
An Expected Surprise

A fellow researcher from the anti-virus community recently blogged about an alluring spam message, which was spreading through Facebook. The spam message, purported to be a surprise package from a friend, unsurprisingly, redirected the user to a website which hosts malware.

Digging around the domain name reveals minimal information on the domain registration date, the registrant’s information, etc. The Top Level Domain “.tk” geographically belongs to Tokelau, a territory of New Zealand. However, a whois on the domain name reveals that the IP address hosting the site belongs to Romania and that the domain is registered to an address in Amsterdam, The Netherlands. In addition, analyzing the malware itself reveals that it originated in Russia.

A Google search for the domain name reveals more URLs, which currently host the malware, and these URLs seem to follow a similar pattern:

http://surprise-[followed by 5 random characters].tk/surprise.exe

While most vendors now detect the malware, the sites serving the malware are still up and running. K7TCL has notified the responsible authorities about the malware sites, but given that the .tk TLD is notorious for hosting abuse, the sites might not get taken down for a while.
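As an added illustration that is not part of the original post, the following Python check flags proxy-log entries whose requested URL matches the pattern described above. The log lines are constructed, and the assumption that the five random characters are lowercase letters or digits is mine, not something the post states.

```python
import re

# Pattern derived from the URLs quoted in the post: "surprise-", five
# characters, the .tk TLD and the surprise.exe filename. Restricting the
# five characters to [a-z0-9] is an assumption made for this example.
SURPRISE_URL_RE = re.compile(
    r"^https?://surprise-[a-z0-9]{5}\.tk/surprise\.exe$", re.IGNORECASE
)

# Constructed proxy-log lines (timestamp, client IP, method, URL); none of
# these hostnames are real indicators from the post.
SAMPLE_LOG = """\
2011-01-01T10:00:00 10.0.0.5 GET http://surprise-ab12x.tk/surprise.exe
2011-01-01T10:00:05 10.0.0.6 GET http://example.com/index.html
2011-01-01T10:00:09 10.0.0.7 GET http://surprise-zzzzz.tk/surprise.exe
2011-01-01T10:00:11 10.0.0.8 GET http://surprise-toolong.tk/surprise.exe
"""


def matches_surprise_pattern(url: str) -> bool:
    """Return True when the URL fits the surprise-*.tk/surprise.exe shape."""
    return SURPRISE_URL_RE.match(url.strip()) is not None


def find_hits(log_text: str) -> list:
    """Scan log text and return (client_ip, url) pairs that match the pattern.

    Lines that do not have the expected four fields are skipped rather than
    raising, so a malformed line cannot stop the scan.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client_ip, url = parts[1], parts[3]
        if matches_surprise_pattern(url):
            hits.append((client_ip, url))
    return hits


if __name__ == "__main__":
    for client_ip, url in find_hits(SAMPLE_LOG):
        print(f"possible surprise.exe download: {client_ip} -> {url}")
```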

Lokesh Kumar
