Art Alexion on 18 Jan 2009 10:22:47 -0800



[PLUG] Fun with Viruses, really


I googled dmg extractors because I wanted to configure a large Canon
ImageRunner printer in Linux.  The only place I could find a PPD is in a
MacOSX dmg file, so I downloaded it with plans to extract the PPD and
install it in Linux.

After downloading it, I googled 'unpack dmg linux'.  The first link
tells you how to mount it like an ISO with 'mount -t hfs -o
loop /source.dmg /mountpoint'  The thread suggested it might not work.
I tried it and it didn't.  (no support for hfs).

So, I tried the second link.  This is a link to
http://elements-webdesign.com/ogang/pxchj/files/files.htm&ei=cZlwSc34IJ3etgfVn9TqCA&usg=AFQjCNEP-NlrSzIeu7YZ7OmXaINDumec-A&sig2=HOVomUvnLG0iIedEYY4Q1w

That link redirects to radiantspywarescanner.com.  That site tries to
install Antivirus 2009 on your system.  The first indication was a
javascript message box telling me I may be infected and asking me to do
a scan.  Since I was using Linux, I figured I'd have some fun and let it
try.  I was presented with a web page that had an embedded animated
GIF that was purporting to do a scan of my EXEs and DLLs (ha ha).

Next it used a layer to present a very convincing looking WinXP dialog
with 'Microsoft Windows' in the title bar showing me the viruses it
found and asking me to install.  Of course, no matter where I clicked on
it, it tried to install its nefarious payload.

I expected it to just fail, but our Sonic Wall blocked it before
incompatibility with Linux did.

If you have ever been called on to help friends or users infected with
this thing, it is fun to see how they got it, from a safe distance.

Whois info:
Registrant:
Name: Aennova M Decisionware
Address: Rua Maestro Cardim 1101   cj. 112
City: São Paulo
Province/state: NA
Country: BR
Postal Code: 01323

Current Registrar: TODAYNIC.COM, INC.
IP Address: 94.247.3.43 (ARIN & RIPE IP search)
IP Location: UK(UNITED KINGDOM)
Lock Status: clientTransferProhibited
DMOZ no listings
Y! Directory: see listings
Data as of: 14-Jun-2005

First question: Any point in pursuing this further?  If so, what is the
practical next step?

Second question: How do I get this PPD from the DMG archive?

Attachment: signature.asc
Description: This is a digitally signed message part.

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
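On the second question (getting the PPD out of the .dmg), the reason a plain `mount -t hfs -o loop` usually fails is not only missing HFS support: most vendor .dmg files are Apple UDIF images, where the HFS+ filesystem is stored in compressed chunks with a 512-byte "koly" trailer at the end of the file, and even a raw image often carries an Apple Partition Map or GPT in front of the volume, so the loop mount needs an offset. The script below is an added example, not part of Art's message or of any reply on the list: it inspects a .dmg and says what kind of blob it is and what the practical next step is. The trailer layout follows Apple's UDIF format as documented in the dmg2img sources, the volume and partition signatures ('H+'/'HX' at byte 1024, 'ER'/'PM' for APM, 'EFI PART' for GPT) are the standard on-disk magic values, and the sample images it builds are constructed stand-ins, not a real Canon download.

```python
"""Classify a .dmg before trying to loop-mount it (added example)."""
import struct

# UDIF 'koly' trailer: 512 bytes, big-endian, at the very end of the file.
KOLY_FMT = ">4sIIIQQQQQII16sII128sQQ120sII128sIQ12s"
KOLY_SIZE = struct.calcsize(KOLY_FMT)  # == 512


def parse_koly(image: bytes):
    """Return the UDIF trailer fields if the image ends in a valid 'koly' block, else None."""
    if len(image) < KOLY_SIZE:
        return None
    f = struct.unpack(KOLY_FMT, image[-KOLY_SIZE:])
    if f[0] != b"koly" or f[2] != KOLY_SIZE:  # signature and header size
        return None
    return {
        "version": f[1],
        "data_fork_offset": f[5],   # where the compressed chunk data starts
        "data_fork_length": f[6],
        "xml_offset": f[15],        # property list describing the chunks
        "xml_length": f[16],
        "sector_count": f[22],      # size of the decompressed image, in 512-byte sectors
    }


def udif_plist(image: bytes) -> bytes:
    """Slice out the embedded XML plist (the blkx table) of a UDIF image."""
    k = parse_koly(image)
    if k is None:
        return b""
    return image[k["xml_offset"]:k["xml_offset"] + k["xml_length"]]


def classify(image: bytes) -> str:
    """Say what the blob is: wrapped UDIF, partitioned raw image, bare volume, or unknown."""
    if parse_koly(image) is not None:
        return "udif"
    if image[:2] == b"ER" and image[512:514] == b"PM":
        return "apm-partitioned"        # Apple Partition Map in front of the volume
    if image[512:520] == b"EFI PART":
        return "gpt-partitioned"        # GPT header at LBA 1
    sig = image[1024:1026]
    if sig in (b"H+", b"HX"):
        return "hfsplus-volume"         # bare HFS+ / HFSX volume header
    if sig == b"BD":
        return "hfs-wrapper"            # classic HFS (may wrap an HFS+ volume)
    return "unknown"


def next_step(kind: str) -> str:
    """The practical command to run next for each classification."""
    return {
        "udif": "convert first: dmg2img in.dmg out.img  (or extract directly: 7z x in.dmg)",
        "apm-partitioned": "find the HFS partition offset, then mount -t hfsplus -o loop,ro,offset=<bytes> out.img /mnt",
        "gpt-partitioned": "find the HFS partition offset, then mount -t hfsplus -o loop,ro,offset=<bytes> out.img /mnt",
        "hfsplus-volume": "mount -t hfsplus -o loop,ro out.img /mnt  (kernel needs CONFIG_HFSPLUS_FS)",
        "hfs-wrapper": "mount -t hfs -o loop,ro out.img /mnt, or 7z x out.img",
    }.get(kind, "not a recognised image; check the download (it may be an HTML error page)")


# --- constructed sample images, stand-ins for a real vendor .dmg ---------------
def build_udif_sample() -> bytes:
    data_fork = b"\x00" * 2048                    # stands in for compressed chunks
    plist = b'<?xml version="1.0"?><plist version="1.0"><dict/></plist>'
    trailer = struct.pack(
        KOLY_FMT, b"koly", 4, KOLY_SIZE, 1, 0, 0, len(data_fork), 0, 0, 1, 1,
        b"\x00" * 16, 2, 32, b"\x00" * 128, len(data_fork), len(plist),
        b"\x00" * 120, 2, 32, b"\x00" * 128, 1, 8, b"\x00" * 12)
    return data_fork + plist + trailer


def build_hfsplus_sample() -> bytes:
    return b"\x00" * 1024 + b"H+" + b"\x00" * 2046   # volume header signature at 1024


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_udif_sample()
    kind = classify(blob)
    print(kind, "->", next_step(kind))
```

Run it as `python3 dmgcheck.py file.dmg`; with no argument it classifies the constructed UDIF sample. A "udif" result means the loop mount was never going to work: convert or extract first, then run the check again on the raw image to see whether an offset is needed before mounting it read-only and copying the .ppd out.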