URL shorteners redirecting me to virus scam pages

I have not yet found out who or what is the culprit, but this has now occurred once too often to be just a coincidence.

Today I clicked a link in Jesse Liberty’s tweet: http://wp-7.me/wpfs-43 and instead of sending me to the correct page, I was confronted with this page: http://jlpbyutk.co.cc/scan1/87

[image]

Almost convincing on Windows 7

Of course, these types of pages play hard to get, so any click or keyboard action is always aimed at getting you to download its evil payload: freesystemscan.exe

An executable to load your system full of fresh malware, despite its friendly name.

[Funny, while typing this blog post, the actual URL above is already dead in the water, and the request for the above file results in a 404 Not Found] 

[image]

So who is the evil guy? Unfortunately this is not easily reproducible, so I cannot look at how I got to the evil page. The obvious suspects are all trustworthy enough:

Is it MetroTwit, the Twitter client offering the URL? As far as I can tell (using Fiddler) it just offers up the URL and does nothing further. As I have also come across this on my WP7, that quickly removes the app from the suspect list.

Is it wp-7.me? The domain is registered to Jesse Liberty, and I would not suspect the man of undermining his own credibility. However, the shortened URLs seem to be redirected via bit.ly? Fiddler does not offer much info here, as the request to the URL returns this raw data:

HTTP/1.1 301 Moved
Server: nginx
Date: Tue, 15 Mar 2011 12:39:59 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Cache-control: private; max-age=90
Location: http://jesseliberty.com/2011/03/14/from-android-to-windows-phone/#more-4448
MIME-Version: 1.0
Content-Length: 167

<html>
<head>
<title>bit.ly</title>
</head>
<body>
<a href="http://jesseliberty.com/2011/03/14/from-android-to-windows-phone/#more-4448">moved here</a>
</body>
</html>

Is it bit.ly? The title in the document would make me suspect it has something to do with it. Or is this some evil that has crept into the nginx server? An unpatched server somewhere that hackers abuse?
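What Fiddler shows above is a single 301 hop, and the question is really which hop in the chain sends you somewhere other than the expected site. The script below is an added example (not from the original post and not any tool of Jesse Liberty, MetroTwit or bit.ly): it parses a raw HTTP response like the one above, follows `Location` headers one hop at a time without ever fetching the final page body, and reports any host in the chain that is not on a short list of hosts you expect to see. The responses it runs against are constructed, modelled on the 301 shown above plus a made-up chain (`short.example`, `scareware.example`, `loop.example`) that ends on an unexpected host; `fetch_live` is the hypothetical network fetcher you would plug in to trace a real link.

```python
"""Trace a URL shortener's redirect chain hop by hop, without auto-following.

Added example; constructed responses below stand in for a live network.
"""
import http.client
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10


def parse_raw_response(raw):
    """Parse a raw HTTP response into (status, headers, body); header names lower-cased."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.splitlines()
    status = int(lines[0].split(None, 2)[1])  # "HTTP/1.1 301 Moved" -> 301
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def next_hop(url, status, headers):
    """Absolute URL of the next hop for a 3xx response with Location, else None."""
    location = headers.get("location")
    if 300 <= status < 400 and location:
        return urljoin(url, location)  # resolves relative Location values too
    return None


def trace_chain(start_url, fetch, max_hops=MAX_HOPS):
    """Walk the chain. Returns {"hops": [(url, status), ...], "verdict": "ok"|"loop"|"too-many-hops"}."""
    hops, seen, url = [], set(), start_url
    while True:
        if url in seen:
            return {"hops": hops, "verdict": "loop"}
        if len(hops) >= max_hops:
            return {"hops": hops, "verdict": "too-many-hops"}
        seen.add(url)
        status, headers, _ = parse_raw_response(fetch(url))
        hops.append((url, status))
        url = next_hop(url, status, headers)
        if url is None:
            return {"hops": hops, "verdict": "ok"}


def unexpected_hosts(result, trusted_hosts):
    """Hosts touched by the chain that are not in trusted_hosts (shortener + expected destination)."""
    trusted = {h.lower() for h in trusted_hosts}
    return [urlsplit(u).hostname for u, _ in result["hops"] if urlsplit(u).hostname not in trusted]


def fetch_live(url, timeout=10):
    """Hypothetical live fetcher: HEAD request, returns the raw status line + headers only.
    Not exercised here; note some shorteners answer HEAD differently from GET."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn.request("HEAD", path, headers={"User-Agent": "redirect-tracer"})
    resp = conn.getresponse()
    raw = "HTTP/1.1 %d %s\r\n" % (resp.status, resp.reason)
    raw += "".join("%s: %s\r\n" % kv for kv in resp.getheaders()) + "\r\n"
    conn.close()
    return raw


# Constructed responses: the first two mirror the 301 shown in the post, the rest are made up.
CONSTRUCTED = {
    "http://wp-7.me/wpfs-43":
        "HTTP/1.1 301 Moved\r\nServer: nginx\r\nContent-Type: text/html; charset=utf-8\r\n"
        "Location: http://jesseliberty.com/2011/03/14/from-android-to-windows-phone/#more-4448\r\n"
        "Content-Length: 167\r\n\r\n<html><head><title>bit.ly</title></head><body>moved here</body></html>",
    "http://jesseliberty.com/2011/03/14/from-android-to-windows-phone/#more-4448":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>",
    "http://short.example/abc": "HTTP/1.1 302 Found\r\nLocation: /hop2\r\n\r\n",
    "http://short.example/hop2": "HTTP/1.1 302 Found\r\nLocation: http://scareware.example/scan1/87\r\n\r\n",
    "http://scareware.example/scan1/87": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>fake scanner</html>",
    "http://loop.example/a": "HTTP/1.1 301 Moved\r\nLocation: http://loop.example/b\r\n\r\n",
    "http://loop.example/b": "HTTP/1.1 301 Moved\r\nLocation: http://loop.example/a\r\n\r\n",
}


def fetch_constructed(url):
    """Offline fetcher backed by the constructed table above."""
    return CONSTRUCTED[url]


if __name__ == "__main__":
    for start, trusted in [("http://wp-7.me/wpfs-43", ["wp-7.me", "bit.ly", "jesseliberty.com"]),
                           ("http://short.example/abc", ["short.example"])]:
        result = trace_chain(start, fetch_constructed)
        for url, status in result["hops"]:
            print(status, url)
        print("verdict:", result["verdict"], "unexpected:", unexpected_hosts(result, trusted))
```

Because the tracer only ever reads status lines and headers, it never renders or executes anything the last hop serves; the interesting output is the hop at which the host changes to one you did not expect, which is exactly the moment the Fiddler log above would need to capture.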

UPDATE: I was reading the above blog post from Jesse and clicked through to another post, ‘WP7 development from scratch – Index’ (from memory), and suddenly I got this on my screen:

[image]

And my browser window is reduced to:

[image]

Fiddler also has this screen open, I hope it continued to log the requests:

[image]

Posted by: Rudi Larno
Last revised: 19 Jan, 2012 08:47 PM
