showmealltube .com/paqi-video/7.html
used obscured JavaScript code [see the Wepawet analysis] to redirect to
evamendesochka .com/go.php?sid=9
which redirected to
jumbotubes .com/xplaymovie.php?id=40012
(It doesn't redirect to jumbotubes anymore, but I'll get back to that.) The jumbotubes page pretended to contain an embedded video which in reality linked to a malicious payload:
megaloadfile .com/flash-HQ-plugin.40012.exe
I submitted the file to VirusTotal and found that only 4 out of 39 engines detected it. I sent the sample to multiple AV vendors, and detection improved gradually over the next several days:
File name: flash-HQ-plugin.40012.exe
File size: 111104 bytes
MD5...: 84e8fcd09215fe4555b5532f22f1f96e
SHA1..: 5084a5ecdfd16220809c59ef5a6ca8e692237841
SHA256: 89d2f41d182fad11d71e4312b589c8b8a4ebdaf3384ae01ca9827091e4f55097
4/39 detection rate as of 2010.01.01 20:50:54 (UTC)
16/40 detection rate as of 2010.01.03 10:10:30 (UTC)
21/40 detection rate as of 2010.01.04 07:48:32 (UTC)
33/41 detection rate as of 2010.01.06 08:03:47 (UTC)
Variously identified as: Artemis!84E8FCD09215, Downloader-BWS, Downloader.Generic9.AEFL, Mal/Krap-H, Medium Risk Malware, Trj/CI.A, Trojan-Downloader.Win32.FraudLoad, Trojan-Downloader.Win32.FraudLoad!IK, Trojan-Downloader.Win32.FraudLoad.ghh, Trojan-Downloader/W32.FraudLoad.111104.F, Trojan.DL.FraudLoad.VFX, Trojan.Dldr.FraudLoad.ghh, Trojan.DownLoad1.5059, Trojan.FakeAV, Trojan.FakeAV!gen11, Trojan.Generic.2928325, Trojan.Win32.FakeAV!IK, Trojan.Win32.Generic!BT, Trojan/Downloader.FraudLoad.ghh, Trojan/Win32.FraudLoad.gen, TrojanDownloader:Win32/Renos.JM, TrojWare.Win32.Trojan.Agent.Gen, W32/FakeAlert.EK.gen!Eldorado, W32/FraudLoad.GHH!tr.dldr, Win-Trojan/Downloader.111104.M, Win32:FakeAV-AES, Win32:Trojan-gen, Win32.Packed.Krap.ag.5, Win32.TrojanDownload, Win32/TrojanDownloader.FakeAlert.ADA, Win32/Warduncrypt!packed, etc.
See the Web of Trust reports for the domains mentioned above:
http://www.mywot.com/en/scorecard/showmealltube.com
http://www.mywot.com/en/scorecard/evamendesochka.com
http://www.mywot.com/en/scorecard/jumbotubes.com
http://www.mywot.com/en/scorecard/megaloadfile.com
This malware phones home to multiple domains according to the Panda Autovin, ThreatExpert, and Anubis behavioral analyses. See the WOT reports for these phone-home domains, sorted roughly in order of least to most well known at the time of this post:
There are dozens of other malware distribution sites similar to jumbotubes; a Google search reveals many such domains (note that SafeSearch is disabled in this query, and the results will likely lead to malware):
google.com/search?hl=en&safe=off&q=inurl%3A%22xplaymovie.php%22
In researching some of the phone-home domains on ThreatExpert using searches like this one, I found a number of related domains as well (again listed roughly in order of least to most widely known):
While preparing to write this blog post, I retraced my steps and found that the evamendesochka site now redirects to a different site:
showmelovetube .cn/tube.htm (WARNING: site contains explicit images in addition to malware)
Once again, the site attempts to trick the user into clicking on what appears to be a video, which is actually just a link to a malicious file:
mp3dir .cn/1/install_plugin.exe
See the Web of Trust reports for these additional domains, neither of which seems to be well-known yet:
http://www.mywot.com/en/scorecard/showmelovetube.cn
http://www.mywot.com/en/scorecard/mp3dir.cn
The initial detection rate for this second piece of malware is only 3 out of 41 anti-virus engines, with detection coming soon from Fortinet and McAfee:
File name: install_plugin.exe
File size: 38400 bytes
MD5...: d9644ba632c0d774dcff57323eeb968d
SHA1..: bce22a0c67da01441478cd327affbf632a9908c4
SHA256: 46a9620c06c4d143a77c36f658d9f2e272960dd4db47ab2fb8f6208822e2d566
3/41 detection rate as of 2010.01.06 06:41:05 (UTC)
Variously identified as: Generic.TRA!d9644ba632c0, Medium Risk Malware Dropper, Trojan-Dropper.Win32.Agent.bkie, W32/Agent.BKI!tr, W32/Malware
This malware disables Data Execution Prevention (DEP) for Internet Explorer and injects a new DLL into the system, among other things, as shown in these Anubis, ThreatExpert, and Panda Autovin reports.
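Both chains above follow the same shape: a "tube" landing page (go.php, xplaymovie.php, tube.htm) whose fake video link hands the browser a "plugin" executable. As an added example (not code from the original post), the script below flags that pattern in proxy-style log lines and checks a file digest against the hashes listed above; the four-field log format and the sample lines are constructed for the example.

```python
"""Flag fake-video-plugin lure downloads in constructed proxy log lines.

Added example, not from the original post. The log format (timestamp,
client, referer, requested URL) and the sample lines are constructed;
the URL patterns and hashes come from the chains described in the post.
"""
import re
from urllib.parse import urlparse

# MD5 / SHA256 of the two samples discussed in the post.
KNOWN_BAD_HASHES = {
    "84e8fcd09215fe4555b5532f22f1f96e",
    "89d2f41d182fad11d71e4312b589c8b8a4ebdaf3384ae01ca9827091e4f55097",
    "d9644ba632c0d774dcff57323eeb968d",
    "46a9620c06c4d143a77c36f658d9f2e272960dd4db47ab2fb8f6208822e2d566",
}

# Landing-page scripts seen in the post's chains, and the "plugin/codec" .exe lure.
LANDING_PAGE = re.compile(r"/(xplaymovie\.php|go\.php|tube\.htm)$")
PLUGIN_EXE = re.compile(r"/[^/]*(plugin|codec|player)[^/]*\.exe$", re.IGNORECASE)


def flag_lure_downloads(log_lines):
    """Return (client, referer, url) for .exe downloads whose referer was a
    tube/xplaymovie style landing page. Query strings are ignored."""
    hits = []
    for line in log_lines:
        _ts, client, referer, url = line.split()
        if PLUGIN_EXE.search(urlparse(url).path) and LANDING_PAGE.search(urlparse(referer).path):
            hits.append((client, referer, url))
    return hits


def is_known_sample(digest):
    """True if a hex MD5/SHA256 digest matches one of the post's samples."""
    return digest.strip().lower() in KNOWN_BAD_HASHES


# Constructed sample log: <timestamp> <client> <referer or -> <url>
SAMPLE_LOG = [
    "2010-01-01T20:40:01Z 10.0.0.5 - http://showmealltube.com/paqi-video/7.html",
    "2010-01-01T20:40:02Z 10.0.0.5 http://showmealltube.com/paqi-video/7.html http://evamendesochka.com/go.php?sid=9",
    "2010-01-01T20:40:03Z 10.0.0.5 http://evamendesochka.com/go.php?sid=9 http://jumbotubes.com/xplaymovie.php?id=40012",
    "2010-01-01T20:40:09Z 10.0.0.5 http://jumbotubes.com/xplaymovie.php?id=40012 http://megaloadfile.com/flash-HQ-plugin.40012.exe",
    "2010-01-06T06:30:00Z 10.0.0.9 http://showmelovetube.cn/tube.htm http://mp3dir.cn/1/install_plugin.exe",
    "2010-01-06T06:31:00Z 10.0.0.7 http://example.org/downloads http://example.org/files/setup.exe",
]

if __name__ == "__main__":
    for hit in flag_lure_downloads(SAMPLE_LOG):
        print("fake-plugin lure:", hit)
```

Running it prints the two lure downloads and skips the ordinary setup.exe fetch; the hash check is what you would run on a quarantined file before deciding it is the same sample.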
Stay safe out there!
For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.
I think this may have been the link that I clicked on yesterday that gave me the fake Windows-looking system scan / Trojan.Win32.FakeAV!IK. The browser I am using is Firefox. The search term I googled to bump into the malware website is: ram implosion wing linkfilter.net/?s=j;jid=27206
I believe that this is my second time running into the same bad URL. Back in November I had the same problem with this nasty malware that mimics Windows security icons and changes my desktop image, and I also was researching Ram Implosion Wing.
-Bryan