
The Mac Trail to 213.182.197

June 18th, 2009

Since I started following this Mac Trojan I have come across several valuable links.

In particular, I am investigating the 213.182.197.0/24 netblock.

Here is what is hosted there:

name                        record  ip               reverse
bests.at                    a       213.182.197.2    (none)  ?
fcoder.at                   a       213.182.197.2    (none)
kirgo.at                    a       213.182.197.2    (none)
8070372.com                 a       213.182.197.4    (none)
zeus-logs.biz               a       213.182.197.4    (none)
-                                   213.182.197.7    (none)
bestxvids.info              a       213.182.197.8    mxs.newhostgroup.ru
freewebxxx.info             a       213.182.197.8    mxs.newhostgroup.ru
hotfreexxx.info             a       213.182.197.8    mxs.newhostgroup.ru
mail.2todays.com            a       213.182.197.8    mxs.newhostgroup.ru
mail.freewebxxx.info        a       213.182.197.8    mxs.newhostgroup.ru
mail.hotfreexxx.info        a       213.182.197.8    mxs.newhostgroup.ru
mail.newhostgroup.ru        a       213.182.197.8    mxs.newhostgroup.ru
mail.tubeololo.org          a       213.182.197.8    mxs.newhostgroup.ru
mail.worldtube.su           a       213.182.197.8    mxs.newhostgroup.ru
ns1.2todays.com             a       213.182.197.8    mxs.newhostgroup.ru
ns1.freewebxxx.info         a       213.182.197.8    mxs.newhostgroup.ru
ns1.good777.ru              a       213.182.197.8    mxs.newhostgroup.ru
ns1.goxxxweb.info           a       213.182.197.8    mxs.newhostgroup.ru
ns1.sabroski.com            a       213.182.197.8    mxs.newhostgroup.ru
ns1.tubeololo.org           a       213.182.197.8    mxs.newhostgroup.ru
ns1.zoosexvideo.net         a       213.182.197.8    mxs.newhostgroup.ru
ns2.goxxxweb.info           a       213.182.197.8    mxs.newhostgroup.ru
ns2.hotfreexxx.info         a       213.182.197.8    mxs.newhostgroup.ru
ns2.siteload.cn             a       213.182.197.8    mxs.newhostgroup.ru
ns2.yesey.net               a       213.182.197.8    mxs.newhostgroup.ru
ns2.zoosexvideo.net         a       213.182.197.8    mxs.newhostgroup.ru
sabroski.com                a       213.182.197.8    mxs.newhostgroup.ru
seexxxfree.info             a       213.182.197.8    mxs.newhostgroup.ru
uniquexsoftware.com         a       213.182.197.8    mxs.newhostgroup.ru
vipwarezz.com               a       213.182.197.8    mxs.newhostgroup.ru
worldtube.su                a       213.182.197.8    mxs.newhostgroup.ru
www.freewebxxx.info         a       213.182.197.8    mxs.newhostgroup.ru
www.goxxxweb.info           a       213.182.197.8    mxs.newhostgroup.ru
www.sabroski.com            a       213.182.197.8    mxs.newhostgroup.ru
www.seexxxfree.info         a       213.182.197.8    mxs.newhostgroup.ru
mxs.newhostgroup.ru         ptr     213.182.197.8
ns2.bestxvids.info          a       213.182.197.10   (none)
ns2.freewebxxx.info         a       213.182.197.10   (none)
ns2.good777.ru              a       213.182.197.10   (none)
ns2.mac-videos.com          a       213.182.197.10   (none)
ns2.newhostgroup.ru         a       213.182.197.10   (none)
ns2.viagrabe.com            a       213.182.197.10   (none)
ns2.worldtube.su            a       213.182.197.10   (none)
barmatuxa.info              a       213.182.197.12   (none)
zapalinfo.info              a       213.182.197.12   (none)
ns1.bestxvids.info          a       213.182.197.13   (none)
ns1.hotfreexxx.info         a       213.182.197.13   (none)
ns1.siteload.cn             a       213.182.197.13   (none)
ns1.tube84.com              a       213.182.197.13   (none)
wkontkte.ru                 a       213.182.197.13   (none)
hostnsload.cn               a       213.182.197.14   (none)
mail.hostnsload.cn          a       213.182.197.14   (none)
mail.megavipsite.cn         a       213.182.197.14   (none)
mail.siteload.cn            a       213.182.197.14   (none)
megavipsite.cn              a       213.182.197.14   (none)
siteload.cn                 a       213.182.197.14   (none)
adultelitiest.ru            a       213.182.197.20   (none)
dns-lv9720.com              a       213.182.197.20   (none)
mail.dangerousteens.com     a       213.182.197.20   (none)
mail.dns-lv9720.com         a       213.182.197.20   (none)
mail.openstat.ws            a       213.182.197.20   (none)
mail.toponline-video.net    a       213.182.197.20   (none)
ns1.dns-lv9720.com          a       213.182.197.20   (none)
ns2.dns-lv9720.com          a       213.182.197.20   (none)
openstat.ws                 a       213.182.197.20   (none)
toponline-video.net         a       213.182.197.20   (none)
-                                   213.182.197.21   (none)
ns1.freednshostserver.com   a       213.182.197.23   (none)
ns2.bio-a.ru                a       213.182.197.23   (none)
ns2.dub-dubom.ru            a       213.182.197.23   (none)
ns2.icq-stanet-platnoy.ru   a       213.182.197.23   (none)
ns2.iqdoza.ru               a       213.182.197.23   (none)
ns2.lifezilla.ru            a       213.182.197.23   (none)
ns2.litegreatestdirect.cn   a       213.182.197.23   (none)
ns2.mixmediadirect.cn       a       213.182.197.23   (none)
ns3.freednshostway.com      a       213.182.197.23   (none)
-                                   213.182.197.28   (none)
traffanalizer.cn            a       213.182.197.40   (none)
-                                   213.182.197.227  (none)
*.1st.abdulabah.cn          a       213.182.197.229  (none)
1st.abdulabah.cn            a       213.182.197.229  (none)
807037.com                  a       213.182.197.229  (none)
bjbotnet.cn                 a       213.182.197.229  (none)
domenzmonz.cn               a       213.182.197.229  (none)
firex-labz.com              a       213.182.197.229  (none)
groos.ru                    a       213.182.197.229  (none)
kazantipwords.ru            a       213.182.197.229  (none)
lafi.babjr.cn               a       213.182.197.229  (none)
mssys.net                   a       213.182.197.229  (none)
muhamed.cn                  a       213.182.197.229  (none)
odnoklassniki.groos.ru      a       213.182.197.229  (none)
www.1st.abdulabah.cn        a       213.182.197.229  (none)
www.abdulabah.cn            a       213.182.197.229  (none)
www.acidbot.cn              a       213.182.197.229  (none)
www.lafi.babjr.cn           a       213.182.197.229  (none)
yes04ka.cn                  a       213.182.197.229  (none)
-                                   213.182.197.230  (none)

Let's check out a very obvious one, mac-videos.com. Mac OS X users visiting this site can get infected with the Jahlav Trojan.

[Screenshot: mac-videos.com]

The sample flies completely under the radar, as this VirusTotal screenshot shows:

[Screenshot: VirusTotal detection results]

Just when you think it's over, here is more from 213.182.197.13:

[Screenshot: DNS records for 213.182.197.13]

You can see the fake PornTube sites riddled with malware and, worth pointing out, a social networking site called Vkontakte. It is the equivalent of Facebook in Russia, Ukraine and Belarus.

It is not the real site though: a small typo in the domain name (wkontkte.ru, hosted on 213.182.197.13 above) and a look-alike design.

[Screenshot: the fake Vkontakte site]

This is the legitimate site:

[Screenshot: the legitimate Vkontakte site]

The trail never seems to end! Fake codecs, illegal adult content, phishing sites… Steer clear of those sites!
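To make this kind of netblock pivot repeatable, here is an added Python example (not part of the original post and not a tool the author used) that parses records in the "name record ip reverse" layout of the listing above, groups hostnames by IP, and flags any label that is a brand name or within a small edit distance of one, which is exactly how wkontkte.ru gives itself away next to vkontakte. The sample records are copied from the listing; the watched-brand list, the allowlist of genuine domains and the distance threshold of 2 are my assumptions.

```python
from collections import defaultdict

# Constructed sample: nine rows copied from the 213.182.197.0/24 listing
# in the post, in its "name record ip reverse" layout.
RECORDS = """\
bests.at a 213.182.197.2 (none)
zeus-logs.biz a 213.182.197.4 (none)
mail.newhostgroup.ru a 213.182.197.8 mxs.newhostgroup.ru
ns2.mac-videos.com a 213.182.197.10 (none)
ns1.tube84.com a 213.182.197.13 (none)
wkontkte.ru a 213.182.197.13 (none)
- 213.182.197.21 (none)
bjbotnet.cn a 213.182.197.229 (none)
odnoklassniki.groos.ru a 213.182.197.229 (none)
"""

# Assumption: brands we want look-alikes of; the post itself only names Vkontakte.
WATCHED_BRANDS = ("vkontakte", "odnoklassniki", "facebook")
# Assumption: the brands' genuine registrable domains, so the real sites are not flagged.
GENUINE_DOMAINS = frozenset({"vkontakte.ru", "odnoklassniki.ru", "facebook.com"})


def parse_records(text):
    """Parse 'name type ip reverse' lines; rows starting with '-' are bare IPs with no forward name."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "-":
            continue
        rows.append({
            "name": parts[0],
            "type": parts[1],
            "ip": parts[2],
            "reverse": parts[3] if len(parts) > 3 else "(none)",
        })
    return rows


def group_by_ip(rows):
    """Map each IP to the hostnames pointing at it (insertion order kept)."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["ip"]].append(r["name"])
    return dict(groups)


def levenshtein(a, b):
    """Edit distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(name):
    """Last two labels, e.g. 'groos.ru' for 'odnoklassniki.groos.ru' (naive: ignores two-label public suffixes)."""
    labels = name.lstrip("*.").split(".")
    return ".".join(labels[-2:])


def find_lookalikes(rows, brands=WATCHED_BRANDS, genuine=GENUINE_DOMAINS, max_distance=2):
    """Return (hostname, brand, distance) for every label that is a brand or a near-miss of one.
    Distance 0 means the brand name is used verbatim under someone else's domain."""
    hits = []
    for r in rows:
        name = r["name"]
        if registrable_domain(name) in genuine:
            continue  # the brand's own site
        labels = name.lstrip("*.").split(".")
        for label in labels[:-1]:  # skip the TLD label
            for brand in brands:
                d = levenshtein(label, brand)
                if d <= max_distance:
                    hits.append((name, brand, d))
    return hits


if __name__ == "__main__":
    rows = parse_records(RECORDS)
    for ip, names in sorted(group_by_ip(rows).items()):
        print(ip, "->", ", ".join(names))
    for name, brand, d in find_lookalikes(rows):
        print(f"look-alike: {name} ~ {brand} (edit distance {d})")
```

Run against the sample it reports wkontkte.ru as two edits away from vkontakte and odnoklassniki.groos.ru as a brand name planted under an unrelated domain; feeding it a full passive-DNS dump for the netblock gives the same per-IP grouping the post walks through by hand.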

Jerome Segura

This entry was posted on Thursday, June 18th, 2009 at 11:43 am and is filed under Malware Trends, Research.

Jerome Segura is a Security Analyst working at ParetoLogic.

© 2009 ParetoLogic Inc.