Botnet farmers play the international exchange game

Spyware authors are prepared to pay botnet farmers or webmasters much more for infecting PCs in the UK or Australia than machines in continental Europe. Selling "installs" is a common practice in the cyber-underworld, the most notable example being in 2005 when Jeanson Ancheta was arrested for building a 400,000-strong botnet …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Need to make up a phony trojan

    Just make up a fake one that emulates lots of real malware but doesn't send anything of interest back to the "mother ship". Then they send you $$$ (am I dreaming?) and they get nothing.

    Just the ticket. Malware for the malware people. Similar to click fraud on Google, I suppose. You want botnets, we got botnets. Do they do anything? No, but we got botnets.

    If it were only true! (*SIGH*)

  2. Anonymous Coward
    Alert

    "... a shortened version of its name ..."

    "The site is loaded with malware and for that reason we'll refer to it by a shortened version of its name, installscash.org."

    That's not shortened at all, that's the exact full name.

    http://www.google.co.uk/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-GB%3Aofficial&hs=Ufi&q=%22You+won%27t+lose+your+unique+visitors+with+us%21+You+can+also+have+your+own+exe%22&btnG=Search&meta=

  3. ImaGnuber
    Happy

    Humour 2.0

    "cybercrime 2.0."

    Love it. Very funny. Hate them though.

  4. Spleen
    Coat

    Why pay to install spyware in the UK?

    Just get a job at Phorm...

  5. Anonymous Coward
    Alert

    Re "... a shortened version of its name ..."

    No it's not! There's a bit before the .installscash and it's not www.

    Oh and thanks for telling us all you use Firefox, nice to know.

  6. Anonymous Coward
    Boffin

    Re "... a shortened version of its name ..."

    What's also interesting is that Google has not flagged that site with stopbadware.org as it usually does...

    For those without FF+ABP+NS or those not game to have a look, here's a rundown:

    The site itself looks very slick... The English is well written with no spelling or grammatical errors that I could find, and some time has been spent on the graphics and layout; it has a very typical shiny-glass 2.0 look to it. Pages accessible from the front page are Home, Terms, FAQ (!), Sign Up, About Us, Rates and a Login button. You could be forgiven for thinking it was a legitimate business site at first glance!

    Looking at the source, I can't find any suspect JavaScript but it does try to run a Flash object - which is almost certainly where the malware comes from. I couldn't find any iframes or external script calls on the pages I looked at. The site uses PHP to display its pages, and the HTML is not W3C compliant; no DOCTYPE, some HTML tags are uppercase, and it uses deprecated elements and attributes.

    Interestingly, the WHOIS turns up two names and addresses in Iowa City, USA. A little email to the FBI is in order, methinks...

    Finally, that "phony trojan" is a fantastic idea, and I'll be passing that along to some friends who will be able to make good use of it...
