A Portfolio of Fake Video Codecs

Wednesday, March 19, 2008

A Portfolio of Fake Video Codecs

Shall we expose a huge domains portfolio of fake/rogue video codecs hosting the same Zlob variant on each and every of the domains, thereby acting as a great example of what malicious economies of scale means? But of course. As I've pointed out in a previous post, on the tactical warfare front the output of a malicious IFRAME campaign is often neglected from the perspective of lacking the two/three layered IFRAME-ing and redirection that the malicious parties usually implement at the beginning of the campaign. Basically, the over twenty fake video codecs domains are hosting the same binary in the form of a Zlob malware downloader, infrastructure courtesy of the RBN's used ATRIVO (64.28.176.0/20). Currently active domains hosting the" DVDAccess codec", namely a Zlob malware variant :

pornqaz.com

uinsex.com

qazsex.com

sexwhite.net

lightporn.net

xeroporn.com

brakeporn.net

sexclean.net

delfiporn.net

pornfire.net

redcodec.net

democodec.com

delficodec.com

turbocodec.net

gamecodec.com

blackcodec.net

xerocodec.com

ixcodec.net

codecdemo.com

ixcodec.com

citycodec.com

codecthe.com

codecnitro.com

codecbest.com

codecspace.com

popcodec.net

uincodec.com

xhcodec.com

stormcodec.net

codecmega.com

whitecodec.com

jetcodec.com

endcodec.com
abccodec.com

codecred.net

cleancodec.com

herocodec.com

nicecodec.com

DVDaccess's pitch : "DVDaccess is a multimedia software that allowa access to Windows collection of multimedia drivers and integrates with any application using DirectShow and Microsoft Video for Windows. DVDaccess will highly increase quality of video files you play. DVDaccess enhances your music listening experience by improving the sound quality of video files sound, MP3, internet radio, Windows Media and other music files. Renew stereo depth, add 3D surround sound, restore sound clarity, boost your audio levels, and produce deep, rich bass sounds."

Scanner results : 39% Scanner (14/36) found malware!

Trojan-Downloader.Win32.Zlob.eie

File Size : 74823 byte

MD5 : 30965fdbd893990dd24abda2285d9edc

SHA1 : 53eacbb9cdf42394bd455d9bd2275f05730332f7

Why are the malicious parties so KISS oriented at the end of every campaign, compared to the complexity and tactical warfare tricking automated malware harvesting approaches within the beginning of the campaign? Because they're not even considering the possibility of proactively detecting the output of the many other malware campaigns to come, which will inevitable be ending up to these very same domains serving a single Zlob variant. Just like the recent massive IFRAME attacks, where in between the live exploit URLs and rogue security software, the end users were redirected to DVDaccess as well. In fact, the massive IFRAME attack campaign was, and continues to redirect to one of the domains in the portfolio I've just provided you with.

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com

Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

Wednesday, March 19, 2008

A Portfolio of Fake Video Codecs

No comments:

Post a Comment