Archive for the ‘Fake codecs’ Category


More Mini Me Malware

September 16th, 2009

Mini-Me, AKA Verne Troyer, is generating a lot of interest, which the bad guys are capitalizing on.


By the way, the binary is VM-sensitive: if you want a real analysis, you may need to use a physical PC.


Jerome Segura

Malware ID: e7968e49b1ff6be0e314b625ecb0b5bd.zip

Posted in Fake codecs

A few nasties off porn sites

September 9th, 2009

Our honeypots have identified a few poorly detected Trojans installing rogues, coming from these domains:

vaszxry5.ru
jhyuj76.ru

Their IP is 61.235.117.88

The Bait:

[Screenshot: the bait page]

The hit on the back of the neck:

[Screenshot: the fake warning page]

One lonely detection on VirusTotal:

[Screenshot: VirusTotal results]

Jerome Segura

Malware ID: b157106188c2debab5d2f1337c708e35.zip

Posted in Fake codecs

Office of National Drug Control Policy’s website redirects to malware

September 4th, 2009

The following page, http://adgallery.whitehousedrugpolicy.gov/members/Miley-Cyrus-Nude/default.aspx, tricks you into thinking you will get to watch a Miley Cyrus nude video.

[Screenshot: the Miley Cyrus page]

For one thing, the page is hosted on whitehousedrugpolicy.gov, the site of the Office of National Drug Control Policy (ONDCP):

[Screenshot: the ONDCP site]

and there is no such video, just a classic fake codec page:

[Screenshot: the fake codec page]

VirusTotal detects the file as:

[Screenshot: VirusTotal results]

If you’re trying to quit drugs, porn may not be the best alternative.

Jerome Segura

Malware ID: c92ca378fa83980a41156698a7f19a6b.zip

Posted in Fake codecs

Angelina and Zango cash

September 4th, 2009

I came across the following site today: angelinajmovies.cn

If you browse the site, you are immediately served a file:

[Screenshot: the first download prompt]

which VirusTotal detects as:

[Screenshot: VirusTotal results for the first file]

If you refresh the page, you now get this second file (sorry, I used Firefox here, but you get the same result in IE):

[Screenshot: the second download prompt]

which VirusTotal detects as:

[Screenshot: VirusTotal results for the second file]

And if you refresh the page angelinajmovies.cn for a third time you get:

[Screenshot: the third landing page]

Wait, let’s zoom in a little bit:

[Screenshot: zoomed-in view of the landing page]

Yes, you see it right, Zango it is.

Dreamcatcher player, sorry, DreamMediaPlayer or whatever.

The landing page reminds me so much of the fake codec pages. I bet they might even have used the same template.

Bad on all fronts!

Jerome Segura

Malware ID: 67e252ee84a6b5d0e2706ccc3e36a106.zip

Malware ID: bea4676cddd48770b56c54db8b07f370.zip

Malware ID: c115d8251fe12d92567e55cad1d379e9.zip

Posted in Exploits, Fake codecs

Boom boom malware

September 1st, 2009

Just stumbled upon boomexesite.com, which hosts a poorly detected Trojan (3/41).

Other sites on that IP, 64.20.55.163, courtesy of Steven (Ur IT Mate):

Full link here.

[Screenshot: list of other sites on that IP]

VirusTotal scan:

[Screenshot: VirusTotal results]

Jerome Segura

Malware ID: e561f6830925f4783b1989f54b5382df.zip

Posted in Fake codecs

More Koob to the face

August 5th, 2009

This is an example of a webpage hosted on an infected PC. It looks like the real deal, but it’s not:

[Screenshot: the fake page]

In fact, the malware authors behind this have not spent much time crafting the page: they took snapshots of existing ads and templates and pasted them in as individual GIF or JPEG images.

[Screenshots: the pasted ad and template images]

But hey, it works, doesn’t it?

Jerome Segura

Posted in Fake codecs

Rogueware buys you BMWs

July 31st, 2009

As I was investigating some fake codec sites, late on a Friday night, I stumbled upon this one:

[Screenshot: the open directory listing]

The malware is hosted on downloadxxtube.com. Interestingly enough, the page is totally open for the curious like me. You can see an “exe” folder where that file is hosted, but the thing that first caught my attention was those BMW pics…

[Screenshot: BMW pictures in the directory]

Is that what online criminals dream of?

[Screenshot: more BMW pictures]

Don’t get me wrong, I think BMWs are splendid cars and if I had the budget I would be more than tempted!

The domain registration info is below. Created mid-July.

[Screenshot: domain registration info]

File detection on VirusTotal:

[Screenshot: VirusTotal results]

There is another domain hosting the same payload on that IP (78.159.98.70): showmeall-tube-xx.com

Ah… a sports car. Maybe some day…

Jerome Segura

Posted in Fake codecs

Searches for Erin Andrews’s nude video link to malware

July 21st, 2009

As the sports journalist and her lawyer are trying to catch the authors of this disgraceful act, malware authors are capitalizing on the keywords for their SEO campaigns.

You will see several blogs or other links to the supposed video. However, many of them will direct you to malware in the form of fake codecs.

[Screenshot: search results for the video]

A CNN look-alike site:

[Screenshot: the CNN look-alike site]

Another example here:

[Screenshot: another fake video site]

And again here:

[Screenshot: another fake video site]

Some more:

[Screenshot: more fake video sites]

The few domains illustrated above:

all-video.cn

videoreport-cnn.com

onlyhotvideos.com

midnight-online.tv

vsj-news.com

Watch out, those sites can infect your PC!

Jerome Segura

Malware ID: c32a513a20aa056657cb32870c22ed14.zip

Malware ID: fd27ddf819de4a0909c1790c5f39c62f.zip

Posted in Fake codecs

Fake codec targets Russian users

July 21st, 2009

The following domain, sexvideorussia.com, pushes a fake codec in the form of… a WSF file (Windows Script File).

[Screenshot: sexvideorussia.com]

The file datafeeder.swf contains obfuscated JavaScript:

[Screenshot: the obfuscated JavaScript]

If you run it, it will install a BHO (Browser Helper Object) tied to bpfeed.dll:

[Screenshot: bpfeed.dll]

That BHO is going to inject ads into your webpages, as this VirusTotal screen cap shows:

[Screenshot: VirusTotal results]

Since everything appears to be written in Russian, I assume it is targeting the same population.
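As an added defender-side check (not part of the original post), this PowerShell script enumerates the Browser Helper Objects registered on a Windows machine, resolves each CLSID to the DLL that Internet Explorer would load, checks its Authenticode signature, and flags a DLL whose file name matches the one named above. The registry locations are the standard ones Windows uses; the suspect name list is an assumption taken from this post.

```powershell
# Added example, not from the blog post: list registered BHOs and the DLL
# behind each, flagging names on a suspect list (here: bpfeed.dll, from the post).
# Assumes Windows PowerShell 5.1 or later, run from an elevated prompt.

$SuspectDllNames = @('bpfeed.dll')   # assumption: name taken from the post above

# IE reads BHO registrations from these keys (second one for 32-bit IE on 64-bit Windows).
$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

foreach ($key in $BhoKeys) {
    if (-not (Test-Path $key)) { continue }

    foreach ($entry in Get-ChildItem -Path $key) {
        $clsid = $entry.PSChildName   # subkey name is the COM class id, e.g. {GUID}

        # The DLL path is the default value of CLSID\{guid}\InprocServer32.
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path $server) {
            $dll = (Get-ItemProperty -Path $server).'(default)'
        }
        $dll = [Environment]::ExpandEnvironmentVariables("$dll")

        # Unsigned or missing binaries in this list deserve a closer look.
        $signature = 'n/a'
        if ($dll -and (Test-Path $dll)) {
            $signature = (Get-AuthenticodeSignature -FilePath $dll).Status
        }

        $suspect = $SuspectDllNames -contains ([IO.Path]::GetFileName("$dll"))

        [PSCustomObject]@{
            CLSID     = $clsid
            Dll       = $dll
            Signature = $signature
            Suspect   = $suspect
        }
    }
}
```

Pipe the output to Format-Table or Export-Csv to review it; a BHO whose DLL is unsigned, lives outside Program Files or System32, or matches the suspect list is the one to pull for analysis.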

On that same IP (88.208.19.153) there are similar sites pushing the same malware:

redxporno.com

[Screenshot: redxporno.com]

besplatnoexxx.com

[Screenshot: besplatnoexxx.com]

The domains appear to be registered to:

andrey smiyan
Lepkalno
19
Vilnus, 232000
Latvia

But the IP is located in the Netherlands.

Jerome Segura

Malware ID: cea469492f8430cc060a33e0324a0869.zip

Posted in Fake codecs

Trojan Downloader 3/41 on VT

July 16th, 2009

thetubeamps.com pushes a fake codec:

[Screenshot: the fake codec page on thetubeamps.com]

Other domains on this IP, 64.20.38.172, almost all with “exe” in the name:


VirusTotal detection is poor: 3/41.

[Screenshot: VirusTotal results]

Jerome Segura

Malware ID: a36a4e12a3e3e3a3bf32a52d33a1ccb3.zip

Posted in Fake codecs

Jerome Segura is a Security Analyst working at ParetoLogic.
© 2009 ParetoLogic Inc.