Bits from Bill

Technology thoughts leaking from the brain of "Bill Pytlovany"

Saturday, December 29, 2007

Winter.exe comes in like a Lion

Earlier this month I started to see an increase in requests for a file name Winter.exe. I didn't have a good feeling about this filename and our follow up research proved I was correct. Our friend Temerc has a good write up on this infiltration at his forum, Temerc Internet Countermeasures. The other exe’s that appear to be included are infos.exe, autos.exe and a few randomly created filename. Fortunately, they all show up in WinPatrols’ startup programs list. The filename bronto.dll showed up in our IE Helpers list.

Google has done a good job at making it easy for people to create Blogs, but in many ways, it’s too easy. A huge number of Google Blogspot, blogs are being created and have become host sites for this file and other malicious programs. I wrote earlier his month that Spamhaus was blocking any Email which included a Google blog in the content of the message. This was a dramatic step but has proved to be necessary.

Trend Micro is referring to these blog traps as “Poisonous Blogs”. There are a number of ways you might get to these blogs including…

  • A link to the Blog is included in a teaser Email.
    (Typically, it’s a greeting card, free product, drug or naked celebrity. This week we’ve frequently seen what claims to be video of Bhutto’s assassination)

  • The blog might show up in a typical Google search.
    (These sites are too new to be validated by programs like SiteAdvisor)

  • You click on the “Next” button on a Blogspot site.
    (This feature is disabled on Bits from Bill)

Our friends at SunbeltBlog have also written about this topic and show how easy it can be to run across these blog traps. Alex at Sunbelt provided some good screen shots and stresses how video “codec” scams are frequently used as an malware entry point.

If you see a message that says “You need to download new version of Video ActiveX Object to play this video file”, run away! Don't press cancel or even trust the red close box in the corner. Press Ctrl-Alt-Del and look at your list of processes. Select your browser( iexplore.exe or firefox.exe) and click on End Process.

Labels: , , , ,

Share on Facebook


Blogger TeMerc said...

For those readers who don't go to read my write up, all you have to do with most of these blogs in my write up is land on the site, no interaction is required, this is a huge point.

The other sites require user interaction.

Thanks for the mention Bill!!

5:05 PM  
Anonymous Anonymous said...

Termerc I recently came across a strange thing on my blogspot when I go there with FF I don't notice this alert when I have gone to others. NoScript filtered a potential cross-site scripting (XSS) attempt for
[]. Is this part of what you are referring to?

7:01 PM  

Post a Comment

<< Home