Goal.com spreading malware again: "Security Shield" fake anti-virus (final)

Blog article: http://blog.armorize.com/2011/05/goal...

Goal.com is actively serving malware to its visitors. This video shows the drive-by download process, and uses Fiddler to demonstrate how we can dissect a Web malware infection, and what happens to an infected visitor.

---

Closed Caption:

hi my name is Wayne long I am cofounder
insecure on rice technologies
gonna show you how cold a commis
actively serving
wet now we're too which visitors
visitors will be infected
with a fake antivirus program called
security shield
and first going to start filler which is
wet free web debugger
and I'll shoot to see what exactly
Internet Explorer is doing behind the
scenes I did story and explore
and I am heading to go to calm and now
my
I E is loading golda com and you can see
on the status bar
what my IE is loading and here's
fiddler's show you
everything that's happening behind the
scenes and now as you can see on the
says farts
its loading some very strange-looking
URL's are looks very fishy and
the Shirelles are indeed malicious and
so let's see
what HTTP request have been made
by my internet explorer this particular
request
ass you see the content it's actually a
binary
which means in the and my internet
explorer has downloaded
a binary file from the malicious domain
and have written that too disc and it
probably also
executed and a
and these your elves are also malicious
a
my internet explorer shouldn't be loaded
them but
it just did as a result of me visiting
called a common so let's see where
exactly
until golda com esteem faction and so
here
is called a comms index page inlets
search
for it that you CLD whatever domain that
we just saw an
it is right here show this
iframe that you see here is
a injected I Fran by
and malicious attacker that cost
minor explore to eventually lowered a
binary and right the binary to Diskin
execute that binary
this is the content of the
you CLD whatever as you can see it's
containing another iframe to this zepa
a malicious domain and then
the CEPA domain is
surveen a JavaScript exploit
drive-by download which exploits my
browser in Indy and causes my browser
to download a malicious binary to disk
arm
I want it okay so let's go back to go to
calm
and lets few stores
and sure that's look for that malicious
injection
and it's right here this whole section
has been injected by a malicious
attacker into
go to calm and we can't see
the iframe right here this is a
malicious iframe
that eventually cost my IE to install
a malware into my system okay so the
installed now we're is eventually going
to bootstrap itself and those
let's wait for a while okay so
its finish boot rapid and slow did
itself itself now permanently
installed inside go to calms visitors
computer as you can see you can see it's
icon in the status bar
and it's now on permanently
installed and reboot your system will
not move
this malware its give you a lot of fake
alerts pretending that it's a
on skinny your system for viruses
and it's going to give you all these
fake warnings
and the only way to stop it is
for you to purchase a quote unquote
valid license
I and its gonna caution 99.95
when I wouldn't do that if I were you
because you'd be
giving your credit card information to
the attacker
and should now
up by vision elle.com you have ended up
with
a permanently installed malware called
security shield
inside your system