Quote:
Originally Posted by Killebrew
Sorry if I missed it on all the forum pages dedicated to this issue, but can anyone here mention what happens when users click on the hacked OOTP web site pages with the embedded ****** link? I know it's been described as "a malware site" and it "usually" results in a local box scan and a possible key logger, but do we know exactly what this one does?
Also, I guess there is no action we can take using our ftp logs:/.
It's a bit complex to explain the process in detail, but I'll try to simplify it somehow. The moment you get redirected to the malware site, a rogue is installed automatically in a hidden mode. Your firewall, anti-virus or anti-malware shields may not be able to block the download and installation, but some of them are capable of detecting and removing the rogue afterwards. This rogue is the one you described: the one that goes scanning your PC, claiming it to be highly compromised and telling you about this great piece of software that can put you out of your misery for a few bucks. Those who bite and buy it are awarded with a free highway for trojans.
If you have good and updated security, the redirection to the malware site would simply be blocked (unless, of course, you authorize it), so that's about it. Now, if the redirection is successful you enter the universe of the server that hosts MPack (or similar), which performs in cascade. To do so, first it would try to install a downloader trojan to check the system, web browser and firewall for vulnerabilities. Then, depending on the outcome, goes another trojan, and then another, and another. Pretty much all the family, from keyloggers to spammers to backdoors to downloaders. The more outdated the security and unpatched the operating system and browser, the more chances MPack has to be successful.
That's all in short.
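The redirect described above starts with a tag injected into the hacked site's own pages. The following scanner, added here as an example and not code from the forum thread or from OOTP, is the kind of check a site owner can run over downloaded pages to find hidden or off-site `<iframe>`/`<script>` tags; the site host and the sample page are constructed assumptions.

```python
# Added example (not from the forum post): a site owner's check for the kind of
# injected hidden <iframe>/<script> tag that sends visitors to an exploit-kit host.
import re
from html.parser import HTMLParser

HIDDEN_CSS = ("display:none", "visibility:hidden")
TINY_SIZES = {"0", "1", "0px", "1px"}


def _host_of(url):
    # Host part of an absolute URL; '' for a relative or empty src.
    m = re.match(r"^(?:https?:)?//([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


class InjectedTagFinder(HTMLParser):
    """Collects <iframe>/<script> tags that look like an injected off-site redirect."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (line number, tag, src, reason)

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases attribute names
        src = a.get("src", "")
        host = _host_of(src)
        style = a.get("style", "").replace(" ", "").lower()
        reasons = []
        if host and host != self.site_host:
            reasons.append("off-site src")
        if tag == "iframe" and any(css in style for css in HIDDEN_CSS):
            reasons.append("hidden by CSS")
        if tag == "iframe" and any(a.get(d, "").strip() in TINY_SIZES for d in ("width", "height")):
            reasons.append("zero/one-pixel size")
        if reasons:
            self.findings.append((self.getpos()[0], tag, src, ", ".join(reasons)))


def scan_html(html, site_host):
    # Parse one page and return its suspicious tags as (line, tag, src, reason).
    finder = InjectedTagFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: a legitimate same-site iframe plus one injected iframe and one script.
SAMPLE_PAGE = """<html><body>
<iframe src="/stats/embed.html" width="300" height="200"></iframe>
<iframe src="http://malware.example/in.cgi?3" width="1" height="1" style="display: none"></iframe>
<script src="http://bad.example/x.js"></script>
</body></html>"""
```

`scan_html(SAMPLE_PAGE, "www.example.com")` flags the 1x1 hidden iframe on line 3 and the off-site script on line 4 and leaves the same-site iframe alone; off-site scripts are also used legitimately (CDNs, analytics), so treat the output as a review list to compare against a known-good copy of the page, not as something to delete blindly.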