Fake Porn Sites Serving Malware - Part Three
August 26, 2008 22:04

    
Continuing the "Fake Porn Sites Serving Malware" and "Fake Porn Sites Serving Malware - Part Two" series, part three looks at the emerging trend of parking a single domain at up to three different hosting locations, and once again re-establishes the connections between malicious ISPs while exposing the domains and the download locations that share the same IPs.

downlfreesexgirlbeach .com first redirects to infodist1 .com/in.cgi?2, then to watchnenjoy .com/index.php?id=1314&style=black, and finally to handmadeclips .com, the front end to the codec's download location, where the codec is downloaded from flwprocedure .com. Behind these domains, we can easily expose many other fake porn sites and pharmaceutical scams, next to a small portfolio of domains specifically used for hosting the binaries. Due to the obvious rotation I've encountered several times so far, a fake porn site today is tomorrow's blackhat SEO content farm:

downlfreesexgirlbeach .com - (88.214.198.25)

infodist1 .com - (88.214.204.40)

adult-shemale .com - (88.214.198.25)

flwprocedure .com - (77.91.231.201)

Some info on a sample codec:
Scanners Result: 11/36 (30.56%)
Trojan-Downloader.Win32.Zlob.cos
Trojan.Popuper.7315
File size: 10240 bytes
MD5...: 467e4e78974dc8b2ee5d7da024daf31a
SHA1..: 311e0c710bb15761ef3dace54b55489830cf5803

Phones back to 69.50.164.50/this/is/stereo/music.php?param=0;1314;1550; 69.50.164.50/this/is/stereo/jazz.php?param=49325611;2:191:5|7:271:0|6:130:0|9:0:5|34:65536:0 and to 85.255.119.244/this/is/stereo/music.php?param=0;4135;1548.

When Emil Kaperski's InterCage, Inc. (69.50.164.50) meets UkrTeleGroup Ltd. (85.255.119.244), previously known as Andrei Kislizin's InHoster, you know you're on the right track.
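
A detection sketch for the phone-back traffic described above, added here as an example and not taken from the original post: it matches the `/this/is/stereo/` path shape instead of the two IPs, since the sample contacts the same path at two different hosts. The log line format, the client addresses and the 192.0.2.10 host are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Path shape copied from the phone-back URLs quoted in the post.
BEACON_PATH = re.compile(r"^/this/is/stereo/(music|jazz)\.php$")

def parse_beacon(url):
    """Return host, script and ';'-separated param fields, or None if no match."""
    if "://" not in url:              # the post quotes the URLs without a scheme
        url = "http://" + url
    parts = urlsplit(url)
    match = BEACON_PATH.match(parts.path)
    # Split the query by hand: older urllib versions treat ';' as a separator.
    if not match or not parts.query.startswith("param="):
        return None
    return {
        "host": parts.hostname,
        "script": match.group(1),
        "fields": parts.query[len("param="):].split(";"),
    }

def scan(log_lines):
    """Return (client, beacon) for each '<time> <client> <url>' line that matches."""
    hits = []
    for line in log_lines:
        try:
            _time, client, url = line.split(None, 2)
        except ValueError:            # malformed line: skip rather than crash
            continue
        beacon = parse_beacon(url.strip())
        if beacon:
            hits.append((client, beacon))
    return hits

# Constructed proxy log lines; only the first two URLs come from the post.
SAMPLE_LOG = [
    "2008-08-26T22:01:07 10.0.0.21 69.50.164.50/this/is/stereo/music.php?param=0;1314;1550",
    "2008-08-26T22:01:09 10.0.0.21 85.255.119.244/this/is/stereo/music.php?param=0;4135;1548",
    "2008-08-26T22:02:30 10.0.0.35 http://192.0.2.10/this/is/stereo/jazz.php?param=1;2:3:4",
    "2008-08-26T22:03:00 10.0.0.40 http://example.com/stereo/music.php?param=0;1;2",
    "2008-08-26T22:03:05 10.0.0.40 http://example.com/this/is/stereo/music.php.bak",
    "truncated-line",
]

if __name__ == "__main__":
    for client, beacon in scan(SAMPLE_LOG):
        print(client, beacon["host"], beacon["script"], beacon["fields"])
```

In the first quoted beacon the second `param` field is 1314, the same value as `id=1314` in the watchnenjoy .com redirect, so extracting the fields lets an analyst group infections by that value.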
