Internet Domain Registry


Thursday, 23 October 2008

The demise of index1.php PornTube Video Malware

Posted on 10:38 by Unknown
When a criminal finds a good thing, he stays with it. One criminal has been doing exactly that since May 17th. Every day since then, the UAB Spam Data Mine has received spam messages with shocking, offensive subject lines promising videos of graphically described sex acts, all pointing to web pages whose URLs end in "index1.php". I started to write today's article saying that it had finally stopped, but unfortunately a small batch trickled in just before I sat down to write. (Two domains were in that batch: estofadosgrando.com.br, which has already been fixed so that it no longer delivers the malware, and rasini.it, which is still hosting a fake YouTube page showing a sexual act and attempting to infect visitors with the malware.)

What I can say is that something happened this week to dramatically cut the volume of this malware-advertising spam. On some individual days the campaign made up more than 10% of all the spam we received; as a monthly average it was only a fraction of 1% in May (though present every day), crossed 1% in June, peaked at about 3% of all spam in mid-August, and for October has averaged about 2% of the total spam volume per day.

During the course of this spam campaign, we received spam from more than 30,000 infected computers, which advertised malicious websites on more than 2,260 domains.

Each of those websites was an existing, legitimate website that the criminals took over so they could host their malicious software on it. Once the malware was in place, visitors were invited to load software in order to view the movie (visitors with older browsers were infected even if they never agreed to load anything). That malware in turn launched the installer for the then-current fake "Antivirus 2008" (which currently calls itself "AntiSpyware 2009").

A quick check of the 2,269 previously used domains shows that 166 of them are still hosting the malware.

Here are the links to the malware, in case someone would like to contact these webmasters and help them get this stuff removed.

We believe that the webmaster's own computer may be compromised. It appears that the criminal logs in to each website using the administrator's own userid and password, creates the directory where he is going to place his virus, and then uploads his files to it. The list below shows the pattern: either a newly created directory (pornotube, news, antivir) holding a set of .exe files, or a single .exe dropped straight into the web root.

If you are the webmaster of one of these domains, we would very much like to see your server logs. Please email gar@cis.uab.edu if you are willing to share them.
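For a webmaster wondering what to look for in those logs, here is an added example (not from the original post, and not UAB's tooling) that scans an FTP transfer log for exactly the activity described above: an incoming transfer that drops an .exe or an index1.php under the document root, tied to the login name and source address that performed it. It assumes the site is managed over FTP and that the server writes the common xferlog format (the post does not say which channel the criminal used); the log lines, the web root path and the "known admin address" allowlist are constructed for this example.

```python
import re
from datetime import datetime

# One xferlog record per transfer, space separated (wu-ftpd/ProFTPD/vsftpd style):
# <Www Mmm dd HH:MM:SS yyyy> <xfer-secs> <remote-host> <bytes> <filename>
# <type a|b> <special-flags> <direction i|o|d> <access a|g|r> <username>
# <service> <auth-method 0|1> <auth-userid> <completion c|i>
XFERLOG_RE = re.compile(
    r"^(?P<stamp>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) "
    r"(?P<secs>\d+) (?P<host>\S+) (?P<bytes>\d+) (?P<path>\S+) "
    r"(?P<type>[ab]) (?P<special>\S+) (?P<direction>[iod]) (?P<access>[agr]) "
    r"(?P<user>\S+) (?P<service>\S+) (?P<auth>[01]) (?P<authuser>\S+) (?P<status>[ci])$"
)

# Constructed sample log for this example; not taken from any real server.
SAMPLE_XFERLOG = """\
Sun Oct 19 22:11:03 2008 2 198.51.100.7 4021 /home/site/public_html/index.html b _ o r admin ftp 0 * c
Mon Oct 20 03:14:22 2008 1 203.0.113.5 13824 /home/site/public_html/pornotube/video1439654.exe b _ i r admin ftp 0 * c
Mon Oct 20 03:14:25 2008 1 203.0.113.5 9010 /home/site/public_html/pornotube/index1.php b _ i r admin ftp 0 * c
Mon Oct 20 03:14:29 2008 1 203.0.113.5 13824 /home/site/public_html/pornotube/video54582.exe b _ i r admin ftp 0 * c
Tue Oct 21 09:40:00 2008 3 198.51.100.7 2210 /home/site/public_html/news/october.html b _ i r admin ftp 0 * c
"""

KNOWN_ADMIN_HOSTS = {"198.51.100.7"}   # assumption: where the webmaster normally logs in from
WEB_ROOT = "/home/site/public_html/"    # assumption: the site's document root on disk
SUSPECT_NAME = re.compile(r"\.exe$|^index1\.php$", re.IGNORECASE)


def parse_xferlog(text):
    """Parse xferlog lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = XFERLOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["when"] = datetime.strptime(d["stamp"], "%a %b %d %H:%M:%S %Y")
        events.append(d)
    return events


def suspicious_uploads(events, known_hosts=KNOWN_ADMIN_HOSTS, web_root=WEB_ROOT):
    """Flag incoming transfers (direction 'i') that place an executable or an
    index1.php landing page under the web root, and mark whether the session
    came from an address the webmaster does not normally use.  Note that the
    login itself looks legitimate: it is the admin's real userid."""
    findings = []
    for e in events:
        if e["direction"] != "i" or not e["path"].startswith(web_root):
            continue
        rel = e["path"][len(web_root):]
        name = rel.rsplit("/", 1)[-1]
        if not SUSPECT_NAME.search(name):
            continue
        findings.append({
            "when": e["when"].isoformat(),
            "user": e["user"],
            "from": e["host"],
            "unknown_source": e["host"] not in known_hosts,
            "rel_path": rel,
            "directory": rel.rsplit("/", 1)[0] if "/" in rel else "",
        })
    return findings


def summarize(findings):
    """Group findings by (source address, username) so one malicious session stands out."""
    by_session = {}
    for f in findings:
        by_session.setdefault((f["from"], f["user"]), []).append(f["rel_path"])
    return by_session


if __name__ == "__main__":
    sessions = summarize(suspicious_uploads(parse_xferlog(SAMPLE_XFERLOG)))
    for (src, user), paths in sessions.items():
        print(f"{user} from {src} uploaded: {', '.join(paths)}")
```

The interesting signal is not a failed login or an unknown account but the admin's own credentials used from an address the admin never uses, which is consistent with the credentials having been stolen from the webmaster's PC. If the site is managed through a control panel or SFTP instead, the same filter (uploads of .exe or index1.php into a fresh directory under the web root, keyed by source address) applies to that service's log.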


!!DANGER!! IF YOU ARE NOT A PROFESSIONAL ANTIVIRUS RESEARCHER, THESE LINKS ARE NOT FOR YOU!!!!

193.238.209.17\hot_video.exe
195.145.241.232\pornvideo815uw.exe
198.66.130.103\videopornu376x.exe
1pajda1.borec.cz\video435_porn.exe
66.36.231.223\videporn920ma.exe
69.73.158.27\news_usama_video.exe
74.50.89.140\usama_video.exe
999.gen.tr\pornotube\video1439654.exe
999.gen.tr\pornotube\video54582.exe
999.gen.tr\pornotube\video76566.exe
999.gen.tr\pornotube\video8657786.exe
aberturaslif.com.ar\pornotube\video1439654.exe
aberturaslif.com.ar\pornotube\video54582.exe
aberturaslif.com.ar\pornotube\video76566.exe
aberturaslif.com.ar\pornotube\video8657786.exe
acalon.es\news\video463847.exe
acalon.es\news\video6432434.exe
acalon.es\news\video7656532.exe
acalon.es\news\video9865565.exe
achdepannexpress.com\news_usama_video.exe
addressprint.ru\news_usama_video.exe
agriturismovillavittoria.it\pornivideo03y45i.exe
agroredenoticias.com.br\pornotube\video1439654.exe
agroredenoticias.com.br\pornotube\video54582.exe
agroredenoticias.com.br\pornotube\video76566.exe
agroredenoticias.com.br\pornotube\video8657786.exe
aisal.ru\videoPorn218hdy.exe
aisoftware.ro\tvideo_my_hot.exe
alcaphone.com.br\hot_video.exe
aloidiasimoveis.com.br\pornvideo815uw.exe
alrafah.net\pornotube\video1439654.exe
alrafah.net\pornotube\video54582.exe
alrafah.net\pornotube\video76566.exe
alrafah.net\pornotube\video8657786.exe
amadicarpets.com\news_usama_video.exe
amiram.org.il\shoking_video_news.exe
amphonesinh.info\videporn920ma.exe
andreadelvalle.com\pornvideo815uw.exe
antonianki.ofm.pl\pornotube\video1439654.exe
antonianki.ofm.pl\pornotube\video54582.exe
antonianki.ofm.pl\pornotube\video76566.exe
antonianki.ofm.pl\pornotube\video8657786.exe
antytusk.pl\tvideo_my_hot.exe
asaib.info\video79885.exe
asociace.euweb.cz\news\video463847.exe
asociace.euweb.cz\news\video6432434.exe
asociace.euweb.cz\news\video7656532.exe
asociace.euweb.cz\news\video9865565.exe
atatac.com\hot_video.exe
autocalunnictvojv.sk\pornotube\video1439654.exe
autocalunnictvojv.sk\pornotube\video54582.exe
autocalunnictvojv.sk\pornotube\video76566.exe
autocalunnictvojv.sk\pornotube\video8657786.exe
axonsrl.com\videporn920ma.exe
aziendaruggeri.it\pornwvideo3u96.exe
azoreil-yar.ru\pornnvideo238vf.exe
bakir.bel.tr\video4326xx.exe
bali-hotels-budget.com\my_video_hot.exe
baselangues.emme.fr\video432654xd.exe
bba.kbu.ac.th\pornwvideo3u96.exe
beatnikteacher.com\pornivideo396.exe
benhurantiguidades.com.br\videopornu376x.exe
betosom.com.br\pornnvideo238vf.exe
billoepallina.it\news\video463847.exe
billoepallina.it\news\video6432434.exe
billoepallina.it\news\video7656532.exe
billoepallina.it\news\video9865565.exe
bolats.com\videoPorn218hdy.exe
bubugrupo.com\tvideo_my_hot.exe
buenosairesltd.com\tvideo_my_hot.exe
bux666.com\pornivideo396.exe
cadorgames.xf.cz\news\video463847.exe
cadorgames.xf.cz\news\video6432434.exe
cadorgames.xf.cz\news\video7656532.exe
cadorgames.xf.cz\news\video9865565.exe
calimh.com\news\video463847.exe
calimh.com\news\video6432434.exe
calimh.com\news\video7656532.exe
calimh.com\news\video9865565.exe
castropaes.com.br\pornvideo815uw.exe
cdlourdes.com\news_usama_video.exe
cedacbrasil.com.br\videporn920ma.exe
celinakochen.com.br\videokl_ds4.exe
center-eno.com\vide839pornn.exe
charley.wz.cz\news_usama_video.exe
chennai.needindya.com\pornotube\video1439654.exe
chennai.needindya.com\pornotube\video54582.exe
chennai.needindya.com\pornotube\video76566.exe
chennai.needindya.com\pornotube\video8657786.exe
click-cargo.com\shokinng_video.exe
cobrahk.wz.cz\video25653.exe
collectedthoughts.co.uk\news_usama_video.exe
coralis.ro\video.exe
crazynails.pro24.pl\videoXXX76s3545.exe
crisracebook.com\videoxxx834j.exe
derggi.com\my_video_hot.exe
dipucu.com\pornmvideo6d19.exe
dominuscobrancas.com.br\video_usama.exe
dsl-uebersicht.de\video.exe
dyc-1.celingest.es\new_usama_video.exe
eltubio.com.ar\tvideo_my_hot.exe
emporio-uk.it\my_hot_video.exe
erolantik.com\pornyvideo194vf.exe
escola-allegro.com\videporn920ma.exe
eskapada.info\video.exe
estudiscunit.com\videoQe32.exe
evagino.net\pornivideo03y45i.exe
eyecatchinggear.com\videoPorn218hdy.exe
farfalle.es\news_usama_video.exe
ferrucasdeltrenrojo.com.ar\tvideo_my_hot.exe
fitonit.cl\pornotube\video1439654.exe
fitonit.cl\pornotube\video54582.exe
fitonit.cl\pornotube\video76566.exe
fitonit.cl\pornotube\video8657786.exe
freddyrock.com.ar\videopornu376x.exe
gargamel.com.tr\my_video_hot.exe
geoteam.sk\pornivideo03y45i.exe
giovani.donorione.it\secret_archive.exe
gorodok-band.de\pornotube\video1439654.exe
gorodok-band.de\pornotube\video54582.exe
gorodok-band.de\pornotube\video76566.exe
gorodok-band.de\pornotube\video8657786.exe
grafo.com.tr\video.exe
grupamc.com\vide839pornn.exe
guillaumenery.fr\news_usama_video.exe
hardcore-united.com\pornmvideo6d19.exe
hiperlab.com.br\pornotube\video1439654.exe
hiperlab.com.br\pornotube\video54582.exe
hiperlab.com.br\pornotube\video76566.exe
hiperlab.com.br\pornotube\video8657786.exe
hisaryapi.com.tr\pornovideo729lo.exe
holdispharma.com\videopornu376x.exe
holytrinity.com.ua\videporn920ma.exe
horsetrainingsuperstars.com\news_usama_video.exe
hotel-lebellevue.fr\my_hot_video.exe
hotelxibalba.com\news_usama_video.exe
hsmicro.co.kr\pornotube\video1439654.exe
hsmicro.co.kr\pornotube\video54582.exe
hsmicro.co.kr\pornotube\video76566.exe
hsmicro.co.kr\pornotube\video8657786.exe
i-bournemouth.com\pornotube\video1439654.exe
i-bournemouth.com\pornotube\video54582.exe
i-bournemouth.com\pornotube\video76566.exe
i-bournemouth.com\pornotube\video8657786.exe
imparbrasil.com.br\hot_video.exe
inspirace.ic.cz\video4335gfd3.exe
integratedlabelsoutlet.com\pornnvideo238vf.exe
integratedlabelsusa.com\videoPorn218hdy.exe
ipago.info\my_hotvideo.exe
irisotel.com\my_video_hot.exe
isvo.nl\videopornu376x.exe
ivoireweb.biz\pornwvideo3u96.exe
iyc.org.tr\pornotube\video1439654.exe
iyc.org.tr\pornotube\video54582.exe
iyc.org.tr\pornotube\video76566.exe
iyc.org.tr\pornotube\video8657786.exe
jegupi.com\antivir\AntivirusXP2008Installer.exe
jesusnolar.org.br\pornvideo815uw.exe
jorgelopezdj.com\pornivideo03y45i.exe
josiasgranito.com\install_antivirus.exe
kamenipitarimilas.hr\videopornu376x.exe
korviet.net\pornivideo396.exe
koshkindom.vio.ru\video245fgw22.exe
label-sheets.com\my_hots_video.exe
laccsa.com\pornvideo815uw.exe
ladrigan.com\antivir\AntivirusXP2008Installer.exe
lafabak.com\pornotube\video1439654.exe
lafabak.com\pornotube\video54582.exe
lafabak.com\pornotube\video76566.exe
lafabak.com\pornotube\video8657786.exe
lichter-loh.com\pornnvideo238vf.exe
litecrete.com\my_hots_video.exe
lolo16.com\my_video_hot.exe
loritritel.com\pornotube\video1439654.exe
loritritel.com\pornotube\video54582.exe
loritritel.com\pornotube\video76566.exe
loritritel.com\pornotube\video8657786.exe
magdatur.com.br\video83porn.exe
marklenders.com\pornyvideo194vf.exe
marwad.com\my_hotvideo.exe
maximelaplante.com\video23574fr41.exe
maximumassetshield.com\videoXXX76s3545.exe
mediamatika.wu.cz\pornmvideo6d19.exe
membersvcs.com\antivir\AntivirusXP2008Installer.exe
merchant.directaccess.ro\videosecrt927.exe
miavai.com\my_hots_video.exe
michcom.cl\my_hots_video.exe
millenniummobilya.com\video857porn.exe
mkz.unas.cz\pornotube\video1439654.exe
mkz.unas.cz\pornotube\video54582.exe
mkz.unas.cz\pornotube\video76566.exe
mkz.unas.cz\pornotube\video8657786.exe
mobila.yard.ru\video7346.exe
momoelectronic.com\pornivideo03y45i.exe
motorpost.com\pornivideo03y45i.exe
muranga.es\pornotube\video1439654.exe
muranga.es\pornotube\video54582.exe
muranga.es\pornotube\video76566.exe
muranga.es\pornotube\video8657786.exe
music2000.eu\videosecrt927.exe
musiquote.it\tvideo_my_hot.exe
neocodec.com\free_vid.exe
netmalakay.com\videonjk568.exe
nrss.com.br\video623porn.exe
oarsoaldea.net\tvideo_my_hot.exe
oempricing.com\videoPorn218hdy.exe
omalissi.com.ar\pornivideo03y45i.exe
opcionsp.com\videosecrt927.exe
orf.ru\pornotube\video1439654.exe
orf.ru\pornotube\video54582.exe
orf.ru\pornotube\video76566.exe
orf.ru\pornotube\video8657786.exe
orsoft.es\video23678fe3.exe
otromadrid.dmkhost.net\pornotube\video1439654.exe
otromadrid.dmkhost.net\pornotube\video54582.exe
otromadrid.dmkhost.net\pornotube\video76566.exe
otromadrid.dmkhost.net\pornotube\video8657786.exe
paoloterni.com\videopornu376x.exe
payalweb.cusiteonline.com\videoPorn218hdy.exe
pegasolar.com\videoPorn218hdy.exe
penzion-hradsky.cz\video354rporn.exe
perezmu.com\news_usama_video.exe
pfmsindia.biz\hot_video.exe
pichelariadias.com\my_hot_video.exe
polatenerji.com\my_video_hot.exe
portaledonna.org\news_usama_video.exe
ppctotal.com\my_hotvideo.exe
precision.needindya.com\pornovideo729lo.exe
previarch.com\pornotube\video1439654.exe
previarch.com\pornotube\video54582.exe
previarch.com\pornotube\video76566.exe
previarch.com\pornotube\video8657786.exe
pro-heni.hr\pornotube\video1439654.exe
pro-heni.hr\pornotube\video54582.exe
pro-heni.hr\pornotube\video76566.exe
pro-heni.hr\pornotube\video8657786.exe
quintametalica.com\my_hots_video.exe
regv.net\videosecrt927.exe
remcovandermeide.nl\pornovideo729lo.exe
ringrajeradio.com.ar\video3468ht34.exe
rollarampiberica.com\my_hots_video.exe
rovinj.ch\videopornu376x.exe
rubblemaster.pl\pornnvideo238vf.exe
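Repeating the "quick check" of which domains still host the malware is the obvious thing to do with this list. The following is an added example, not the post's own tooling, that turns the post's backslash notation into fetchable URLs, groups them by host, and re-probes each one with an HTTP HEAD request, counting a hit only when the server answers 200 with an executable content type (a 200 carrying text/html is a soft-404 or a placeholder, not a live payload). The network probe is passed in as a parameter so the logic can be exercised offline; the five embedded entries are copied from the list above, while the content-type set and the probe behaviour are my assumptions. As the warning above says, run the real probe only from an isolated analysis machine.

```python
import ipaddress
import urllib.request
from collections import Counter, defaultdict
from urllib.error import HTTPError, URLError

# A handful of entries copied from the list above; the notation is host\dir\file.
SAMPLE_LIST = r"""
193.238.209.17\hot_video.exe
999.gen.tr\pornotube\video1439654.exe
999.gen.tr\pornotube\video54582.exe
acalon.es\news\video463847.exe
jegupi.com\antivir\AntivirusXP2008Installer.exe
"""

# Content types a web server typically sends for a Windows executable (assumption).
EXE_TYPES = {"application/x-msdownload", "application/octet-stream", "application/x-msdos-program"}


def parse_indicator(line):
    """Turn 'host\\dir\\file.exe' into a record with a real URL and the drop
    pattern it belongs to: the directory the criminal created, or 'root-drop'
    when the file was placed straight into the web root."""
    parts = line.strip().split("\\")
    if len(parts) < 2:
        return None
    host, *dirs, name = parts
    try:
        ipaddress.ip_address(host)
        host_kind = "ip"
    except ValueError:
        host_kind = "domain"
    directory = "/".join(dirs)
    return {
        "host": host,
        "host_kind": host_kind,
        "directory": directory,
        "file": name,
        "url": "http://" + host + "/" + "/".join(dirs + [name]),
        "pattern": directory or "root-drop",
    }


def parse_list(text):
    recs = [parse_indicator(l) for l in text.splitlines() if l.strip()]
    return [r for r in recs if r]


def by_host(records):
    """Map each host to its payload URLs, so one notification per webmaster covers all of them."""
    grouped = defaultdict(list)
    for r in records:
        grouped[r["host"]].append(r["url"])
    return dict(grouped)


def http_head(url, timeout=10):
    """Real probe: HEAD the URL and return (status, content-type).  Responses may
    differ by client, so treat a negative result as 'not seen', not 'cleaned'."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", "")
    except HTTPError as e:
        return e.code, ""
    except URLError:
        return None, ""


def still_hosting(records, probe=http_head):
    """Return the records whose URL still answers 200 with an executable content type."""
    live = []
    for r in records:
        status, ctype = probe(r["url"])
        r = dict(r, status=status, content_type=ctype)
        if status == 200 and ctype.split(";")[0].strip().lower() in EXE_TYPES:
            live.append(r)
    return live


if __name__ == "__main__":
    recs = parse_list(SAMPLE_LIST)
    print("drop patterns:", dict(Counter(r["pattern"] for r in recs)))
    for host, urls in by_host(recs).items():
        print(host, "->", len(urls), "payload URL(s)")
    # still_hosting(recs) with the default probe touches the live sites: isolated box only.
```

Grouping by host matters because most compromised sites carry four payloads under one directory; the webmaster needs the directory removed and, given the stolen-credential pattern described above, the administrator password changed from a clean machine, not just the one file deleted.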