A rogueware distribution gang known for their use of Rbn services and phishing scams continue to maintain a couple of the busiest servers in our daily prevented malware lists. Starting on May 6th, the group moved their downloaders and malware (similarly named to softwarefortubeview.4000.exe) from being served at 195.88.80.41 to exclusively 91.212.65.54.
This group appears to be getting quite a bit of traction out of their ongoing FakeAv scheme, in addition to the phishing activities. They started out in late 2008 on 94.247.3.232 with tubeviewer.95.exe, and in mid-January, moved tubeviewersetup..exe to several other addresses:
216.195.40.88
94.247.3.232
91.211.64.131
and since May 6th, they have served softwarefortubeview.40019.exe (among other names) at 91.212.65.54, for which we see multiple domain names registered:
cls-softwares.com
kol-programmers.com
kxc-softwaresportal.com
rol-programms.com
sdfv-programs.com
sgh-topprograms.com
slk-softwareportal.com
slk-softwareportal.com
hex-programmers.com
kor-programms.com
res-supersoft.com
You can see our previous posts regarding their FakeAv malware downloaders, with some of the most popular scareware messages: “you have a security problem” and “security system has detected spyware infection!”.
The redirection to this executable most often comes from blog posts offering free current movies, like “Watch Push Movie Online Free”. You get what you pay for. Notice the video frame at the bottom of the post. Avoid this blog and others like it:
“Anika”, the poster of the phony blog above, also set up a number of other blogs, hoping to capture more curious cats looking for “movie online free”:
Eventually, clicking on the posts’ link sets up the browser for a series of javascript redirections to “watch-for-free.net”, where the phony executable is finally offered to watch the non-existent flick.
For example, a few clicks for a “movie online free” Mr. Bean video link redirects the browser through several links and eventually the fake video iframe coughs up the download prompt for the gang’s malware:
hxxp://watch-mr-bean-movie-online-free.blogspot.com/ –>
hxxp://video-trailers.net/hotnews.php?id=Mr._Bean –>
hxxp://watch-for-free.net/hotnews.php?id=Mr._Bean&was=1 –>
hxxp://premier-tube-site.com/xplay.php?id=40018
Update: an excellent post describing related activity and infrastructure at the GazTranzitStroyInfo site and related russian ISP’s. And the group moves their malware to yet another provider.
