Sunday, October 18, 2009

Hacked Newspaper loads Google News with malware sites

Certain news searches on the Google News site today were pointing users to some troubling websites which seemed to be hosted by the "Chipley Bugle". Having never heard of the Chipley Bugle, I first confirmed that it was a real newspaper from a few sources, including a visit to's Wayboack Machine, which confirms that the paper has been online since at least 2000.

This is the first time that I've seen a real newspaper used to feed malware-oriented news stories to Google News.

A search for News stories where the source was "chipley_bugle" starts out with normal stories for a small town paper, such as:

BBB reports great turnout
Chipola Little Indians program for grades 1-8

It falls apart pretty quickly after that. The next several hundred entries, all posted about 18 hours ago, are for "news stories" with pornographic names of all varieties, and incoherent news stories, such as:
Chipley Bugle - 18 hours ago
At this top benzi knows how to progress hr the ravaged significat and female-to-female time she exists in age to have an boyfriend.

Chipley Bugle - 18 hours ago
Naked inmates must be reflected websites, critized producers , and began Janice makes him a late law, flossing him ...

You can verify this behavior by going to Google News and searching for "source:chipley_bugle", although I would recommend not following any of the links!

Many of the "news stories", such as the one above, use the names of real porn websites. If the website is followed, it displays a webpage such as this one, which appears from the URL to actually be on the Chipley Bugle website!

The graphics are actually being called by the Chipley Bugle's website from "", but the webpage is being loaded by what looks to be some content injected into the newspapers content-management system.

A "real" news story for the Chipley Bugle uses a URL like this one:

All of the fake news stories that lead to porn sites use URLs like this one:

Regardless of whether you say "Enter" or "Exit", the web page forwards thevisitor away from the newspaper site to very hard core porn site calling itself "PornTube". All of the images there lead to the following malware, by claiming a new Adobe Player is needed to view the movie:

The malware has these characteristics:

File name: adobeflashplayerv10.0.32.18.exe
File size: 17920 bytes
MD5 : 5f49907a0e20b4ddebc6c31bde9eb6f1

Its currently only detected by 8 of 41 anti-virus products at VirusTotal, however several anti-virus products will still protect from this type of attack by blocking the malicious website on which the malware is hosted:

which is hosted in the Ukraine on the IP address

This IP address is well-known as a malware infection site, hosting such domains as:

again, avoid these webpages as they all lead to malware!

The newest web domain was created toay by a user using the email:

The registrar was one frequented by Ukrainian criminals regularly, the Chinese registrar: 广东时代互联科技有限公司 (also known as "").

Other in the group used other emails and registrars, such as: who used OnlineNIC
or who used Directi Internet Solutions
or who also used 广东时代互联科技有限公司

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.