which redirected to
(It doesn't redirect to jumbotubes anymore, but I'll get back to that.) The jumbotubes page pretended to contain an embedded video which in reality linked to a malicious payload:
See the Web of Trust reports for the domains mentioned above:
I submitted the file to VirusTotal and found that only 4 out of 39 engines detected it. I sent the sample to multiple AV vendors, and detection improved gradually over the next several days:
File name: flash-HQ-plugin.40012.exe
File size: 111104 bytes
4/39 detection rate as of 2010.01.01 20:50:54 (UTC)
16/40 detection rate as of 2010.01.03 10:10:30 (UTC)
21/40 detection rate as of 2010.01.04 07:48:32 (UTC)
33/41 detection rate as of 2010.01.06 08:03:47 (UTC)
Variously identified as: Artemis!84E8FCD09215, Downloader-BWS, Downloader.Generic9.AEFL, Mal/Krap-H, Medium Risk Malware, Trj/CI.A, Trojan-Downloader.Win32.FraudLoad, Trojan-Downloader.Win32.FraudLoad!IK, Trojan-Downloader.Win32.FraudLoad.ghh, Trojan-Downloader/W32.FraudLoad.111104.F, Trojan.DL.FraudLoad.VFX, Trojan.Dldr.FraudLoad.ghh, Trojan.DownLoad1.5059, Trojan.FakeAV, Trojan.FakeAV!gen11, Trojan.Generic.2928325, Trojan.Win32.FakeAV!IK, Trojan.Win32.Generic!BT, Trojan/Downloader.FraudLoad.ghh, Trojan/Win32.FraudLoad.gen, TrojanDownloader:Win32/Renos.JM, TrojWare.Win32.Trojan.Agent.Gen, W32/FakeAlert.EK.gen!Eldorado, W32/FraudLoad.GHH!tr.dldr, Win-Trojan/Downloader.111104.M, Win32:FakeAV-AES, Win32:Trojan-gen, Win32.Packed.Krap.ag.5, Win32.TrojanDownload, Win32/TrojanDownloader.FakeAlert.ADA, Win32/Warduncrypt!packed, etc.
This malware phones home to multiple domains according to the Panda Autovin, ThreatExpert, and Anubis behavioral analyses. See the WOT reports for these phone-home domains, sorted roughly in order of least to most well known at the time of this post:
There are dozens of other malware distribution sites similar to jumbotubes; a Google search reveals many such domains (note that SafeSearch is disabled in this query, and the results will likely lead to malware):
In researching some of the phone-home domains on ThreatExpert using searches like this one, I found a number of related domains as well (again listed roughly in order of least to most widely known):
While preparing to write this blog post, I retraced my steps and found that the evamendesochka site now redirects to a different site:
showmelovetube .cn/tube.htm (WARNING: site contains explicit images in addition to malware)
Once again, the site attempts to trick the user into clicking on what appears to be a video, which is actually just a link to a malicious file:
See the Web of Trust reports for these additional domains, neither of which seems to be well-known yet:
The initial detection rate for this second piece of malware is only 3 out of 41 anti-virus engines, with detection coming soon from Fortinet and McAfee:
File name: install_plugin.exe
File size: 38400 bytes
3/41 detection rate as of 2010.01.06 06:41:05 (UTC)
Variously identified as: Generic.TRA!d9644ba632c0, Medium Risk Malware Dropper, Trojan-Dropper.Win32.Agent.bkie, W32/Agent.BKI!tr, W32/Malware
This malware disables Data Execution Prevention (DEP) for Internet Explorer and injects a new DLL into the system, among other things, as shown in these Anubis, ThreatExpert, and Panda Autovin reports.
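Both "Variously identified as" lists above show the usual problem with multi-engine results: every vendor uses its own naming scheme, so deciding what family a sample belongs to means normalizing the labels and looking for agreement. The script below is an added example, not code from the original post; it copies the vendor labels from the two VirusTotal listings above, strips platform and threat-type words plus two vendor heuristic tags (Artemis for McAfee, Eldorado for F-Prot), drops short variant suffixes and anything containing digits, and then votes. The stop-word list and the "at least two engines must agree" threshold are my own choices, not a standard.

```python
import re
from collections import Counter
from typing import Iterator, List, Optional, Tuple

# Tokens that name a platform, a threat type, or a vendor heuristic rather
# than a malware family (constructed stop list; extend it for your own data).
GENERIC_TOKENS = {
    "trojan", "trojware", "trojandownloader", "trojandownload",
    "downloader", "download", "dldr", "dropper", "packed",
    "generic", "gen", "malware", "medium", "risk",
    "win", "win32", "w32", "mal", "trj", "agent",
    "artemis", "eldorado",   # McAfee / F-Prot heuristic tags, not families
}

# Labels copied from the first VirusTotal listing in the post (flash-HQ-plugin.40012.exe).
SAMPLE1_LABELS: List[str] = [
    "Artemis!84E8FCD09215", "Downloader-BWS", "Downloader.Generic9.AEFL",
    "Mal/Krap-H", "Medium Risk Malware", "Trj/CI.A",
    "Trojan-Downloader.Win32.FraudLoad", "Trojan-Downloader.Win32.FraudLoad!IK",
    "Trojan-Downloader.Win32.FraudLoad.ghh", "Trojan-Downloader/W32.FraudLoad.111104.F",
    "Trojan.DL.FraudLoad.VFX", "Trojan.Dldr.FraudLoad.ghh", "Trojan.DownLoad1.5059",
    "Trojan.FakeAV", "Trojan.FakeAV!gen11", "Trojan.Generic.2928325",
    "Trojan.Win32.FakeAV!IK", "Trojan.Win32.Generic!BT", "Trojan/Downloader.FraudLoad.ghh",
    "Trojan/Win32.FraudLoad.gen", "TrojanDownloader:Win32/Renos.JM",
    "TrojWare.Win32.Trojan.Agent.Gen", "W32/FakeAlert.EK.gen!Eldorado",
    "W32/FraudLoad.GHH!tr.dldr", "Win-Trojan/Downloader.111104.M", "Win32:FakeAV-AES",
    "Win32:Trojan-gen", "Win32.Packed.Krap.ag.5", "Win32.TrojanDownload",
    "Win32/TrojanDownloader.FakeAlert.ADA", "Win32/Warduncrypt!packed",
]

# Labels copied from the second listing in the post (install_plugin.exe).
SAMPLE2_LABELS: List[str] = [
    "Generic.TRA!d9644ba632c0", "Medium Risk Malware Dropper",
    "Trojan-Dropper.Win32.Agent.bkie", "W32/Agent.BKI!tr", "W32/Malware",
]


def family_tokens(label: str) -> Iterator[str]:
    """Yield candidate family names from one vendor label.

    Labels are split on every non-alphanumeric character ('.', '/', '!', ':', '-', ' ').
    Tokens shorter than four characters (variant suffixes such as ghh, IK, ADA),
    tokens containing digits (hashes, build numbers, Generic9) and the generic
    platform / type words above are discarded.
    """
    for tok in re.split(r"[^A-Za-z0-9]+", label):
        t = tok.lower()
        if len(t) < 4 or any(c.isdigit() for c in t) or t in GENERIC_TOKENS:
            continue
        yield t


def family_votes(labels: List[str]) -> Counter:
    """Count how many engines mention each candidate family (one vote per label)."""
    votes: Counter = Counter()
    for label in labels:
        for t in set(family_tokens(label)):
            votes[t] += 1
    return votes


def consensus_family(labels: List[str], min_votes: int = 2) -> Optional[Tuple[str, int]]:
    """Return (family, votes) for the most-cited family, or None when fewer than
    `min_votes` engines agree, i.e. when the engines only produced generic names."""
    votes = family_votes(labels)
    if not votes:
        return None
    fam, n = votes.most_common(1)[0]
    return (fam, n) if n >= min_votes else None


if __name__ == "__main__":
    print("sample 1 top families:", family_votes(SAMPLE1_LABELS).most_common(4))
    print("sample 1 consensus:", consensus_family(SAMPLE1_LABELS))
    print("sample 2 consensus:", consensus_family(SAMPLE2_LABELS))
```

For the first sample nine engines converge on FraudLoad, with FakeAV a distant second; for the second sample the only names left after stripping generic words are variant suffixes, so the function returns None, which is a more honest answer than "Agent" when the engines have not actually identified a family.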
Stay safe out there!
For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.