Hello and welcome to the Monday, May 4th,

2006 edition of the Sands Internet Storm centers.

Stormcast, my name is Johannes Ulrich,

recording today from Jacksonville, Florida.

And this episode is brought you by the sands.edu graduate certificate program in industrial control systems security.

And in diaries today, we got one of the excellent malvernalysis diaries from Brad.

Brad walks us here through an infection with Mack Sink Steeler.

Now, what makes this particular attack so successful likely is that, well, it takes

full advantage of the entire Google ecosystem. It starts out with a paid ad on Google. If you're

searching for HomeProve, you may be seeing links for this particular malicious version of HomePro, which is then also hosted within Google's pages infrastructure.

So the only URL you're seeing here is business.gov.com, which of course is often not considered malicious.

Now, if the user then clicks on this link,

they're then being sent to a fake HomeProop page.

Now, if you're not familiar with HomePro,

HomePro is essentially a system

that allows you to easily install various open source tools,

so it's very commonly used by Mac users.

And the page here looks very much like the real thing, only that this one, of course, is hosted within sites.com.

Now, just like in the real home proof, you're then being asked to sort of copy-paste shell script in order to execute the installer.

Now, the real version is not obfuscated like the one here.

Here, you're then basically pasting a base 64 encoded string that then leads to execution

and will then download additional tools, including

...