Gmail Downtime Exposes Ad-Rigged Site
- Wednesday, February 25, 2009, 4:46
- Threat Research
The Gmail downtime experienced today may have caused a nasty ruckus among frustrated users, but unknown to those users is an issue bigger than not being able to access email messages.
In the midst of the commotion brought about by the outage lasting only a few hours, cybercriminals managed to squeeze in an attempt to distribute malicious files to unknowing users.
During the downtime, searches for the string “gmail down” yielded a Google Group page, also named “Gmail down,” as the top result. Trend Micro Researcher Loucif Kharouni reports that the said page was found displaying a banner with images related to pornography, which then pointed to a pornographic website. But what’s more dangerous is that links on the said webpage lead to malicious files.
Figure 1. Google Group website set up to distribute malware
Figure 2. Malicious links found on the Gmail down Google Group webpage
The link Really young good looking teenager-547b4.html redirects to two different URLs. First, the URL hxxp:// {BLOCKED}worldx.com/software/f352d5ac52/10410/1/Setup.exe prompts the download of a file detected as TROJ_PROXY.AEI. Kharouni reported that TROJ_PROXY.AEI drops two files—a BAT file and a DLL file. The BAT file is used to load the DLL file, which in turn modifies the registry entries related to proxy server settings. This causes the results to user (continue reading...)
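Because the dropped DLL described above tampers with per-user proxy settings, a quick way to check a Windows host after such an incident is to audit the proxy values in every loaded user hive. The script below is an added example written for this post, not code from Trend Micro or from the malware analysis; it assumes the legitimate proxy (if any) is listed in the constructed $Allowed list and that it is run with enough rights to read other users' hives.

```powershell
# Added example: audit per-user Internet Settings proxy values for unexpected entries.
# $Allowed is a constructed placeholder; replace it with your environment's real proxy, if any.
$Allowed  = @('proxy.corp.example:8080')
$Findings = @()

# HKU: is not mapped by default; map it so every loaded user hive can be inspected.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Only real user SIDs (S-1-5-21-...), skipping the *_Classes hives.
$userHives = Get-ChildItem HKU:\ | Where-Object {
    $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notlike '*_Classes'
}

foreach ($hive in $userHives) {
    $key = "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $p) { continue }

    # A manually configured proxy that is enabled but not on the allowlist.
    if ($p.ProxyEnable -eq 1 -and $p.ProxyServer -and ($Allowed -notcontains $p.ProxyServer)) {
        $Findings += [pscustomobject]@{ Sid = $hive.PSChildName; Setting = 'ProxyServer'; Value = $p.ProxyServer }
    }
    # Any PAC URL deserves a look: it can silently route traffic through an attacker-chosen proxy.
    if ($p.AutoConfigURL) {
        $Findings += [pscustomobject]@{ Sid = $hive.PSChildName; Setting = 'AutoConfigURL'; Value = $p.AutoConfigURL }
    }
}

if ($Findings) { $Findings | Format-Table -AutoSize } else { 'No unexpected proxy settings found.' }
```

Any hit should be correlated with recently created BAT/DLL files on the host before the proxy value is reverted, since the loader may simply rewrite it.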