Zscaler to Expand Zero Trust Exchange Platform's AI Cloud with Data Fabric Purpose-built for Security

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

More Fake SourceForge Websites Show Up

image
JULIEN SOBRIER
April 30, 2013 - 1 min read
Two weeks ago we reported on a fake SourceForge website, sourceforgechile.net, which was used to distribute malware. We have since seen more of these fake sites this past week:
  • sourceforgebulgaria.net, registered on 05/06/2013
  • sourceforgesweden.net, registered on 05/06/2013
  • sourceforgecyprus.net, registered on 05/02/2013
  • sourceforgeniger.net, registered on 05/01/2013
  • sourceforgeestonia.net, registered on 04/26/2013
  • sourceforgegrenada.net, registered on 04/26/2013
  • sourceforgepalau.net, registered on 04/22/2013
  • sourceforgeecuador.net, registered on 04/21/2013
  • sourceforgeindiana.net, registered on 04/20/2013
  • sourceforgemorocco.net,  registered on 04/19/2013
  • sourceforgemyanmar.net ,  registered on 04/19/2013
  • sourceforgeyemen.net, registered on 04/06/2013
Each domain has been registered with different WHOIS information, but with the same registrar. All of them are unreachable today (DNS does not resolve).

We were however able to obtain two malicious files found from the these websites before they went dark:
  • http://sourceforgeestonia.net/minecraft_xray_texture_pack.exe
  • http://sourceforgeecuador.net/airport_firefighter_simulator.exe
The files are very similar to the malicious files from sourceforgechile.net which we analyzed earlier. They drop and hide malicious binaries into the Recycle Bin and are detected as the ZeroAccess Trojan.

It looks like the attacker is still registering new fake SourceForge websites. I'll update this post with new domain that I uncover going forward.
form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.