More Mini Me Malware

September 16th, 2009

Mini me, AKA Verne Troyer is generating a lot of interest which the bad guys are capitalizing on.

By the way, the binary is VM sensitive… If you want a real analysis, you may need to use a real PC.

Jerome Segura

Malware ID: e7968e49b1ff6be0e314b625ecb0b5bd.zip

A few nasties off porn sites

September 9th, 2009

Our honeypots have identified a few poorly identified Trojans installing rogues, coming from these domains:

vaszxry5.ru
jhyuj76.ru

Their IP is 61.235.117.88

The Bait:

The hit on the back of the neck:

1 lonely detection on VirusTotal:

Jerome Segura

Malware ID: b157106188c2debab5d2f1337c708e35.zip

Office of National Drug Control Policy’s website redirects to malware

September 4th, 2009

The following page http://adgallery.whitehousedrugpolicy.gov/members/Miley-Cyrus-Nude/default.aspx

tricks you into watching a Miley Cyrus nude video.

For one thing, the page is hosted on (whitehousedrugpolicy.gov) the Office of National Drug Control Policy (ONDCP)

and there is no such video but a classic fake codec page:

VirusTotal detects the file as:

If you’re trying to quit drugs, porn may not be the best alternative.

Jerome Segura

Malware ID: c92ca378fa83980a41156698a7f19a6b.zip

Angelina and Zango cash

September 4th, 2009

I came across the following site today: angelinajmovies.cn

If you browse the site you immediately get a file:

which VirusTotal detects as:

If you refresh the page you now get this second file (sorry I used Firefox here, but you get the same result in IE):

which VirusTotal detects as:

And if you refresh the page angelinajmovies.cn for a third time you get:

Wait, let’s zoom in a little bit:

Yes, you see it right, Zango it is.

Dreamcatcher player, sorry DreamMediaPlayer or whatever.

The landing page reminds me so much of the fake codec pages. I bet they might even have used the same template.

Bad on all fronts!

Jerome Segura

Malware ID: 67e252ee84a6b5d0e2706ccc3e36a106.zip

Malware ID: bea4676cddd48770b56c54db8b07f370.zip

Malware ID: c115d8251fe12d92567e55cad1d379e9.zip

Boom boom malware

September 1st, 2009

Just stumbled upon boomexesite.com which hosts a poorly detected Trojan (3/41)

Other sites on that IP 64.20.55.163, courtesy of Steven (Ur IT Mate):

Full link here.

Virus Total scan:

Jerome Segura

Malware ID: e561f6830925f4783b1989f54b5382df.zip

More Koob to the face

August 5th, 2009

This is an example of a webpage hosted on an infected PC:

It looks like the real deal, but it’s not.

In fact, the malware authors behind this have not spent too much time crafting the page: They took snapshots of existing ads and templates and just pasted them as individual GIF or JPEG.

But hey, it works, doesn’t it?

Jerome Segura

Rogueware buys you BMWs

July 31st, 2009

As I was investigating some fake codec sites, late on a Friday night, I stumbled upon this one:

The malware is hosted on downloadxxtube.com. Interestingly enough, the page is totally open for the curious like me. You can see an “exe” folder where that file is hosted, but the thing that first caught my attention was those BMW pics…

Is that what online criminals dream of?

Don’t get me wrong, I think BMWs are splendid cars and if I had the budget I would be more than tempted!

The domain registratio info below. Created mid-July.

File detection on VirusTotal:

There is another domain hosting the same payload on that IP (78.159.98.70): showmeall-tube-xx.com

Ah… a sports car. Maybe some day…

Jerome Segura

Searches for Erin Andrews’s nude video link to malware

July 21st, 2009

As the sports journalist and her lawyer are trying to catch the authors of this disgraceful act, malware authors are capitalizing on the key words for their SEO campaigns.

You will see several blogs or other links to the supposed video. However, many of them will direct you to malware in the form of fake codecs.