Blog for hpHosts, and whatever else I feel like writing about ....

Thursday 21 May 2009

Interforum LTD - Another Russian blackhat outfit

Interforum LTD are yet another Russian based blackhat outfit, involved in various activities, just one of which is rogue infections via Google poisoning.

This particular one starts at fivespot-atl.com (IP: 64.128.80.103 - constitution.networkredux.net). with a URL that instantly screams "I'm gonna infect you, but I gots some really cool porn for you!";

hxxp://fivespot-atl.com/sew/21a.php?page=freegirlxxxvideos-cn-video

Viewing the source code, shows us several rather interesting links;

http://wewew.googlecode.com/files/nb.js
hxxp://fivespot-atl.com/sew/21a.php?pagefreegirlxxxvideos-cn-video
hxxp://fivespot-atl.com/sew/21a.php?page=hot-forced-crossdressing-stories
hxxp://fivespot-atl.com/sew/21a.php?pagefreegirlxxxvideos-cn-video
hxxp://wewew.googlecode.com/files/tube.gif (VirusTotal results)

I checked the tube.gif file, and the .js/.css files hosted on the GoogleCode URL, but couldn't see anything malicious, so is likely still in development.

So what does the fivespot-atl.com URL actually look like? Well a WordPress blog actually. Though it also includes one of our very familiar looking "Woops, ya need a codec/flass to view this";



Clicking on this "video" results in our being take through su7.us (IP: 88.214.200.145 - Real International Business Corp. - known malware block), and given a fake flash installer, identified as PrivacyCenter by NOD32 (quarantined it when I tried obtaining a copy);

http://www.virustotal.com/analisis/b8f4627d1a3b24f6214d14b7333ddd8f

This file is downloaded from secure-center-antivirus.com;

hxxp://secure-center-antivirus.com/promo1/get.php?aid=1240&vname=flash_player_setup
Hint: promo1 is also valid as promo2/3 and the vname seems to be anything you like - it's just used as the name of the .exe to be downloaded
The secure-center-antivirus.com IP, 91.212.132.12 is shared by over 20 other malicious domains, including;

antispyware-for-all.com
free-antivirus-engine.com
free-porn-xmovies.com
free-tube-video-central.net
free-xtube.com
free-xxx-central.com
hot-porn-tubes.com
my-porn-archive.com
porn-tube-host.com
porn-tubes-world.com
secure-center-antivirus.com
tubez-boobez.com
tubezzz-boobezzz.net
www.antispyware-for-all.com
www.free-porn-xmovies.com
www.free-tube-video-central.net
www.free-xtube.com
www.free-xxx-central.com
www.hot-porn-tubes.com
www.porn-tube-host.com
www.porn-tubes-world.com
www.secure-center-antivirus.com
www.tubez-boobez.com
www.tubezzz-boobezzz.net
www.xtube-xmovie.com
www.youporn-for-free.com
xmovies-downloads.com
xtube-xmovie.com
youporn-for-free.com


Ref:
http://hosts-file.net/pest.asp?show=91.212.132.

Net-block information for 91.212.132.*

inetnum: 91.212.132.0 - 91.212.132.255
netname: Interforum-NET
descr: Interforum LTD
country: RS
org: ORG-IL161-RIPE
admin-c: SS11684-RIPE
tech-c: SS11684-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: MNT-INTF
mnt-lower: RIPE-NCC-END-MNT
mnt-routes: MNT-INTF
mnt-domains: MNT-INTF
source: RIPE # Filtered

organisation: ORG-IL161-RIPE
org-name: Interforum LTD
org-type: OTHER
address: 152155, Yaroslavskaya dist., Rostov, Lenin st. 34, Russia
e-mail: interforum.co@gmail.com
mnt-ref: MNT-INTF
mnt-by: MNT-INTF
source: RIPE # Filtered

person: Sevrem Sofiev
address: SARAJEVSKA 37 11000 BELGRADE
phone: +381 11 313 2848
nic-hdl: SS11684-RIPE
mnt-by: MNT-INTF
source: RIPE # Filtered

:: Information related to '91.212.132.0/24AS49091'

route: 91.212.132.0/24
descr: INTF route
origin: AS49091
mnt-by: MNT-INTF
source: RIPE # Filtered


This block also appears to be directly related (see parent: 91.212.) to the group I blogged about, that are also involved in the Live.com poisoning (not really surprising) and blogged by Danchev earlier this week;

http://ddanchev.blogspot.com/2009/05/gaztranzitstroyinfo-fake-russian-gas.html

What is more interesting, is that one of the domains reported to me as being hacked, tkdtutor.com (IP: 216.97.233.15 - xerxes.lunarpages.com), also suggests a possible relation to the group(s) responsible for the exploitation of the sites hosted by Lunarpages (and yes, those previously reported, are STILL carrying the malicious code - nice going there LunarPages!).

hxxp://tkdtutor.com/00Site/admin/restaurant-empire-trainers/masturebation-pics.html

Ref:
http://vurl.mysteryfcm.co.uk/?url=626046

No comments: