads to the download of a malicious file detected as TROJ_AGENT.FAKZ. The link “The Dark Knight” leads to the download of the BAT file main_movie_torrent.bat. That file modifies the attributes of the following files: c:\autoexec.bat, c:\boot.ini, c:\ntldr, c:\windows\win.ini.

It displays a pop-up message stating “Virus Activated,” then deletes the files listed above, all of which are critical to booting Windows. It then displays another pop-up message, this time stating “Computer Over. Virus=Very Yes.” The computer shuts down after 10 seconds and can no longer boot into the operating system. This file is now being studied for detection. Please stand by for updates.
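A batch file that does nothing more than unhide and delete boot files is easy to triage statically. The scanner below is an added example, not Trend Micro's detection and not the original sample: it tokenises batch text, expands the usual drive and Windows-directory variables, and reports every attrib/del/erase aimed at a boot-critical path together with any forced shutdown. `SAMPLE_BAT` is a constructed approximation of the behaviour described above, and the environment expansions assume a single-drive installation with Windows in c:\windows.

```python
# Static triage of a Windows batch file for boot-file destruction.
# Added example; SAMPLE_BAT is a constructed stand-in, not the real dropper.
import re

# Files Windows 2000/XP needs in order to boot (or that the dropper is described as touching).
BOOT_CRITICAL = {
    r"c:\autoexec.bat",
    r"c:\boot.ini",
    r"c:\ntldr",
    r"c:\ntdetect.com",
    r"c:\windows\win.ini",
    r"c:\windows\system.ini",
}

# Assumed expansions for a single-drive install; adjust for other layouts.
ENV = {
    "%systemdrive%": "c:",
    "%systemroot%": r"c:\windows",
    "%windir%": r"c:\windows",
}

DESTRUCTIVE = {"del", "erase", "attrib"}  # attrib -r -s -h is the usual prelude to del

# Constructed approximation of the described behaviour, for illustration only.
SAMPLE_BAT = r"""@echo off
attrib -r -h -s C:\autoexec.bat
attrib -r -h -s "C:\boot.ini"
attrib -r -h -s %SystemDrive%\ntldr
attrib -r -h -s %windir%\win.ini
echo Virus Activated
del /f /q C:\autoexec.bat "C:\boot.ini" %SystemDrive%\ntldr %windir%\win.ini
echo Computer Over. Virus=Very Yes.
shutdown -s -t 10
"""


def normalise_path(token, env=ENV):
    """Lower-case, strip quotes, unify slashes and expand the known variables."""
    path = token.strip('"').lower().replace("/", "\\")
    for var, value in env.items():
        path = path.replace(var, value)
    return path


def triage_batch(text):
    """Return (line number, command, target) for each dangerous command found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = re.findall(r'"[^"]*"|\S+', line.strip())  # keep quoted paths whole
        if not tokens:
            continue
        cmd = tokens[0].lstrip("@").lower()  # '@echo' -> 'echo'
        args = tokens[1:]
        if cmd in DESTRUCTIVE:
            for arg in args:
                if arg.startswith(("/", "-", "+")):  # switches such as /f, -r, +h
                    continue
                path = normalise_path(arg)
                if path in BOOT_CRITICAL:
                    findings.append((lineno, cmd, path))
        elif cmd == "shutdown":
            findings.append((lineno, cmd, " ".join(args)))
    return findings


def verdict(findings):
    """Unhide + delete of the same boot file followed by a shutdown is the full pattern."""
    deleted = {p for _, c, p in findings if c in ("del", "erase")}
    unhidden = {p for _, c, p in findings if c == "attrib"}
    forces_shutdown = any(c == "shutdown" for _, c, _ in findings)
    if deleted & unhidden and forces_shutdown:
        return "boot-destroyer"
    if deleted or unhidden:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    found = triage_batch(SAMPLE_BAT)
    for lineno, cmd, target in found:
        print(f"line {lineno}: {cmd} {target}")
    print("verdict:", verdict(found))
```

The scanner is deliberately literal: it will miss a dropper that builds paths at runtime or calls out to a second script, so treat "clean" as "nothing obvious", not as a clean bill of health.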

The Google Group has already been deleted; it was reported to have been online for about 25 minutes. The incident shows how quickly cybercriminals spot and exploit an opportunity to distribute their malicious files.

Hours after the outage, Gmail users were also hit with a widespread phishing attack. The malicious message spread via Google Talk, the instant messaging system built into Gmail, urging users to watch a video by clicking a link shortened with the TinyURL service. The link pointed to a website called ViddyHo, which invited users to submit their Gmail usernames and passwords. The attack was more plausible because the messages arrived through the chat system inside Gmail rather than by email.
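The lure worked because a shortened link hides its destination. The helper below is an added example, not code from the article or from Sophos: it resolves a short URL one redirect at a time, keeping every hop, and only accepts the link as belonging to the claimed service when the final host really is under that domain. The default fetcher issues a HEAD request with urllib and refuses to auto-follow redirects (auto-following would hide the chain); the `fetch` parameter lets the offline check below substitute a constructed redirect map. The hosts `viddyho.example`, `short.example` and the `tinyurl.com/abc123` path are constructed for illustration.

```python
# Resolve a shortened link hop by hop before trusting where it leads.
# Added example; the redirect map used in the offline check is constructed.
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

SHORTENERS = {"tinyurl.com", "bit.ly", "is.gd"}  # assumed list, extend as needed


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand every 3xx back to the caller instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_location(url, timeout=5):
    """One HEAD request; return its Location header, or None if it is not a redirect."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # Because we refused to follow it, a 301/302 surfaces here with its headers intact.
        return err.headers.get("Location")


def expand(url, fetch=head_location, max_hops=5):
    """Follow redirects one hop at a time and return every URL visited, in order."""
    chain = [url]
    for _ in range(max_hops):  # bounded so a redirect loop cannot run forever
        location = fetch(chain[-1])
        if not location:
            break
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    return chain


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def classify(url, claimed_domain, fetch=head_location):
    """Return (verdict, chain) for a link that claims to lead to claimed_domain."""
    chain = expand(url, fetch)
    final = host_of(chain[-1])
    on_claimed = final == claimed_domain or final.endswith("." + claimed_domain)
    if on_claimed:
        return "ok", chain
    if host_of(chain[0]) in SHORTENERS:
        return "shortener hides third-party host", chain
    return "third-party host", chain


# Constructed redirect map standing in for live HEAD requests.
FAKE_REDIRECTS = {
    "http://tinyurl.com/abc123": "http://viddyho.example/login",
    "http://short.example/x": "/landing",
    "http://short.example/landing": "https://mail.google.com/",
}


if __name__ == "__main__":
    verdict, chain = classify("http://tinyurl.com/abc123", "google.com", FAKE_REDIRECTS.get)
    print(verdict, "->", " => ".join(chain))
```

Against a live link, call `classify(url, "google.com")` without the third argument; the verdict is only as good as the final hostname, so a third-party host that merely embeds "google" in a subdomain or path is still reported as third-party.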

TinyURL has blacklisted the site, rendering the attack inert, but that action is too late for those duped by the ruse, who now need to act quickly. “If you think you might have been duped, make sure you change your Gmail password immediately otherwise your entire address book and all your correspondence, including information that you may have archived about other online accounts, will quickly become rich pickings for the hackers,” warned Graham Cluley, senior technology consultant at Sophos.

Victims were urged to change their passwords before hackers have a chance to abuse their webmail account.

Credit: JM Hipolito, Technical Communications, TrendMicro

Credit: Graham Cluley, Sophos
