Malware repo gets updated
This is an update from my previous post. I noticed an update to one of the pages on the malicious site
oymoma-tube.freehostia.com
Check the screen below and see the July 3rd time stamp:
The page hot-tube.htm is now pushing a rogue, namely XP Deluxe Protector, disguised as a free codec:
Upon execution, fake alert messages such as this one:
Eventually the scareware will run:
This sample is poorly detected, especially for being a variant of an already known rogue:
Paretologic detects this file as:
Jerome Segura
Malware ID: dcfe992aa25bb1849c1e9f8c2c5d3c5b.zip
|
Unsanitized repo of fake codecs
Sometimes spending the extra work hours pays off. Actually I kind of get into a groove after searching and things come easily… that is until my wife phones me up!
Anyway, I was investigating a site and checked its source code for anything of interest.
There was a strange link pointing to a gif file that I decided to follow.
It took me to this page, a nice little repository of malicious pages pushing fake video codecs:
oymoma-tube.freehostia.com
As you can see, some of the pages have just been updated today, while others are a little older.
Here are some examples of the pages hosted there. They also have redirect links to other malware sites.
Jerome Segura
And for our partners, I’ve uploaded to our FTP share some of the samples I could grab.
Malware ID: 0d23a0aa75658d81698c727261503628.zip
Malware ID: 6d3b3cd07df5db7f4512a503ace750ac.zip
Malware ID: da3f8fc504e1a640fbc0ae8da568dec7.zip
Malware ID: ee222a68e35225115a1dceac34026ab6.zip
|
New ad-clicker Trojan
Our Honeypots caught this drive-by download from the following site:
Looks like another blog… the word ‘porn’ is used, well, abundantly.
The site is registered to some guy in Panama.
Other domains sharing nameserver:
They all point to this fake codec site:
The malware file, as with many fake codecs, is from exe-xxx-file.com.
A quick Virus Total analysis reveals that this file is pretty much unknown to most AV vendors:
If you happen to be infected with that Trojan, it will not go unnoticed:
Those links are dangerous, stay away unless you know what you’re doing.
Jerome Segura
Malware ID: 749ebc5c812c3d26022a4df847b11d09.zip
|
Fake Celebrities site drops malware
This site popped up on my radar… The fake Flash Player is malware, of course.
I was very surprised to see that only 3 AV vendors detect this threat!
Jerome Segura
Malware ID: 260f8513934016b9eafb6e9edf650c01.zip
|
Fake Porntube Malware
I came across yet another fake PornTube site.
The Whois for that domain is somewhat obscure!
The malicious file comes from another domain (eshymkent.cn), yet on the same IP.
The malware file turns out to be a rogue app called Fast Antivirus 2009
Although this rogue is already known, I am surprised to see the low detection rate on VirusTotal:
Jerome Segura
Malware ID: d33e766d7fc6a984fe797816cc4af245.zip
|
The Ukrainian connection
The 195.95.151.174 IP address has a fair amount of malware domains pushing, amongst other things, scareware programs.
Fake VideoActiveX Object pop up:
195.95.151.174 and its connections. Looks like a rake or some sea world animal, don’t you think?
This one is from Ukraine:
Sites using that IP are dangerous, use caution.
Jerome Segura
|
Antonella Barba used to deliver malware
American Idol singer Antonella Barba’s name (and more!) is being used in malware campaigns.
I found at least two different websites registered using her name, that are pushing malware.
The page is pretty straightforward… with the alleged video being the center of attention:
If you click on the video, it will redirect you to a page that tries to load streamviewer.40009.exe
The file is hosted on yet another domain created June 11, so still very recent.
A Robtex analysis reveals some interesting connections:
You can see the domain names for scareware programs:
The malware file is not very well detected:
A clue to what it might be doing as a payload is revealed by this Fiddler analysis:
It looks like some click fraud using ad banners:
Every now and again, amongst redirections and pop ups you will see it trying to push rogueware:
Once again, this is a reminder of how celebrities are used in malware attacks. Their private lives interest people, which makes them a prime target for hackers.
Warning: all links are live and can infect your PC.
Jerome Segura
|
How old are you?
That’s what I thought they asked me:
If there is one thing that bothered me it was the word “Discreet”.
VirusTotal reveals that the file is fairly unknown:
But boy, does it infect my machine when I execute it:
Next time you’re asked for your age, say it’s not polite to inquire.
Jerome
|
Rogue apps playing on human nature…
Oh boy, how many times have I seen the same warning messages…
This time we play the “you have been a naughty boy” trick
Funny that the same guys who bring you porn also warn you of the consequences of having adult material on your PC.
I found this forum post where a ‘good Samaritan’ gives you the latest tips for FREE PORN!
Nice little tutorial:
(I like the “special software”, it’s special alright!!!!)
Wham! Bam! You are infected…
Jerome
|
Digg is linking to malware…
Nothing new here, another social networking site which links to malware…
Of course the principle of Digg is to share interesting links and such…
The latest malware can be found by following the wrong links…
Fake movie codec delivers destructive malware payload:
The threat creates a huge list of scheduled tasks which are set to run more bad stuff:

Jerome
|