I’ve noticed some recently increasing activity on the unsolicited comments front to my Crawling Chaos blog as well as trackbacks and pingbacks. This has culminated with something I picked up using my “digital fingerprint”. It’s a link that goes to a webpage like this:
It’s supposedly a simple search string but it fires up my NOD32 with a nice reply shown at right as soon as the page is moved or refreshed. This is especially activated on a page refresh. After activation, it keeps coming back even after doing the correct NOD32 stuff. Finally, the browser crashes out. It takes about 6 goes on NOD32 to terminate and close the virus with the two-step “Terminate” and “Close AV Warning” steps… And it crashes Firefox as well. This means it’s pretty young as it’s a heuristic detection and the proper terminations are upsetting the system.
As you see, it’s blocking an executable being served from Retaguilas.com. The whois return on this name is. Which is not a lot to go on. They seem to want to be alone or at least private, which is at odds with their actions of spamming loads of sites. When I checked, all there was was the simple Apache server first page including the CentOS mention.