Dangerous websites used to spread trojans

Here is a list of 50 dangerous domains used to distribute trojans and rogue security software disguised as fake video codecs, supposedly needed to play the non-existent videos displayed on the malicious websites:


This technique of distributing trojans through fake video “tube” sites is commonly used by pay-per-install companies, and the victim’s PC is generally compromised with a variety of dangerous threats, such as rootkits, stealth trojans and banking trojans such as Zeus Bot. Some recent and active pay-per-install companies are analyzed in these two articles:

Pay-Per-Install Analysis – Part One
Pay-Per-Install Analysis – Part Two

In most cases the files downloaded from these websites are named install.exe, codec.exe, video.exe, update.exe, player.exe. This is an example antivirus scan of a file downloaded from one of the websites:

Report date:   2010-07-01 16:31:22 (GMT 1)
File Name:   install.exe
File Size:   56832 bytes
MD5 Hash:   9c3f740b26d1200c80e89d48885e79a4
SHA1 Hash:   3911668f0e9c7b19f27bc215d0abb3e7409a5a65

a-squared   29/06/2010   5.0.0.7   Trojan.Win32.FakeAV!IK
Avast   100628-0   5.0   Win32:Rootkit-gen [Rtk]
AVG   271.1.1/2969   9.0.0.725   SHeur2.CMOJ
Avira AntiVir   7.10.8.213   7.6.0.59   TR/Dldr.FakeAle.kon
BitDefender   01/07/2010   7.0.0.2555   Trojan.Generic.3231804
ClamAV   29/06/2010   0.96.1   Trojan.Downloader-89625
Dr.Web   01/07/2010   5.0   Trojan.Fakealert.12876
F-PROT6   20100630   4.5.1.85   W32/FraudLoad.C!Generic
G-Data   21.442   2.0.7309.847   Trojan-Downloader.Win32.FraudLoad.gmc A
Ikarus T3   29/06/2010   1.1.84.0   Trojan.Win32.FakeAV
Kaspersky   01/07/2010   9.0.0.736   Trojan-Downloader.Win32.FraudLoad.gmc
NOD32   5243   4.0.474   Win32/TrojanDownloader.FakeAlert.AED
Panda   28/06/2010   10.0.3.0   Adware/SecurityEssentials2010
TrendMicro   273   9.120-1004   TROJ_GEN.UAC161X
VBA32   01/07/2010   3.12.12.2   Win32.TrojanDownloader.FakeAlert.AED

The above file was downloaded from a fake system scanner page used to scare the user with false security alerts. From the detection names we can clearly see that it is rogue security software (FraudLoad, FakeAlert).
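
The same reading of the detection names can be done mechanically. The following is an added example, not part of the original post: it takes the engine and detection-name pairs from the report above, strips platform, type and variant tokens, and counts one vote per engine for each family name that remains. The stop list, the length threshold and the `FakeAle` alias are assumptions made for this example.

```python
import re
from collections import Counter

# Engine and detection-name pairs copied from the scan report above.
REPORT = """\
a-squared|Trojan.Win32.FakeAV!IK
Avast|Win32:Rootkit-gen [Rtk]
AVG|SHeur2.CMOJ
Avira AntiVir|TR/Dldr.FakeAle.kon
BitDefender|Trojan.Generic.3231804
ClamAV|Trojan.Downloader-89625
Dr.Web|Trojan.Fakealert.12876
F-PROT6|W32/FraudLoad.C!Generic
G-Data|Trojan-Downloader.Win32.FraudLoad.gmc A
Ikarus T3|Trojan.Win32.FakeAV
Kaspersky|Trojan-Downloader.Win32.FraudLoad.gmc
NOD32|Win32/TrojanDownloader.FakeAlert.AED
Panda|Adware/SecurityEssentials2010
TrendMicro|TROJ_GEN.UAC161X
VBA32|Win32.TrojanDownloader.FakeAlert.AED
"""

# Assumed stop list: type and heuristic words that name no family.
GENERIC = {"trojan", "generic", "downloader", "trojandownloader", "adware", "sheur"}
# Assumed alias: Avira's "FakeAle" treated as a shortened "FakeAlert".
ALIASES = {"fakeale": "fakealert"}

def family_tokens(label):
    """Return the set of family-like tokens in one detection name."""
    found = set()
    for tok in re.split(r"[^a-z0-9]+", label.lower()):
        tok = tok.rstrip("0123456789")  # SecurityEssentials2010 -> securityessentials
        if len(tok) < 5 or any(c.isdigit() for c in tok) or tok in GENERIC:
            continue  # platform tags, variant ids, signature numbers, type words
        found.add(ALIASES.get(tok, tok))
    return found

def tally(report):
    """Count one vote per engine per family, plus engines with generic names only."""
    votes, no_family = Counter(), 0
    for line in report.strip().splitlines():
        _engine, label = line.split("|", 1)
        families = family_tokens(label)
        votes.update(families)
        no_family += not families
    return votes, no_family

if __name__ == "__main__":
    print(tally(REPORT))
```

Several antivirus products license the same scanning engine, so the votes are not independent; the tally is a triage hint rather than a classification.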