Archive for the ‘Fake codecs’ Category

Malware repo gets updated

July 3rd, 2009

This is an update from my previous post. I noticed an update to one of the pages on the malicious site

oymoma-tube.freehostia.com

Check the screen below and see the July 3rd time stamp:

[screenshot]

The page hot-tube.htm is now pushing a rogue, namely XP Deluxe Protector, disguised as a free codec:

[screenshot]

Upon execution, it displays fake alert messages such as this one:

[screenshot]

Eventually the scareware will run:

[screenshot]

This sample is poorly detected, especially for being a variant of an already known rogue:

[screenshot]

Paretologic detects this file as:

[screenshot]

Jerome Segura

Malware ID: dcfe992aa25bb1849c1e9f8c2c5d3c5b.zip

  • Posted in Fake codecs, Rogue software

Unsanitized repo of fake codecs

July 2nd, 2009

Sometimes spending the extra work hours pays off. Actually I kind of get into a groove after searching and things come easily… that is until my wife phones me up!

Anyway, I was investigating a site and checked its source code for anything of interest.

There was a strange link pointing to a gif file that I decided to follow.

[screenshot]

It took me to this page, a nice little repository of malicious pages pushing fake video codecs:

oymoma-tube.freehostia.com

[screenshot]

As you can see, some of the pages have just been updated today, while others are a little older.

Here are some examples of the pages hosted there. They also have redirect links to other malware sites.

[screenshots]

Jerome Segura

And for our partners, I’ve uploaded to our FTP share some of the samples I could grab.

Malware ID: 0d23a0aa75658d81698c727261503628.zip

Malware ID: 6d3b3cd07df5db7f4512a503ace750ac.zip

Malware ID: da3f8fc504e1a640fbc0ae8da568dec7.zip

Malware ID: ee222a68e35225115a1dceac34026ab6.zip

  • Posted in Fake codecs

New ad-clicker Trojan

June 30th, 2009

Our honeypots caught this drive-by download from the following site:

[screenshot]

Looks like another blog… the word ‘porn’ is used, well, abundantly.

The site is registered to some guy in Panama.

[screenshot]

Other domains sharing the same nameserver:

[screenshot]

They all point to this fake codec site:

[screenshot]

The malware file, as with many fake codecs, is from exe-xxx-file.com.

A quick VirusTotal analysis reveals that this file is pretty much unknown to most AV vendors:

[screenshot]

If you happen to be infected with that Trojan, it will not go unnoticed:

[screenshots]

Those links are dangerous, stay away unless you know what you’re doing.

Jerome Segura

Malware ID: 749ebc5c812c3d26022a4df847b11d09.zip

  • Posted in Fake codecs

Fake Celebrities site drops malware

June 29th, 2009

This site popped up on my radar… The fake Flash Player is malware, of course.

[screenshots]

I was very surprised to see that only 3 AV vendors detect this threat!

[screenshot]

Jerome Segura

Malware ID: 260f8513934016b9eafb6e9edf650c01.zip

  • Posted in Fake codecs, Rogue software

Fake Porntube Malware

June 25th, 2009

I came across yet another fake PornTube site.

[screenshot]

The Whois for that domain is somewhat obscure!

[screenshot]

The malicious file comes from another domain (eshymkent.cn), yet on the same IP:

[screenshot]

The malware file turns out to be a rogue app called Fast Antivirus 2009:

[screenshot]

Although this rogue is already known, I am surprised to see the low detection rate on VirusTotal:

[screenshot]

Jerome Segura

Malware ID: d33e766d7fc6a984fe797816cc4af245.zip

  • Posted in Fake codecs, Rogue software

The Ukrainian connection

June 24th, 2009

The 195.95.151.174 IP address hosts a fair number of malware domains pushing, amongst other things, scareware programs.

Fake VideoActiveX Object pop-up:

[screenshot]

195.95.151.174 and its connections. Looks like a rake or some sea world animal, don’t you think?

[screenshot]

This one is from Ukraine:

[screenshot]

Sites using that IP are dangerous, use caution.

Jerome Segura
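The pivot on shared infrastructure that these posts do by hand (domains on the same IP, domains behind the same nameservers), as an added example that is not part of the original posts: a small breadth-first walk over constructed passive-DNS-style records. The domain names and the other IP addresses are placeholders; only 195.95.151.174 comes from the post.

```python
"""Pivot on shared hosting to find domains related to a known fake-codec site.

Added example, not from the original posts. The records below are constructed
(domain -> A record, nameservers); only 195.95.151.174 comes from the post.
In practice the table would be filled from passive DNS or WHOIS lookups."""
from collections import defaultdict

# Constructed passive-DNS style records: domain -> (ip, nameservers).
RECORDS = {
    "seed-tube.example":      ("195.95.151.174", ("ns1.host-a.example", "ns2.host-a.example")),
    "free-codec.example":     ("195.95.151.174", ("ns1.host-a.example", "ns2.host-a.example")),
    "video-player.example":   ("198.51.100.7",   ("ns1.host-a.example", "ns2.host-a.example")),
    "xxx-exe-dl.example":     ("198.51.100.7",   ("ns1.host-b.example", "ns2.host-b.example")),
    "unrelated-shop.example": ("203.0.113.9",    ("ns1.other.example",  "ns2.other.example")),
}

def build_index(records):
    """Invert the records into ip -> domains and nameserver -> domains maps."""
    by_ip, by_ns = defaultdict(set), defaultdict(set)
    for domain, (ip, nameservers) in records.items():
        by_ip[ip].add(domain)
        for ns in nameservers:
            by_ns[ns].add(domain)
    return by_ip, by_ns

def related_domains(seed, records, max_hops=2):
    """Breadth-first walk from seed over shared IPs and shared nameservers.

    Returns {domain: hops}; the seed is hop 0 and a hop is 'shares an IP' or
    'shares a nameserver'. Keep max_hops small: a free hoster's nameserver
    can connect thousands of unrelated domains, so review hop-2 hits by hand.
    """
    by_ip, by_ns = build_index(records)
    seen = {seed: 0}
    frontier = [seed]
    for hop in range(1, max_hops + 1):
        next_frontier = []
        for domain in frontier:
            ip, nameservers = records[domain]
            neighbours = set(by_ip[ip])
            for ns in nameservers:
                neighbours |= by_ns[ns]
            for n in sorted(neighbours - set(seen)):
                seen[n] = hop
                next_frontier.append(n)
        frontier = next_frontier
    return seen

if __name__ == "__main__":
    for domain, hops in sorted(related_domains("seed-tube.example", RECORDS).items(), key=lambda kv: kv[1]):
        print(f"{hops} hop(s) from seed: {domain} ({RECORDS[domain][0]})")
```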

  • Posted in Fake codecs

Antonella Barba used to deliver malware

June 12th, 2009

American Idol singer Antonella Barba’s name (and more!) is being used in malware campaigns.

I found at least two different websites registered using her name that are pushing malware.

[screenshots]

The page is pretty straightforward… with the alleged video being the center of attention:

[screenshot]

If you click on the video, it will redirect you to a page that tries to load streamviewer.40009.exe:

[screenshot]

The file is hosted on yet another domain created June 11, so still very recent.

[screenshot]

A Robtex analysis reveals some interesting connections:

[screenshot]

You can see the domain names for scareware programs:

[screenshot]

The malware file is not very well detected:

[screenshot]

A clue to what it might be doing as a payload is revealed by this Fiddler analysis:

[screenshot]

It looks like some click fraud using ad banners:

[screenshots]

Every now and again, amongst redirections and pop ups you will see it trying to push rogueware:

[screenshot]

Once again, this is a reminder of how celebrities are used in malware attacks. Their private lives interest people, which makes them a prime target for hackers.

Warning: all links are live and can infect your PC.

Jerome Segura

  • Posted in Fake codecs, Rogue software

How old are you?

April 21st, 2009

That’s what I thought they asked me:

[screenshot]

If there is one thing that bothered me it was the word “Discreet”. ;-)

VirusTotal reveals that the file is fairly unknown:

[screenshot]

But boy, does it infect my machine when I execute it:

[screenshot]

Next time you’re asked for your age, say it’s not polite to inquire ;-)

Jerome

  • Posted in Fake codecs

Rogue apps playing on human nature…

February 25th, 2009

Oh boy, how many times have I seen the same warning messages…

This time we play the “you have been a naughty boy” trick ;-)

Funny that the same guys who bring you porn also warn you of the consequences of having adult material on your PC.

I found this forum post where a ‘good Samaritan’ gives you the latest tips for FREE PORN!

[screenshot]

Nice little tutorial:

[screenshot]

(I like the “special software”, it’s special alright!!!!)

Wham! Bam! You are infected…

[screenshot]

Jerome

  • Posted in Fake codecs

Digg is linking to malware…

January 12th, 2009

Nothing new here, another social networking site which links to malware…

Of course the principle of Digg is to share interesting links and such…

The latest malware can be found by following the wrong links…

Fake movie codec delivers destructive malware payload:

The threat creates a huge list of scheduled tasks which are set to run more bad stuff:

Jerome
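A defender's triage check for the behaviour described above (many scheduled tasks set up to run more malware), as an added example that is not part of the original post. It assumes the input is the CSV that `schtasks /query /v /fo csv` prints on Windows (only a few of its columns are used) and flags tasks whose command runs from a user-writable location; the rows are constructed.

```python
"""Triage a scheduled-task export for the pattern in the post: many tasks
launching dropped binaries.

Added example, not from the original post. Input assumed is the CSV printed by
`schtasks /query /v /fo csv` on Windows (only some columns kept); rows constructed."""
import csv
import io
import re

# Constructed export: two legitimate tasks and a burst of tasks that run an
# executable dropped in the user's profile.
SAMPLE_CSV = '''"HostName","TaskName","Author","Task To Run","Schedule Type","Run As User"
"PC1","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Microsoft Corporation","%windir%\\system32\\defrag.exe -c","Weekly","SYSTEM"
"PC1","\\GoogleUpdateTaskMachineUA","Google Inc.","C:\\Program Files\\Google\\Update\\GoogleUpdate.exe /ua","Daily","SYSTEM"
"PC1","\\At1","PC1\\user","C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\codec_setup.exe /s","Hourly","user"
"PC1","\\At2","PC1\\user","C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\codec_setup.exe /s","Hourly","user"
"PC1","\\At3","PC1\\user","C:\\Documents and Settings\\user\\Application Data\\svch0st.exe","Hourly","user"
'''

# Locations a dropper can write to without admin rights; legitimate scheduled
# binaries are rarely launched from them.
USER_WRITABLE = re.compile(
    r"\\Temp\\|\\Documents and Settings\\|\\Users\\|\\Application Data\\|%TEMP%|%APPDATA%",
    re.IGNORECASE,
)

def suspicious_tasks(csv_text):
    """Return the tasks whose command runs from a user-writable location."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        command = row.get("Task To Run", "")
        if USER_WRITABLE.search(command):
            hits.append({"task": row["TaskName"], "run": command, "user": row["Run As User"]})
    return hits

def triage(csv_text, burst_threshold=3):
    """Summarise the hits; 'burst' is the many-tasks pattern the post describes."""
    hits = suspicious_tasks(csv_text)
    return {"suspicious": hits, "burst": len(hits) >= burst_threshold}

if __name__ == "__main__":
    result = triage(SAMPLE_CSV)
    for h in result["suspicious"]:
        print(f"{h['task']:<6} runs as {h['user']}: {h['run']}")
    print("burst of suspicious tasks:", result["burst"])
```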

  • Posted in Fake codecs

Jerome Segura is a Security Analyst working at ParetoLogic.

© 2009 ParetoLogic Inc.