I just ran across one of the most virulent pieces of weblog spam I’ve ever seen. It was an innocuous comment: ‘please help with my website…’ and the URL wasn’t ostentatiously bad:
pseudobreccia60 DOT tripod DOT com DOT ve (please don’t visit this site!)
pseudobreccia, in case you’re wondering, is a kind of rock. ve is the Venezuelan country code. tripod DOT com DOT ve points to ns4.hotwired.com as its authoritative name server. The comment wasn’t blatantly off topic. So, I wasn’t super suspicious of the site.
Being a bit curious, I visited it. What you get is some kind of Flash application. It seems innocent enough, just an ad and an under construction sign. Viewing source shows you nothing, but every time you close the window, or change the location in the address bar, it pops up a new window with the same URL in it (I ended up having to shut the browser down entirely via the Process Manager before it would go away). But the payload is a periodic full-size pop-up window with advertisements for, what else, p0rn. Shocking, I know. But the persistence of the app was amazing. I almost wish I had a Flash decompiler just to take a look at what it was doing.
I was doing all this in Mozilla–I can’t imagine what it tries to do to Internet Explorer (sets up itself as your homepage, adds itself to your favorites) and I don’t want to find out.