Today I looked a bit closer at the response sent from chromeupdatecenter.com to the malware's request. The malware connects to port 8080, most likely because the “malware webservice” runs on a separate HTTP server instance (the headers state nginx, while the main page supposedly runs on Apache on an Ubuntu server). I found that the first 22152 bytes contain a bitmap. This bitmap is later saved to the user's temporary path (on Windows 7 to C:\Users\$USERNAME\AppData\Local\Temp\32239.bmp).
Desktop wallpaper after infection
The image length also matches the header “ACC”, which states 22152. The length of a bitmap is also available from its own file header, though, which would make the server code a bit simpler; maybe something for their next version 😉
However, after the bitmap there are still 493 bytes left. This should be either the encryption key or the message in the AlertEncryptor.txt files…
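As an added example (not the author's code), here is a Python parser for the response layout described above. It assumes the declared length arrives as an HTTP response header named ACC and that the body is the raw bytes after the headers; it splits the body at the declared length, cross-checks that value against the bitmap's own bfSize field, and returns the trailing bytes for further analysis. The bitmap used here is a constructed stand-in, not the real wallpaper.

```python
import struct


def build_bmp(width, height):
    """Construct a minimal 24-bit BMP (constructed sample, not the real sample)."""
    row = (width * 3 + 3) & ~3          # rows are padded to 4-byte boundaries
    pixel_bytes = row * height
    size = 14 + 40 + pixel_bytes        # BITMAPFILEHEADER + BITMAPINFOHEADER + pixels
    file_hdr = struct.pack("<2sIHHI", b"BM", size, 0, 0, 54)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24,
                           0, pixel_bytes, 2835, 2835, 0, 0)
    return file_hdr + info_hdr + bytes(pixel_bytes)


def bmp_size_from_header(data):
    """Return the bfSize field from a BMP file header, or None if data is not a BMP."""
    if len(data) < 14 or data[:2] != b"BM":
        return None
    return struct.unpack_from("<I", data, 2)[0]   # bfSize, little-endian uint32 at offset 2


def split_response(body, acc_header):
    """Split a C2 response body into (bitmap, trailing_bytes).

    acc_header is the value of the assumed ACC header (e.g. "22152").
    The declared length is checked against the BMP header before use, so a
    server that lies about the length is caught instead of silently
    mis-splitting the trailing payload.
    """
    declared = int(acc_header)
    bmp_len = bmp_size_from_header(body)
    if bmp_len is None:
        raise ValueError("body does not start with a BMP")
    if bmp_len != declared:
        raise ValueError(f"ACC header says {declared} but BMP header says {bmp_len}")
    if declared > len(body):
        raise ValueError("body is shorter than the declared bitmap length")
    return body[:declared], body[declared:]


if __name__ == "__main__":
    # Constructed body: a tiny bitmap followed by 493 opaque bytes, mirroring the
    # 22152 + 493 layout observed in the real response.
    bmp = build_bmp(4, 4)
    response_body = bmp + bytes([0x41]) * 493
    image, tail = split_response(response_body, str(len(bmp)))
    print(f"bitmap: {len(image)} bytes, trailing data: {len(tail)} bytes")
```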
Recently I switched to Google's Chrome browser (to be exact, the open source variant Chromium). Chrom(e/ium) simply uses fewer resources; you will notice this when you have a lot of tabs open, as I usually do 🙂
Right away I missed the keywords I had configured for Firefox's keyword search. Chrome has that feature too. Here's how you can add your own search keywords in Chrome:
- Browse to the website you want to search with a keyword (for example http://en.wikipedia.org/)
- Right-click in the URL bar to open the context menu
- Click on Edit Search Engines
- You get a three-column table. Chrome detects the search parameter itself (alternatively you can insert the usual “%s” placeholder into the search URL)
- In the second column you can set your keyword (e.g. “we” for [w]ikipedia [e]nglish)
Now you can type “we Test” and you will land on the Wikipedia page about “Test”.