We decided to follow up on one of these malware links to see if it would be an example of Chinese domain names being used by Ukrainians and Russians. (In Saturday's blog article, Spam Crisis in China we suggested that its actually Eastern Europeans who are abusing the cheap domain names in China.)
On the dozens of weblinks posted pretending to be Jennifer Anniston, or Paris Hilton, or Jennifer Love Hewitt on Twitter, LinkedIn, and ScribD, the links all pointed to the same place -- showmealltube.com on the path /paqi-video/7.html
The Danger of Tiny Twitter URLs
After the first several hours of the campaign, the URLs switched to being "shortened URLs" like:
"bit.ly/aSDhl" or something like that - you've seen them. When you only have 140 characters, using a shortened URL makes sense. The problem is that you just really don't know where those links are going - and because of that SEARCHING on Twitter is a security nightmare. As an example, searching on "Transformers 2" tonight, the first link took me to a site telling me how I could get rich on the Internet.
The top link there is trying to drive traffic to her Work at Home scammer site by tagging the current top search terms on Twitter. So whether you search for "Iran" or "IranElection" or "Jon & Kate" or "AT&T" or "Transformers 2", you're going to hit her site.
The second site, which takes you to "http://bit.ly/pmU8P", is also a scam. How do you know where the "bit.ly" site is going to take you? You really don't, you just trust on blind faith and click. In this case it take you to a site called "Free-Gay-Mature-Movie-Clips". Trust me, you don't want a thumbnail of that!
So, typical Twitter advice is "only click on links from people you follow" but with some recent news of Twitter account takeovers, is that safe?
If you wonder about a Tiny URL of any sort, this article form the JoshMeister, Joshua Long, explains how to "preview" where nearly any "tiny URL" is going to take you before you blindly follow it: How to Preview Shortened URLs.
A chain of redirects
So, let's go back to our Jennifer Anniston example and see how bad these links can get. Just clicking the link is going to start a chain reaction of website visits that end with infection. We'll see where the chain leads.
So we start by looking at the whois information for that domain:
samandar hoja firstname.lastname@example.org
+9989770145698 fax: +9989770145698
buxara boxara 21654321
and where it was hosted - which was Layered Technologies (in Texas) on the IP address 188.8.131.52.
That same email address from the WHOIS has been previously associated with domains like "bolapaqir.com", "tafficbots.com", and "myfilehostings.net".
Decoding that takes us to: http://myhealtharea.cn/ with the path in.cgi?12
Domain Name: myhealtharea.cn
Domain Status: clientTransferProhibited
Registrant Organization: Health Area Inc.
Registrant Name: home
Administrative Email: email@example.com
Sponsoring Registrar: 广东时代互联科技有限公司 (That's Chinese for "now.cn")
Registration Date: 2009-02-01 19:34
Expiration Date: 2010-02-01 19:34
So, this domain, registered February 1, 2009, on "now.cn" in China, is still live and still serving malware on a server in Texas four and a half months later. (The IP address 184.108.40.206 on Layered Technologies.)
Some of the other sites on that IP address include:
gozbest.net - (firstname.lastname@example.org)
parisochka.com - (email@example.com)
tafficbots.com - (firstname.lastname@example.org)
tiquilushka.com - (email@example.com)
I'm sure you'll recognize the first email, Shestakov Yuriy being one of the primary Eastern European's registering Chinese domains.
So what happens when you visit the "healtharea.cn" site? It forwards to:
showmeall-tube-xx.com on the path /tube.htm
That domain name is hosted in the UK on the IP address 220.127.116.11 where more than 90 other domains, including several registered using another Alexey Vasyliev alias (firstname.lastname@example.org) are located. (Alexey is another alias for the alexeyvas above.)
/tube.htm then causes the download of the file:
911pornox.com on the path /_codec/103.exe
That domain is located on the IP address 18.104.22.168 in the Ukraine on Plitochnik's network.
This site also hosts a ton of fake anti-virus download sites:
The Malware at the End of the Trail
The malware that we just downloaded however, the 103.exe file, is largely undetected by the 41 anti-virus programs used at VirusTotal:
That only has 7 of 41 detects on VirusTotal:
File size: 77827 bytes
MD5 : 96590109bb28042dc8cf6e9d92163bc9
VirusTotal Report on 103.exe - 7 of 41 detects
Once the malware was unpacked we found that it was going to cause us to visit several other websites, including:
911pornox.com on the path /installed.php?id=
911pornox.com on the path /videosz.php
downloadfixandlove1.com on the path file.exe
and finally connect to a payment site:
payorderthis.com on the path /pp2/?id=
The "file.exe" from downloadfixandlove1 is very well-known at VirusTotal (32 of 41 detects) but that really doesn't matter since the previous malware already turned off your anti-virus program, and it only had 7 of 41 detects.
File size: 102400 bytes
MD5 : 5f1b9a406fd43de8c006f261feb36816
VirusTotal Report for "file.exe" - 32 of 41 detects.
PayOrderThis.com is the payment processing site for the fake anti-virus program "Win PC Defender".