Two weeks ago we reported on a fake SourceForge website, sourceforgechile.net, which was used to distribute malware. We have since seen more of these fake sites this past week:
- sourceforgebulgaria.net, registered on 05/06/2013
- sourceforgesweden.net, registered on 05/06/2013
- sourceforgecyprus.net, registered on 05/02/2013
- sourceforgeniger.net, registered on 05/01/2013
- sourceforgeestonia.net, registered on 04/26/2013
- sourceforgegrenada.net, registered on 04/26/2013
- sourceforgepalau.net, registered on 04/22/2013
- sourceforgeecuador.net, registered on 04/21/2013
- sourceforgeindiana.net, registered on 04/20/2013
- sourceforgemorocco.net, registered on 04/19/2013
- sourceforgemyanmar.net, registered on 04/19/2013
- sourceforgeyemen.net, registered on 04/06/2013
We were, however, able to obtain two malicious files from these websites before they went dark:
- http://sourceforgeestonia.net/minecraft_xray_texture_pack.exe
- http://sourceforgeecuador.net/airport_firefighter_simulator.exe
It looks like the attacker is still registering new fake SourceForge websites. I'll update this post with new domains that I uncover going forward.