Malware developers continue to clone SourceForge Web sites that appear to offer the source code for popular gaming software but are actually peddling malicious code tied to the ZeroAccess Trojan.
Julien Sobrier, a security researcher for San Jose-based cloud security provider Zscaler, on Tuesday outlined several more malicious clones of the popular file-sharing site, some of which appeared to offer modification code for Minecraft (http://sourceforgeestonia.net/minecraft_xray_texture_pack.exe) and source code for Airport Firefighter Simulator (http://sourceforgeecuador.net/airport_firefighter_simulator.exe) before they were taken offline.
Sobrier earlier this month discovered similar malware on a fake version of sourceforgechile.net. This past week, in addition to the bogus sites appearing to come from Estonia and Ecuador, fake Web sites were registered in the United States for sourceforgegrenada.net, sourceforgepalau.net, sourceforgeindiana.net, sourceforgemorocco.net, sourceforgemyanmar.net and sourceforgeyemen.net.
The tainted files register as a Windows service and drop malicious binaries in a victim’s Recycle Bin, then hide out with innocuous-sounding file names like Desktop.ini. The malware has the ability to inject code into other threads and DLLs and can connect to some 20 IPs using port 16471.
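As an added example (not from the article or from Zscaler), a small Python scanner that turns the behaviours just described into detection indicators and runs them over constructed endpoint events: execution or service registration from the Recycle Bin under a data-file name, and fan-out to several peers on port 16471. The key=value log format, paths, addresses and the peer threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample endpoint events in a simplified key=value format (illustrative,
# not real EDR/Sysmon output). Paths and addresses are made up; the Recycle Bin
# location and port 16471 follow the behaviour described in the article.
SAMPLE_EVENTS = [
    "type=process image=C:\\Users\\alice\\Downloads\\minecraft_xray_texture_pack.exe",
    "type=service_install image=C:\\$Recycle.Bin\\S-1-5-21-1\\Desktop.ini",
    "type=process image=C:\\$Recycle.Bin\\S-1-5-21-1\\Desktop.ini",
    "type=network image=C:\\$Recycle.Bin\\S-1-5-21-1\\Desktop.ini dst=203.0.113.10 dport=16471",
    "type=network image=C:\\$Recycle.Bin\\S-1-5-21-1\\Desktop.ini dst=203.0.113.11 dport=16471",
    "type=network image=C:\\$Recycle.Bin\\S-1-5-21-1\\Desktop.ini dst=203.0.113.12 dport=16471",
    "type=network image=C:\\Program Files\\Browser\\browser.exe dst=198.51.100.5 dport=443",
    "type=process image=C:\\Windows\\System32\\svchost.exe",
]

RECYCLE_BIN = re.compile(r"\\\$recycle\.bin\\", re.IGNORECASE)
ZEROACCESS_PORT = 16471  # peer/C2 port named in the article
PEER_THRESHOLD = 3       # assumed threshold; the article cites roughly 20 peers

def parse_event(line):
    """Split 'k=v k=v ...' into a dict; values may contain spaces (e.g. Program Files)."""
    return {k: v for k, v in re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line)}

def event_indicators(ev):
    """Per-event indicators derived from the dropper behaviour the article describes."""
    hits, image = [], ev.get("image", "")
    if RECYCLE_BIN.search(image):
        hits.append("executing from Recycle Bin")
        if not image.lower().endswith(".exe"):
            hits.append("code disguised as data file (e.g. Desktop.ini)")
        if ev.get("type") == "service_install":
            hits.append("service registered from Recycle Bin")
    if ev.get("type") == "network" and ev.get("dport") == str(ZEROACCESS_PORT):
        hits.append(f"outbound to port {ZEROACCESS_PORT}")
    return hits

def scan(lines):
    """Aggregate indicators per image and flag fan-out to many peers on the C2 port."""
    findings = defaultdict(lambda: {"indicators": set(), "peers": set()})
    for ev in map(parse_event, lines):
        image = ev.get("image", "")
        for hit in event_indicators(ev):
            findings[image]["indicators"].add(hit)
        if ev.get("type") == "network" and ev.get("dport") == str(ZEROACCESS_PORT):
            findings[image]["peers"].add(ev.get("dst"))
    for f in findings.values():
        if len(f["peers"]) >= PEER_THRESHOLD:
            f["indicators"].add(f"fans out to {len(f['peers'])} peers on {ZEROACCESS_PORT}")
    return {img: sorted(f["indicators"]) for img, f in findings.items() if f["indicators"]}

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(reasons))
```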
“This malware is related to the ZeroAccess trojan. The malware makes money by clicking on ads (click fraud) and using the infected PC as part of a wider botnet (zombie PC),” Sobrier said in an earlier blog post.
In Tuesday’s blog post, Sobrier warned that more malicious sites may be coming online soon. Because the bogus files mimic the URLs of legitimate ones bearing the same names, users should take precautionary steps to ensure they download files from reputable sites and scan those downloads for malware before an installation.