Author Topic: fake porntubes  (Read 12737 times)

December 14, 2008, 01:36:12 am

ocean

Searching for some samples I've found these:
Code: [Select]
www.chiensderace.com/cgi-bin/awredir/awredir.pl?url=nebeda.com/p/go.php?sid=15&parameter=google+query
www.loftv.com/include/click.php3?idemission=5496&url=HTTP://oplanete.com/s/go.php?sid=2&parameter=google+query

That redirects to:
Code: [Select]
http://alltubesbestcollection.com/teens/xmovie.php?id=1518 (contains explicit images)
that links to:
Code: [Select]
http://codecdownload.3d-softwareportal.com/exclusivemovie.0.exe

NoVirusThanks report:

a-squared - Nothing found!
Avira AntiVir - Nothing found!
Avast - Nothing found!
AVG - Nothing found!
BitDefender - Nothing found!
ClamAV - Nothing found!
Comodo - Nothing found! 
Dr.Web - Nothing found!
Ewido - Nothing found!
F-PROT 6 - Nothing found!
G DATA - Trojan.Win32.Agent.auqs   A
IkarusT3 - Nothing found!
Kaspersky - Trojan.Win32.Agent.auqs
McAfee - Nothing found! 
MHR (Malware Hash Registry) - Nothing found!
NOD32 v3 - Nothing found! 
Norman - Nothing found!
Panda - Nothing found!
Quick Heal - Nothing found!
Solo Antivirus - Nothing found!
Sophos - Nothing found!
TrendMicro - Nothing found!
VBA32 - Nothing found!   
Virus Buster - Nothing found!

Scan report generated by NoVirusThanks.org

Also a search in Google shows these results:

regards
ocean

December 14, 2008, 01:07:36 pm
Reply #1

sowhat-x

  • Guest
Thanks ocean,
these will be added in the list during next update...

December 14, 2008, 04:28:47 pm
Reply #2

ocean

I've got some more ;D

Code: [Select]
http://www.prodestonline.it
we have some JavaScripts that force the user to download video.exe or to install the ActiveX (it seems that those have been removed from the server)

That piece of JavaScript calls main.php:
Code: [Select]
<body onbeforeunload="window.open('main.php');" onunload="window.open('main.php');" onclose="window.open('main.php');"  id="mainbody">
main.php is recognised by the antivirus as JS/Zhelatin.zb
Decoding it with Malzilla, the antivirus finds the signature HTML/Silly.Gen

It seems that Malzilla doesn't automatically decode the second obfuscated JS; probably the shellcode is this:
Probably it is some kind of IE/ActiveX exploit; I'll look into it later and post some others.

regards ocean

December 14, 2008, 05:02:16 pm
Reply #3

ocean

Code: [Select]
http://free-pornnow.com/
follow a link
Code: [Select]
http://free-pornnow.com/out.php?t=1.0.24.11&url=aHR0cDovL2ZpZWxkb25saW5lLm5ldC9pbi5jZ2k/MTU=&link=today&p=100
Code: [Select]
http://fieldonline.net/in.cgi?15
http://hot-fuck-tube-site.net/get.php?id=20582&p=38
http://just-loved-tube.com/xfreeporn.php?id=20582

Following one of the links present in the page we can find some malware or get redirected to other pages
Code: [Select]
http://download-all4free.com/FullBSCodecz.0.exe

December 14, 2008, 05:21:40 pm
Reply #4

ocean

Code: [Select]
http://imp-porntube.net/pornmovies.php?id=255
Following one of the links we get to a page with some obfuscated JS and a link to malware
Code: [Select]
http://codecdownload.extracoolfiles.com/exclusivemovie.0.exe

Deobfuscating the JS, we get an embedded object movie.mpg
Code: [Select]
document.getElementById('playMov').innerHTML = '<embed src="/movie.mpg" width="480" height="400" autostart="true" type="movie/mpg"></embed>'
regards ocean

December 15, 2008, 11:13:04 am
Reply #5

ocean

exclusivemovie.0.exe:

Detections

a-squared - Trojan.Win32.Agent!IK
Avira AntiVir - Nothing found!
Avast - Nothing found!
AVG - Nothing found!
BitDefender - Nothing found!
ClamAV - Nothing found!
Comodo - Nothing found! 
Dr.Web - Nothing found!
Ewido - Nothing found!
F-PROT 6 - Nothing found!
G DATA - Trojan.Win32.Agent.auqs   A
IkarusT3 - Trojan.Win32.Agent
Kaspersky - Trojan.Win32.Agent.auqs
McAfee - Generic Downloader.x trojan  
MHR (Malware Hash Registry) - Nothing found!
NOD32 v3 - Nothing found! 
Norman - Nothing found!
Panda - Nothing found!
Quick Heal - Nothing found!
Solo Antivirus - Nothing found!
Sophos - Nothing found!
TrendMicro - Nothing found!
VBA32 - Nothing found!   
Virus Buster - Nothing found!

FullSBZCodecz.0.exe


Detections

a-squared - Trojan-Dropper.Agent!IK
Avira AntiVir - Nothing found!
Avast - Nothing found!
AVG - Nothing found!
BitDefender - Nothing found!
ClamAV - Nothing found!
Comodo - Nothing found! 
Dr.Web - Nothing found!
Ewido - Nothing found!
F-PROT 6 - Nothing found!
G DATA - Trojan-Downloader.Win32.Agent.aufz   A
IkarusT3 - Trojan-Dropper.Agent
Kaspersky - Trojan-Downloader.Win32.Agent.aufz
McAfee - Nothing found! 
MHR (Malware Hash Registry) - Nothing found!
NOD32 v3 - a variant of Win32/Kryptik.CU trojan 
Norman - Nothing found!
Panda - Nothing found!
Quick Heal - Nothing found!
Solo Antivirus - Nothing found!
Sophos - Nothing found!
TrendMicro - Nothing found!
VBA32 - Nothing found!   
Virus Buster - Nothing found!


December 17, 2008, 11:02:44 am
Reply #6

ocean

update :)

Code: [Select]
http://tubezzz.com/xxx/
File Info

Report generated: 17.12.2008 at 11.54.45 (GMT 1)
Filename: teens_fuck_orgy13.mpeg._xe
File size: 1520 KB
MD5 Hash: 1BE319D57F215B3A0951AD6EECD06B89
SHA1 Hash: 5A318F2E304FE23BF78C1DBAEA23402DAEA1303E
Packer detected: Nullsoft PiMP Stub [Nullsoft PiMP SFX] *
Self-Extract Archive: Nothing found
Binder Detector:  Nothing found
Detection rate: 7 on 24

Detections

a-squared - Generic.Win32.Malware!IK
Avira AntiVir - Nothing found!
Avast - Win32:Trojan-gen {Other} (0)
AVG - :\$JF\xscan.exe Potentially harmful program Fake_AntiSpyware.AQT
BitDefender - Trojan.FakeAlert.ARC
ClamAV - Nothing found!
Comodo - Nothing found! 
Dr.Web - Nothing found!
Ewido - Nothing found!
F-PROT 6 - Nothing found!
G DATA - Nothing found!
IkarusT3 - Generic.Win32.Malware
Kaspersky - not-a-virus:FraudTool.Win32.XLGuarder.aw
McAfee - Nothing found! 
MHR (Malware Hash Registry) - Nothing found!
NOD32 v3 - Nothing found! 
Norman - Nothing found!
Panda - Nothing found!
Quick Heal - Nothing found!
Solo Antivirus - Nothing found!
Sophos - Mal/FakeAV-Q
TrendMicro - Nothing found!
VBA32 - Nothing found!   
Virus Buster - Nothing found!

Scan report generated by NoVirusThanks.org

Code: [Select]
porntuber.net/watch.php?v=3595067207
Code: [Select]
porntuber.net/download.php redirects to
Code: [Select]
http://xgguy.com/download/wmv9codec.exe
which returns a 404 page.

December 17, 2008, 01:12:09 pm
Reply #7

ocean

Code: [Select]
http://www.moms-galls.com/
Following the links, the mpeg video links redirect to
Code: [Select]
slyvip.com/v/c.php
which, at the moment, returns a 404.

Code: [Select]
http://porntubenet.com/index.php
Code: [Select]
http://porntubenet.com/download.php redirects to
Code: [Select]
http://porntubenet.com/download/ActiveXVideoCodec.exe

December 19, 2008, 09:25:13 am
Reply #8

ocean

update:

temporarily removed

In the chain there are pages that link back to the page that contains the malware, Cialis spam pages and others.
I haven't had time to follow every link and parse the data; probably there is a lot more to find out.

images on some of these websites are hosted on
Code: [Select]
http://awmcity.com
regards ocean.

December 20, 2008, 12:04:36 am
Reply #9

MysteryFCM

Be very wary if checking some of those as their domain names give a very big hint of C/P
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

December 20, 2008, 09:18:04 am
Reply #10

ocean

you mean carding/phishing?


here's another link chain

Code: [Select]
http://allpornsites.info/gallery1.htm
http://www.qulclipz.com/st/st.php?cat=5509&script=1&url=http%3A%2F%2Fwww.vidzcollector.com%2Fm4%2Findex.php%3Fid%3D1956%26n%3Dmainstream%26a%3Dchids82%26v%3D44888.955555556%26preview%3Dhttp%253A%252F%252Fsimg-2.qulclipz.com%252Fst%252Fthumbs%252F037%252F6563413748.jpg&p=100
http://www.vidzcollector.com/m4/index.php?id=1956&n=mainstream&a=chids82&v=44888.955555556&preview=http%3A%2F%2Fsimg-2.qulclipz.com%2Fst%2Fthumbs%2F037%2F6563413748.jpg
http://www.vidzwares.com/download.php?id=1956

the last link is the "setup.exe" fake video codec.

December 20, 2008, 04:26:15 pm
Reply #11

MysteryFCM

Not quite ...... CP = Child Pornography
Regards

December 20, 2008, 05:40:43 pm
Reply #12

ocean

Maybe it's better if I temporarily remove the links.

However, I checked a few of them from where I parsed the links and it doesn't seem so.

regards
ocean

May 27, 2009, 11:43:48 pm
Reply #13

ocean

other fake porntubes :)


Code: [Select]
masevi.net/main.html
xmoviedownloads.com/tube.htm
badwetgirls.com/blah_video.html
thesexybaby.com/bored_video.html


http://signanda.net/download/7953764e4d413d3dfcf24f1a20090516/flash_player_v11.exe

http://anubis.iseclab.org/?action=result&task_id=117a3fd6756b193d4bd9ec5167c8b4e1c

http://www.virustotal.com/en/analisis/d3c4a084fed90e6942c2da016ca0a17807fd748a8bcba19b31179e458dba1ff4-1243479143

Result: 3/40 (7.50%)

Sunbelt    3.2.1858.2    2009.05.28    Trojan.NSIS.DnsChanger (v)

regards ocean