Blog for hpHosts, and whatever else I feel like writing about ....

Thursday, 21 May 2009

Interforum LTD - Another Russian blackhat outfit

Interforum LTD are yet another Russian-based blackhat outfit, involved in various activities, just one of which is rogue (fake antivirus) infections seeded via Google search poisoning.

This particular one starts at (IP: - with a URL that instantly screams "I'm gonna infect you, but I gots some really cool porn for you!";


Viewing the source code shows us several rather interesting links;
hxxp:// (VirusTotal results)

I checked the tube.gif file, and the .js/.css files hosted on the GoogleCode URL, but couldn't see anything malicious in them, so that part is likely still in development.

So what does the URL actually look like? Well, a WordPress blog actually. Though it also includes one of our very familiar looking "Woops, ya need a codec/flash to view this" lures;

Clicking on this "video" results in us being taken through (IP: - Real International Business Corp. - known malware block), and given a fake Flash installer, identified as PrivacyCenter by NOD32 (which quarantined it when I tried to obtain a copy);

This file is downloaded from;

Hint: promo1 is also valid as promo2/3, and the vname parameter seems to accept anything you like - it's just used as the filename of the .exe to be downloaded.
The IP is shared by over 20 other malicious domains, including;


Net-block information for 91.212.132.*

inetnum: -
netname: Interforum-NET
descr: Interforum LTD
country: RS
org: ORG-IL161-RIPE
admin-c: SS11684-RIPE
tech-c: SS11684-RIPE
mnt-by: MNT-INTF
mnt-lower: RIPE-NCC-END-MNT
mnt-routes: MNT-INTF
mnt-domains: MNT-INTF
source: RIPE # Filtered

organisation: ORG-IL161-RIPE
org-name: Interforum LTD
org-type: OTHER
address: 152155, Yaroslavskaya dist., Rostov, Lenin st. 34, Russia
mnt-ref: MNT-INTF
mnt-by: MNT-INTF
source: RIPE # Filtered

person: Sevrem Sofiev
address: SARAJEVSKA 37 11000 BELGRADE
phone: +381 11 313 2848
nic-hdl: SS11684-RIPE
mnt-by: MNT-INTF
source: RIPE # Filtered

:: Information related to ''

descr: INTF route
origin: AS49091
mnt-by: MNT-INTF
source: RIPE # Filtered

This block also appears to be directly related (see the parent: 91.212.) to the group I blogged about previously, which is also involved in the poisoning (not really surprising) and was covered by Danchev earlier this week;
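As an added example (not part of the original post, and not hpHosts tooling), here is a small Python parser for RIPE whois output of the kind quoted above. The objects from the post are re-typed as constructed input; the inetnum range (91.212.132.0 - 91.212.132.255) is assumed from the "91.212.132.*" heading, and the route prefix is assumed to be 91.212.132.0/24, since the post does not preserve either. The code checks whether an IP falls inside the block, derives the parent prefix the post refers to, and flags registration data that disagrees with itself: a Serbian (RS) country code on the block, a Russian organisation address, and a Belgrade contact with a +381 phone number.

```python
import ipaddress
import re

# Constructed sample: the RIPE objects quoted in the post, re-typed.
# The inetnum range and the route prefix are assumptions (see lead-in).
SAMPLE_WHOIS = """\
inetnum:        91.212.132.0 - 91.212.132.255
netname:        Interforum-NET
descr:          Interforum LTD
country:        RS
org:            ORG-IL161-RIPE
admin-c:        SS11684-RIPE
mnt-by:         MNT-INTF
source:         RIPE # Filtered

organisation:   ORG-IL161-RIPE
org-name:       Interforum LTD
org-type:       OTHER
address:        152155, Yaroslavskaya dist., Rostov, Lenin st. 34, Russia
mnt-by:         MNT-INTF
source:         RIPE # Filtered

person:         Sevrem Sofiev
address:        SARAJEVSKA 37 11000 BELGRADE
phone:          +381 11 313 2848
nic-hdl:        SS11684-RIPE
mnt-by:         MNT-INTF
source:         RIPE # Filtered

route:          91.212.132.0/24
descr:          INTF route
origin:         AS49091
mnt-by:         MNT-INTF
source:         RIPE # Filtered
"""

RPSL_LINE = re.compile(r"^([a-z][a-z0-9-]*):\s*(.*)$")

# Tiny lookups used only to illustrate the mismatch check (assumption, not exhaustive).
COUNTRY_WORDS = {"russia": "RU", "moscow": "RU", "serbia": "RS", "belgrade": "RS"}
PHONE_CC = {"+7": "RU", "+381": "RS"}


def parse_rpsl(text):
    """Split RPSL-style whois output into blank-line separated objects.
    Each object is a dict attribute -> list of values (attributes may repeat).
    Server comment lines ('%', '#') and trailing ' # Filtered' remarks are dropped."""
    objects, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                objects.append(current)
                current = {}
            continue
        if line.startswith(("%", "#")):
            continue
        m = RPSL_LINE.match(line)
        if not m:
            continue  # continuation lines are ignored in this example
        key, value = m.group(1), m.group(2).split(" #", 1)[0].strip()
        current.setdefault(key, []).append(value)
    if current:
        objects.append(current)
    return objects


def inetnum_to_networks(inetnum):
    """'a - b' range -> list of CIDR networks covering it."""
    start, end = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return list(ipaddress.summarize_address_range(start, end))


def ip_in_block(ip, inetnum):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in inetnum_to_networks(inetnum))


def parent_prefix(inetnum, prefixlen=16):
    """The enclosing prefix (default /16), e.g. the '91.212.' parent the post mentions."""
    return str(inetnum_to_networks(inetnum)[0].supernet(new_prefix=prefixlen))


def summarize(objects):
    """Pull the fields an analyst actually looks at out of the parsed objects."""
    by_type = {}
    for obj in objects:
        by_type.setdefault(next(iter(obj)), []).append(obj)  # first key = object type
    inet = by_type["inetnum"][0]
    org = by_type.get("organisation", [{}])[0]
    person = by_type.get("person", [{}])[0]
    route = by_type.get("route", [{}])[0]
    return {
        "inetnum": inet["inetnum"][0],
        "netname": inet["netname"][0],
        "country": inet["country"][0],
        "maintainer": inet["mnt-by"][0],
        "org_name": org.get("org-name", [""])[0],
        "org_address": " ".join(org.get("address", [])),
        "contact": person.get("person", [""])[0],
        "contact_address": " ".join(person.get("address", [])),
        "contact_phone": person.get("phone", [""])[0],
        "origin_as": route.get("origin", [""])[0],
    }


def _country_of(text, phone=""):
    lowered = text.lower()
    for word, cc in COUNTRY_WORDS.items():
        if word in lowered:
            return cc
    for prefix, cc in PHONE_CC.items():
        if phone.startswith(prefix):
            return cc
    return None


def consistency_findings(summary):
    """Registration data that does not agree with itself is a reason to look harder."""
    findings = []
    org_cc = _country_of(summary["org_address"])
    if org_cc and org_cc != summary["country"]:
        findings.append(f"inetnum country {summary['country']} but org address is in {org_cc}")
    contact_cc = _country_of(summary["contact_address"], summary["contact_phone"])
    if org_cc and contact_cc and contact_cc != org_cc:
        findings.append(f"org address in {org_cc} but contact address/phone is in {contact_cc}")
    return findings


if __name__ == "__main__":
    s = summarize(parse_rpsl(SAMPLE_WHOIS))
    print(s["netname"], s["origin_as"], parent_prefix(s["inetnum"]))
    for finding in consistency_findings(s):
        print("!", finding)
```

Run it as-is and it reports the two mismatches from the quoted record; feed it real `whois -h whois.ripe.net` output and the same checks apply, since the parser only relies on the `key: value` object layout.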

What is more interesting is that one of the domains reported to me as being hacked, (IP: -), also suggests a possible relation to the group(s) responsible for the exploitation of the sites hosted by Lunarpages (and yes, those previously reported are STILL carrying the malicious code - nice going there, LunarPages!).


