Some folks saw this ABC News story yesterday, and sent me surprised questions that I hadn't blogged about it, so, here is the after-the-fact blog about a situation that is still continuing.
(click for ABC News story)
The story actually goes much bigger than that. Sure there are lots of people who have "erin andrews peephole photos" links on Twitter, and almost all of them are pointing to a virus, as we mentioned in the ABC News story.
As we've discussed several times in the past, this is another case of shortened URLs taking you to unknown pages, and Twitter training us all to blindly follow the link. Many of the links we've checked out all go to the same place. So, for example:
all point to the same place . . .
Attempting to play the video there actually redirects you to a malware page where you will grab a link to the website lyy-exe.com and download a piece of malware called onlinemovies.40014.exe.
When we first scanned the malware yesterday morning, VirusTotal indicated that it was detected by four of 41 anti-virus products. By last night that was up to 10 of 41, and this morning when we rescanned (July 21st) the detection rate was XXXXXXXXXX
The rest of the story comes out as we look at the other posts made by some of the people who were posting links to the malware. We decided to grab a few that have posted in the past two hours, and see what else they were posting. Here's our sample group:
estefanikime, corinnenamlo, kaylahjofa, haydenluyan, sandynifa, stacilaqu, margaritloomm, beverlykineo, jazminekayam, stasianika, patsykasex, giselleheni, nadinebeeca, sidneydame, margaretfaxe, marniexuqu, unanilu, shanicebibee, trudypoohm.
It looks like the malware may actually be creating its own Twitter accounts, as these accounts for the most part have no followers, and are following no one. They seem to be depending on the fact that people actually "search" twitter, and their results will be found among the other results. This really points out the fact that Twitter needs to do something more than just their current LIFO (Last In First Out) search. If you search for a term, and I am the last person to post something with that term, you will see MY post, even if nobody follows me at all, even if I am an account that was created thirty minutes ago. Wouldn't it make more sense to see what the people are saying who are at least being followed by SOMEONE?
estefanikime has 0 followers and follows no one. Her recent news stories point to the sites:
legalmusic4all.com (an illegal music site hosted on NetDirekt in Germany)
fusionstories.com (an entertainment blog hosted on NetDirekt in Germany)
and several shortened URLs which use the subject lines:
watch erin andrews video => thecooltube.com
spinnerette => thecooltube.com
2009 espy award winners => thecooltube.com
tour de france stage 16 => thecooltube.com
t.o. show => thecooltube.com
blue spark => thecooltube.com
bachelorette men tell all => thecooltube.com
corinnenamlo has 4 followers but is following no one.
Her shortened URLs use the subject lines:
tokyo rose => thecooltube.com
charleston high school mississippi => thecooltube.com
chuck yeager => thecooltube.com
throw it in the bag remix lyrics => thecooltube.com
jesse holley => thecooltube.com
inhaling duster => thecooltube.com
neil armstrong death => thecooltube.com
chris brown apology => thecooltube.com
Wait! I believe I'm detecting a pattern!
Other links being used included:
arturo gatti funeral
aaron brink wife vanessa
tna victory road 2009 results
nomura s jellyfish
verizon wireless amphitheater irvine
lee westwood golfer
labor pains lindsay lohan
All point to the malware site, "thecooltube.com".
When ABC News called yesterday, I was on my way to teach a class for the University of Alabama at Birmingham (UAB)'s Computer Forensics program. The course is called "Investigating Online Crime", and is a mix of Computer & Information Science and Criminal Justice students who are interested in careers in cybercrime investigations. I had been looking for an example for them to work on digging into a case using a variety of online tools, and Maltego from Paterva. I did a quick change-out on the case we would look at, and asked them to follow their leads on this one instead. They certainly found some interesting things!
With ten minutes to go before class, I also asked one of my graduate students, Malware Analyst Brian Tanner, to run a quick dynamic analysis of the malware in the lab. He pulled out some IP addresses of interest for the malware and some of the students included those IP addresses and domain names in their Maltego charts as well. Here are some of the sites that the malware connects to immediately after launching:
myart-gallery.com - 184.108.40.206
isyouimageshere.com - 220.127.116.11
imgesinstudioonline.com - 18.104.22.168
yourimagesstudio.com - 22.214.171.124
imagesrepository.com - 126.96.36.199
delphiner.com - 188.8.131.52
searchzoeken.com - 184.108.40.206
After this basic setup, the malware infected box goes nuts doing advertisement clickfraud, jumping back and forth between a variety of search sites, and following the resulting links, such as "homesearchnova.com" and "top100search.com" and "www-news-today.com" and "ad.reduxmedia.com" and "ad.yieldmanager.com" and "abcsearch.com" and "lucky5forme.com"
In our particular case, we were for some reason doing a lot of "Bollywood" related traffic, doing searches such as "hindi film actor photo" and ending up following links to places like "bollywoodhungama.com"
Someone interested in Advertising Click-Fraud may want to dig into this particular malware much more deeply.
Some of the other interesting clusters the students found were based on nameserver - for instance the nameserver "ns1.alvobs.com" is used by many domains which seem to be involved in tricking people into infecting themselves. Here are some of the domain names that they found were being actively visited:
Many of these sites have already been shut down due to malware complaints. Hopefully Directi will look into the others as well.
One of the students ran the WHOIS on many of these domains and noticed that in addition to having invalid phone numbers (such as Tasha Chambers in Kearns Utah, who has the telephone: Tel. +001.98985647689) the pattern was to make either a gmail or a yahoo address using the first portion of the first and last names, so we had whois name/email pairs such as:
Chuck Jackson / firstname.lastname@example.org
Colette Milton / email@example.com
Dion Choiniere / firstname.lastname@example.org (ok, breaks that pattern!)
Jamie Sires / email@example.com
Leota Allison / firstname.lastname@example.org
Malcolm Cromer / email@example.com
Michael Barnes / firstname.lastname@example.org
Norman Troup / email@example.com
Queenie Ziegler / firstname.lastname@example.org
Robyn Hamilton / email@example.com
Tasha Chambers / firstname.lastname@example.org
Almost all of the domains that were owned by the people above had been terminated. Almost all of the domains registered to "PrivacyProtect.org" had NOT been terminated - which is probably because PrivacyProtect makes it hard to lodge a complaint based on the fact that the domain has false WHOIS information.
Domains that are still live are:
After class, Brian got back into the lab to prove to me why he was better than the "automatic unpacker" I had used in class. As usual, he was amazing. He stepped through the malware with a debugger until it had unpacked itself fully into memory, and then dropped the image from memory to reveal even more hard-coded website names, including:
which seem to be "backup" command & controls. When we launched we sent a string "/senm.php?data=" to "myart-gallery.com", but apparently if that domain is unavailable, the code will try "robert-art.com" or "superarthome.com" instead.