Monday, December 27, 2010

Fake Codec Malware Sites: tv-world-online, etc.

I recently viewed an old YouTube video produced by SophosLabs back in January 2010 (nearly a year ago). I took note of the domain where this malware was found, and out of curiosity I checked to see whether the site was still online. To my surprise, it was. Here are some of my findings:

Every page of the site (tv-world-online .net) was linking to fake codec malware in very deceptive ways. The domain hosting the malware changed at least once or twice per day, and the malware hosted on these servers was modified to have a different MD5 checksum about as often. In each case the file name was "install_ActiveX.45171.exe". I collected as many samples as possible, submitting each variant to major antivirus companies that were not yet detecting it, and rating each page on Web of Trust to help protect other WOT users (WOT is a browser add-on for major browsers that helps protect users from potentially harmful sites, and it uses a community rating system that is usually very reliable).
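The behaviour described above (a fixed file name while the hosting domain and the MD5 rotate) is what makes the file name, not the host or hash, the stable thing to watch for. The following is an added example, not code from the original post: it runs a simple detection over constructed proxy-log records (hypothetical hosts and file contents) and summarises how many hosts and hashes served the file per day.

```python
import hashlib
import re
from collections import defaultdict

# Constructed proxy-log records (not from the post): date, URL, and the bytes
# the client received. Hosts and contents are stand-ins so this runs offline.
SAMPLE_LOG = [
    ("2010-12-20", "http://host-a.example/install_ActiveX.45171.exe", b"variant-1"),
    ("2010-12-20", "http://host-b.example/install_ActiveX.45171.exe", b"variant-2"),
    ("2010-12-21", "http://host-c.example/install_ActiveX.45171.exe", b"variant-3"),
    ("2010-12-21", "http://cdn.example/jquery.min.js", b"var x=1;"),
]

# The campaign kept the file name fixed while hosts and hashes rotated, so the
# name (allowing for a changed numeric suffix) is the indicator to match on.
FAKE_CODEC_NAME = re.compile(r"/install_ActiveX\.\d+\.exe$", re.IGNORECASE)


def md5_hex(data):
    """Hex MD5 of a downloaded body, as submitted to VirusTotal and AV vendors."""
    return hashlib.md5(data).hexdigest()


def flag_fake_codec_downloads(log):
    """Return (date, host, md5) for each download whose path matches the pattern."""
    hits = []
    for date, url, body in log:
        if FAKE_CODEC_NAME.search(url):
            host = url.split("/")[2]
            hits.append((date, host, md5_hex(body)))
    return hits


def rotation_summary(hits):
    """Per day: (distinct hosts, distinct MD5s) that served the file."""
    hosts = defaultdict(set)
    hashes = defaultdict(set)
    for date, host, digest in hits:
        hosts[date].add(host)
        hashes[date].add(digest)
    return {d: (len(hosts[d]), len(hashes[d])) for d in hosts}


if __name__ == "__main__":
    found = flag_fake_codec_downloads(SAMPLE_LOG)
    for date, host, digest in found:
        print(date, host, digest)
    print(rotation_summary(found))
```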

Variants of this fake codec malware are known by many different names. The last sample I obtained is detected under the following names (currently 35/42 detection rate according to VirusTotal):
FakeAV.GPF, Generic.dx!vgs, Heuristic.BehavesLike.Win32.Downloader.H, Mal/EncPk-NS, MalCrypt.Indus!, Malware-Cryptor.Limpopo, Packed.Katusha.ase, Packed.Win32.Katusha, Packed.Win32.Katusha.o, Packed/Win32.Katusha.gen, Suspicious file, TR/Shakat.O.333, Trojan.Agent/Gen-Fraudera, Trojan.DL.Renos!al/DlyrO68M, Trojan.DownLoad2.19095, Trojan.FakeAV, Trojan.FakeAV!gen29, Trojan.Generic.KD.90926, Trojan.Katusha.o, Trojan.Win32.Generic.52530514, Trojan/W32.Agent.212992.JV, TrojanDownloader:Win32/Renos.MJ, VirTool.Win32.Obfuscator.hg!b1 (v), Virus, W32/Codecpack.700D!tr, W32/Obfuscated.M, W32/Renos.A!Generic, Win-Trojan/Agent.212992.VL, Win32:MalOb-EA, Win32/Renos.D!generic, Win32/TrojanDownloader.FakeAlert.BBT
Here are WOT reports for several affiliated domains:
Although the tv-world-online domain does not currently appear to be online, it appears that the domain has not actually been shut down, so it may become active again eventually.

On a different subject, I want to let my readers know that I recently updated a couple of pages on this site: the Bindaas spam site listing and the page on how to manually preview shortened URLs.

For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.