Geolocatiedienst Utility of Porn Sites Utilized to Identify Infected PCs’ Location

According to researchers from security firm, Websense, a malware strain has been revealed from infected computers offering adult dating websites. As the service utilizes geo-location service, the location of an infected system can be determined easily without difficulty.

Innumerable malicious programs examined within the firm's laboratory reached out to the URL promos.fling.com/geo/txt.city.php. Initially, the researchers wondered if it was any central command-and-control (C&C) system of a malicious network-of-bots.

The URL marked as "Hottest Place to Hook Up", enticed netizens towards meeting the hottest members in San Diego", the city where the Websense Security Labs is located. And it is at this juncture that the crafty site promos.fling.com/geo/txt.city.php starts its malicious activity.

The investigation displayed that the promos.fling.com was a pornographic site and investigators also found that its geolocatiedienst was utilized for finding out where the visitors were based.

Utilizing Wireshark, one network apparatus for performance during a sale-and-purchase racket of malicious programs taking help of the geo-location service, enables end-users for viewing additional information that is already exposed.
The research also revealed the URL fling.com is an adult site and its unsecured geo-location services are utilized by geolocatiedienst for identifying the location of visitors. Also, the JavaScript incorporated inside the malicious software precisely determines the physical situation such as state, city, longitude and latitude of the contaminated PC at the other end.

Websense states that over 4,775 items of this still un-named malicious software pushing the assault are with its laboratory. These are perhaps utilized for computing statistical data alternatively infecting PCs within a specified geographical location.
Perceiving the geolocation of the abused service, security researchers can establish the link wherein, for instance, Canada's country code CA within a given user-agent can be utilized for revealing the C&C system contaminated.

The security company also detected other possible C&C links within the external links pertaining to the said malware items. It found that the links attempted at concealing the malevolent HTTP with the help of a counterfeit string of the user-agent namely "user-Agent: opera/6 (windows NT 5.1; CA; LangID= x86)".

Specialists advise end-users for remaining wary about such uninvited websites that cyber-criminals chiefly use.

» SPAMfighter News - 5/16/2012