Tag Archives: dangerous

New list of dangerous websites to avoid

Here is the list of new dangerous domains and subdomains analyzed in URLVoid during the last month.

For each entry in the list below, the country code where the domain is hosted, the domain name, the IP address of the server hosting the domain and the number of engines that detected the domain are given.


Dangerous websites used to spread trojans

Here is a list of 50 dangerous domains used to distribute trojans and rogue security software disguised as video codecs, supposedly needed to play non-existent videos displayed on the malicious websites:


This technique of distributing trojans through fake video "tube" sites is commonly used by pay-per-install companies, and the victim's PC is generally compromised with a variety of dangerous threats, such as rootkits, stealth trojans and banking trojans such as Zeus Bot. These two articles analyze some recent and active pay-per-install companies:

Pay-Per-Install Analysis – Part One
Pay-Per-Install Analysis – Part Two

In most cases the files downloaded from these websites are named install.exe, codec.exe, video.exe, update.exe or player.exe. Here is an example antivirus scan of a file downloaded from one of these websites:

Report date:   2010-07-01 16:31:22 (GMT 1)
File Name:   install.exe
File Size:   56832 bytes
MD5 Hash:   9c3f740b26d1200c80e89d48885e79a4
SHA1 Hash:   3911668f0e9c7b19f27bc215d0abb3e7409a5a65

Engine   Signatures   Version   Detection
a-squared   29/06/2010   5.0.0.7   Trojan.Win32.FakeAV!IK
Avast   100628-0   5.0   Win32:Rootkit-gen [Rtk]
AVG   271.1.1/2969   9.0.0.725   SHeur2.CMOJ
Avira AntiVir   7.10.8.213   7.6.0.59   TR/Dldr.FakeAle.kon
BitDefender   01/07/2010   7.0.0.2555   Trojan.Generic.3231804
ClamAV   29/06/2010   0.96.1   Trojan.Downloader-89625
Dr.Web   01/07/2010   5.0   Trojan.Fakealert.12876
F-PROT6   20100630   4.5.1.85   W32/FraudLoad.C!Generic
G-Data   21.442   2.0.7309.847   Trojan-Downloader.Win32.FraudLoad.gmc A
Ikarus T3   29/06/2010   1.1.84.0   Trojan.Win32.FakeAV
Kaspersky   01/07/2010   9.0.0.736   Trojan-Downloader.Win32.FraudLoad.gmc
NOD32   5243   4.0.474   Win32/TrojanDownloader.FakeAlert.AED
Panda   28/06/2010   10.0.3.0   Adware/SecurityEssentials2010
TrendMicro   273   9.120-1004   TROJ_GEN.UAC161X
VBA32   01/07/2010   3.12.12.2   Win32.TrojanDownloader.FakeAlert.AED

The above file was downloaded from a fake system scanner page that scares the user with false security alerts; from the detection names we can clearly see that it is rogue security software (FraudLoad, FakeAlert).

10 new very dangerous websites to avoid

We have recently added to ThreatLog about 10 new very dangerous websites used to spread trojans and rogue security software, either disguised as fake video codecs or by exploiting web browser vulnerabilities:


Dangerous websites analyzed in URLVoid

Here is the list of the most detected domains and subdomains analyzed in URLVoid during these first two weeks. The list was built by counting the domains detected by at least 9 engines, and the most dangerous domain is detected by 12 engines.

For each entry in the list below, the country code where the domain is hosted, the domain name, the IP address of the server hosting the domain and the number of engines that detected the domain are given.


In these first two weeks a total of 43367 unique websites were analyzed, and 12394 of them (28.5 %) were detected by at least 1 engine.