Fake porn, fake watches and hacking your wallet
Fake porn sites (real Trojan Horses), fake watches (real scams), password cracking (wallet cracking): Welcome to the world of online crime!
All these sites were taken from the same IP address, namely 210.51.187.{sanitized}. I’m going to show you a wide portfolio of online threats and scams.
To start off, a fake porn site called Pornotube pushes some malicious files onto your computer. There is the nice way (an EXE file) or the hard way (a malicious PDF).
The files are detected by most AV products:
Oh, and there’s the cousin website as well, with another PDF exploit ‘in-your-face’. Those sites are nasty looking, but that’s another story.
Now, on to the fake watches. What better way than putting a bit of a Swiss flag in there too… Yes, the Swiss are known for their quality products, and watches in particular. The first time I flew to Geneva, I was amazed by just how many ads and posters of watches were all throughout the airport. If you take a walk near lake Geneva (le Leman), you will see many old buildings with big signs on them, such as Omega, TAG Heuer etc. I stopped in front of a Cartier store to look at some of the watches; of course none of them had price tags on.
You may get the feeling that I like watches hehe… I have a nice (although modest) Swiss Military watch.
Back to our story, here is a “replica” site… I personally would call it a “counterfeit” store, but it wouldn’t sound as nice, would it? They offer “Free shipping worldwide”, how convenient! I really hate counterfeit stuff. Recently I read an article about that industry in China and it really is an out of control problem.
Finally, a page designed for those who want to hack the Russian version of Facebook (vkontakte.ru):
I had Google translate the Russian text for me:
Payment can be made through one of these institutions:
Anything else for you today?
Please note that ICQ hacks are on the ‘winter sale’:
Don’t forget to use the:
Jerome Segura
Warning: all links contained in this post may be dangerous!
|
VirtualBox less and less effective for malware analysis
About 2 years ago, I switched from VMware to VirtualBox. There were mainly two reasons why:
- VirtualBox was free
- VMware was giving me poor results when analyzing samples (Virtualization detection)
Well, today VirtualBox is still free, but it seems to be plagued by the same problem: malware detecting the virtual environment.
Many samples will have a totally different behaviour when analyzed in a VM, such as:
- do nothing
- delete themselves
- do a minor payload
It is quite tricky to detect if a sample is VM-aware, for the reasons outlined above. So, at the end of the day, we are missing out on some really prevalent samples that people will get infected with.
Take this rogue for example, Security Tool.
Under a VM, it does nothing; in a real PC it installs and runs just fine:
Does that explain why some of the big players are not detecting it? I’m referring to Kaspersky, Symantec, F-Secure, Panda?
It looks like it’s time to go back to the real machines for good.
Jerome Segura
Malware ID: 37e6447f055641903d1c17a11eb1b592.zip
|
Koobface Worm on the rise again
In the past few days, I’ve seen a fair number of Koobface worms being spread.
My Russian is a little rusty, so I hope it does not say something offensive.
This is what our HoneyPots have recorded since July 1st:
If you study those links in depth, you will find even more malware.
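The honeypot records above follow a simple semicolon-separated layout: lure site, payload URL (host and path, no scheme), first seen, last seen. The parser below is an added example, not the honeypot’s own code; it uses constructed records in that layout (RFC 5737 test addresses and .test domains, not the indicators from this post) and treats the `pid=` path segment as a campaign identifier, which is an assumption about what that value means.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records in the honeypot's layout:
# lure site;payload URL;first seen;last seen (US date format, no scheme on the URL).
# The hosts, sites and timestamps are made up for this example.
SAMPLE_RECORDS = """\
example-a.test;192.0.2.10/pid=30937/setup.exe;7/6/2009 11:52:51 AM;7/6/2009 11:52:51 AM
example-a.test;192.0.2.11/pid=30937/setup.exe;7/6/2009 11:52:51 AM;7/6/2009 11:52:51 AM
example-b.test;198.51.100.7/pid=11640/type=videxp/setup.exe;7/5/2009 8:14:10 AM;7/5/2009 8:14:10 AM
www.example-b.test;198.51.100.8/pid=11640/type=videxp/setup.exe;7/3/2009 5:12:42 PM;7/3/2009 5:12:42 PM
"""

PID_RE = re.compile(r"/pid=(\d+)/")          # assumption: pid is a campaign/affiliate id
TS_FMT = "%m/%d/%Y %I:%M:%S %p"              # e.g. 7/6/2009 11:52:51 AM

def parse_record(line):
    """Split one honeypot line into its fields; returns None on a malformed line."""
    parts = line.strip().split(";")
    if len(parts) != 4:
        return None
    site, url, first, last = parts
    site = site.lower()
    if site.startswith("www."):                # fold www. and bare hostnames together
        site = site[4:]
    host, _, path = url.partition("/")
    m = PID_RE.search(url)
    return {
        "site": site,
        "host": host,
        "path": "/" + path,
        "pid": m.group(1) if m else None,
        "first_seen": datetime.strptime(first, TS_FMT),
        "last_seen": datetime.strptime(last, TS_FMT),
    }

def summarize(text):
    """Group records by pid: distinct payload hosts, lure sites and the observation window."""
    groups = defaultdict(lambda: {"hosts": set(), "sites": set(), "first": None, "last": None})
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:                        # skip truncated or garbled lines instead of failing
            continue
        g = groups[rec["pid"]]
        g["hosts"].add(rec["host"])
        g["sites"].add(rec["site"])
        g["first"] = rec["first_seen"] if g["first"] is None else min(g["first"], rec["first_seen"])
        g["last"] = rec["last_seen"] if g["last"] is None else max(g["last"], rec["last_seen"])
    return dict(groups)

if __name__ == "__main__":
    for pid, g in summarize(SAMPLE_RECORDS).items():
        print(pid, len(g["hosts"]), "hosts,", sorted(g["sites"]), g["first"], "->", g["last"])
```

Grouping by pid shows how many distinct download hosts one campaign rotates through and which lure sites feed it, which is more useful for blocking than the individual host addresses, since those change from record to record.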
Virus Total Detection
Jerome Segura
Malware ID: b054ff88fdd28d41a27af2e8ee919b73.zip
|
‘Wake on Lan’ site hosts malware
Until today I did not know what Wake on LAN was. That is, until I came upon a site called “reveilpc.com” and found out.
It’s an interesting feature that lets you remotely turn a computer on by sending ‘magic packets’ (I’m not making this up! lol).
Well, the site first got my attention because it was linking to malware.
The site’s IP address is: 213.246.56.31 and guess what’s in there?
…
A nasty EXE file!!!!
The file is a password stealing Trojan:
Jerome Segura
Malware ID: 1f919adedbaa909cd62d4e858fdf6bf3.zip
|
New Koobface variant
Caught this one in our Honeypots:
It’s a Koobface Worm variant and not really detected as of yet:
We proactively detect it with our Heuristic engine:
Jerome Segura
Malware ID: cd83349f99c282256ae428e6a4a3ae92.zip
|
Michael Jackson malware in Italian
As rumors run crazy about Michael Jackson’s death, one thing is for certain: malware authors are rejoicing.
This one is from an old friend (so to speak). Do you remember youtorube? Well, it is the same IP striking again:
Jerome Segura
Malware ID: 33956a21473022daf214311deb131135.zip
|
Michael Jackson Malware (cont.)
Malware authors are still using Michael Jackson’s death to attract people to their websites.
The site is registered to:
The list of sites from that IP is fairly long.
Warning, these sites are dangerous and can infect your PC.
Jerome Segura
Malware ID: 9e7320768d2d4638678b3cc4caee294a.zip
|
Michael Jackson Malware
Only a few hours after Michael Jackson’s death, we are seeing malware using his name to propagate:
The file’s extension is .scr (normally used by screensavers). The icon looks like an old Windows Media Player file:
Upon running the file, the following web page opens up:
The malware opens up two new files:
And this is how it hooks into the system:
Jerome Segura
Malware ID: 664cb28ef710e35dc5b7539eb633abca.zip
|
Ali Baba and the Forty Thieves
When I was a kid, I used to love that tale about Ali Baba and the Forty Thieves.
They also made a French telefilm with unforgettable Fernandel.
If you wonder why I am reminiscing about the past, it’s because I stumbled upon this:
It seems the site had closed its doors, so I pronounced the magic words “open sesame”…
…and to my surprise, golden and shiny malware appeared:
There is a bit of everything, kind of what Ali Baba found:
Nonaco, SillyProxy, Koobface and some new backdoors and trojans.
Watch out, the site is still live, magic words or not.
Jerome Segura
|
All too familiar Mac OS X Trojan
Mac Malware is definitely getting pushed in the wild.
Again this morning I stumbled upon yet another sample:
Sites listed on the same IP: 93.190.140
Beware, those links are live and serve malware for both the Mac and the PC.
Jerome Segura
|