Monday, June 30, 2008

The Malicious ISPs You Rarely See in Any Report



The recently released badware report entitled “May 2008 Badware Websites Report" lists several Chinese netblocks tolerating malicious sites on their networks. As always, these are just the tip of the iceberg out of a relatively good sample that the folks at Stopbadware.org used for the purposes of their report. In the long term however, with the increasing prelevance of fast-fluxing, a country's malicious rating could become a variable based on the degree of dynamic fast-fluxing abusing its infrastructure in a particular moment in time. Moreover, forwarding the risk and the malicious infrastructure to malware infected hosts, and exploited web servers, creates a "twisted reality" where the countries with the most disperse infrastructure act as a front end to the countries abusing it, ones that make it in any report, since they are the abusers.



The report lists the following malicious netblocks, a great update to a previous post on "Geolocating Malicious ISPs" :



- CHINANET-BACKBONE No.31,Jin-rong Street

- CHINA169-BACKBONE CNCGROUP China169

- CHINANET-SH-AP China Telecom (Group)

- CNCNET-CN China Netcom Corp.

- GOOGLE - Google Inc.

- DXTNET Beijing Dian-Xin-Tong Network Technologies Co., Ltd.

- SOFTLAYER - SoftLayer Technologies Inc.

- THEPLANET-AS - ThePlanet.com Internet Services, Inc.

- INETWORK-AS IEUROP AS

- CHINANET-IDC-BJ-AP IDC, China



With some minor exceptions though, in the face of the following ISPs you rarely see in any report - InterCage, Inc., Softlayer Technologies, Layered Technologies, Inc., Ukrtelegroup Ltd, Turkey Abdallah Internet Hizmetleri, and Hostfresh. Ignoring for a second the fact that the "the whole is greater than the sum of it's parts", in this case, the parts represent RBN's split network. Since it's becoming increasingly common for any of these ISPs to provide standard abuse replies and make it look like there's a shutdown in process, the average time it takes to shut down a malware command and control, or a malicious domain used in a high-profile web malware attack is enough for the campaign to achieve its objective. The evasive tactics applied by the malicious parties in order to make it harder to assess and prove there's anything malicious going on, unless of course you have access to multiple sources of information in cases when OSINT isn't enough, are getting even more sophisticated these days. For instance, the Russian Business Network has always been taking advantage of "fake account suspended notices" on the front indexes of its domains, whereas the live exploit URLs and the malware command and controls remained active.



And while misconfigured web malware exploitation kits and malicious doorways continue supplying good samples of malicious activity, we will inevitable start witnessing more evasive practices applied in the very short term.



Related posts:

The New Media Malware Gang - Part Three

The New Media Malware Gang - Part Two

The New Media Malware Gang

HACKED BY THE RBN!

Rogue RBN Software Pushed Through Blackhat SEO

RBN's Phishing Activities

RBN's Puppets Need Their Master

RBN's Fake Account Suspended Notices

A Diverse Portfolio of Fake Security Software

Go to Sleep, Go to Sleep my Little RBN

Exposing the Russian Business Network

Detecting the Blocking the Russian Business Network

Over 100 Malwares Hosted on a Single RBN IP

RBN's Fake Security Software

The Russian Business Network 

Friday, June 27, 2008

ICANN and IANA's Domain Names Hijacked by the NetDevilz Hacking Group

The official domains of ICANN, the Internet Corporation for Assigned Names and Numbers, and IANA, the Internet Assigned Numbers Authority were hijacked earlier today, by the NetDevilz Turkish hacking group which also hijacked Photobucket’s domain on the 18th of June. Zone-H mirrored the defacements, some of which still remain active for the time being.



Read more here - "ICANN and IANA’s domains hijacked by Turkish hacking group". A single email appears to have been used in the updated DNS records of all domains, logically courtesy of the NetDevilz team - foricann1230@gmail.com



More details will be posted as soon as they emerge.



UPDATE:



The ICANN has restored access to its domains, and as in every other DNS hijacking the correct records will be updated on a mass scale in 24/48 hours. Some press coverage :



Ankle-biting hackers storm net's overlords, hijack their domains

Hackers hijack critical Internet organization sites

No such thing as a guaranteed safe site

Good Always Comes Out of Bad

Hackers Deface ICANN, IANA Sites

ICANN publicity may have triggered malicious behavior

Turkish Hackers Relive Memories in Photobucket

ICANN Web Site Compromise




Moreover, according to an article at Computerworld, the ICANN weren't aware of the hijack :



"A spokesman for ICANN contacted Friday morning wasn't aware of the hack, and declined comment until he find out more."



Let's hope that they issue a statement on the situation once they know more about how it happened. More comments follow from the ICANN - "Turkish Hacker Group Strikes Again, This Time Victims are ICANN and IANA" :



"Latest response received by CircleID from ICANN states that the problem took place at their registrar level. A Whois look up shows Register.com as the registrar for the hacked domains. ICANN has further stated that the registrar "fixed the dns redirection within 20 minutes of us notifying them of the problem. The registrar is actively investigating what happened and has promised to report back to us on what happened."



This is the second time in a row when DNS hijacking happens through Register.com compared to Comcast.net's one done through Network Solutions.

Thursday, June 26, 2008

Right Wing Israeli Hackers Deface Hamas's Site

Compared to historical hacktivism tensions between different nations, Israeli and Palestinian hacktivists seem to be most sensitive to "virtual fire exchange" like this one, and consequently, just like in real-life, always look and find for an excuse to engage in a conflict. Israeli hackers penetrate Hamas website :

"Israeli hackers boasted Thursday about breaking into the website of Izz al-Din al-Qassam, Hamas’ military wing, which now displays a white screen and words in Arabic announcing technical difficulties. The hacker group, which calls itself Fanat al-Radical (the fanatical radicals), also said that it broke into additional terror organizations’ sites and those of various leftist movements. In a Ynet interview, a group representative who refused to reveal his name said, “We searched for relevant sites with the criteria we look for, whether leftist or anti-Zionist, and looked for loopholes. Our emphasis was always on the al-Qassam site. "The criteria are defined as anti-Zionist or anti-Jewish sites that support or assist in harming Zionism and the existence of Israel as a Zionistic, Jewish state."

The message they left :

"Hacked by XcxooXL and FENiX from Fanat Al Radical Greets: Sn4k3 Contact: Fanat.al.Radical@gmail.com "

These script kiddies using SQL injection vulnerabilities within the affected sites, since they indeed managed to deface several other as well, seem to have also participated in the 2006 cyber conflict sparkled due to the the kidnapping of three soldiers. One of their defacements remains still active (aviv.perffect-x.net/deface.html)

"We will stand against the Islam until the kidnapped soldiers, Gilad Shalit, Eldad Regev and Ehod Goldvaser will be return, We will attack arabic servers and site which support the Islam and protest against the zionism"

What if every script kiddie with a SQL injection scanners goes into politics? It's a mess already.

Related posts:
Monetizing Web Site Defacements
Pro-Serbian Hacktivists Attacking Albanian Web Sites
The Rise of Kosovo Defacement Groups
A Commercial Web Site Defacement Tool
Phishing Tactics Evolving
Web Site Defacement Groups Going Phishing
Hacktivism Tensions
Hacktivism Tensions - Israel vs Palestine Cyberwars
Mass Defacement by Turkish Hacktivists
Overperforming Turkish Hacktivists

Wednesday, June 25, 2008

Backdoording Cyber Jihadist Ebooks for Surveillance Purposes

It appears that cyber jihadists are striking back at the academic and intelligence community, by binding their propaganda Ebooks with malware, then distributing them across different forums, thanks to a recently analyzed Ebook entitled "The Al-Qaeda network's timely entrance in Palestine" distributed by the Global Islamic Media Front - hat tip to Warintel.

If it were posted by a newly joined forum member, it would have logically raises the suspicion that it's in fact intelligence agencies spreading malware infected Ebooks around cyber jihadist forums, but it's since this one in particular is being distributed by what looks like a hardcore cyber jihadist, it brings the discussion to a whole new level.

What are they trying to achive? Abuse the already established trust of their readers and cyber jihadist supporters in order to snoop on their Internet activities, or it's the academic and intelligence community they are trying to monitor? In times when botnets can be rented and created on demand, they seem to be more interested in infecting their enemies. Moreover, I suspect that prior to the forum posting, private messages and emails were automatically sent to notify members whose number of posts at the forum greate outpace those of average observers, perhaps the target in such an attack.

The malware is detected by 9 out of 33 antivirus scanners as Trojan.Midgare.gra. Consider reading a previous post on "Terror on the Internet - Conflict of Interest" as well as through the related posts summarizing all the cyber jihadist research I've conducted so far.

Fake Porn Sites Serving Malware

Ah, that RBN with its centralization mentality for the sake of ease of management and 99.999% uptime. In this very latest example of using malicious doorways redirecting to fake porn sites, consisting of over twenty different domains serving the usual Zlob malware variants, we have a decent abuse of a template for a porn site.

The easy of management of such domain farms and the availability of templates for high trafficked topic segments such as celebrities and pornography, continue contributing to the increasing number of Zlob variants served through fake codecs. Moreover, once set up, the malicious infrastructure starts attracting now just generic search traffic, but also traffic coming from affiliates with whom revenue is shared on the basis of the number of people that downloaded the codec.

In this campaign, the malicious doorway that expands the entire ecosystem is located at search-top.com/in.cgi?5&parameter=drs (66.96.85.113). A redirector that appears to have been operating since 2006, according to this forum posting.

What follows on-the-fly, are all the fake porn sites whose legitimately looking videos attempt to download a Zlob malware variant from a single location - vipcodec.net. Here are all the fake porn sites, and the associated campaigns in this redirection :

watchnenjoy .com/index.php?id=1287&style=white
craziestclips .com/index.php?id=1287&q=
immensevids .com
planetfreepornmovies .com/?t=1&id=1219
poweradult .net/edmund/16551689/1/&id=1219
scan-porn .net/rosalyn/1742941675/1/&id=1219
about-adult .net/emiline/108846601/1/&id=1219
service-porn .com/inde/964842117/1/&id=1219
pleasure-porn .com/elnora/648311952/1/&id=1219
porn-the .net/verge/1734135233/1/&id=1219
porn-pleasure .net/dal/1663381205/1/&id=1219
scan-porn .net/gretchen/515268975/1/&id=1219
abc-adult .com/lillah/1467790484/1/&id=1219
about-adult .net/jenne/434165228/1/&id=1219
look-adult .net/ette/681831796/1/&id=1219
about-adult .net/mime/65729013/1/&id=1219
name-adult .net/alfe/550398461/1/&id=1219
group-adult .net/demerias/867452637/1/&id=1219
useporn .net/rhode/167691118/1/&id=1219
porn-look .net/hephsibah/1254235416/1/&id=1219
scan-porn .net/hence/1684651134/1/&id=1219
abc-adult .com/kendra/371598555/1/&id=1219
name-adult .net/link/1334727639/1/&id=1219
porn-the .net/flo/84660854/1/&id=1219
porn-popular .com/assene/875893411/1/&id=1219
about-adult .net/charlotta/972714195/1/&id=1219
porn-comp .com/orlando/761508522/1/&id=1219
useporn .net/jemima/1405735776/1/&id=1219
about-adult .net/obadiah/263904242/1/&id=1219
group-adult .net/douglas/1110779475/1/&id=1219
porn-look .net/lydde/1844064103/1/&id=1219
pleasure-porn .com/marcia/1627490290/1/&id=1219
service-porn .com/cono/295680123/1/&id=1219
group-adult .net/wes/1733468207/1/&id=1219
abc-adult .com/wib/648341815/1/&id=1219
scan-porn .net/greg/2064937302/1/&id=1219
contact-adult .net/maris/33184936/1/&id=1219
look-adult .net/regina/1273816838/1/&id=1219
abc-adult .com/gwendolyn/869744046/1/&id=1219
service-porn .com/carthaette/1021629112/1/&id=1219
scan-porn .net/ninell/1522355420/1/&id=1219
porn-pleasure .net/waldo/755290223/1/&id=1219
porn-the .net/green/669090607/1/&id=1219
try-adult .com/lula/447057398/1/&id=1219
visit-adult .net/jay/1021153563/1/&id=1219
contact-adult .net/rosa/849017739/1/&id=1219
name-adult .net/hannah/2111126283/1/&id=1219
about-adult .net/robin/2114086747/1/&id=1219
scan-porn .net/geraldine/921262381/1/&id=1219
contact-adult .net/christine/1821111087/1/&id=1219
porn-popular .com/frederica/364993202/1/&id=1219
about-adult .net/kerste/735582753/1/&id=1219
porn-the .net/vine/715820953/1/&id=1219
porn-the .net/newt/1835463160/1/&id=1219
try-adult .com/max/602914725/1/&id=1219
porn-pleasure .net/cille/1420660046/1/&id=1219
poweradult .net/phililpa/178057959/1/&id=1219
name-adult .net/lise/1379126759/1/&id=1219
pleasure-porn .com/marianne/1083617952/1/&id=1219
poweradult .net/emile/1173468576/1/&id=1219
useporn .net/patse/155685496/1/&id=1219
helpporn .net/verna/625840253/1/&id=1219
name-adult .net/aubrey/190928373/1/&id=1219
about-adult .net/alphinias/1345158043/1/&id=1219
useporn .net/rosa/223743611/1/&id=1219
pleasure-porn .com/nerva/1509620489/1/&id=1219
helpporn .net/leet/1619667733/1/&id=1219
about-adult .net/roberta/887345003/1/&id=1219
porn-pleasure .net/tore/1032556395/1/&id=1219
useporn .net/bo/1963737386/1/&id=1219
porn-look .net/karon/136085893/1/&id=1219
poweradult .net/tense/1523522750/1/&id=1219
poweradult .net/hopp/1955964399/1/&id=1219
scan-porn .net/vanne/350822489/1/&id=1219
porn-comp .com/deb/1451360694/1/&id=1219
about-adult .net/moll/1511640690/1/&id=1219
porn-popular .com/obediah/562846948/1/&id=1219
helpporn .net/tamarra/776122096/1/&id=1219
pleasure-porn .com/aristotle/1046422029/1/&id=1219
porn-comp .com/titia/158157566/1/&id=1219
group-adult .net/gay/1297835054/1/&id=1219
porn-look .net/katherine/2136357734/1/&id=1219
helpporn .net/azubah/1197502147/1/&id=1219
porn-comp .com/claes/770105101/1/&id=1219

Associated fake porn sites :

pornbrake .com
sexnitro .net

brakesex .net

pornnitro .net

adultbookings .com

qazsex .com

lightporn .net
delfiporn .net

pornqaz .com

megazporn .com

uinsex .com

xerosex .com
serviceporn .com

aboutadultsex .com

superliveporn .com

bestpriceporn .com

contactporn .net

relatedporn .com

landporno .com

adultsper .com

plus-porn .com

adultstarworld .com

cutadult .com
moviexxxhotel .com

porno-go .com

pornxxxfilm .com

porn-sea .com

review-sex .com

sureadult .com

browseadult .com

network-adult .com

timeadult .com

virtual-sexy .net

funxxxporn .com
loweradult .com

adultfilmsite .com

xxxallvideo .com

custom-sex .com

g
allerypictures .net
usaadultvideo .com

adultmovieplus .com
porn-cruise .com

clubxxxvideo .com

mitadult .com

galleryalbum .net

xxxteenfilm .com

hardcorevideosite .com

helpadult .com

portaladult .net

service-sex .com

driveadult .com

access-porno .com

time-sex .com

plus-adult .com

worldadultvideo .com

key-adult .com
estatesex .com
superadultfriend .com

superporncity .com
zero-porno .com

scanadult .com

adultsexpro .com

adultzoneworld .com

porntimeguide .com

usbestporn .com

adulttow .com

look-porn .com

galleryclick .net
micro-sex .com
estatesex .com

try-sex .com

0bucksforpornmovie .com

gays-video-xxx .com

hackthegrid .com

savetop .info

vidsplanet .net

freexxxhere .com

gestkoeporno .com

tv-adult .info
gays-adult-video .com

matures-video .com

analcekc .com

tabletskard .in

molodiedevki .com

dom-porno .com

pornoaziatki .com

latinosvideo .com

geiporno .com

sweetfreeporn .com


If exposing a huge domains portfolio of currently active redirectors has the potential to ruin someone's vacation, then consider someone's vacation ruined already.

Related posts:
Underground Multitasking in Action
Fake Celebrity Video Sites Serving Malware
Blackhat SEO Redirects to Malware and Rogue Software
Malicious Doorways Redirecting to Malware
A Portfolio of Fake Video Codecs

Tuesday, June 24, 2008

An Update to Photobucket's DNS Hijacking

With Photobucket’s recently hijacked DNS records by Turkish hacking group, the second high profile DNS hijack for the past two months next to Comcast.net's DNS hijacking in May, domain registrant impersonation attacks seems to fully work, and Tier 1 domain registrars remain susceptible to them.

So far, none of these DNS hijacks served any malware, live exploits, or bogus home pages aiming to steal accounting data. However, the DNS hijacking by itself resulted in a Denial of Service attack on Photobucket, one that would have required a great deal of bandwidth if it were executed in the old fashioned frontal attack approach.

And with Photobucket still labeling the DNS hijacking as a "DNS error", their failure to admit what has actually happened is already sparkling quite a few negative comments across the Web - with a reason. Creating alternate realities when it comes to evidential proof of a hack isn't necessarily state of the art public relations. Photobucket.com's domain registrar, the Register.com comments on the DNS hijacking :

"The Photobucket site was down for a very short time and was restored immediately when we became aware of the issue." Roni Jacobson, general counsel of Register.com, said in a statement on Thursday. "We are currently investigating the source of the problem."

As well as Atspace.com's (Zettahost.com) statement left on their site regarding the DNS hijacking :

"IMPORTANT! Photobucket.com problem read here: Last night Photobucket.com DNS at register.com was hacked by malicious people that are trying to compromise our business! We are in no way affiliated with such bad deeds and cooperate with photobucket in capturing these individuals. They have pointed the domain photobucket.com to an account hosted on our systems! We have blocked that and photobucked techs have restored the domain pointing to its original location!ALL account information and pictures on photobucket.com are OK, please have patience! Unfortunately the complete DNS replication usually takes 24-48 hours and during this time caches DNS records might still point to us! The normal operation of Photobucket is restored and as soon as the replication is complete there should be no further such issues! We would like to emphasize that we are in now way responsible for what happens with photobucket and all users bumping across our systems! We are a legitimate web hosting company operating since 2003 and in no way tolerate such hacking attempts! If you have any questions please do not hesitate to contact us at abuse@zettahost.com! Thanks for your patience and understanding!"

When the affected company acts like nothing's happened, whereas multiple sources continue providing pieces of the puzzle, a statement on the measures taken to prevent that type of hijacking in the future would be better PR than denying the hijacking of the first place and the fact that they could have pointed Photobucket.com to anywhere they wanted to.

Monday, June 23, 2008

Underground Multitasking in Action

How many ways in which a malicious party can abuse its unauthorized access to a host, can you think of? In this example of remotely file included web backdoor (web shell), we have a malicious party that's hosting a web spammer, planning to launch a phishing attack impersonating Halifax, locally hosting blackhat SEO junk pages redirecting to rogue security software, redirecting to multiple live exploit URLs through javascript obfuscations, as well as to fake casinos and fake celebrity video sites - all from a single location.

This risk-forwarding process for all the malicious and criminal activities to the owner of the compromised web server is something usual, what's more interesting in this case is the number and diversity of the affiliations this guy has set up in order to monetize the unauthorized access by using all the possible sources of revenues like the ones I pointed on in a previous post regarding increasing monetization of web site defacements.

In fact, he seems to have built enough confidence in the new "hosting provider", that he's even hosting his blackhat SEO advetising services there. The multiple javascript obfuscations hosted locally, point to the following malicious domains which expose all the revenue generating affiliations, and even more malicious doorways :

analytics-google .info/q/urchin.js
209.205.196.16/freehost22/paula2/index.php?id=0271

209.205.196.16/freehost22/paula2/exxe.php?id=0271

crklab .us/index.php

my-page-de .info/in.cgi?2&1400397

tapki .cn/1.html?92465

dificalgot .net/s/in.cgi?2?1121268b0d022308

my-page-de .info?default.cgi

magichotgaming .net

allextra .com/best/go.php?sid=2&tds-parametr1=Taryn+Manning
newextra .com/in.cgi?19&group=allextra

drivemedirect .com/soft.php?aid=0358&d=3&product=XPA
securityscannersite .com/2008/3/freescan.php?aid=880358

Sampe detection rate for the casino adware, a reminder on why you shouldn't play poker on an infected table :

Scanners result : 7/33 (21.22%)
Trojan.Casino.466752; W32/Casino.A.gen!Eldorado; Adware.Casino-18
File size: 466752 bytes
MD5...: b0f70441dde5c2b82ba5388f3d566576
SHA1..: 5603b1b972e2cff99d6339fbd8970278f5ff371d


To sum up - with the overall availability of templates for phishing sites, fake video sites, fake security software, as well as the ongoing traffic management tool's convergence with web malware exploitation kits, the opportunity for a malicious party to participate in different affiliate based scams on revenue sharing basis, increases. Therefore, what looked like an isolated attack, is slowly becoming an "attack in between" the rest of the malicious activities lunched by the same party.

Friday, June 20, 2008

Phishing Campaign Spreading Across Facebook

Phishers have once again indicated their interest in obtaining fresh passwords for social networking sites, by using the already hacked accounts there in order to social engineer the account holder's friends that the phishing links they leave as comments are legitimate. This latest internal phishing campaign circulating across Facebook, is a part of a bigger phishing operation, whose reliance on fast-fluxed domains used in the campaign indicates it's a part of a botnet.

Sample messages spammed across Facebook :

"hey, howdy?? oh lisen i got a new friend here shex kinda new on facebook..maybe you can give her a lil tym so she can enjoy here?? not forcin u but u can chk out =)"

"i got a new friend here..shex kinda new here..maybe you can give her a lil tym so she can enjoy here?? not forcin u but u can chk out =)...her profile is"

"hi, watsup?? luk i want you to add ma new friend, as she is new here maybe you can give her lil time so she enjoys her online stay :P her profile is"

Sample phishing URLs and fast-flux domains from this campaign :

- facebook.com.profile.id.ep7vu2.749e92q.916ad771.info/facebook/index.php?id=f543li12

- facebook.com.profile.id.mgt9fr5n.mg6qdo.e77c98037.com/facebook/index.php?id=sjv5ppwqb&auth=5086550&cyua=dm2yozoq3y

- facebook.com.profile.id.bvbu38.krpz.dortos.net/facebook/index.php?id=y39zjy4c6&auth=462&cyua=2wr8tckkg8

- facebook.com.profile.id.10g10th3.7q342k8.31dd6db6.com/facebook/index.php?id=b36a7sh7&auth=bnspa&cyua=31064jrv8u2

1d27c9b8fb.com
31dd6db6.com

dortos.net

e77c98037.com

916ad771.info


Related phishing domains sharing fast-flux infrastructure with one another :


paypal.client-confirmation.com

acznc84.com

ccitu938.com

e77c98037.com
ccitu938.com

civvi05.com

client29184146.com

cnzu390.com

d71adb12.com

dd25d624.com

f009c270.com
fzkgoo6.com

lvozx90.com

r8t0p0l4.net

2j1f.com

31c5f18a7f.com

3h8ax3.com

4442852.com

47cx972x.com

72195e6.info

aur83jf82la.com

f80a5b31be7.com
gllofj8532.com

3h8ax3.com

47cx972x.com

aur83jf82la.com

client1874741.com

client1929848.com

client9994414.com

ringbe.com
ringbean.com

ringwe.com

xctiw4.com

They also seem to be in a process of diversifying the social networks to be attacked, having Hi5 in mind - hi5.com.profile.id.yijs.dcrt.1d27c9b8fb.com/hi5/?id=chrislef&auth=rwx&cyua=albumem

Related posts:
Large Scale MySpace Phishing Attack
Update on the MySpace Phishing Campaign
MySpace Phishers Now Targeting Facebook
MySpace Hosting MySpace Phishing Profiles

Fake Celebrity Video Sites Serving Malware

With blackhat search engine optimization tactics clearly converging with social engineering, the result of which is the increasing supply of Zlob malware variants served as fake codecs, it's about time we spill some coffee on several campaigns in order to get a better understanding of the way the campaigns function.


These campaigns are also starting to get so sophisticated, that analyzing a single one will expose another massive SQL injection, reveal several blackhat SEO domain farms, let you obtain fresh Zlob malware variants, and point you to the very latest and undetected rogue software if you manage to expose the entire scammy ecosystem through all the redirections put in place to make it harder to get to the bottom of it.

What's important to keep in mind when assessing and shutting down such comprehensive campaigns is that on the majority of occassions the front end domains as well as the secondary ones are all attempting to download the codecs from hardcoded locations. Consequently, you have 50 front end domains and another 50 as secondary redirection points all attempting to download the codecs from 3 download locations. Once again, the malware authors efficiency centered mentality emphasising on the easy of management for the campaign is making it possible to.

Here's are some currently active fake celebrity video sites serving malware including the codec redirectors :

stillnaked.net
funkytube.net

starvid.info
yetmorefun.net

hotnudity.net

alreadynude.com

celebvids.info

sexystar.name

hotserved.net

thestars2008.com

nudde.net
gottabigfuick.com

moviecity.se

gossip-starz.com

tmz-video.com

js0.info
superfakamyvideo.com

hdavidz.com

blog-x.in
tmz-video.com
newhotpeople.com

dirty-gossips.com

flaxxvid.com

videoid.info

realvideofree.com

yetmorefun.net

popvids.info
ihavewetfuckpussy.com
virus-scanonline.com
adultx2008.com

lux-software2008.com

As well as some sample subdomains for traffic acquisition purposes, since all of these have already been crawled by search engines :

jodie.popvids.info
jessica.popvids.info

tila.popvids.info

paris.celebvids.info
vanessa.celebvids.info

britney.nudde.net

paris.nudde.net

kardashian.nudde.net

vanessahudgens.yetmorefun.net

lindsaylohan.yetmorefun.net

britneyspears.yetmorefun.net

parishilton.yetmorefun.net

kardashian.nudde.net


We also have embedded IFRAMEs and as well as injected ones into vulnerable sites, acting as redirectors to some of these fake video sites. For instance, at the pedophilesexstories.blog.com we have an injected redirector - js0.info/?s=16&k=pedophile+sex+stories&c=5 and js0.info itself is a blackhat SEO operation that's aggregating generic search traffic like this :

js0.info/16/5/ragnarok+hentai
js0.info/15/4/antivirus+characteristic

js0.info/16/5/msn+monkey
js0.info/15/4/airplus+internet+security

Once accessed, you get redirected to through two separate redirection campaigns at searchaw.info/sa/in.cgi?16; and hmel.info/stds13/go.php, until you finally get to the codecs.

With blackhat SEO-ers already well developed inventory of topical junk content, and experience in what's popular content and what's not, the entry barriers for malware authors into the traffic acquisition joys of blackhat SEO has never lower.

Wednesday, June 18, 2008

The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw

Just like you have sophisticated cyber criminals trying to scam wannabe cyber criminals by providing them with backdoored web malware exploitation kits and phishing pages, you have cyber criminals looking for ways to obtain access to the most popular exploitation kits and bankers malware C&Cs by finding vulnerabilities within them.

Apparently, Zeus, the crimeware kit which I discussed in a previous post, is susceptible to a remotely exploitable vulnerability according to a proof of concept code I obtained recently . The vulnerability allows the injection of logins and passwords within any misconfigured web interface, due to the way in which Zeus is processing php scripts (web shells and backdoors) from the directory in which it stores the stolen data. Ironically, "Zeus users are advised to take care of their directory permissions, and forbid the execution of scripts from the folder holding all the encrypted stolen information".

The implications of this flaw are huge, since, what used to be the practice of hijacking someone's misconfigured botnet a couple of years ago, is today's hijacking of the malware campaigns's command and control interface, which on the majority of occasions is left accessible to everyone - including independent researchers and the security community.

Picture the following situation - right before the Russian Business Network "disappeared", it threatened to sue Spamhaus for blacklisting most of its old infrastructure, what would happen if the security community starts unethically pen-testing the RBN's infrastructure, and remotely exploit misconfigured Zeus C&Cs in order to estimate the number of infected hosts and the type of stolen data in order to communite its findings to the appropriate parties on all fronts? If the RBN starts suing for getting unethically pen-tested, it would automatically claim ownership of, well, the Russian Business Network's infrastructure which you must be pretty familiar with by now.

Moreover, can we even dare to speculate on the existence of monoculture in crimeware software? You bet, and finding vulnerabilities within popular crimeware kits and web malware exploitation kits is only starting to emerge, a situation where the market share of a certain kit would attract the most vulnerability research.

Monday, June 16, 2008

Malicious Doorways Redirecting to Malware

Blacklisting malicious sites in times when legitimate ones are starting to compete with bogus .info and .biz ones for the leading position of hosting and serving malicious content, is a bit of an outdated and reactive approach for protecting against unknown threats. However, a single malicious domain whose live exploits can be easily detected and consequently blocked, is often just a front end to a large domains portfolio whose malicious content may easily pass through web filtering and on-the-fly malware attempts. Even worse, a malicious domain often exists in multiple "alternate realities" since a single IP is hosting many other unique and related malware domains.

In this post, I'll assess a misconfigured malicious doorway, that is redirecting to ten different malware sites serving Zlob variants by delivering fake codecs that all the bogus adult sites require. The doorway is misconfigured in the sense of not recording the IP and checking the cookie set, in comparrision to every average web malware exploitation kit out there, which will not serve anything malicious when accessed for a second time since it's hashing the IPs that accessed it already. This is just the tip of the iceberg when it comes to the emerging evasive approaches applied to make the analysis of such doorways a bit more time and resources consuming. In a single sentence - there's evidence blackhat SEO-ers are starting to exchange crawling manipulation know-how with malware authors.

In this example we have bestxvids.info (87.118.116.11) which is reditecting to all-index.com/in.cgi?5 (87.118.116.11) a URL that's been actively spammed across forums and guestbooks vulnerable to automatic posting vulnerabilities (weak CAPTCHAs and web application vulnerabilities) which is then redirecting to the following fake codec domains on the fly, and since the redirection script isn't hashing my IP like the majority of well configured ones requiring the use of multiple IPs if we're to expose all the campaigns, it makes the investigation easier :

tubeuniverses.com/teen/index.php?id=1883 - (78.108.177.99)
new-content-s2008.com/freemovie/938/0/ - (72.21.53.218)
teens.0bucksforpornmovie.com/?id=4199 - (64.28.181.28)
getadultaccess.com/movie/?aff=5310 - (200.63.46.84)
hqtube.com/?7014000000 - (88.85.66.116)
supersharebox.com/softw/?aff=5310&saff=0 - (200.63.46.84)
scanner.shredderscan.com/5/?advid=4329 - (92.241.182.13)
myflydirect.com/1/5310/ - (200.63.46.84)
getadultaccess.com/movie/?aff=5310 - (200.63.46.84)
hotvidstube.com/teen/index.php?id=1883 - (78.108.177.99)
2008-adult-2008.com/freemovie/938/0/ - (72.21.53.218)
s-soft08freeware.com/download/502/938/0 - (91.203.70.18)

Where's the "alternate reality"? All of the following fake codec and adult sites serving Zlob variants, with minor exceptions of course, are also responding to the main IP of the redirector - 87.118.116.11 :

carsfoto.ru
cheapest-pharmacy.com

coolsexmovies.net

free-movie-xxx.net
gold-collection.biz

p-o-r-n-0.com

p-o-r-n-0.info

sexakaporn.com

stred.biz

stred.in

tosserhost.com

west-video-xxx.info

wowtofree.info


Shall we also expose the entire scammy ecosystem of Zlob variants, as always, sharing the same netblocks in order to keep it simple? But of course :

porn-youtube08.net
sextubecodec55.com

2008adult2008.com

adultstreamportal2008.com
newcontent-s2008.com

adultxx-18.com

newcontents2008.com

onlinestreamvide.com

2008adultstreamportal2008.com

newcontents2008.com

hot-pornotube2008.com
adult-youtube-8.com

2008adult-s2008.com
2008adultstreamportal2008.com

adult-freetube-8.com

adult18tube2008.com
adultstreamportal2008.com
free-porntube-8.com

gt-funny.com
gt-movies.com

gt-stars.com

hot-sextube.com

new-content-s2008.com

newcontent-s2008.com

newcontents2008.com

onlinestreamvide.com

porno-tube20008.com

pornotube-20008.com

pornotube20008.com

sex-18tube-2008.com

sex-tube-20008.com
sex-tube20008.com

sex18tube2008.com

sexi18tube2008.com

sextube18adult.com

sextube20008.com

streamadultvideo.com

xxxstreamonline.com


The bottom line - malicious doorways are slowly starting to emerge thanks to the convergence of traffic redirection and management tools with web malware exploitation kits, and just like we've been seeing the adaptation of spamming tools and approaches for phishing purposes, next we're going to see the development of infrastructure management kits, a feature that DIY phishing kits are starting to take into consideration as well.

Friday, June 13, 2008

Monetizing Web Site Defacements

What used to be a harmless web site defacements back in the old school days, is today's ongoing monetization of defaced web sites, a logical development given the consolidation between different underground parties, evidence of which can be seen in the majority of incidents I've been analyzing recently.

The Africa Middle Market Fund' site is the latest example of a web site defacer is abusing the access to the web server to generate and locally host blackhat SEO pages, which when once access only by searching for the keywords and consequently returning 404 if traffic isn't coming from a search engine, redirect to known rogue security software, in this case, the XP antivirus protection (securityscannersite.com) which you must be familiar with if you were following the assessments of the massive IFRAME SEO poisoning attacks that took place during March this year. More about the found :

"The Africa Middle Market Fund is a private capital fund that invests in small and medium sized African businesses who need from $500,000 up to $2 million to grow and succeed to their full potential. We are a "double bottom-line" or "impact investment" fund, meaning that we care equally about financial performance and social benefit. We are for-profit and insist on our investees employing world standards of financial and business management to maximize their chances of success"

Most of the outgoing links from a sample of over 50 blackhat SEO pages at the site point to 23search.org, which is an invitation-only affiliate based network for traffic exchange, connecting different malicious parties together :

"What is this site? This site helps webmasters to earn money with their sites. How it works? Our program generate traffic from search engines and display advertising. What shell I do to start with you? Signup, get php file from member area, put file into your website directory, modify or create .htaccess in the same directory, and receive money!"

The session is then redirected to drivemedirect.com/soft.php?aid=0195&d=3&product=XPA, as well as to drivemedirect.com/soft.php?aid=0263&d=2&product=XPC to ultimately redirect the user to online-xpcleaner.com/2/freescan.php?aid=880263

Moreover, the majority of blackhat SEO campaigns are also starting to apply evasive techniques to make it harder to analyze them. In this particular campaign for instance, only traffic comming from search engines would get the chance to see the SEO page due to the use of document.referrer tags. Here are some sample monitization practices from what I've seen between the lines of recently defaced sites :

- installing web backdoors and reselling the access to phishers, spammers and malware authors who would have full control over the content, and can therefore do whatever they to with the web server

- installing web based spamming tools that later on will be either used directly by the defacers, or access to the tools sold to those interested in using them

- participating in an affiliate based blackhat SEO networks, where revenue coming of the victims who installed the rogue software is shared among the defacer and the affiliate based network, which doesn't really care how and where is all the traffic coming from

- forwarding the responsibility of hosting phishing pages to the legitimate site by hosting them locally in between sending the phishing emails again using the same host

- selling the access by promoting it based on its page rank

Web site defacements in times when traffic suppliers are efficiently coordinating campaigns with traffic seekers, will mature into a tool for providing malicious infrastructure on demand, just like botnets did. Then again, the endless possibilities provided by insecure web applications are already blurring the lines between web site defacements and SQL injections.

Related posts:
Pro-Serbian Hacktivists Attacking Albanian Web Sites
The Rise of Kosovo Defacement Groups
A Commercial Web Site Defacement Tool
Phishing Tactics Evolving
Web Site Defacement Groups Going Phishing
Hacktivism Tensions

Overperforming Turkish Hacktivists
Blackhat SEO Campaign at The Millennium Challenge Corporation
Massive IFRAME SEO Poisoning Attack Continuing
Massive Blackhat SEO Targeting Blogspot
The Invisible Blackhat SEO Campaign
Attack of the SEO Bots on the .EDU Domain
p0rn.gov - The Ongoing Blackhat SEO Operation
The Continuing .Gov Blackat SEO Campaign
The Continuing .Gov Blackhat SEO Campaign - Part Two
Compromised Sites Serving Malware and Spam

Thursday, June 12, 2008

Fake YouTube Site Serving Flash Exploits

Originally mentioned by the folks at Sunbelt, this fake YouTube site happens to be a bit more interesting than it seems at the first place :

"Clicking on that link then redirects to a different site, youtube-s, which serves exploits to attempt to infect your system. Then, if your browser hasn’t completely crashed at that point, you may ultimately get redirected to the real YouTube, displaying some idiotic video (hence, possibly even helping to continue the infection, by having users forward the spam above)"

Interesting mostly because it not just attempts to serve a online games password stealer through exploiting the ubiquitous MDAC exploit, but is also serving a flash exploit which when analyzed leads us to a web based C&C of new malware kit. And although I've been aware of its existence for a while now, it's the first time I see it in action.

Upon analyzing youtube-r.com (211.95.79.57) a couple of days ago, it's now returning a 403 forbidden message, however, copies of the malware have already been obtained and analyzed. In between attempting to infect with MDAC at youtube-s.com/load.php?id=912; the flash exploit loads from a9rhiwa.cn/update_files/1.swf, and while this is happening the end user is redirected to the real YouTube site. Some sample detection rates :

Scanners result : 7/32 (21.88%)
TR/Crypt.ULPM.Gen; Mal/EncPk-CO
File size: 8704 bytes
MD5...: cb8611db343067e1fb663ab6ee671114
SHA1..: 4497715e0a365863d6ca41ab12254bf591118ed7

Scanners result : 10/32 (31.25%)
SWF:CVE-2007-0071; Exploit:Win32/APSB08-11.gen!A
File size: 593 bytes
MD5...: 5b6b28d4de3df92f48fbe5e8bd565cda
SHA1..: 3123d357d2080d1ee09ee67203275d51332e3397

The password stealer than connects to the C&C, from where an unknown for the time being number of campaigns are coordinated. What's a useless virtual good such as passwords for MMORPGs for malware gangs aiming to steal Ebanking details through banking malware for instance, is a precious and valuable good for others operating on the other side of the world, where a virtual item is more expensive than access to an Ebanking account.

Wednesday, June 11, 2008

ImageShack Typosquatted to Serve Malware

This is ironic because you have one of the most popular image sharing sites typosquatted, and malware served by copying ImageShack's directory structure, next to using spoofed image files which are the actual executables - "Fake ImageShack site serving malware, links distributed over IM"

"The real ImageShack site is imageshack.us, however, the malware authors are impersonating ImageShack and using imageshaack.org (64.74.125.21), in particular imageshaack.org/img/Picture275.jpg, which is where the malware is. Once the user gets infected with the malware, Backdoor.Win32.SdBot.eiu in this case, the host joins an IRC channel where the botnet masters continue issuing commands for the campaign to spread"

Scanners Results : 14/32 (43.75%)
Backdoor.Win32.SdBot.eiu; a variant of Win32/Injector.AV
File size: 31040 bytes
MD5...: eef33ca4036a5bf709f62098c55fb751
SHA1..: 5e7bdde09c760031c0a29cc0bb2ee2503aff3bf3

The malware then connects to simplythebest.mydyn.net:6532 (81.169.171.145) joining channel #99993333 with password plasma1991, acting as the C&C for this campaign spreading over MSN.

Tuesday, June 10, 2008

Who's Behind the GPcode Ransomware?

So, the ultimate question - who's behind the GPcode ransomware? It's Russian teens with pimples, using E-gold and Liberty Reserve accounts, running three different GPcode campaigns, two of which request either $100 or $200 for the decryptor, and communicating from Chinese IPs. Here are all the details regarding the emails they use, the email responses they sent back, the currency accounts, as well their most recent IPs used in the communication :

Emails used by the GPcode authors where the infected victims are supposed to contact them :
content715@yahoo.com
saveinfo89@yahoo.com
cipher4000@yahoo.com
decrypt482@yahoo.com

Virtual currency accounts used by the malware authors :
Liberty Reserve - account U6890784
E-Gold - account - 5431725
E-Gold - account - 5437838

Sample response email :
"Next, you should send $100 to Liberty Reserve account U6890784 or E-Gold account 5431725 (www.e-gold.com) To buy E-currency you may use exchange service, see or any other. In the transfer description specify your e-mail. After receive your payment, we send decryptor to your e-mail. For check our guarantee you may send us one any encrypted file (with cipher key, specified in any !_READ_ME_!.txt file, being in the directorys with the encrypted files). We decrypt it and send to you originally decrypted file. Best Regards, Daniel Robertson"

Second sample response email this time requesting $200 :
"The price of decryptor is 200 USD. For payment you may use one of following variants: 1. Payment to E-Gold account 5437838 (www.e-gold.com). 2. Payment to Liberty Reserve account U6890784 (www.libertyreserve.com). 3. If you do not make one of this variants, contact us for decision it. For check our guarantee you may send us ONE any encrypted file. We decrypt it and send to you originally decrypted file. For any questions contact us via e-mail. Best regards. Paul Dyke"

So, you've got two people responding back with copy and paste emails, each of them seeking a different amount of money? Weird. The John Dow-ish Daniel Robertson is emailing from 58.38.8.211 (Liaoning Province Network China Network Communications Group Corporation No.156,Fu-Xing-Men-Nei Street, Beijing 100031), and Paul Dyke from 221.201.2.227(Liaoning Province Network China Network Communications Group Corporation No.156,Fu-Xing-Men-Nei Street, Beijing 100031), both Chinese IPs, despite that these campaigners are Russians.

Here are some comments I made regarding cryptoviral extortion two years ago - Future Trends of Malware (on page 11; and page 21), worth going through.

Monday, June 09, 2008

Using Market Forces to Disrupt Botnets

There's never been a shortage of radical approaches for disrupting the most successful botnets, but a surplus of ethics on behalf on researchers as well as a lack of an internationally implemented legislation on who, how and when should be given a mandate to do so.

Basically, country A doesn't really want country B's security researchers messing up with the infected hosts in the country citing cyber espionage fears, despite that the researchers' intentions remain purely the result of their capabilities to make an impact. And self-regulation in times when the average Internet user wants her Web 2.0 experience, and doesn't really feel comfortable trying to understand what the latest SQL injection has to do with, is so unpragmatic that it makes me wonder why is everyone so obsessed in trying to measure how many PCs are malware infected out of a given number. In reality, what should be measured in order to emphasize on the degree of which malware introduced by multiple parties is managing to infect a PC, is with how many different instances of malware is a single PCs infected in a particular moment of time. Now, go perform a forensics audit on a PC which on behalf of the over ten different pieces of malware, is responsible for fraudulent Ebanking transactions, hosting of phishing pages, participating in fast-flux networks that were once serving scams and the next time live exploit URLs, a daily reality for a countless number of forensics experts.

How could market forces be used to disrupt botnets anyway, and how relevant would this approach be in a real-life situation? As every other underground market propostion, buying botnets is no different than buying stolen credit cards, as long as your have multiple propositions to take into consideration, where the price ranges often vary over 100% between the offers. With the increasing supply of botnets for sale, and degree of price differentiation, a certain country can easily buy direct access to request a botnet on demand with infected hosts within the country only and do whatever they want with them - in this case perhaps fortify and patch the host, upon forwarding it to the several online malware scanners to ensure they won't have to rebuy access to it again. Security radicalization like in this case, is an often misinterpreted term which when applied in a free market economy can ruin a lot of, perhaps, broken business models, but will also contribute to the development of new market segments. Hand me the botnet menu, please :

For instance, 1000 bots go for $25 bucks, there are however propositions offering 10,000 bots for $50 bucks, theoretically, as there's always the suspicion that they won't deliver the goods and you'll end up with a situation where scammers scam the scammers, for $1000 you can buy a 100k infected PCs, and for another $100,000 a million infected PCs. So what? Well, establishing a task force to periodically purchase already infected PCs and disinfecting them, of course, in a opt-in fashion on behalf of the end users in order to please the paper tigers, stating that if their government can magically help them fight malware, they're interested, is one of the many ways market forces could be used to directly mess up with the oversupply of botnets for sale.

The question is perhaps not how realistic this is since both the service and the direct contact approach are there, but how important such a perspective is for anything cybercrime at the bottom line, since cybercrime has long stopped increasing, it's basically reaching a stage beyond efficiency and turning into an easily outsourceable process, with the lowest entry barriers to participate in it ever.

Thursday, June 05, 2008

Blackhat SEO Redirects to Malware and Rogue Software

A black SEO farm with built-in redirection to a multitude of sites serving rogue codecs (Zlob malware variants) and fake security software phoning back to UkrTeleGroup Ltd's network - could it get even more interesting? Of course, as the current state of Zlob malware serving tactics can be seperated in two distinct groups, those abusing the "sort of" zero day Flash exploit, as the currently active SQL injection attacks are all taking advantage of it, and those still relying on plain simple redirect to multimedia sites requiring you to install the fake codec.


While tracking down the massive blackhat SEO poisoning campaigns that took place in March, 2008, as well as the countless number of embedded/injected malware campaigns targeting high profile sites that we've been seeing recently, it's becoming increasingly common to come across a repeating malicious pattern. Basically, a domain portfolio of typosquatted domains looking like legitimate codec sites is created, several bogus video, mostly p0rn related sites with no content start acting as a frontend to the codecs, where traffic is driven through blackhat SEO doorways. Moreover, rogue codec sites are increasing because the templates for the p0rn and codec sites are turning into a commodity, just like phishing pages and DIY phishing page generators lowering down the entry barriers into these practices.


Let's assess a sample redirection doorway, a visualization and sample traffic of which you can see in the attached screenshots. At porntubedirect.info we have a fake counter porntubedirect.info/stat/count.php loading the redirection script from 216.240.139.234/sutra/in.cgi?3 which is a javascript serving a different site on-the-fly, courtesy of a well known blackhat SEO campaign tool. The output of this redirection is a new domain serving Zlob variants in the form of fake codecs hosted under the following domains :

antivirus-scanonline.com
indafuckfuck.com
newcontents2008.com
avwav.com
anykindclips.com
dirtyxxxvids.com
clipsmachines.com
thesoft-portal-08.com

Sample detecton rates for the codecs obtained :

Scanners Result: 8/32 (25%)
W32/PolyZlob!tr.dldr; Trojan:Win32/Tibs.gen!lds
File size: 119296 bytes
MD5...: dc5538af557cb4c311cb86d6574400ba
SHA1..: 5cf1602db8c4fdd3c5ac5101e5a6c5daa77f5ff1

Scanners Result: 6/32 (18.75%)
Trojan-Downloader.Win32.FraudLoad.axa; Trojan.Dldr.FraudLoad.axa
File size: 60416 bytes
MD5...: 14938bfe35128687e05f7f8ccbd29c7d
SHA1..: cf651e959fff945c9659321e79ba2788062b721d

Scanners Result: 14/32 (43.75%)
Trojan-Downloader.Win32.Zlob.lps; TrojanDownloader:Win32/Zlob.IB
File size: 18432 bytes
MD5...: 9b3bbcd4549970a92eb1b11c46a451bb
SHA1..: 679508aba4e547935d5e4104a735c754b40de49e

Scanners Result: 18/32 (56.25%)
Trojan-Downloader.Win32.Delf.ilx; TrojanDownloader:Win32/Chengtot.A
File size: 91683 bytes
MD5...: 727e3f353281229128fdb1728d6ef345
SHA1..: 3f9c9000b273e8bf75db322382fbaabf333faf26

Once we've managed to obtain several of the fake codec domains, passive DNS monitoring and using third-party tools helps us expose a huge portfolio of rogue domains such as :

funfuckporn.com
musicpo
rtalfree.com
online-dvdrip.com

widget-porn.com

gt-funny.com

gt-movies.com

gt-stars.com
hot-sextube.com

hot-pornotube-2008.com

hot-pornotube08.com

hotpornotube08.com

porn-youtube-08.org

uriy.org

sextube20008.com

streamxxxvideo.com
xxxgirlsgirls.com
porno-tube20008.com

2008adultstreamportal2008.com

2008adults2008.com

adult18tube2008.com

sextube18adult.com

all-videos-home.com

adultstreamportal2008.com
onlinestreamvide.com

adultvideos4all.com

sex18tube2008.com

adultxx-18.com

mymediasex.com

ladyxxxworld.com
adultstreamportal.com
young-girls-board.com

porn-youtube08.net

adultfreemarket.info
adult-codec08.com

adult-tubecodec08.com

adult-tubecodec2008.com

adulthot-codec08.com

adulttubecodec2008.com

hot-tubecodec20.com

media-tubecodec2008.com

porn-tubecodec20.com

hot-sextubecodec.com

sexporntubecodec14.com

sexporntubecodec32.com

sexporntubecodec77.com

sexporntubecodec98.com

adult-codec08.com

adult-codec2008.com
adult-tubecodec08.com

adult-tubecodec2008.com

adulthot-codec08.com

adulthot-codec20008.com

adulthot-codec2008.com

adulthotcodec032008.com

adulthotcodec072008.com

adulthotcodec092008.com

adulthotcodec29018.com

adulthotcodec29098.com

adulttubecodec2008.com

media-tubecodec2008.com

sexhotcodec09.com

sexhotcodec1.com

sexhotcodec11.com

sexhotcodec12.com

sexhotcodec90.com

thehotcodec21.com

thehotcodecgt.com

thehotcodechq.com

thehotcodeclk.com
thehotcodecrt.com

thehotcodecxx.com
thehotcodeczz.com

What you see is not always what you get online, however, the infrastructure providers in the majority of malware campaigns tend to remain the same.