NEWS FROM THE LAB - Wednesday, November 8, 2006
Case Wikipedia Posted by Mikko @ 12:01 GMT

Two days ago, the German version of Wikipedia was targeted in an attack where the encyclopedia entry for the Blaster worm was modified to include download links for a fake patch. If you followed the links and installed the patch, you got hit with a trojan instead.

The official Wikipedia pages (and archives) were cleaned quickly. But now some clown is mailing around German language e-mails with the following content:

[Screenshot: the German-language e-mail]

If you follow the links in the e-mail, you'll end up on a Wikipedia lookalike page at "wikipedia-download.org", which is actually running on a server named "h4serv.webhostingoutsourcing.com".

The page has several download links for patches (although they all download the same file):

[Screenshot: the lookalike download page with its patch links]

Interestingly, the download (which we block as Trojan-Dropper.Win32.Small.atq) actually installs the original patch from Microsoft - and then drops a trojan. Nice.

The rogue domain "wikipedia-download.org" has nothing to do with real Wikipedia. However, it has been registered with exactly the same registration information as the real wikipedia.org domain.

[Screenshot: whois record for wikipedia-download.org]

While the real Wikipedia is registered to an address in St. Petersburg, Florida, USA, the IP address of the fake site geolocates to St. Petersburg, Russia.

[Image: WikiWiki]
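The trick at the heart of this campaign is a domain that carries the brand name ("wikipedia-download.org") but is not the brand's registrable domain ("wikipedia.org"), hosted on a third-party server. The following is an added example, not code from the original post or from F-Secure: a small Python triage routine that pulls the links out of an e-mail body and flags any host that mentions the brand without belonging to its real domains. The allowlist, the brand keywords, the sample e-mail body and the URL paths in it are assumptions constructed for illustration; only the domain names "wikipedia-download.org" and "wikipedia.org" come from the post.

```python
import re
from urllib.parse import urlparse

# Assumption: the domains the brand legitimately uses (a short allowlist for illustration).
LEGIT_DOMAINS = {"wikipedia.org", "wikimedia.org"}
# Assumption: brand strings whose presence in a foreign host is suspicious.
BRAND_KEYWORDS = ("wikipedia", "wikimedia")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Return the last two labels of a host name.

    This is a deliberate simplification: production code should consult the
    Public Suffix List so that e.g. 'example.co.uk' is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url):
    """Classify a URL as 'legit', 'lookalike' or 'other'.

    'lookalike' means the host contains a brand keyword but its registrable
    domain is not one the brand actually owns. This also catches the
    subdomain variant 'wikipedia.org.example.net', whose registrable domain
    is 'example.net'.
    """
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "other"
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legit"
    if any(keyword in host for keyword in BRAND_KEYWORDS):
        return "lookalike"
    return "other"


def triage_email(body):
    """Extract every URL from an e-mail body and pair it with its verdict."""
    return [(url, classify_link(url)) for url in URL_RE.findall(body)]


def lookalike_links(body):
    """Return only the URLs that point at a brand-lookalike host."""
    return [url for url, verdict in triage_email(body) if verdict == "lookalike"]


# Constructed sample e-mail body (not the real message from the campaign).
# The hostname wikipedia-download.org is from the post; the paths are invented.
SAMPLE_EMAIL = """\
Important: a patch for the Blaster worm is available.
Background: http://de.wikipedia.org/wiki/W32.Blaster
Download the patch here: http://wikipedia-download.org/patch/update.exe
Mirror: http://wikipedia.org.example.net/patch.exe
Vendor information: http://www.microsoft.com/
"""

if __name__ == "__main__":
    for url, verdict in triage_email(SAMPLE_EMAIL):
        print(f"{verdict:10s} {url}")
```

A real mail gateway would add a second signal the post hints at: comparing the registrant details in the whois record with the hosting location, since a record copied from wikipedia.org but an IP in a different country is exactly the mismatch seen here.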