URL shortners redirecting me to virus scam pages

I have not yet found out who or what is the culprit, but this has now occurred once to often to be just a coincidence.

Today I clicked a link in Jesse Liberty’s tweet: http://wp-7.me/wpfs-43 and instead of sending me the to correct page, I was confronted with this page: http://jlpbyutk.co.cc/scan1/87


Almost convincing on Windows 7

Ofcourse these type of pages play hard to get, so any click, or keyboard action is always targeted to you downloading its evil payload: freesystemscan.exe

An executable to load your system full of fresh malware, despite it’s friendly name.

[Funny, while typing this blog post, the actual URL above is already dead in the water, and the request for the above file results in a 404 Not Found] 


So who is the evil guy? Unfortunately this is not easy reproducible, so I can not look at how I got to the evil page. The obvious suspects are all trustworthy enough:

Is it MetroTwit? The Twitter client offering the url? As far as I can tell (using fiddler) it just offers up the url and does nothing further. As I also have come across this on my WP7, it quickly removes the app from the suspect list.

Is it wp-7.me? The domain is registered to Jesse Liberty, I would not suspect the man to undermine his own credibility. However, the shortened url’s seem to be redirected to bit.ly? Fiddler does not offer much info here as the request to the URL returns this raw data:

HTTP/1.1 301 Moved
Server: nginx
Date: Tue, 15 Mar 2011 12:39:59 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Cache-control: private; max-age=90
MIME-Version: 1.0
Content-Length: 167

<a href="
http://jesseliberty.com/2011/03/14/from-android-to-windows-phone/#more-4448">moved here</a>

Is it bit.ly? As the title in the document would make me suspect it has something to do with it? Or is this some evil that has crept into the nginx server? An unpatched server somewhere that hackers abuse?

UPDATE: I was reading the above blog post from Jesse and clicked through to another post ‘WP7 development from scratch – Index’ (from memory) and suddenly I got this on my screen


And my brower window is reduced to


Fiddler also has this screen open, I hope it continued to log the requests:


Posted by: Rudi Larno
Last revised: 19 Jan, 2012 08:47 PM


No comments yet. Be the first!

blog comments powered by Disqus