[SecurityRatty] tag: codec

A Diverse Portfolio of Fake Security Software - Part Eight

Tue, 07 Oct 2008 03:21:00 +0000

In the spirit of "taking a bite out of cybercrime", here are the latest fake security software domains, typosquatted and already acquiring traffic through a dozen of malware campaigns redirecting to most of them :

antivirus-scanner-online.com (67.205.75.14)

archivepacker.com (78.157.142.111)
winpacker.com
xh-codec.net

securedownloadcenter.com (89.18.189.44)
winupdates-server.com
browserssecuritypage.com
megatradetds0.com

quickscanpc.com (78.159.118.144)
clickchecker6.com

gensoftdownload.com (91.203.93.25)

online-av-scan2008.com (66.232.105.232)
anothersoftportal09.com
bigfreesoftarchive.com
celebs-on-video-08.com
celebs-on-video-2008.com
cleansoftportal2009.com
hot-p0rntube.com
hot-porn-tube-2008.com
hot-porn-tube2008.com
hot-porn-tube2009.com
justdomain08.com
new-porntube-2008.com
online-av-scan2008.com

s0ftvvarep0rtal.com
s0ftvvareportal.com
s0ftvvareportal08.com
s0ftwarep0rtal08.com
softportalforfun.com
softportalforfun08.com
softportalforfun2008.com
softvvareportal.com
softvvareportal08.com
softvvareportal2008.com
trustedsoftportal06.com
trustedsoftportal2008.com

antivirus-online-08.com (89.187.48.155; 218.106.90.227)
anti-virus-xp.com
anti-virus-xp.net
anti-virusxp2008.net
antimalware09.com
antivirxp.net
av-xp08.net
av-xp2008.com
av-xp2008.net
avx08.net
axp2008.com
e-antiviruspro.com
eantivirus-payment.com
ekerberos.com
online-security-systems.com
xpprotector.com
youpornzztube.com

sp-preventer.com (92.241.163.32)
spypreventers.com

u-a-v-2008.com (92.241.163.31)
uav2008.com

power-avcc.com (92.62.101.57)
power-avc.com
pvrantivirus.com

m-s-a-v-c.com (92.62.101.55)
ms-avcc.com
ms-avc.com

wav2008.com (92.241.163.30)
wiav2009.com
win-av.com
windows-av.com
windowsav.com

You know the drill.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software

A Diverse Portfolio of Fake Security Software - Part Six

Wed, 24 Sep 2008 14:29:31 +0000

Thanks to misconfigured traffic management kits, not taking advantage of all the built-in features that could have made a research a little bit more time consuming, here are the latest fake security software domains popping up at the end of fake adult content sites :

anti-spyware8 .com
anti-spyware4 .com
anti-spyware11 .com
anti-spyware10 .com
antivirus-cs1 .com
antivirus-cs14 .com
antivirus-cs4 .com
antivirus-cs15 .com
antivirus-cs5 .com
antivirus-cs7 .com
antivirus-cs8 .com
antivirus-cs9 .com
trustedpaymenssite .com
altawebgl-500 .com
masterspitetds09 .com
protectionaudit .com
prt3ctionactiv3scan .com
prtectionactivescan .com
smartantivirusv2 .com
smartantivirus2009v2 .com
smartantivirus2009v2-buy .com
smartantivirus-2009v2buy .com
smart-antivirus2009v2buy .com
anti-virus-xp .com
anti-virus-xp .net
e-antiviruspro .com
ultimate-anti-virus .com
antimalwarewarrior2009 .com
spyware-buy .com
superantivirus2009 .com
total-secure2009 .com
pcprivacycleanerpro .com
bestguardownload .com
trustedantivirus .com
antivirus-buy1 .com
spyware-quickscan-2008 .com
securealertbar .com
secureclick1 .com
megantivirus2009 .com
micro-antivirus2008 .com
superantivirus2009 .com
advanced-anti-virus .com
antivirusmaster2009 .com
scanner-online1 .com
internet-scanner2009 .com
filescheck-list303 .com
virus-webscanner .com
virus9-webscanner .com
spamnuker .com
detect-file101 .com
googlescanners-360 .com
onlinescannersite9 .com
bestantivirusscan .com
hottystars .com
internet-defenses .com
globals-advers .com
quickupdates29 .com
myscanners101 .com
myfreescan500 .com
scanthnet .com
scanners-pro .com
megatradetds0 .com
xp-licensingpages .com
bestantivirusscan .com

power-avc .com
pvrantivirus .com
online-xp-antivirus-checker .com
antivir-online-scan .com
online-win-xpantivirus .com
tube-911 .com
favoredmovie .com
getqtysoftware .com
softwareportal2008 .com
megazcodec .com
soft-upgrade-network .com
download-base .com
fastsoftdownloads .com
software-downloadz .com
download-soft-basez .com
plupdate .com
0scan .com
virus-online-scan .com
0scanner .com
porno-tds .com
jirolu .com
virus-online-scanz .com
red-tubbe .info
win-xp-antivir-hqscanne .com
xp-protections .com
xp-registration .com
xp2008-protect .com
getdefender2009 .com
gettotalsec2008 .com
msantivirus-xp .com
xp-licensingpages .com
protectionpurchase .com
winxp-antivir-on-line-scan .com
antispychecker .com
errorofbrowser .com
fresh-video-news .com
newschannel2008 .com
internet--daily-news .com
secure.signupsecurity .com
xpacodec .com
xpbcodec .com
gmkvideo .com
hqsextube08 .com
antivirusworld9 .com
viacodecright1 .com
viacodecright2 .com
quickupdates29 .com
antivirusworld9 .com
scanthnet .com
city-codec .com
citycodec .net
codecdownload.anothersoftportal09 .com
viacodecright2 .com
sextubecodec023dfs41 .com
hot-sextubedriver2 .com
viacodecright2 .com

The Diverse Portfolio of Fake Security Software series are prone to continue taking a bite out of cybercrime, and the people who distribute them on a affiliation based revenue sharing model.

Related posts:
Fake Porn Sites Serving Malware - Part Three
Fake Porn Sites Serving Malware - Part Two
Fake Porn Sites Serving Malware
EstDomains and Intercage VS Cybercrime
Fake Security Software Domains Serving Exploits
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Localized Fake Security Software
Diverse Portfolio of Fake Security Software
Got Your XPShield Up and Running?
Fake PestPatrol Security Software
RBN's Fake Security Software
Lazy Summer Days at UkrTeleGroup Ltd
Geolocating Malicious ISPs
The Malicious ISPs You Rarely See in Any Report

Louisville ISSA Nmap presentation slides and media posted

Thu, 04 Sep 2008 17:07:08 +0000

I've posted the slides and related media for the Nmap presentation I'm giving Friday (Sept 5) for the Kentuckiana ISSA. You should be able to find the codec for the videos in the zip file. If you plan to come to the free class at Ivy Tech (Sellersburg Indiana) on the 20th please contact me.

Louisville ISSA Nmap presentation slides and media posted

Thu, 04 Sep 2008 17:07:08 +0000

Louisville ISSA Nmap presentation slides and media posted

Thu, 04 Sep 2008 17:07:08 +0000

A Diverse Portfolio of Fake Security Software - Part Five

Tue, 02 Sep 2008 01:04:58 +0000

The "campaign managers" behind these fake security software propositions are not just starting to take park them at up to three different locations, localize the sites to different languages and introduce client-side exploits, just in case the end user gets suspicious and doesn't install it, but also, the natural evasive practices. For instance, once some of their domains get detected and blocked, they put them in a stand by mode and relaunch them online in a week or so, or ensure that only those coming to the domains from where they are supposed to come - yet another blackhat SEO or SQL injection attack - are the only ones getting to see the download screen.

Some of the new additions parked at the same IPs offered by the "known suspects" include :

main-scanner .com - (77.244.220.138; 78.159.97.247; 89.149.209.251; 212.95.37.154)
scanner-mainpro .com
scanner-online1 .com
alldiskscheck300 .com
myscanners101 .com
download-a1 .com
scanner-online1 .com
multilang1 .com
ratemyblog1 .com
multisearch1 .com
filescheck-list303 .com
woodst-sale .com
scanner-mainpro .com
main-scanner .com
directrevisions .com

supersolution-freeantivirus .com - (213.155.2.69)
antivirus-bestsolution .net
antivirus4protection .net
antivirusproxp .com
freebest-antivirus .net
goodantivirus-free .net
noadwareantivirus .com
pwrantivirus2009 .com
solution-freeantivirus .com
supersolution-antivirus .com
supersolution-freeantivirus .com
antivirusdwl .com
securesoftdl .com
viva-codec .com
win-antivirus-protect .com
avxp-2008 .net
antivirusq .net
antivirus2008b .net
antivirus2008m .net
antivirus2008n .net
antivirus2008v .net
antivirus777 .com
antivirusq .net
antivirusr .net
antivirust .net
antivirusw .net
antivirusu .net
expressantivirus2009 .com
spywarezscan .net
antispywareq .net
free-anti-spywaree .net
avcheckyourpc .net

software-for-me08 .com - (78.157.143.250)
software-for-me-08 .com
softwarefor-me2008 .com
softwarefor-me-2008 .com
software-forme08 .com

doctor2antivirus .com - (217.112.94.226; 87.248.163.56)
doctor5antivirus .com
doctor6antivirus .com
doctor7antivirus .com
doctor8antivirus .com
doctorantivirus2008a .com
doctor-antivirus .com
bcodecnow .net

mysoftwarefreezone .com - (91.203.92.97)
hotvid44 .com
totsec2009 .com
getdefender2009 .com
totalsecure2009 .com
myveryprivatevid .com
mustseethatvid .com
onlythebestvid .com
ie-antivirus-order .com
ie-anti-virus .com
secure-order-box .com

secureexpertcleaner .com - (89.149.227.50)
bestxpclean2008 .com
virusremover2008 .com
registrydoctor2008 .com
securefileshredder .com
hypersecurefileshredder .com
bestsecureexpertcleaner .com

getdefender2009 .com - (58.65.238.34)
malwarebell .com
free-viruscan .com
tmptmpservvv .com
cometoseemyshow .com

getneededsoftware .com - (91.203.93.25)
gettotalsec2008 .com
thedownloadvid .com
scan.pc-antispyware-scanner .com
totalsecure2009 .com

wista-antivirus2009 .com - (216.255.179.203)
usawindowsupdates .com - (85.17.143.213)
mswindowsupdates .com

The campaigns and the hosting providers are continuously monitored, especially taking into consideration the fact that the domains are already appearing in Alexa's web rankings with sudden peaks of traffic.

Related posts:
Fake Security Software Domains Serving Exploits
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Localized Fake Security Software
Diverse Portfolio of Fake Security Software
Got Your XPShield Up and Running?
Fake PestPatrol Security Software
RBN's Fake Security Software
Lazy Summer Days at UkrTeleGroup Ltd
Geolocating Malicious ISPs
The Malicious ISPs You Rarely See in Any Report

Holy Media Codecs, Batman!

Wed, 27 Aug 2008 06:10:53 +0000

Batman is still in full swing at the box office - I'm sure me seeing it seven times probably didn't hurt - so with that in mind (and thoughts of the Zango / Dark Knight issue still rattling around my brain) I thought it would be fun to see exactly how quickly it can all go wrong when looking for Dark Knight material online.

The answer is: extremely quickly.

There's a lot of sites out there claiming to carry "full versions" of The Dark Knight, and although they don't offer Zango, they do offer fake media codecs (which usually do all sorts of horrible things to a computer). Let's pull one of these sites apart as an example of how the scam fits together.

Here's a typical site pushing what they claim to be The Dark Knight:

Click to Enlarge

Dijgg(dot)com, an obvious Digg.com knockoff apparently hosting a large streaming window - the movie quality will be awesome, won't it? Well, actually, no it won't.

In the middle of the video window is a popup:

Install the "codec", and this won't end well. The EXE comes from a site called Favoritetube(dot)com:

A quick check for the safety ratings of that website should be enough to tell you this is a scam. Indeed, there isn't even a movie being streamed here (despite it saying "Connecting" at the bottom of the movie player) - because if you right click on the player itself:

You can see the "player" is actually just a static image (because I'm given the option to "Copy Image Location"). The image is hosted at Favoritetube, just like the "codecs":

Click to Enlarge

There are quite a lot of these sites floating around out there at present:

Click to Enlarge

At this point, it's a given that I'm going to show you what happens if you install one of the files typically pushed from the above sites, right? Well, wait no longer - this....

...will deposit a rogue antispyware tool on your desktop (one of more more obnoxious ones that refuses to leave you alone):

Click to Enlarge

Strange and annoying icons will start to creep across your desktop:

....and you'll have more fake system alerts than you can shake a very large stick at:

This concludes my public safety announcement. I'm off to see Dark Knight again...

Fake Porn Sites Serving Malware - Part Three

Tue, 26 Aug 2008 05:02:26 +0000

Continue the Fake Porn Sites Serving Malware and Fake Porn Sites Serving Malware - Part Two series, in part three we'll take a peek at the emerging trend of parking a single domain at up to three different hosting locations, re-establishing connections between malicious ISPs for yet another time in between exposing the domains and the download locations sharing the same IPs.

downlfreesexgirlbeach .com first redirects to infodist1 .com/in.cgi?2 then to watchnenjoy.com/index.php?id=1314&style=black, and finally to the front end to the codec's download location handmadeclips .com, where the codec is downloaded from fwlprocedure .com. Behind these domains, we can easily expose many other fake porn sites and pharmaceutical scams, next to a small portfolio of domains specifically used for hosting the binaries. Due to the obvious rotation I've encountered several times so far, a fake porn site today, is tomorrow's blackhat SEO content farm :

downlfreesexgirlbeach .com - (88.214.198.25)
vids365 .com
downlfreesexgirlbeach .com
top.only-bi .com
wikiei .com
paysuperporn .com
aboutsexporn .com
freactor .com
cheapofficialpills .com
finance-leaders.comnudenakedboys .com
photosgayboys .com
uniqueincest.com
shyincest .com
banrnd.central-xxx .com
tvisklick .info
thebg .net
termion .net
xoxvids .net
bestpricepills .net
bcodecnow .net

infodist1 .com - (88.214.204.40)
farmasearch2008 .com
flaxxvid .com
xanax777pills .com
18virgingirls .com
girlnudegallaryvideox .com
allxxxpornogerlsx .com
jproshin .info
familytaboo .info
fullsitehost .info
20searchonlinesite .net
add-your-video .net
blogs4y .net

adult-shemale .com - (88.214.198.25)
adult-tranny .com
all-shemale .com
bcodecnow .net
best-tranny .com
bestguyportal .com
bestmoviez .com
central-xxx .com
downlfreesexgirlbeach .com
gallery-boy .com
hiosexywomensxxxgirlsx .com
lady-dick .com
bcodecnow .net
mytoppharmacy .com
nakednudeboys .com
nakednudemen .com
nudenakedboys .com
only-bi .com
only-shemale .com
page-reviews .com
paulaslosingit .com
photosgayboys .com
stud-boys .com
the0download .com
wikiei .com
moviez .com
hiosexywomensxxxgirlsx .com
sexygirlsisuniformh0t .com
the0download .com

flwprocedure .com - (77.91.231.201)
movupdate .com
flwupdate .com
formatmpeg .com
movieexternal .com
flwtool .com
aviexecution .com
releasedvideo .com
wmvcompressor .com
movieopens .com
mpegapparatus .com
flwassistant .com
flwinstrument .com
piterserv .com
wovview .com

Some info on a sample codec :
Scanners Result: 11/36 (30.56%)
Trojan-Downloader.Win32.Zlob.cos
Trojan.Popuper.7315
File size: 10240 bytes
MD5...: 467e4e78974dc8b2ee5d7da024daf31a
SHA1..: 311e0c710bb15761ef3dace54b55489830cf5803

Phones back to 69.50.164.50/this/is/stereo/music.php?param=0;1314;1550; 69.50.164.50/this/is/stereo/jazz.php?param=49325611;2:191:5|7:271:0|6:130:0|9:0:5|34:65536:0 and to 85.255.119.244/this/is/stereo/music.php?param=0;4135;1548.

When Emil Kaperski's owned InterCage, Inc. (69.50.164.50) meets UkrTeleGroup Ltd. (85.255.119.244) previously known as Andrei Kislizin's owned InHoster, you know you're on the right track.

Facebook Worm Still Going Strong

Mon, 25 Aug 2008 05:57:04 +0000

A colleague of mine had a private message sent to them on Facebook yesterday from the account of a friend. The message is related (of course) to the recent Facebook worm:

Click the link, and you'll see something like this:

Click to Enlarge

Yes, it's Ye Olde Fake Codec installer, hosted on what appears to be a hacked website. As always, pay close attention to what you're being sent from your friends. If it doesn't seem like something they'd send you, that's probably because they didn't...

The Template-ization of Malware Serving Sites

Thu, 10 Jul 2008 12:59:13 +0000

Just like web malware exploitation kits and phishing pages turned into a commodity underground good, allowing easy localization to different languages, and of course, the natural lowering of entry barriers into web malware and phishing in general, the very same thing is happening with fake ActiveX templates like the ones used on the majority of fake porn and celebrity sites I've been assessing recently.

The increase of these bogus ActiveX templates is due to the fact that despite they are currently available for sale, buyers appear to be leaking them for everyone to use so that they can continue maintaining their current business models, namely, the services they offer with the ActiveX templates. Unethical competitive practices among cybercriminals and scammers are only to starting to take place with one another trying to ruin or extend the lifecycle of their services.

Talking about prevalence, the TonsOfPorn ActiveX remains the most widely used rogue ActiveX in the majority of fake codec campaigns for the last couple of months. The ActiveX is largely abused by using another fake porn site template for PornTube, which in combination result in nothing more than huge domain portfolios with no content at all if we exclude the Zlob variants.

And while template-tization means more efficient malware campaigns, it also results in a common pattern for generic detection of such sites. For instance, the folks at Finjan did an experiment by verifying the signature based detection of the common javascript file that was used in the ongoing waves of SQL injection attacks. Their conclusion :

"Can it be that Anti-virus products are now holding more signatures for domains and URLs rather than trying to identify a malicious code they never inspected before? As my research found, just by changing the domain names, some AVs did not find this code as malicious...... surprisingly enough."

When assessing malware campaigns in general, I usually do the same for the record. Storm Worm's use of ind.php for executing its set of exploits has the same detection rate - scanners result: 10/33 (30.30%) and is detected as JS.Zhelatin.zb.

Getting back to the TonsOfPorn ActiveX, it's structure is more static than a Red Army statue in Estonia, making it easy to proactively protect against, no matter the domain, no matter the exploits served. It's detection rate is close to the javascript from the SQL injection attacks - Scanners Result: 9/33 (27.28%) and is detected as Trojan.HTML.Zlob.L.

From my personal experience, blocking an IP address where a couple of hundred malicious domains remain parked, is just as useful as blocking a single domain acting as the main redirector behind a huge domains portfolio of malicious domains. However, the most beneficial approach on a large scale remains the practice of taking care of the most obvious patterns that still remain faily easy to detect, at least for the time being, due to the efficiency the people behind them aim to achieve, making them easily susceptible to generic detection approaches.