This particular one starts at fivespot-atl.com (IP: 64.128.80.103 - constitution.networkredux.net), with a URL that instantly screams "I'm gonna infect you, but I gots some really cool porn for you!";
hxxp://fivespot-atl.com/sew/21a.php?page=freegirlxxxvideos-cn-video
Viewing the source code shows us several rather interesting links;
http://wewew.googlecode.com/files/nb.js
hxxp://fivespot-atl.com/sew/21a.php?pagefreegirlxxxvideos-cn-video
hxxp://fivespot-atl.com/sew/21a.php?page=hot-forced-crossdressing-stories
hxxp://fivespot-atl.com/sew/21a.php?pagefreegirlxxxvideos-cn-video
hxxp://wewew.googlecode.com/files/tube.gif (VirusTotal results)
I checked the tube.gif file, and the .js/.css files hosted on the GoogleCode URL, but couldn't see anything malicious, so it is likely still in development.
So what does the fivespot-atl.com URL actually look like? Well, a WordPress blog, actually. Though it also includes one of our very familiar looking "Woops, ya need a codec/flash to view this";
Clicking on this "video" results in our being taken through su7.us (IP: 88.214.200.145 - Real International Business Corp. - known malware block), and given a fake flash installer, identified as PrivacyCenter by NOD32 (quarantined it when I tried obtaining a copy);
http://www.virustotal.com/analisis/b8f4627d1a3b24f6214d14b7333ddd8f
This file is downloaded from secure-center-antivirus.com;
hxxp://secure-center-antivirus.com/promo1/get.php?aid=1240&vname=flash_player_setup
Hint: promo1 is also valid as promo2/3, and the vname seems to be anything you like - it's just used as the name of the .exe to be downloaded.

The secure-center-antivirus.com IP, 91.212.132.12, is shared by over 20 other malicious domains, including;
antispyware-for-all.com
free-antivirus-engine.com
free-porn-xmovies.com
free-tube-video-central.net
free-xtube.com
free-xxx-central.com
hot-porn-tubes.com
my-porn-archive.com
porn-tube-host.com
porn-tubes-world.com
secure-center-antivirus.com
tubez-boobez.com
tubezzz-boobezzz.net
www.antispyware-for-all.com
www.free-porn-xmovies.com
www.free-tube-video-central.net
www.free-xtube.com
www.free-xxx-central.com
www.hot-porn-tubes.com
www.porn-tube-host.com
www.porn-tubes-world.com
www.secure-center-antivirus.com
www.tubez-boobez.com
www.tubezzz-boobezzz.net
www.xtube-xmovie.com
www.youporn-for-free.com
xmovies-downloads.com
xtube-xmovie.com
youporn-for-free.com
Ref:
http://hosts-file.net/pest.asp?show=91.212.132.
Net-block information for 91.212.132.*
inetnum: 91.212.132.0 - 91.212.132.255
netname: Interforum-NET
descr: Interforum LTD
country: RS
org: ORG-IL161-RIPE
admin-c: SS11684-RIPE
tech-c: SS11684-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: MNT-INTF
mnt-lower: RIPE-NCC-END-MNT
mnt-routes: MNT-INTF
mnt-domains: MNT-INTF
source: RIPE # Filtered
organisation: ORG-IL161-RIPE
org-name: Interforum LTD
org-type: OTHER
address: 152155, Yaroslavskaya dist., Rostov, Lenin st. 34, Russia
e-mail: interforum.co@gmail.com
mnt-ref: MNT-INTF
mnt-by: MNT-INTF
source: RIPE # Filtered
person: Sevrem Sofiev
address: SARAJEVSKA 37 11000 BELGRADE
phone: +381 11 313 2848
nic-hdl: SS11684-RIPE
mnt-by: MNT-INTF
source: RIPE # Filtered
:: Information related to '91.212.132.0/24AS49091'
route: 91.212.132.0/24
descr: INTF route
origin: AS49091
mnt-by: MNT-INTF
source: RIPE # Filtered
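The hint about the get.php downloader (promo1/2/3 all work, vname is arbitrary) and the list of domains parked on 91.212.132.12 are both easier to act on as proxy-log detection logic than as a list to eyeball. The following is an added example, not code from the post or from hpHosts: it matches log lines on three layers - the domains listed above (plus su7.us from the redirect step), the 91.212.132.0/24 netblock from the RIPE record, and the /promoN/get.php path pattern - so a new domain on the same block, or the same downloader on a different host, still gets flagged. The log format (timestamp, client IP, server IP, method, URL) and all the sample lines are constructed for the example; the aid/vname values in the first line are the ones quoted in the post.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Domains the post lists as sharing 91.212.132.12, plus su7.us from the
# redirect step (www. variants are handled by suffix matching below).
MALICIOUS_DOMAINS = {
    "antispyware-for-all.com", "free-antivirus-engine.com",
    "free-porn-xmovies.com", "free-tube-video-central.net", "free-xtube.com",
    "free-xxx-central.com", "hot-porn-tubes.com", "my-porn-archive.com",
    "porn-tube-host.com", "porn-tubes-world.com", "secure-center-antivirus.com",
    "tubez-boobez.com", "tubezzz-boobezzz.net", "xmovies-downloads.com",
    "xtube-xmovie.com", "youporn-for-free.com", "su7.us",
}

# Netblock from the RIPE record quoted in the post (Interforum-NET, AS49091).
MALICIOUS_NETS = [ipaddress.ip_network("91.212.132.0/24")]

# Downloader path from the post's hint: promo1/2/3 are all valid, so match any digit.
FAKE_AV_PATH = re.compile(r"^/promo\d+/get\.php$")

# Constructed sample proxy log (not real traffic): ts client server_ip method url
SAMPLE_LOG = """\
1242000001 10.0.0.5 91.212.132.12 GET http://secure-center-antivirus.com/promo1/get.php?aid=1240&vname=flash_player_setup
1242000002 10.0.0.5 88.214.200.145 GET http://su7.us/
1242000003 10.0.0.7 203.0.113.10 GET http://example.com/index.html
1242000004 10.0.0.9 91.212.132.77 GET http://some-new-name.example/landing
1242000005 10.0.0.9 203.0.113.20 GET http://www.hot-porn-tubes.com/
1242000006 10.0.0.11 203.0.113.44 GET http://cdn.example.net/promo2/get.php?aid=1&vname=update
"""


def domain_matches(host):
    """Return the listed domain that `host` is, or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in MALICIOUS_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def classify(line):
    """Return the list of indicators one log line trips (empty list = clean)."""
    _ts, _client, server_ip, _method, url = line.split(None, 4)
    parts = urlsplit(url)
    reasons = []

    # Layer 1: known-bad domain (catches www. and other subdomains too).
    d = domain_matches(parts.hostname or "")
    if d:
        reasons.append("domain:" + d)

    # Layer 2: destination IP inside the hostile netblock, regardless of name.
    ip = ipaddress.ip_address(server_ip)
    for net in MALICIOUS_NETS:
        if ip in net:
            reasons.append("netblock:" + str(net))

    # Layer 3: the fake-AV downloader path, wherever it is hosted; vname is
    # whatever filename the lure chose, so record it for the analyst.
    if FAKE_AV_PATH.match(parts.path):
        vname = parse_qs(parts.query).get("vname", [""])[0]
        reasons.append("fakeav-download:vname=" + vname)
    return reasons


def scan(log_text):
    """Map each flagged URL in the log to the indicators it tripped."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reasons = classify(line)
        if reasons:
            url = line.split(None, 4)[4]
            hits[url] = reasons
    return hits


if __name__ == "__main__":
    for url, reasons in scan(SAMPLE_LOG).items():
        print(url, "->", ", ".join(reasons))
```

The netblock layer is the one worth keeping even after the domains rotate: the fourth sample line hits nothing by name or path but still lands on 91.212.132.0/24, and the last line shows the downloader pattern flagged on a host that is on neither list.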
This block also appears to be directly related (see parent: 91.212.) to the group I blogged about, who are also involved in the Live.com poisoning (not really surprising), and who were blogged about by Danchev earlier this week;
http://ddanchev.blogspot.com/2009/05/gaztranzitstroyinfo-fake-russian-gas.html
What is more interesting is that one of the domains reported to me as being hacked, tkdtutor.com (IP: 216.97.233.15 - xerxes.lunarpages.com), also suggests a possible relation to the group(s) responsible for the exploitation of the sites hosted by Lunarpages (and yes, those previously reported are STILL carrying the malicious code - nice going there LunarPages!).
hxxp://tkdtutor.com/00Site/admin/restaurant-empire-trainers/masturebation-pics.html
Ref:
http://vurl.mysteryfcm.co.uk/?url=626046