Dangerous websites used to spread trojans
Here is a list of 50 dangerous domains used to distribute trojans and rogue security software disguised as video codecs supposedly needed to play non-existent videos displayed on the malicious websites:
This technique of distributing trojans through fake video “tube” sites is commonly used by pay-per-install companies, and the victim’s PC is generally compromised with a variety of dangerous threats, such as rootkits, stealth trojans and banking trojans such as Zeus Bot. Some recent and active pay-per-install companies are analyzed in these two articles:
Pay-Per-Install Analysis – Part One
Pay-Per-Install Analysis – Part Two
In most cases the files downloaded from these websites are named install.exe, codec.exe, video.exe, update.exe or player.exe. This is an example antivirus scan of a file downloaded from one of the websites:
Report date: 2010-07-01 16:31:22 (GMT 1)
File Name: install.exe
File Size: 56832 bytes
MD5 Hash: 9c3f740b26d1200c80e89d48885e79a4
SHA1 Hash: 3911668f0e9c7b19f27bc215d0abb3e7409a5a65
a-squared 29/06/2010 5.0.0.7 Trojan.Win32.FakeAV!IK
Avast 100628-0 5.0 Win32:Rootkit-gen [Rtk]
AVG 271.1.1/2969 9.0.0.725 SHeur2.CMOJ
Avira AntiVir 7.10.8.213 7.6.0.59 TR/Dldr.FakeAle.kon
BitDefender 01/07/2010 7.0.0.2555 Trojan.Generic.3231804
ClamAV 29/06/2010 0.96.1 Trojan.Downloader-89625
Dr.Web 01/07/2010 5.0 Trojan.Fakealert.12876
F-PROT6 20100630 4.5.1.85 W32/FraudLoad.C!Generic
G-Data 21.442 2.0.7309.847 Trojan-Downloader.Win32.FraudLoad.gmc A
Ikarus T3 29/06/2010 1.1.84.0 Trojan.Win32.FakeAV
Kaspersky 01/07/2010 9.0.0.736 Trojan-Downloader.Win32.FraudLoad.gmc
NOD32 5243 4.0.474 Win32/TrojanDownloader.FakeAlert.AED
Panda 28/06/2010 10.0.3.0 Adware/SecurityEssentials2010
TrendMicro 273 9.120-1004 TROJ_GEN.UAC161X
VBA32 01/07/2010 3.12.12.2 Win32.TrojanDownloader.FakeAlert.AED
The above file was downloaded from a fake system scanner page used to scare the user with false security alerts; from the detection patterns we can clearly see that it is rogue security software (FraudLoad, FakeAlert).
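The family inference drawn from the report above can be made mechanical. The following is an added example, not part of the original post: it parses the engine rows of the report and counts how many engines agree on each family token. The stoplist of generic tokens and the two-engine threshold are assumptions.

```python
import re
from collections import Counter

# Engine rows copied from the scan report above (engine, version columns, label).
REPORT = """\
a-squared 29/06/2010 5.0.0.7 Trojan.Win32.FakeAV!IK
Avast 100628-0 5.0 Win32:Rootkit-gen [Rtk]
AVG 271.1.1/2969 9.0.0.725 SHeur2.CMOJ
Avira AntiVir 7.10.8.213 7.6.0.59 TR/Dldr.FakeAle.kon
BitDefender 01/07/2010 7.0.0.2555 Trojan.Generic.3231804
ClamAV 29/06/2010 0.96.1 Trojan.Downloader-89625
Dr.Web 01/07/2010 5.0 Trojan.Fakealert.12876
F-PROT6 20100630 4.5.1.85 W32/FraudLoad.C!Generic
G-Data 21.442 2.0.7309.847 Trojan-Downloader.Win32.FraudLoad.gmc A
Ikarus T3 29/06/2010 1.1.84.0 Trojan.Win32.FakeAV
Kaspersky 01/07/2010 9.0.0.736 Trojan-Downloader.Win32.FraudLoad.gmc
NOD32 5243 4.0.474 Win32/TrojanDownloader.FakeAlert.AED
Panda 28/06/2010 10.0.3.0 Adware/SecurityEssentials2010
TrendMicro 273 9.120-1004 TROJ_GEN.UAC161X
VBA32 01/07/2010 3.12.12.2 Win32.TrojanDownloader.FakeAlert.AED
"""

# Assumption: tokens naming a malware type or platform rather than a family.
GENERIC = {"trojan", "troj", "win32", "generic", "downloader",
           "trojandownloader", "dldr", "adware", "rootkit"}
# Engine name, one or more numeric date/version columns, then the label.
ROW = re.compile(r"^(?P<engine>.+?)\s+(?:[\d./-]+\s+)+(?P<label>\S.*)$")

def parse_report(text):
    """Return {engine: label} for every row that parses."""
    matches = (ROW.match(line.strip()) for line in text.splitlines())
    return {m["engine"]: m["label"] for m in matches if m}

def family_votes(rows):
    """Count how many engines used each candidate family token."""
    votes = Counter()
    for label in rows.values():
        tokens = set(re.split(r"[^a-z0-9]+", label.lower()))
        # Drop short variant suffixes, bare numbers and generic type words.
        votes.update(t for t in tokens
                     if len(t) > 3 and not t.isdigit() and t not in GENERIC)
    return votes

def consensus(votes, min_engines=2):
    """Families named by at least min_engines engines, most votes first."""
    hits = [(f, n) for f, n in votes.items() if n >= min_engines]
    return sorted(hits, key=lambda x: (-x[1], x[0]))

if __name__ == "__main__":
    print(consensus(family_votes(parse_report(REPORT))))
```

Tokens used by only one engine (heuristic IDs, product names, truncated spellings such as Avira's FakeAle) fall below the threshold, which is why a single vendor's label is not treated as a family name.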



