Franklin Veaux (tacit) wrote,
Franklin Veaux
tacit

  • Mood:

Well, THAT didn't take long...

Michael Jackson is scarcely a few days dead and the malware writers are hard at work using the news of his death to spread computer viruses.

This morning I received an email telling me (in Spanish) that there was a YouTube video of Michael's death on the Internet, and I could see it (oh boy!) by visiting

http://youtubemichaelj.com

*** WARNING *** WARNING *** WARNING ***
This site is live as of the time of this writing. DO NOT visit this site if you don't know what you're doing. This site WILL attempt to download a Windows virus onto your computer.

The Web site looks just like YouTube, and presents a phony blank movie player image with a "An error occurred, please try again later" message in it, then attempts a drive-by download from

http://youtubemichaelj.com/Codec/120.exe

The download is a bit unwieldy for malware (1.8 MB in size)--much too large to be a variant on Zlob, Asprox, or any of the other malware commonly distributed as phony movie-player CODECs. I don't believe I've seen this particular malware before.

The registration information is most likely bogus. The site was registered yesterday:

whois youtubemichaelj.com

Whois Server Version 2.0

Domain Name: YOUTUBEMICHAELJ.COM
Registrar: DOMAINPEOPLE, INC.
Whois Server: whois.domainpeople.com
Referral URL: http://www.domainpeople.com
Name Server: A.DNS.HOSTWAY.NET
Name Server: B.DNS.HOSTWAY.NET
Status: clientTransferProhibited
Updated Date: 29-jun-2009
Creation Date: 29-jun-2009
Expiration Date: 29-jun-2010

Registrant:
T---- G---- (youtubemichaelj.com)
(WHOIS information redacted)
US

Registrar: DomainPeople Inc.

Domain Name: youtubemichaelj.com
Created on .............2009-06-29-14.36.03.127000
Expires on .............2010-06-29-14.36.03.000000
Record last updated on .
Status .................ACTIVE

Administrative Contact:
T---- G----
(WHOIS information redacted)

The site's hosted on Hostway. Hostway is an unusual choice for a virus dropping site; they're fairly clean, and a bit pricey. I suspect that the site will be disabled soon.

Given the choice of hosting companies and the size of the malware download, I am wondering if the people responsible for this malware aren't fairly new to the game. More experienced malware and virus writers, like the Zlob gang, prefer to host on hacked sites, screen their hosts behind a network of redirectors, and store the actual payload itself on servers in Eastern Europe.
Tags: computer security, computer viruses
Subscribe
  • Post a new comment

    Error

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

    When you submit the form an invisible reCAPTCHA check will be performed.
    You must follow the Privacy Policy and Google Terms of use.
  • 7 comments