MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely tied to the field of intelligence.

3.2.09

Mass propagation of malware in fake codecs

On an earlier occasion we noted that both the creators and the distributors of malicious code continue to rely on old, familiar deception techniques, such as spreading malware through fake codecs that are supposedly required to watch a video which does not actually exist.

This well-proven deception technique (visual social engineering) is being used actively and on a massive scale to spread Trojan downloaders. The Trojans may carry the following names:

TubeViewer.ver.6.exe (MD5: 1E66BEFC96CBC87FE58A8167A287ADA9)
TubePlayer.v.9.exe (MD5: 88427AF3D5DD4F641589AA0D2D40DB59)
tubeviewerfile.exe (MD5: 64C66D519FFFD889221436E09721F403)
tubeviewerfile.exe (MD5: 1F7D97194AD503A6B355DF1CEFBF001F0)
tubeviewerfile.exe (MD5: 5F25C00280E0F9075E47DCB06E908B15)
tubeviewerfile.exe (MD5: B120D58ACC1CE584E07C5F648A45AD01)
tubeviewerfile.exe (MD5: 429E897FAE57E5EA19C81B39D3745CC6)
TestCodec.v.3.127.exe (MD5: 1E2404CBAFB1E617AB0B0D3DB3EF46E3)
FlashPlayer.v.exe (MD5: CD612747CF868DF8647D47DE23AED47F)


In this case, all the URLs from which the malware is downloaded belong to pornographic sites, a heavily exploited resource for attempting to infect the systems of users who visit such sites.

digg .com / celebrity / Namitha_Nude_Video
broken-tv .com / broadcast /? d = Namitha_nude
tube-nonstop-sluts videos-.com / xplaymovie. php? id = 20,081
2009-tube-collection .com / XPlay. Php? Id = 20,467
tube-sex-xxx-tube .com / xplays. php? id = 1802
tube-sex-xxx-tube .com / XPlay. php? id = 1760
tube-sex-xxx-tube.com/xplay.php? id = 1819
streamingonlinetube .com / xplaymovie. php? id = 385
streamingonlinetube .com / xplaymovie. php? id = 334
celebnudestars .net / index. php? q = Gay% 20Group% 20Sex% 20Video
celebnudestars. net
xxxporn-tube .com/123/2/FFFFFF/3127/TestCodec/Best
xxxporn-tube. com
brakeextra. com
uporntube-07. com
porntubenew. com
tubeporn08. com
tubeporn09. com
porn-tube09. com


Other heavily exploited themes are downloads of warez, cracks, keygens and the like, where instead of the program the user wanted, what gets downloaded is malware. In fact, most of the addresses listed in this post share their IP address with other registered domains whose names refer to software downloads but which still have no content, such as:

extra operations. com
player-codec. biz
quicktimeupdate. com
shortdownload. com
soft-free-updates. com
spacekeys. net
TurboPlay. net
keyengage. net
mega-player. net
xp-extra. com


So we may soon learn of a new wave of malware being spread through these domains.
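The post publishes its indicators in two forms: file names with MD5 hashes, and domains and URLs with spaces inserted so that they cannot be clicked. The following script is an added example (not code from the post or from MalwareIntelligence) that loads the hash list exactly as printed above, flags any hash that is not 32 hex digits, strips the spaces from the defanged domains so they can be compared against proxy or DNS logs, and checks a constructed set of files by hash and by name. The file contents and the extra "Sample.exe" indicator in the test run are constructed for the example; the MD5 values and domains are the ones published on this page.

```python
import hashlib
import re
from dataclasses import dataclass

# Indicator lines copied verbatim from the post above (file name plus MD5).
IOC_LINES = [
    "TubeViewer.ver.6.exe (MD5: 1E66BEFC96CBC87FE58A8167A287ADA9)",
    "TubePlayer.v.9.exe (MD5: 88427AF3D5DD4F641589AA0D2D40DB59)",
    "tubeviewerfile.exe (MD5: 64C66D519FFFD889221436E09721F403)",
    "tubeviewerfile.exe (MD5: 1F7D97194AD503A6B355DF1CEFBF001F0)",
    "tubeviewerfile.exe (MD5: 5F25C00280E0F9075E47DCB06E908B15)",
    "tubeviewerfile.exe (MD5: B120D58ACC1CE584E07C5F648A45AD01)",
    "tubeviewerfile.exe (MD5: 429E897FAE57E5EA19C81B39D3745CC6)",
    "TestCodec.v.3.127.exe (MD5: 1E2404CBAFB1E617AB0B0D3DB3EF46E3)",
    "FlashPlayer.v.exe (MD5: CD612747CF868DF8647D47DE23AED47F)",
]

# A few of the defanged entries from the post: spaces were inserted so they are not clickable.
DEFANGED_DOMAINS = [
    "quicktimeupdate. com",
    "player-codec. biz",
    "xp-extra. com",
    "streamingonlinetube .com / xplaymovie. php? id = 385",
]

IOC_RE = re.compile(r"^(?P<name>\S+)\s+\(MD5:\s*(?P<md5>[0-9A-Fa-f]+)\)$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


@dataclass(frozen=True)
class FileIndicator:
    name: str
    md5: str
    valid: bool  # False when the published hash is not exactly 32 hex digits


def parse_ioc_lines(lines):
    """Parse 'name (MD5: hash)' lines; malformed hashes are kept but flagged."""
    indicators = []
    for line in lines:
        m = IOC_RE.match(line.strip())
        if not m:
            continue
        digest = m.group("md5").lower()
        indicators.append(FileIndicator(m.group("name"), digest, bool(MD5_RE.match(digest))))
    return indicators


def refang(indicator):
    """Remove the spaces that break the published URLs, so they match what appears in logs."""
    return re.sub(r"\s+", "", indicator)


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def scan_files(files, indicators):
    """files: dict of file name -> content (a constructed stand-in for a download folder).
    Returns (file name, reason) per hit; for one file a hash match outranks a name-only match.
    Only indicators with a well-formed hash take part in hash matching."""
    known_hashes = {i.md5 for i in indicators if i.valid}
    known_names = {i.name.lower() for i in indicators}
    hits = []
    for fname, data in files.items():
        if md5_hex(data) in known_hashes:
            hits.append((fname, "md5 match"))
        elif fname.lower() in known_names:
            hits.append((fname, "filename match only"))
    return hits


if __name__ == "__main__":
    inds = parse_ioc_lines(IOC_LINES)
    for i in inds:
        if not i.valid:
            print(f"malformed hash for {i.name}: {i.md5} ({len(i.md5)} hex digits)")
    print([refang(d) for d in DEFANGED_DOMAINS])
    # Constructed sample files: one reuses a published Trojan name, one is benign.
    downloads = {"tubeviewerfile.exe": b"constructed sample", "readme.txt": b"hello"}
    print(scan_files(downloads, inds))
```

Two things the run makes visible: one of the nine published hashes has 33 hex digits and is therefore unusable as an MD5 (the validator reports it rather than silently matching nothing), and the five different hashes listed for the single name tubeviewerfile.exe show why a hash list alone is brittle against a campaign that repacks its downloader; a name-only hit is worth a closer look but is not proof of infection.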


Related information:
Deception techniques that do not go out of style

Jorge Mieres
