‘Wake on Lan’ site hosts malware
Until today I did not know what Wake on LAN was. I found out when I came upon a site called “reveilpc.com”.
It’s an interesting feature that lets you remotely turn a computer on by sending ‘magic packets’ (I’m not making this up! lol).
Well, the site first got my attention because it was linking to malware.
The site’s IP address is 213.246.56.31, and guess what’s in there?
…
A nasty EXE file!!!!
The file is a password stealing Trojan:
Jerome Segura
Malware ID: 1f919adedbaa909cd62d4e858fdf6bf3.zip
|
New Koobface variant
Caught this one in our honeypots:
It’s a Koobface worm variant and is not really detected as of yet:
We proactively detect it with our heuristic engine:
Jerome Segura
Malware ID: cd83349f99c282256ae428e6a4a3ae92.zip
|
Michael Jackson malware in Italian
As rumors run wild about Michael Jackson’s death, one thing is certain: malware authors are rejoicing.
This one is from an old friend (so to speak). Do you remember youtorube? Well, it is the same IP striking again:
Jerome Segura
Malware ID: 33956a21473022daf214311deb131135.zip
|
Michael Jackson Malware (cont.)
Malware authors are still using Michael Jackson’s death to attract people to their websites.
The site is registered to:
The list of sites from that IP is fairly long.
Warning: these sites are dangerous and can infect your PC.
Jerome Segura
Malware ID: 9e7320768d2d4638678b3cc4caee294a.zip
|
Michael Jackson Malware
Only a few hours after Michael Jackson’s death, we are already seeing malware using his name to propagate:
The file’s extension is .scr (normally used by screensavers). Its icon looks like an old Windows Media Player file:
Upon running the file, the following web page opens up:
The malware drops two new files:
And this is how it hooks into the system:
Jerome Segura
Malware ID: 664cb28ef710e35dc5b7539eb633abca.zip
|
Ali Baba and the Forty Thieves
When I was a kid, I used to love the tale of Ali Baba and the Forty Thieves.
They also made a French telefilm of it with the unforgettable Fernandel.
If you wonder why I am reminiscing about the past, it’s because I stumbled upon this:
It seems the site had closed its doors, so I pronounced the magic words “open sesame”,
and to my surprise golden and shiny malware appeared:
There is a bit of everything, much like what Ali Baba found:
Nonaco, SillyProxy, Koobface and some new backdoors and trojans.
Watch out, the site is still live, magic words or not.
Jerome Segura
|
All too familiar Mac OS X Trojan
Mac malware is definitely getting pushed in the wild.
Again this morning I stumbled upon yet another sample:
Sites listed on the same IP (93.190.140):
Beware: those links are live and serve malware for both the Mac and the PC.
Jerome Segura
|
The Mac Trail to 213.182.197
While following this Mac Trojan I have come across several valuable links.
In particular I am investigating 213.182.197.
Check out what’s on there (the hosting records resolve to a long list of adult, warez and DNS hosts on this range):
The sample flies totally under the radar, as this VirusTotal screenshot shows:
Just when you think it’s over, here is more from 213.182.197.13:
You can see the fake PornTube sites riddled with malware and, worth pointing out, a social networking site called Vkontakte. It is the equivalent of Facebook in Russia, Ukraine and Belarus.
It is not the real site though: a slight typo in the name, and a similar design….
This is the legitimate site:
The trail never seems to end! Fake codecs, illegal adult content, phishing sites… Steer clear of those sites!
Jerome Segura
|
Fake porn code generator
A little different this time (not a fake codec): a porn site which requires a “code generator” in order to view the content.
The domain, veryhotmovs.com, appears to be registered to a Russian fellow:
Other domains listed on that IP (85.17.177.223) are all live as well:
Warning: those links are live and pushing malware!
Jerome Segura
|
419 Scam
This is an example of a 419 scam, also known as the Nigerian scam.
It was found by our Office Manager, Marlee.
The scam artist asks you to send money in advance in order to receive a supposedly large lump sum.
Once you send the money in, you will either:
A) never hear from them again, or
B) need to pay another fee to complete the transaction.
If B) works, they will try:
C) another “final” fee,
and so on…
Some people have lost their entire life’s savings by falling victim to this kind of fraud.
Jerome Segura
|