Many great things have been touted about Web 2.0, among them that it will bring a richer, freer, and more community-driven experience to all users. Technologies like wikis and blogs, along with services like Flickr and YouTube, are prime examples of how the Web has evolved to encourage community participation. What these services really do is bring freedom of speech to the masses. Unfortunately, the masses also include the “bad”.
Wikipedia has long been a target for mischief makers who abuse the ability of anyone to freely create and edit entries in the encyclopedia. Usually the abuse amounts to no more than inserting false information into articles. Recently, we received reports that the German version of Wikipedia has been used by malware creators to distribute their creations by modifying a page to point at their malicious programs. According to the reports, a Wikipedia entry about W32.Blaster was modified to point at fake Microsoft Windows patches. When executed, these fake patches installed a Trojan horse program. We are detecting the fake patch program (WindowsXP-KB823980-x86-DEU.exe, WindowsServer2003-KB823980-i64-DEU.exe, WindowsServer2003-KB823980-x86-DEU.exe, WindowsXP-KB823980-i64-DEU.exe, WindowsXP-KB823980-x86-DEU.exe; all are the same file under different names) as Trojan.Dropper, and the dropped file (miglibnt32.dll) as a Trojan horse program. An interesting point about the fake patches is that they actually contain the real files from the official patches: when the fake patch program is run, it extracts and installs the official patch along with the Trojan.
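One detail above is useful for triage on its own: five differently named "patches" for different Windows versions and architectures were all the same file, whereas genuine platform-specific installers (x86 versus i64, XP versus Server 2003) are distinct binaries. The following script, an added example that is not part of the original post or of any Symantec tooling, hashes a set of downloaded files and flags any single payload that is being distributed under several patch-style names. The file contents are constructed placeholder bytes, not the real samples; only the filenames come from the post.

```python
import hashlib
import re
from collections import defaultdict

# Microsoft-style hotfix filename: product, KB number, architecture, language.
# The pattern is an assumption derived from the names quoted in the post.
PATCH_NAME_RE = re.compile(
    r"^Windows(?:XP|Server2003)-KB\d+-(?:x86|i64)-[A-Z]{3}\.exe$"
)


def sha256_hex(data: bytes) -> str:
    """Content hash used to decide whether two downloads are the same file."""
    return hashlib.sha256(data).hexdigest()


def find_shared_content(samples: dict[str, bytes]) -> list[dict]:
    """Group files by content hash and report every hash that appears under
    more than one patch-style name.  A legitimate patch set never shares bytes
    across architectures or products, so such a group is a red flag."""
    by_digest: dict[str, list[str]] = defaultdict(list)
    for name, data in samples.items():
        by_digest[sha256_hex(data)].append(name)

    findings = []
    for digest, names in sorted(by_digest.items()):
        patch_like = sorted(n for n in names if PATCH_NAME_RE.match(n))
        if len(patch_like) > 1:
            findings.append({"sha256": digest, "names": patch_like})
    return findings


# Constructed sample set: the five filenames from the post pointing at one
# identical blob, plus one unrelated file that should not be reported.
FAKE_PATCH_BYTES = b"MZ\x90\x00constructed-placeholder-dropper-body"
SAMPLES = {
    "WindowsXP-KB823980-x86-DEU.exe": FAKE_PATCH_BYTES,
    "WindowsServer2003-KB823980-i64-DEU.exe": FAKE_PATCH_BYTES,
    "WindowsServer2003-KB823980-x86-DEU.exe": FAKE_PATCH_BYTES,
    "WindowsXP-KB823980-i64-DEU.exe": FAKE_PATCH_BYTES,
    "WindowsXP-KB823980-x86-DEU.exe ": FAKE_PATCH_BYTES,  # trailing space variant
    "readme.txt": b"constructed unrelated file",
}


def report(samples: dict[str, bytes] = SAMPLES) -> list[dict]:
    findings = find_shared_content(samples)
    for f in findings:
        print(f"{f['sha256'][:16]}... served under {len(f['names'])} patch names:")
        for n in f["names"]:
            print(f"  {n}")
    return findings


if __name__ == "__main__":
    report()
```

In practice the input would be the download directory of a proxy or mail gateway rather than an inline dict; the check is deliberately independent of the payload's actual contents, so it keeps working after the dropper is repacked as long as the distribution trick (one file, many platform names) is reused.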
While the Wikipedia entry for W32.Blaster has now been restored, another fake Wikipedia “phishing” page is still live at this time, hosting a fake article about W32.Blaster that links to those same fake patches. The fake Wikipedia page even goes so far as to claim that Wikipedia has agreed to host the patches for Microsoft in order to help stop the worm. Unfortunately for Wikipedia, its own success and the inherent weaknesses of its usage model have brought it onto the radar of the malcode creators.