Wednesday, February 11, 2009

Fake Codec Serving Domains from Digg.com's Comment Spam Attack

The following assessment details all the redirectors, the fake codec serving domains, and the related fake security software domains used in the Digg.com comment spam attack.



The complete list of the domain redirectors used in the comment spam attack:
worldnews-video .com - 459,000 bogus comments
youtube-top-video .com - 98,000 bogus comments
new-videos .info - 92,500 bogus comments
film-man .com - 50,700 bogus comments
last-sex-news .com - 26,000 bogus comments
video-news .cn - 25,500 bogus comments
last-porno-news .com - 21,500 bogus comments
fresh-video-news .com - 10,900 bogus comments
broken-tv .com - 10,000 bogus comments
video-trailers .net - 8,370 bogus comments
exclusive-videos .net - 7860 bogus comments
funkytube .net - 6,170 bogus comments
shocking-stars .net - 2,600 bogus comments
cinemacafe .tv - 1560 bogus comments
watch-video .cn - 3000 bogus comments
vidstream .cn - 397 bogus comments
divgg .com - 174 bogus comments
golden-portal .us - 3040 bogus comments
tubedirects .net - 290 bogus comments
funkytube .net - 6,480 bogus comments
watchepisodes .cn - 331 bogus comments

video-sensation .com - 1,500 bogus comments
bestlive-tv .cn - 216 bogus comments
svtube .cn - 222 bogus comments
onlyhotvideos .com - 413 bogus comments
celebnudestars .net - 326 bogus comments
usatvshows .us - 41 bogus comments
vidstream .cn - 398 bogus comments
divgg .com - 171 bogus comments
tubedirects .net - 285 bogus comments
yuotnbe .com - 370 bogus comments
omeia .info - 769 bogus comments
video.stumbulepon .com - 669 bogus comments
shocking-stars .net - 2,650 bogus comments
sowonder .net - 3000 bogus comments
sex-tapes-celebs .com - 2,210 bogus comments
video-sensation .com - 1,690 bogus comments

Currently active download locations for the fake codecs, and the rogue security software:

Detection rates for the codecs/rogue security software:
viewtubesoftware.40020.exe
Result: 8/39 (20.51%)
File size: 71680 bytes
MD5...: ef26250b946a63112659c94eed016e0d
SHA1..: 902fd30cd4a7465c9f5271971604d273ed74a60c

viewtubesoftware.400201.exe
Result: 7/39 (17.95%)
File size: 62464 bytes
MD5...: 1d4c3a6d2cc8c645652f7090636e5a4b
SHA1..: ccc1994a521d9e8a053a345b9d9cc28a63415845

Install.exe
Result: 5/39 (12.82%)
File size: 77830 bytes
MD5...: 64557f21c50b6c063cc96ba661bcd27c
SHA1..: 5a765a92de07af756c96c83139be8ddace117ef1

install1.exe
Result: 4/39 (10.26%)
File size: 73222 bytes
MD5...: 890bf32b34b7abab7aa7ea049215c429
SHA1..: 8c311a8b6096914f758bcaf82aca465bcc885110

The first comments including links to these domains were posted at Digg.com in January 2008, over a year ago.