The following site is a convincing YouTube replica that really tricks you, as all the video links actually work properly.
But it has a dirty secret: the site pushes a malicious Java drive-by download from secretyoutube.com/YouTube.jar (VirusTotal report here: 7/42 detections).
The applet contains a single class (YouTube.class) whose intent is fairly straightforward: to download and run an executable.
The file comes from p-file.su/data2/10058-1.exe (VirusTotal report here: 3/42 detections).
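A static triage check for applets of this kind, added here as an example and not part of the original analysis: it walks the constant pool of every class in a JAR and flags the string constants a download-and-execute class cannot avoid referencing. The sample JAR and its class files are constructed inline (no real sample is used), and the indicator list is an assumption for illustration, not the strings from YouTube.class itself.

```python
import io
import struct
import zipfile

# Payload size of each constant-pool tag we skip over (JVM spec, chapter 4).
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# Heuristic indicators (assumed list): a class that fetches a URL, writes a file
# and spawns a process has the download-and-run shape described above.
SUSPICIOUS = {"java/net/URL": "network fetch", "openStream": "network fetch",
              "java/io/FileOutputStream": "drops file to disk",
              "java/lang/Runtime": "process execution", "exec": "process execution"}

def utf8_constants(class_bytes):
    """Return the CONSTANT_Utf8 entries of a .class file's constant pool."""
    f = io.BytesIO(class_bytes)
    magic, _minor, _major, count = struct.unpack(">IHHH", f.read(10))
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    out, i = [], 1
    while i < count:
        tag = f.read(1)[0]
        if tag == 1:                      # Utf8: u2 length + bytes
            (length,) = struct.unpack(">H", f.read(2))
            out.append(f.read(length).decode("utf-8", "replace"))
        else:
            f.read(_FIXED[tag])
            if tag in (5, 6):             # long/double occupy two pool slots
                i += 1
        i += 1
    return out

def triage_jar(jar_bytes):
    """Map each class name to the indicator categories found in it (triage, not a verdict)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        for name in z.namelist():
            if name.endswith(".class"):
                hits = {SUSPICIOUS[s] for s in utf8_constants(z.read(name)) if s in SUSPICIOUS}
                if hits:
                    findings[name] = sorted(hits)
    return findings

def _fake_class(strings):
    """Constructed sample: class header plus a Utf8-only constant pool, no methods."""
    cp = b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode() for s in strings)
    return struct.pack(">IHHH", 0xCAFEBABE, 0, 50, len(strings) + 1) + cp

def _fake_jar():
    """Constructed sample JAR: one dropper-shaped class and one harmless class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Dropper.class", _fake_class(["java/net/URL", "openStream",
                   "java/io/FileOutputStream", "java/lang/Runtime", "exec", "run.exe"]))
        z.writestr("Benign.class", _fake_class(["java/applet/Applet", "paint"]))
    return buf.getvalue()
```

Strings such as "exec" also occur in harmless code, so a hit is a reason to look closer at the class, not a detection on its own.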
The server’s IP for p-file.su is 220.127.116.11, Romania.
Analysis of this binary is complicated by the fact that it behaves differently when run in a VM (at least in VirtualBox). In my tests with an XP VM, the machine slows to a crawl and loses its Internet connection.
If you run it on a physical machine you will notice the creation of a service:
The service name does not appear to be random, but the service is hidden from the OS (special tools are needed to detect its presence, which indicates a typical rootkit infection).
Shortly afterwards, several remote connections are made to 18.104.22.168:
This IP is well known:
There are a couple of domains associated with it:
Registered to a certain Andrei Kudryavcev from Russia.
The hosting company is Offshore hosting LTD with the server being located somewhere in Europe.
Let’s get back to the ASN: 49806. We find a direct connection with SpyEye/Zeus:
Our friend over at Malc0de.com has several pages of SpyEye related URLs belonging to AS49806:
The Zeus tracker has also logged this ASN:
That’s it for this case so far. I will keep an eye on this very active ASN to see what’s next to come from there.
Steven Burn added a few more domains on 22.214.171.124:
In fact, there are many more bad domains within the IP range.