Monday, January 11, 2010

Malicious Site Reports: Dangerous .RU Domains

The following .ru domains were all privately registered on one of two dates (2009.10.28 or 2009.11.22), were all last updated on the same date (2010.01.11), and all have been reported by Websense Security Labs, Malware Domain List, or others as being malicious.  Following are links to each domain's Web of Trust report:


Links to these sites usually contain deceptive subdomains and directories in an attempt to trick novice Web users and to increase search result rankings (see example URLs by clicking on the Malware Domain List link below).
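
The pivot used above (privacy-protected registrations sharing a creation date and a last-update date) can be automated. The following is an added example, not code from the original post; the WHOIS-style records are constructed with placeholder names, and the three fingerprint fields are an assumption about what a real WHOIS lookup would supply:

```python
from collections import defaultdict

# Constructed WHOIS-style records (placeholder names, not real lookups).  Each carries
# the three attributes the report pivots on: privacy-protected registrant, creation
# date and last-update date (ISO strings).
RECORDS = [
    {"domain": "webnetloans.example",   "private": True,  "created": "2009-10-28", "updated": "2010-01-11"},
    {"domain": "themobisite.example",   "private": True,  "created": "2009-11-22", "updated": "2010-01-11"},
    {"domain": "greatwebradio.example", "private": True,  "created": "2009-10-28", "updated": "2010-01-11"},
    {"domain": "worldsouth.example",    "private": True,  "created": "2009-11-22", "updated": "2010-01-11"},
    {"domain": "bakery.example",        "private": False, "created": "2004-03-02", "updated": "2010-01-11"},
    {"domain": "lonewolf.example",      "private": True,  "created": "2009-11-22", "updated": "2009-12-01"},
]

def fingerprint(record):
    """The registration attributes that the malicious batch above had in common."""
    return (record["private"], record["created"], record["updated"])

def cluster_by_registration(records, min_size=2):
    """Group domains that share a registration fingerprint; singletons are dropped."""
    groups = defaultdict(list)
    for r in records:
        groups[fingerprint(r)].append(r["domain"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}

def bulk_updated_private(clusters, updated):
    """Clusters of privately registered domains that were all touched on one update date."""
    return {k: v for k, v in clusters.items() if k[0] and k[2] == updated}

def expand_watchlist(records, seeds, min_size=2):
    """Starting from known-bad seed domains, return the other domains that share a
    seed's fingerprint: candidates to check against WOT, MDL or other reputation lists."""
    clusters = cluster_by_registration(records, min_size)
    hit_keys = [k for k, v in clusters.items() if set(v) & set(seeds)]
    return sorted({d for k in hit_keys for d in clusters[k]} - set(seeds))
```

A domain surfaced by expand_watchlist is only a candidate; the shared fingerprint is the reason to look it up, not a verdict.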

Sources:
http://twitter.com/websenselabs/status/7449997556
http://www.malwaredomainlist.com/mdl.php?search=dibs%40freemailbox.ru&colsearch=All&quantity=All
http://www.siteadvisor.com/sites/burkewebservices.ru/postid/?p=3454286#post3454286

See also these various other reports for the domains listed above:

http://safeweb.norton.com/report/show?name=bestbob.ru ("red" rating for viruses)
http://safeweb.norton.com/report/show?name=carswebnet.ru ("red" rating for viruses)
http://safeweb.norton.com/report/show?name=guidebat.ru ("red" rating for viruses)
http://safeweb.norton.com/report/show?name=superore.ru ("red" rating for viruses)
http://safeweb.norton.com/report/show?name=theatticsale.ru ("red" rating for viruses)
http://hosts-file.net/?s=theatticsale.ru ("EXP" category: "sites engaged in or alleged to be engaged in the exploitation of browser and OS vulnerabilities as well as the exploitation of gray-matter")
http://safeweb.norton.com/report/show?name=themobilewindow.ru ("red" rating for viruses)
http://safeweb.norton.com/report/show?name=themobisite.ru ("red" rating for viruses)
http://www.siteadvisor.com/sites/weblessnet.ru ("red" rating: "McAfee TrustedSource web reputation analysis found potential security risks with this site. Use with extreme caution.")
http://safeweb.norton.com/report/show?name=webnetenglish.ru ("red" rating for viruses)
http://www.siteadvisor.com/sites/webnetloans.ru ("red" rating: "McAfee TrustedSource web reputation analysis found potential security risks with this site. Use with extreme caution.")
http://safeweb.norton.com/report/show?name=worldwebworld.ru ("red" rating for viruses)


For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.

Wednesday, January 6, 2010

Malware and Malicious Site Reports: evamendesochka, showmelovetube, mp3dir, etc.

On New Year's Day I found an old blog post from last June written by Gary Warner, director of research in computer forensics at the University of Alabama, Birmingham (who referenced my "How to Preview Shortened URLs" article—thanks, Gary!).  I was curious to see whether one of the malware URLs mentioned in his blog post was still active more than 6 months later, and sure enough, it was.  Here's what I found out:

showmealltube .com/paqi-video/7.html
used obscured JavaScript code [see the Wepawet analysis] to redirect to
evamendesochka .com/go.php?sid=9
which redirected to
jumbotubes .com/xplaymovie.php?id=40012

(It doesn't redirect to jumbotubes anymore, but I'll get back to that.)  The jumbotubes page pretended to contain an embedded video which in reality linked to a malicious payload:

megaloadfile .com/flash-HQ-plugin.40012.exe

I submitted the file to VirusTotal and found that only 4 out of 39 engines detected it.  I sent the sample to multiple AV vendors, and detection improved gradually over the next several days:

File name: flash-HQ-plugin.40012.exe
File size: 111104 bytes
MD5...: 84e8fcd09215fe4555b5532f22f1f96e
SHA1..: 5084a5ecdfd16220809c59ef5a6ca8e692237841
SHA256: 89d2f41d182fad11d71e4312b589c8b8a4ebdaf3384ae01ca9827091e4f55097

4/39 detection rate as of 2010.01.01 20:50:54 (UTC)

16/40 detection rate as of 2010.01.03 10:10:30 (UTC)

21/40 detection rate as of 2010.01.04 07:48:32 (UTC)

33/41 detection rate as of 2010.01.06 08:03:47 (UTC)

Variously identified as: Artemis!84E8FCD09215, Downloader-BWS, Downloader.Generic9.AEFL, Mal/Krap-H, Medium Risk Malware, Trj/CI.A, Trojan-Downloader.Win32.FraudLoad, Trojan-Downloader.Win32.FraudLoad!IK, Trojan-Downloader.Win32.FraudLoad.ghh, Trojan-Downloader/W32.FraudLoad.111104.F, Trojan.DL.FraudLoad.VFX, Trojan.Dldr.FraudLoad.ghh, Trojan.DownLoad1.5059, Trojan.FakeAV, Trojan.FakeAV!gen11, Trojan.Generic.2928325, Trojan.Win32.FakeAV!IK, Trojan.Win32.Generic!BT, Trojan/Downloader.FraudLoad.ghh, Trojan/Win32.FraudLoad.gen, TrojanDownloader:Win32/Renos.JM, TrojWare.Win32.Trojan.Agent.Gen, W32/FakeAlert.EK.gen!Eldorado, W32/FraudLoad.GHH!tr.dldr, Win-Trojan/Downloader.111104.M, Win32:FakeAV-AES, Win32:Trojan-gen, Win32.Packed.Krap.ag.5, Win32.TrojanDownload, Win32/TrojanDownloader.FakeAlert.ADA, Win32/Warduncrypt!packed, etc.

See the Web of Trust reports for the domains mentioned above:

http://www.mywot.com/en/scorecard/showmealltube.com
http://www.mywot.com/en/scorecard/evamendesochka.com
http://www.mywot.com/en/scorecard/jumbotubes.com
http://www.mywot.com/en/scorecard/megaloadfile.com

This malware phones home to multiple domains according to the Panda Autovin, ThreatExpert, and Anubis behavioral analyses.  See the WOT reports for these phone-home domains, sorted roughly in order of least to most well known at the time of this post:


There are dozens of other malware distribution sites similar to jumbotubes; a Google search reveals many such domains (note that SafeSearch is disabled in this query, and the results will likely lead to malware):

google.com/search?hl=en&safe=off&q=inurl%3A%22xplaymovie.php%22

In researching some of the phone-home domains on ThreatExpert using searches like this one, I found a number of related domains as well (again listed roughly in order of least to most widely known):


While preparing to write this blog post, I retraced my steps and found that the evamendesochka site now redirects to a different site:

showmelovetube .cn/tube.htm (WARNING: site contains explicit images in addition to malware)

Once again, the site attempts to trick the user into clicking on what appears to be a video, which is actually just a link to a malicious file:

mp3dir .cn/1/install_plugin.exe
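
Both chains above end the same way: a page posing as a video hot-links an executable named like a player plugin from a different host. As an added example (not code from the original post), here is detection logic that flags that pattern in proxy logs and rebuilds the referer chain leading to it. The log format, the placeholder hosts and the lure-filename regex are all assumptions; only the URL paths come from the chains described above:

```python
import re
from urllib.parse import urlparse

# Constructed proxy log (not a real capture); hosts are placeholders, paths are the
# ones seen in the chains above.  Fields: time client method url referer content-type
SAMPLE_LOG = """\
2010-01-01T20:40:01Z 10.0.0.7 GET http://tube-lure.example/paqi-video/7.html - text/html
2010-01-01T20:40:02Z 10.0.0.7 GET http://redirector.example/go.php?sid=9 http://tube-lure.example/paqi-video/7.html text/html
2010-01-01T20:40:03Z 10.0.0.7 GET http://fakevideo.example/xplaymovie.php?id=40012 http://redirector.example/go.php?sid=9 text/html
2010-01-01T20:40:09Z 10.0.0.7 GET http://payload.example/flash-HQ-plugin.40012.exe http://fakevideo.example/xplaymovie.php?id=40012 application/octet-stream
2010-01-06T06:30:11Z 10.0.0.9 GET http://lovetube.example/tube.htm - text/html
2010-01-06T06:30:15Z 10.0.0.9 GET http://mp3-host.example/1/install_plugin.exe http://lovetube.example/tube.htm application/octet-stream
2010-01-06T07:00:00Z 10.0.0.8 GET http://vendor.example/downloads/setup.exe http://vendor.example/downloads/ application/octet-stream
"""

# Filenames used by fake "video plugin" / "HQ codec" lures.  Assumed pattern, derived
# from the two samples above (flash-HQ-plugin.<id>.exe and install_plugin.exe).
LURE_EXE = re.compile(r"/(?:flash[\w-]*plugin[\w.-]*|install_plugin|[\w-]*codec[\w-]*)\.exe$", re.I)

def parse_line(line):
    time, client, method, url, referer, ctype = line.split(" ", 5)
    return {"time": time, "client": client, "method": method, "url": url,
            "referer": None if referer == "-" else referer, "ctype": ctype}

def referer_chain(req, earlier):
    """Walk back through this client's earlier requests via Referer to rebuild the lure chain."""
    chain, ref = [req["url"]], req["referer"]
    while ref:
        prev = next((r for r in reversed(earlier)
                     if r["client"] == req["client"] and r["url"] == ref), None)
        chain.append(ref)
        ref = prev["referer"] if prev else None
    return list(reversed(chain))

def find_lure_downloads(log_text):
    """Flag .exe downloads named like a video plugin and hot-linked from a different host."""
    hits, seen = [], []
    for line in log_text.splitlines():
        req = parse_line(line)
        parsed = urlparse(req["url"])
        ref_host = urlparse(req["referer"]).netloc if req["referer"] else None
        if LURE_EXE.search(parsed.path) and ref_host and ref_host != parsed.netloc:
            hits.append({"client": req["client"], "url": req["url"],
                         "chain": referer_chain(req, seen)})
        seen.append(req)
    return hits
```

The vendor.example download is not flagged: its name does not look like a plugin lure and it is served from the same host as its referer.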

See the Web of Trust reports for these additional domains, neither of which seems to be well-known yet:

http://www.mywot.com/en/scorecard/showmelovetube.cn
http://www.mywot.com/en/scorecard/mp3dir.cn

The initial detection rate for this second piece of malware is only 3 out of 41 anti-virus engines, with detection coming soon from Fortinet and McAfee:

File name: install_plugin.exe
File size: 38400 bytes
MD5...: d9644ba632c0d774dcff57323eeb968d
SHA1..: bce22a0c67da01441478cd327affbf632a9908c4
SHA256: 46a9620c06c4d143a77c36f658d9f2e272960dd4db47ab2fb8f6208822e2d566

3/41 detection rate as of 2010.01.06 06:41:05 (UTC)

Variously identified as: Generic.TRA!d9644ba632c0, Medium Risk Malware Dropper, Trojan-Dropper.Win32.Agent.bkie, W32/Agent.BKI!tr, W32/Malware

This malware disables Data Execution Prevention (DEP) for Internet Explorer and injects a new DLL into the system, among other things, as shown in these Anubis, ThreatExpert, and Panda Autovin reports.

Stay safe out there!
