Archive for March, 2009

23 Mar

Fake Reuters news story featuring Waledac malware

The fake video player tactic continues with fake news websites popping up from the underworld ready to *play* on your Windows computer. The story does not end well for the computer owner, as their system will be totally compromised and ready for the criminals to do what they want. The malware on these websites is a Waledac trojan.

hxxp://ynh.bestbreakingfree.com/main.php
leads to –> hxxp://ynh.bestbreakingfree.com/contact.exe

contact.exe
VirusTotal.com scan (8/39) detected as Waledac trojan:
http://www.virustotal.com/analisis/69c00e90f104010ecaea376ffa124a7a

WARNING: Malicious code on sites identified below, visit at your own risk!
Domains & IPs:

–mwdisector

11 Mar

Google serving up NASCAR news story leading to evil links

WARNING: Some domains and websites listed are full of EVIL!

I’m not a NASCAR fan but a buddy of mine is. So when he told me about a virus scan starting on his PC after visiting a NASCAR link I became interested. After looking into this deeper I discovered rogue security software being served up drive-by fashion when you clicked on a link served up by Google.

It’s found when you enter “NASCAR Atlanta Jimmy Watts” into Google. I guess this NASCAR driver had some crew issues resulting in some suspensions – obviously a popular enough news story for the criminals to use it to push their fake warez.

The evil links served up are:
hxxp://5.hotnews.xorg.pl/19.php
hxxp://3.cnnnews.xorg.pl/91.php

Clicking on one of these (DON’T ADVISE IT) will redirect to another website which will then present you with a prompt saying your machine contains signs of viruses and malware and then wants you to run a scan, using their fake scan of course. At the end of the scan it will show you all the malware it found on your machine, incidentally none of which is actually on your computer, and then installs some evil software on your system.


Let’s follow the bouncing rogue software links…

Google search URI:
http://www.google.com/search?hl=en&q=NASCAR+Atlanta+Jimmy+Watts&btnG=Search

Serves up the following bad links (visiting with IE):
hxxp://5.hotnews.xorg.pl/19.php

hxxp://3.cnnnews.xorg.pl/91.php

These links redirect users to fake security software using drive-by install tactics:

hxxp://xp-police-09.com/lands/promo3


Digging a little deeper into the “xorg.pl” domain we find more evilness (with plenty of redirects):
hxxp://clubs.epxbbx.xorg.pl/map.html
–> hxxp://advertisechoice.cn/soft.php?aid=025304&d=1&refer=729adbe66

—–> hxxp://bestantimalwarescanner.com/promo/1/freescan.php?nu=77025304&back=%3DTQx4jj3NQMMMI%3DM


Domains/IPs:
xp-police-09.com (206.125.44.28)
3.hotnews.xorg.pl (213.155.2.37)
5.hotnews.xorg.pl (213.155.2.37)
clubs.epxbbx.xorg.pl (89.149.207.139)
advertisechoice.cn (83.133.126.201)
bestantimalwarescanner.com (194.165.4.7, 209.160.20.117)
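As an added example (not code from the original post), the script below reconstructs referer chains from proxy-log lines and flags the ones that land on the rogue security-software hosts named above, which is how a defender would spot the search result –> xorg.pl –> xp-police-09.com hop sequence in their own logs. The log format, the client addresses and the sample lines are constructed assumptions.

```python
"""Flag proxy-log redirect chains that end on rogue security-software hosts.
Added example; the log format and sample lines are constructed, not real."""
from urllib.parse import urlsplit

# Landing hosts named in the post for the fake-scan / drive-by pages.
ROGUE_AV_HOSTS = {"xp-police-09.com", "bestantimalwarescanner.com"}

# Constructed sample log: "<client> <referer or -> <requested_url>", in time order.
SAMPLE_LOG = """\
10.0.0.5 - http://www.google.com/search?hl=en&q=NASCAR+Atlanta+Jimmy+Watts
10.0.0.5 http://www.google.com/search?hl=en&q=NASCAR+Atlanta+Jimmy+Watts http://5.hotnews.xorg.pl/19.php
10.0.0.5 http://5.hotnews.xorg.pl/19.php http://xp-police-09.com/lands/promo3
10.0.0.9 - http://www.google.com/search?q=nascar
10.0.0.9 http://www.google.com/search?q=nascar http://www.nascar.com/
"""


def host(url):
    """Hostname part of a URL, lower-cased by urlsplit; '' if absent."""
    return urlsplit(url).hostname or ""


def parse(log):
    """Yield (client, referer_or_None, url) for each log line."""
    for line in log.splitlines():
        client, referer, url = line.split()
        yield client, (None if referer == "-" else referer), url


def find_rogue_chains(log):
    """Link each request to the earlier request whose URL is its referer,
    per client, and return (client, chain) for chains that end on a rogue host."""
    chains = {}  # (client, url) -> list of URLs that led to url
    hits = []
    for client, referer, url in parse(log):
        # Extend the chain that ended at the referer; otherwise start fresh.
        prev = chains.get((client, referer), [referer] if referer else [])
        chain = prev + [url]
        chains[(client, url)] = chain
        if host(url) in ROGUE_AV_HOSTS:
            hits.append((client, chain))
    return hits


if __name__ == "__main__":
    for client, chain in find_rogue_chains(SAMPLE_LOG):
        print(client, " -> ".join(host(u) for u in chain))
```

Matching on the first hop being a search engine is what distinguishes this poisoned-search pattern from a user typing the rogue site's address directly.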