Friday, June 20, 2008

Fake Celebrity Video Sites Serving Malware

With blackhat search engine optimization tactics clearly converging with social engineering, the result of which is the increasing supply of Zlob malware variants served as fake codecs, it's about time we spill some coffee on several campaigns in order to get a better understanding of the way the campaigns function.

These campaigns are also starting to get so sophisticated, that analyzing a single one will expose another massive SQL injection, reveal several blackhat SEO domain farms, let you obtain fresh Zlob malware variants, and point you to the very latest and undetected rogue software if you manage to expose the entire scammy ecosystem through all the redirections put in place to make it harder to get to the bottom of it.

What's important to keep in mind when assessing and shutting down such comprehensive campaigns is that on the majority of occassions the front end domains as well as the secondary ones are all attempting to download the codecs from hardcoded locations. Consequently, you have 50 front end domains and another 50 as secondary redirection points all attempting to download the codecs from 3 download locations. Once again, the malware authors efficiency centered mentality emphasising on the easy of management for the campaign is making it possible to.

Here's are some currently active fake celebrity video sites serving malware including the codec redirectors :

stillnaked.net
funkytube.net

starvid.info
yetmorefun.net

hotnudity.net

alreadynude.com

celebvids.info

sexystar.name

hotserved.net

thestars2008.com

nudde.net
gottabigfuick.com

moviecity.se

gossip-starz.com

tmz-video.com

js0.info
superfakamyvideo.com

hdavidz.com

blog-x.in
tmz-video.com
newhotpeople.com

dirty-gossips.com

flaxxvid.com

videoid.info

realvideofree.com

yetmorefun.net

popvids.info
ihavewetfuckpussy.com
virus-scanonline.com
adultx2008.com

lux-software2008.com

As well as some sample subdomains for traffic acquisition purposes, since all of these have already been crawled by search engines :

jodie.popvids.info
jessica.popvids.info

tila.popvids.info

paris.celebvids.info
vanessa.celebvids.info

britney.nudde.net

paris.nudde.net

kardashian.nudde.net

vanessahudgens.yetmorefun.net

lindsaylohan.yetmorefun.net

britneyspears.yetmorefun.net

parishilton.yetmorefun.net

kardashian.nudde.net


We also have embedded IFRAMEs and as well as injected ones into vulnerable sites, acting as redirectors to some of these fake video sites. For instance, at the pedophilesexstories.blog.com we have an injected redirector - js0.info/?s=16&k=pedophile+sex+stories&c=5 and js0.info itself is a blackhat SEO operation that's aggregating generic search traffic like this :

js0.info/16/5/ragnarok+hentai
js0.info/15/4/antivirus+characteristic

js0.info/16/5/msn+monkey
js0.info/15/4/airplus+internet+security

Once accessed, you get redirected to through two separate redirection campaigns at searchaw.info/sa/in.cgi?16; and hmel.info/stds13/go.php, until you finally get to the codecs.

With blackhat SEO-ers already well developed inventory of topical junk content, and experience in what's popular content and what's not, the entry barriers for malware authors into the traffic acquisition joys of blackhat SEO has never lower.

No comments:

Post a Comment