Wednesday, March 19, 2008

A Portfolio of Fake Video Codecs

Shall we expose a huge domains portfolio of fake/rogue video codecs hosting the same Zlob variant on each and every of the domains, thereby acting as a great example of what malicious economies of scale means? But of course. As I've pointed out in a previous post, on the tactical warfare front the output of a malicious IFRAME campaign is often neglected from the perspective of lacking the two/three layered IFRAME-ing and redirection that the malicious parties usually implement at the beginning of the campaign. Basically, the over twenty fake video codecs domains are hosting the same binary in the form of a Zlob malware downloader, infrastructure courtesy of the RBN's used ATRIVO (64.28.176.0/20). Currently active domains hosting the" DVDAccess codec", namely a Zlob malware variant :


pornqaz.com
uinsex.com
qazsex.com
sexwhite.net
lightporn.net
xeroporn.com
brakeporn.net
sexclean.net
delfiporn.net
pornfire.net
redcodec.net
democodec.com
delficodec.com
turbocodec.net
gamecodec.com
blackcodec.net
xerocodec.com
ixcodec.net
codecdemo.com
ixcodec.com
citycodec.com
codecthe.com
codecnitro.com
codecbest.com
codecspace.com
popcodec.net
uincodec.com
xhcodec.com
stormcodec.net
codecmega.com
whitecodec.com
jetcodec.com
endcodec.com
abccodec.com
codecred.net
cleancodec.com
herocodec.com
nicecodec.com

DVDaccess's pitch : "DVDaccess is a multimedia software that allowa access to Windows collection of multimedia drivers and integrates with any application using DirectShow and Microsoft Video for Windows. DVDaccess will highly increase quality of video files you play. DVDaccess enhances your music listening experience by improving the sound quality of video files sound, MP3, internet radio, Windows Media and other music files. Renew stereo depth, add 3D surround sound, restore sound clarity, boost your audio levels, and produce deep, rich bass sounds."

Scanner results
: 39% Scanner (14/36) found malware!
File Size : 74823 byte
MD5 : 30965fdbd893990dd24abda2285d9edc
SHA1 : 53eacbb9cdf42394bd455d9bd2275f05730332f7

Why are the malicious parties so KISS oriented at the end of every campaign, compared to the complexity and tactical warfare tricking automated malware harvesting approaches within the beginning of the campaign? Because they're not even considering the possibility of proactively detecting the output of the many other malware campaigns to come, which will inevitable be ending up to these very same domains serving a single Zlob variant. Just like the recent massive IFRAME attacks, where in between the live exploit URLs and rogue security software, the end users were redirected to DVDaccess as well. In fact, the massive IFRAME attack campaign was, and continues to redirect to one of the domains in the portfolio I've just provided you with.