The Latest in IT Security

Fake YouTube infects PCs with SpyEye Bot

11 May 2011

The following site is a convincing YouTube replica; it is easy to be fooled because all of the video links actually work.

secretyoutube.com

But it has a dirty secret: the site pushes a malicious Java drive-by download from secretyoutube.com/YouTube.jar (VirusTotal report (7/42) here).

The applet contains a single class (YouTube.class) whose intent is straightforward: download an executable and run it.

The file comes from p-file.su/data2/10058-1.exe (VirusTotal (3/42) report here).
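A defender triaging such an applet usually wants a quick static look at the JAR before running anything. The script below is an added example, not code from the original post: it unpacks a JAR in memory and reports, per class, the constant-pool strings that a download-and-run applet depends on (network URL, file write, Runtime/exec) together with any embedded URLs. Class-file constant pools store strings as plain (modified) UTF-8, so a byte search works on real class files; the sample JAR it builds is a constructed stand-in containing only those strings and the download URL from the post, not real bytecode.

```python
import io
import re
import zipfile

# Constant-pool strings typical of a download-and-execute applet (coarse heuristic:
# "exec" alone will also match unrelated words, so treat a hit as a lead, not a verdict).
SUSPICIOUS_APIS = {
    b"java/net/URL": "opens a network URL",
    b"java/io/FileOutputStream": "writes a file to disk",
    b"java/lang/Runtime": "obtains the Runtime (used for exec)",
    b"exec": "executes an external program",
}
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def triage_jar(jar_bytes):
    """Return {class_name: {"apis": [...], "urls": [...]}} for every .class that matches."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            data = zf.read(name)
            apis = [why for needle, why in SUSPICIOUS_APIS.items() if needle in data]
            urls = [u.decode("ascii", "replace") for u in URL_RE.findall(data)]
            if apis or urls:
                findings[name] = {"apis": apis, "urls": urls}
    return findings


def build_sample_jar():
    """Constructed stand-in: a JAR whose single YouTube.class holds just the strings
    such an applet's constant pool would contain (not real bytecode). The URL is the
    one the post reports; the trailing NUL mimics the tag byte that follows a real
    constant-pool string so the URL regex stops where the string ends."""
    fake_class = (b"\xca\xfe\xba\xbe" + b"java/applet/Applet" + b"java/net/URL"
                  + b"java/io/FileOutputStream" + b"java/lang/Runtime" + b"exec"
                  + b"http://p-file.su/data2/10058-1.exe" + b"\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("YouTube.class", fake_class)
    return buf.getvalue()


if __name__ == "__main__":
    for cls, info in triage_jar(build_sample_jar()).items():
        print(cls)
        for reason in info["apis"]:
            print("  api:", reason)
        for url in info["urls"]:
            print("  url:", url)
```

Run against a real JAR with `triage_jar(open("suspect.jar", "rb").read())`; a class that both references `java/net/URL` and `java/lang/Runtime` and carries a hard-coded `.exe` URL is the pattern the post describes and is worth pulling apart in a proper decompiler.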

The server IP for p-file.su is 95.64.10.203, in Romania.

I noticed this file is also being pushed from legitimate YouTube video pages (here, there, or here), advertised either as a bot for video games or as a way to bypass "Sharecash" surveys:

Analysis of this binary is complicated by the fact that the sample behaves differently when run in a VM (at least in VirtualBox). In my tests with an XP VM, the machine slows to a crawl and loses its Internet connection.

If you run this on a physical machine you will notice the creation of a service:

The name does not appear to be random, and the service is invisible to the OS (special tools are needed to detect its presence), which indicates a typical rootkit infection.

Shortly after, several remote connections are made to 91.213.217.190:

This IP is well known:

There are a couple of domains associated with it:

updateservers.kz
windriverupdate.kz

Registered to a certain Andrei Kudryavcev from Russia.

The hosting company is Offshore hosting LTD with the server being located somewhere in Europe.

Let's get back to the ASN, 49806. We find a direct connection with SpyEye/Zeus:

Our friend over at Malc0de.com has several pages of SpyEye-related URLs belonging to AS49806:

The Zeus tracker has also logged this ASN:

That's it for this case so far. I will keep an eye on this very active ASN to see what comes out of it next.

Jerome Segura

Update:

Steven Burn added a few more domains on 91.213.217.190:

cloudnanoconnnection.info
counter2b.zapto.org
updatebackupserver.com
updatebackupserver.kz
updatebackupserver.ru
updatebackupserver.su
updateconnection.com
updateservers.kz
windriverupdate.kz
winupdateservices.com

In fact, there are many more bad domains within the IP range.
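The practical use of the indicators collected above (the drive-by host, the download host, the C&C IP reached shortly after infection, and the domains on that IP) is to sweep proxy, DNS and firewall logs for any client that touched them. The following is an added example, not code from the original post: the indicator lists are the values the post gives, while the log format (`timestamp client kind target`, with `kind` one of `dns`, `http`, `conn`) and the log lines themselves are constructed for the example. Domain matching also catches subdomains of a listed domain, so a lookup of `www.updateservers.kz` is flagged; the post mentions that the surrounding IP range holds many more bad domains but does not give the range, so no range match is attempted here.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicators from the post: download/drive-by hosts and the C&C IP plus its domains.
BAD_IPS = {"95.64.10.203", "91.213.217.190"}
BAD_DOMAINS = {
    "secretyoutube.com", "p-file.su",
    "cloudnanoconnnection.info", "counter2b.zapto.org",
    "updatebackupserver.com", "updatebackupserver.kz", "updatebackupserver.ru",
    "updatebackupserver.su", "updateconnection.com", "updateservers.kz",
    "windriverupdate.kz", "winupdateservices.com",
}

# Assumed log format: "<timestamp> <client> <dns|http|conn> <target>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<kind>dns|http|conn)\s+(?P<target>\S+)$")

# Constructed sample log: one infected client (10.0.0.5) walking the chain in the post.
SAMPLE_LOG = """\
2011-05-11T10:02:13 10.0.0.5 http http://secretyoutube.com/YouTube.jar
2011-05-11T10:02:15 10.0.0.5 http http://p-file.su/data2/10058-1.exe
2011-05-11T10:02:40 10.0.0.5 conn 91.213.217.190:80
2011-05-11T10:03:01 10.0.0.7 dns www.youtube.com
2011-05-11T10:03:09 10.0.0.5 dns updateservers.kz
2011-05-11T10:03:11 10.0.0.9 http http://example.org/index.html
"""


@dataclass
class Hit:
    ts: str
    client: str
    indicator: str
    target: str


def extract_host(kind, target):
    """Pull the contacted host out of a URL, a host:port pair, or a bare DNS name."""
    if kind == "http":
        m = re.match(r"^[a-z]+://([^/:]+)", target)
        return m.group(1) if m else None
    if kind == "conn":
        return target.rsplit(":", 1)[0]
    return target


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(host):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in BAD_DOMAINS:
            return candidate
    return None


def scan(lines):
    """Match each parsable log line against the IP and domain indicators."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = extract_host(m["kind"], m["target"])
        if host is None:
            continue
        indicator = host if is_ip(host) and host in BAD_IPS else None
        if indicator is None and not is_ip(host):
            indicator = domain_matches(host)
        if indicator:
            hits.append(Hit(m["ts"], m["client"], indicator, m["target"]))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines()):
        print(f"{h.ts} {h.client} -> {h.indicator} ({h.target})")
```

Feed it real logs with `scan(open("proxy.log").readlines())` after adapting `LOG_RE` to the local format; a client that appears first on the JAR fetch, then on the `.exe` download and then on the C&C IP has followed the whole infection chain and should be treated as compromised rather than merely exposed.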

1. ryan, May 25, 2011

    I have the same problem. PLZ IF U FIND THE WAY TO STOP IT TELL ME!!!! I'm 12 lol and if my dad finds out I'm permanently stuffed
