Monday, June 22, 2009

Fake Twitter, LinkedIn, and ScribD pages lead to Fake AV

Last week we were talking about how Twitter users are encouraged to blindly click on "shortened URLs" which could actually lead to anything under the sun. We were discussing Twitter users and the Iran DDoS at the time, but other security researchers were looking at other Twitter issues, including Dancho Danchev, who was discussing Ukrainian Scareware links.

We decided to follow up on one of these malware links to see if it would be an example of Chinese domain names being used by Ukrainians and Russians. (In Saturday's blog article, Spam Crisis in China, we suggested that it's actually Eastern Europeans who are abusing the cheap domain names in China.)



Across the dozens of links posted on Twitter, LinkedIn, and ScribD by accounts pretending to be Jennifer Aniston, Paris Hilton, or Jennifer Love Hewitt, every one pointed to the same place -- showmealltube.com on the path /paqi-video/7.html

The Danger of Tiny Twitter URLs


After the first several hours of the campaign, the URLs switched to being "shortened URLs" like "bit.ly/aSDhl" or something like that - you've seen them. When you only have 140 characters, using a shortened URL makes sense. The problem is that you really don't know where those links are going, and because of that SEARCHING on Twitter is a security nightmare. As an example, searching on "Transformers 2" tonight, the first link took me to a site telling me how I could get rich on the Internet.



The top link there is trying to drive traffic to her Work at Home scammer site by tagging the current top search terms on Twitter. So whether you search for "Iran" or "IranElection" or "Jon & Kate" or "AT&T" or "Transformers 2", you're going to hit her site.



The second site, which takes you to "http://bit.ly/pmU8P", is also a scam. How do you know where the "bit.ly" site is going to take you? You really don't; you just trust on blind faith and click. In this case it takes you to a site called "Free-Gay-Mature-Movie-Clips". Trust me, you don't want a thumbnail of that!

So, typical Twitter advice is "only click on links from people you follow" but with some recent news of Twitter account takeovers, is that safe?

If you wonder about a Tiny URL of any sort, this article from the JoshMeister, Joshua Long, explains how to "preview" where nearly any "tiny URL" is going to take you before you blindly follow it: How to Preview Shortened URLs.

A chain of redirects



So, let's go back to our Jennifer Aniston example and see how bad these links can get. Just clicking the link is going to start a chain reaction of website visits that ends with infection. We'll see where the chain leads.
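In the spirit of the "preview" advice above and the redirect chain we are about to walk, here is an added example (not code from the original post): a small Python tool that expands a short link one HTTP hop at a time using HEAD requests, so the whole chain is visible without ever fetching or running the final page. The placeholder hosts short.example, lure.example and payload.example and the helper names are assumptions; http_head is the only part that touches the network, and the offline sample stands in for it.

```python
# Added example, not code from the post: expand a short link hop by hop with HEAD
# requests so the destination is seen without fetching or rendering the final page.
import urllib.error, urllib.request
from urllib.parse import urljoin, urlsplit

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib stop at every 3xx so each hop is visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_head(url, timeout=10):
    """Live fetcher: (status, Location header) for one URL via a HEAD request."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=timeout) as r:
            return r.status, r.headers.get("Location")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")

def expand_chain(url, fetch=http_head, max_hops=10):
    """Return (urls visited, verdict); stops at a non-redirect, a loop, or max_hops."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])  # fetch(url) -> (status, location)
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain, "final"
        nxt = urljoin(chain[-1], location)
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too-many-hops"

def warnings(chain):
    """Cheap signals worth showing before anyone follows the link."""
    flags = []
    if urlsplit(chain[-1]).path.lower().endswith((".exe", ".scr", ".msi")):
        flags.append("final hop is an executable download")
    hosts = {urlsplit(u).hostname for u in chain}
    if len(hosts) > 2:
        flags.append("chain crosses %d hosts" % len(hosts))
    return flags

# Constructed offline sample with placeholder hosts (not the ones in the post).
SAMPLE = {
    "http://short.example/aSDhl": (301, "http://lure.example/paqi-video/7.html"),
    "http://lure.example/paqi-video/7.html": (302, "/in.cgi?12"),
    "http://lure.example/in.cgi?12": (302, "http://payload.example/_codec/103.exe"),
    "http://payload.example/_codec/103.exe": (200, None),
}
fake_fetch = lambda url: SAMPLE.get(url, (404, None))  # stands in for http_head
```

Calling expand_chain("http://short.example/aSDhl", fake_fetch) returns the four-URL chain with verdict "final", and warnings() on it flags both the executable final hop and the three hosts crossed.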

So we start by looking at the whois information for that domain:

showmealltube.com

Registrant Contact:
homme de
samandar hoja zbestgotterflythe@gmail.com
+9989770145698 fax: +9989770145698
yunusobod 13
buxara boxara 21654321
uz

We also looked at where it was hosted: Layered Technologies (in Texas), on the IP address 64.92.170.135.

That same email address from the WHOIS has been previously associated with domains like "bolapaqir.com", "tafficbots.com", and "myfilehostings.net".

We downloaded the site and looked at the encrypted JavaScript for the page, which we've removed from our blog because it started triggering AV warnings. (I promise it wasn't able to infect you! Really!)

Decoding that takes us to: http://myhealtharea.cn/ with the path in.cgi?12

Domain Name: myhealtharea.cn
ROID: 20090201s10001s04196295-cn
Domain Status: clientTransferProhibited
Registrant Organization: Health Area Inc.
Registrant Name: home
Administrative Email: zbest2008@mail.ru
Sponsoring Registrar: 广东时代互联科技有限公司 (That's Chinese for "now.cn")
Name Server:ns1.myhealtharea.cn
Name Server:ns2.myhealtharea.cn
Registration Date: 2009-02-01 19:34
Expiration Date: 2010-02-01 19:34

So, this domain, registered February 1, 2009, on "now.cn" in China, is still live and still serving malware on a server in Texas four and a half months later. (The IP address 216.32.83.110 on Layered Technologies.)

Some of the other sites on that IP address include:

gozbest.net - (alexeyvas@safe-mail.net)
parisochka.com - (venessahudgenses@gmail.com)
tafficbots.com - (zbestgotterflythe@gmail.com)
tiquilushka.com - (jebobealapeli@gmail.com)

I'm sure you'll recognize the first email; Shestakov Yuriy is one of the primary Eastern Europeans registering Chinese domains.

So what happens when you visit the "myhealtharea.cn" site? It forwards to:

showmeall-tube-xx.com on the path /tube.htm

That domain name is hosted in the UK on the IP address 67.228.137.2, where more than 90 other domains are located, including several registered using another Alexey Vasyliev alias (axeljob@mail.ru). (Alexey is another alias for the alexeyvas above.)
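The pivots above (one Gmail address shared by showmealltube.com, tafficbots.com and others; one registrant tied to two aliases) are a recurring investigation step, so here is an added example, not code from the post, that parses WHOIS records in the two layouts quoted above and clusters domains through chains of shared registrant addresses. The record layouts follow the page; every domain and address in the sample is constructed, and the function names are assumptions.

```python
# Added example, not code from the post: pivot across WHOIS records on shared
# registrant e-mail addresses. All domains and addresses below are constructed.
import re
from collections import defaultdict

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def parse_whois(text):
    """Return (domain, e-mails) from one record, whether it carries a
    'Domain Name:' field or simply opens with the bare domain."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    m = next((re.match(r"(?i)domain name:\s*(\S+)", l) for l in lines
              if l.lower().startswith("domain name")), None)
    domain = (m.group(1) if m else lines[0]).lower()
    return domain, {e.lower() for e in EMAIL_RE.findall(text)}

def build_index(records):
    """Map each e-mail address to the set of domains registered with it."""
    by_email = defaultdict(set)
    for rec in records:
        domain, emails = parse_whois(rec)
        for e in emails:
            by_email[e].add(domain)
    return by_email

def cluster(domain, by_email):
    """Domains reachable from `domain` through chains of shared addresses,
    so an alias used on one domain pulls in that alias's other domains too."""
    seen, todo = {domain}, [domain]
    while todo:
        d = todo.pop()
        for doms in by_email.values():
            if d in doms:
                new = doms - seen
                seen |= new
                todo.extend(new)
    return seen - {domain}

# Constructed records in the two layouts quoted in the post.
RECORDS = [
    "lure-one.example\n\nRegistrant Contact:\nsome name reg-a@mail.example\n+0 fax: +0",
    "Domain Name: lure-two.example\nAdministrative Email: reg-a@mail.example\n"
    "Technical Email: reg-b@mail.example",
    "Domain Name: lure-three.example\nAdministrative Email: reg-b@mail.example",
    "Domain Name: unrelated.example\nAdministrative Email: reg-c@mail.example",
]
INDEX = build_index(RECORDS)
```

cluster("lure-one.example", INDEX) reaches lure-three.example only because lure-two.example carries both addresses, which is exactly how a second alias ties a registrant's other domains to the first.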

/tube.htm then causes the download of the file:

911pornox.com on the path /_codec/103.exe

That domain is located on the IP address 194.164.4.77 in the Ukraine on Plitochnik's network.

This IP address also hosts a ton of fake anti-virus download sites.


The Malware at the End of the Trail



The malware that we just downloaded, however, the 103.exe file, is largely undetected by the 41 anti-virus programs used at VirusTotal: only 7 of 41 detect it.

File size: 77827 bytes
MD5 : 96590109bb28042dc8cf6e9d92163bc9

VirusTotal Report on 103.exe - 7 of 41 detects

Once the malware was unpacked we found that it was going to cause us to visit several other websites, including:

911pornox.com on the path /installed.php?id=
911pornox.com on the path /videosz.php
downloadfixandlove1.com on the path file.exe

and finally connect to a payment site:

payorderthis.com on the path /pp2/?id=

The "file.exe" from downloadfixandlove1 is very well-known at VirusTotal (32 of 41 detects), but that really doesn't matter: the previous malware, with only 7 of 41 detects, has already turned off your anti-virus program.

File size: 102400 bytes
MD5 : 5f1b9a406fd43de8c006f261feb36816

VirusTotal Report for "file.exe" - 32 of 41 detects.

PayOrderThis.com is the payment processing site for the fake anti-virus program "Win PC Defender".
