Tuesday, July 08, 2008

Fake Porn Sites Serving Malware - Part Two



What we've got here is the same malware gang using the very same malicious ISP, one of those you rarely see in any report, continuing to crunch out domain redirectors using the same templates for fake porn sites. And since some of the fake sites are actual redirectors, periodically revisiting them leads to more fake codecs and even more actionable intelligence into the nature of their practices, and into which ISPs have been providing them with hosting services for several consecutive years.



The main redirector in this campaign, popular-adult.com, is also responding to:







The secondary redirectors going out of popular-adult.com:









More fake porn video sites using similar site templates and the same redirection infrastructure:







The fake codec download locations in this campaign:







The registrant and hosting provider:



Cernel Inc, Legal Department  (support@cernel.net)

23404 W. Lyons Ave #223, Santa Clarita, Ca,91321

US, Tel. +1.6613470577



Historically, the same gang has been using the same hosting provider for many other fake codecs, which remain parked on the same netblock in a standby mode:






The deeper you go, the more interesting it gets: malware command and control servers located on the same network, fake banks, money mule recruitment sites, pharmaceutical scams and spam hosting. They, or their customers if they are to forward the responsibility, are definitely multitasking.



Related posts:

Fake Porn Sites Serving Malware

Underground Multitasking in Action

Fake Celebrity Video Sites Serving Malware

Blackhat SEO Redirects to Malware and Rogue Software

Malicious Doorways Redirecting to Malware

A Portfolio of Fake Video Codecs