More Fake SourceForge Websites Show Up

Two weeks ago we reported on a fake SourceForge website, sourceforgechile.net, which was used to distribute malware. We have since seen more of these fake sites this past week:

• sourceforgebulgaria.net, registered on 05/06/2013
• sourceforgesweden.net, registered on 05/06/2013
• sourceforgecyprus.net, registered on 05/02/2013
• sourceforgeniger.net, registered on 05/01/2013
• sourceforgeestonia.net, registered on 04/26/2013
• sourceforgegrenada.net, registered on 04/26/2013
• sourceforgepalau.net, registered on 04/22/2013
• sourceforgeecuador.net, registered on 04/21/2013
• sourceforgeindiana.net, registered on 04/20/2013
• sourceforgemorocco.net,  registered on 04/19/2013
• sourceforgemyanmar.net ,  registered on 04/19/2013
• sourceforgeyemen.net, registered on 04/06/2013

Each domain has been registered with different WHOIS information, but with the same registrar. All of them are unreachable today (DNS does not resolve).

We were however able to obtain two malicious files found from the these websites before they went dark:

• http://sourceforgeestonia.net/minecraft_xray_texture_pack.exe
• http://sourceforgeecuador.net/airport_firefighter_simulator.exe

The files are very similar to the malicious files from sourceforgechile.net which we analyzed earlier. They drop and hide malicious binaries into the Recycle Bin and are detected as the ZeroAccess Trojan.

It looks like the attacker is still registering new fake SourceForge websites. I'll update this post with new domain that I uncover going forward.