Archive for the 'Malicious Domains' Category

21
May

Twitter Trending Topic Attack

Almost a full year has passed since we discovered the first trending topic attack on Twitter.  This time the attack came back in the same fashion, but it was much less aggressive than the prior attack thanks to the swiftly acting Twitter security team.

In this latest attack, the tweet messages were coupled with the trending topic items such as Justin Bieber, Oil Spill, and Official Twitter App.   The tweets all contained the text “haha this is the funniest video ive EVER SEEN!” followed by a link to the malware campaign.

In the following image, you can see the results of a search taken shortly after the attack started.  As you can see, the accounts were communicating via the Twitter API, so it’s safe to assume that the cyber criminals behind the attack used some sort of script to make it all happen.

Twitter_results

Clicking any of the URLs starts the redirection process to a website where a malicious file is downloaded using the technique known as “drive by download”, which runs this file automatically in the affected computer, without user’s awareness.

The malware site used for the attack is hxxp://pc-tv.tv/stickam/index2.html

In the following image you can see how it seems that a java complement is being loaded, which is necessary to view the video:

Twitter_java_site

However, if we look at the code of this website, you can see how it’s actually calling an EXE file, which belongs to the malware. It has been detected as W32/Lolbot.B.worm.

The code is the following:

Twitter_code

13
Jul

New rogue domain: personalonlinescanv3.com

Whois entry for personalonlinescanv3.com 83.133.126.155
Name: Yuvaraj K Jothi
Address: 88, Periyar EVR High Road
City: Chennai
Province/state: Chennai
Country: IN
Postal Code: 600007

Setup-fdbd6_02012.exe
Result: 2/41 (4.88%)
MD5: eb0111f5fd11420d70988bc21dcda65a
VirusTotal
ThreatExpert Analysis
hxxp://personalonlinescanv3.com/download/

13
Jul

New malware domain: hotexefiles.com

hxxp://besttubetech.com/xplays.php?id=40014&name=sahel+kazemi+dui+video&hostingtype=vox&theme=trends&category=hottrends&from=videoplayer

Whois entry for hotexefiles.com 64.20.38.172
Susan Field (susfie16@gmail.com)
1059 Rubaiyat Road
Grand Rapids
Michigan,49503
US
Tel. +001.56578987654

onlinemovies.40014.exe
Result: 8/41 (19.52%)
MD5: 2e02ea10960799a78792e39f5498adb6
VirusTotal
ThreatExpert Analysis
hxxp://hotexefiles.com/

onlinemovies.40069.exe
Result: 2/40 (5%)
MD5: 35b979934376577e4429db4317e5184f
VirusTotal
ThreatExpert Analysis
hxxp://hotexefiles.com/

SIDE NOTE: There may be a misconception as to the purpose of these posts. It is not posting a NEW malware variant or NEW malware altogether. These posts are simply to show the new domain it has switched to. I include the the binary downloaded as additional information because we add it to our database. Because the person(s) involved will not respond to my emails, I posted here.

Let’s not make assumptions people.

10
Jul

New malware domain: exe-cosmos.com

hxxp://tubessite.com/xplays.php?id=40069

Whois entry for exe-cosmos.com 64.20.38.172
Jennifer Ket (jennifket@gmail.com)
1120 Broadway Avenue
Johnson City
Tennessee,37601
US
Tel. +001.43459898760

onlinemovies.40014.exe
Result: 3/41 (7.32%)
MD5: 64a411cce0da8680576a5314eb6ce8e0
VirusTotal
ThreatExpert Analysis
hxxp://exe-cosmos.com/

onlinemovies.40069.exe
Result: 3/41 (7.32%)
MD5: a8148ab3190ae2d5b2765b10ded7228b
VirusTotal
ThreatExpert Analysis
hxxp://exe-cosmos.com/

09
Jul

New malware domain: red-exe.com

hxxp://go-go-tube.com/xplays.php?id=40069

Whois entry for red-exe.com 64.20.38.172
Tasha Chambers (tashcham@gmail.com)
2520 North Street
Kearns
Utah,84118
US
Tel. +001.98985647689

onlinemovies.40069.exe
Result: 0/40 (0%)
MD5: 39c1a48433c6de8c08d75926cb468d20
VirusTotal
ThreatExpert Analysis
hxxp://red-exe.com/

onlinemovies.40014.exe
Result: 0/40 (0%)
MD5: a24bcd49eb5d266d11fb2883a203ef76
VirusTotal
ThreatExpert Analysis
hxxp://red-exe.com/

09
Jul

Rogue domain: securedvirusscan.com

Whois entry for securedvirusscan.com 69.4.230.205
Privat person
Aleksandr Rozanov adsff@freebbmail.com
+74952783441 fax: +74952783441
ul. Peshkova 29-52
Moskva Moskovskay oblast 126106
ru

Setup-4e45_02022.exe
Result: 0/40 (0%)
MD5: abc17998e1b33fe99f60497010028523
VirusTotal
ThreatExpert Analysis
hxxp://securedvirusscan.com/download/

08
Jul

Multiple domains targeting pornographic videos distributing malware codec

Found these sites today while browsing on Google Video.  This redirection is triggered from having a video.google.com referrer and pushes the user through a few domains to redirect and download content.  It may be triggered by other video sites as well.  This is offering an HD codec for flash player and features a cute installation process when you visit the site.

hxxp://best.viralprn.net
Redirects to
hxxp://only.hdpornr.net
Loads files from
hxxp://tvcodec.net

Whois entry for viralprn.net 88.80.19.191

Whois entry for hdpornr.net 195.95.151.178

Whois entry for tvcodec.net 91.194.10.60
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note – All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Whois entry for hdenabled.com 213.163.66.241

Flash.Player.HD.v10.0.exe
Result: 12/41 (29.27%)
MD5: 947828203c38f7cc2e98277076b747a0
VirusTotal
ThreatExpert Analysis
hxxp://hdenabled.com/download/5a6a576343673d3d050cf77920090701/

08
Jul

New malware domain: exe-site.com

hxxp://go-go-tube.com/xplays.php?id=40069

Whois entry for exe-site.com exe-site.com
Queenie Ziegler (queeziegl@gmail.com)
4806 Green Avenue
Fremont
California,94536
US
Tel. +001.34980976583

streamviewer.40069.exe
Result: 0/40 (0%)
MD5: 7f14d9626761ac467f85b542028259e3
VirusTotal
ThreatExpert Analysis
hxxp://exe-site.com/




SANDBOX

SANDBOX ANALYSIS PAGE




 

September 2010
M T W T F S S
« Aug    
 12345
6789101112
13141516171819
20212223242526
27282930