.gov Domains Divert Users to Adult Websites Pushing Adware
According to a warning from security researchers, the DNS (Domain Name Server) of several .gov domains has been compromised and made to host web pages that divert visitors to adult websites. The compromise appears to have been carried out to distribute an adware program named FLVDirect.
An antivirus software firm 'VIPRE' detected this adware as Win32.FLVDirectPlayer.
It has also been found that the adware produces a file which loads the FlvDirect Media Player program. Normally, this program comes bundled with another adware program identified as Adware:Win32/LoudMo. The installers contain an ID that can be checked: an associate firm that deploys a larger number of installers is paid more money for doing so.
The sub-domains seem to be hosted on a server at the Internet Protocol address 184.108.40.206. This IP address is owned by Canaca-com Inc, a company that sells VPS and web-hosting services.
The Win32/FlvDirect adware is obtainable from the FlvDirect Media Player Internet site and it's also possible to camouflage it as other applications.
Moreover, once the program is executed, it may display a splash screen. There may also be an icon, and a message in the installer stating that the user agrees to load 'LoudMo Contextual Ad Assistant' alongside FLV Direct. This second software reportedly takes the guise of a code producer.
The researchers state that a partner of FLV Direct seems to have compromised a DNS as well as appropriated the Kansas state government website's name for diverting users to the FLVDirect site, as reported by Sunbelt BLOG on July 14, 2010.
Apart from the Kansas state government website, several others have been appropriated as well. These are: tubes-0611.uppersiouxcommunity-nsn.gov/1244.html, tubes-1111.yanceycountync.gov/1136.html, tubes-1011.dumontnj.gov/898.html and tubes-0511.woodfin-nc.gov/163.html.
Besides, the cyber criminals have set up sub-domains named in the pattern tubes-####, where # represents a numerical digit, on each and every hacked domain.
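The naming pattern described above can be hunted for in proxy or DNS query logs. The following is an added example, not code from the researchers or the original article; it assumes a whitespace-separated log with the requested URL or host in the third column, and the sample lines (timestamps, client addresses, the example.com entry) are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Leftmost label "tubes-" plus four digits, directly under a .gov parent domain.
PATTERN = re.compile(r"^(tubes-\d{4})\.((?:[a-z0-9-]+\.)+gov)$")

def host_of(field):
    """Return the lower-cased hostname from a URL or a bare host[:port] field."""
    if "://" not in field:
        field = "//" + field          # let urlsplit treat it as a network location
    try:
        host = urlsplit(field).hostname or ""
    except ValueError:                # malformed authority, e.g. broken brackets
        return ""
    return host.rstrip(".")           # drop the trailing dot of a fully qualified name

def find_rogue_subdomains(log_lines, column=2):
    """Map each parent .gov domain to the sorted tubes-#### labels seen under it."""
    hits = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) <= column:
            continue                  # truncated line, nothing to inspect
        m = PATTERN.match(host_of(parts[column]))
        if m:
            hits[m.group(2)].add(m.group(1))
    return {parent: sorted(labels) for parent, labels in hits.items()}

# Constructed log lines (assumed format): timestamp, client, requested URL or host.
SAMPLE_LOG = [
    "2010-07-14T09:01:02 10.0.0.5 http://tubes-0611.uppersiouxcommunity-nsn.gov/1244.html",
    "2010-07-14T09:01:09 10.0.0.7 http://TUBES-1111.yanceycountync.gov./1136.html",
    "2010-07-14T09:02:30 10.0.0.5 http://www.dumontnj.gov/",
    "2010-07-14T09:03:11 10.0.0.9 tubes-1011.dumontnj.gov:80",
    "2010-07-14T09:04:00 10.0.0.9 http://tubes-0511.example.com/163.html",
    "2010-07-14T09:05:00 10.0.0.9",
]

if __name__ == "__main__":
    for parent, labels in sorted(find_rogue_subdomains(SAMPLE_LOG).items()):
        print(parent, labels)
```

Grouping hits by parent domain gives each zone owner a list of labels to compare against the records they actually published.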
It further seems that the .gov site names have been appropriated to divert users to the XXXBlackBook.com adult dating website, state the researchers.
Hence, it is advisable that users always keep their security software up-to-date to ensure self-protection from PC worms, viruses and other malicious programs.
» SPAMfighter News - 29-07-2010