
Well, THAT didn't take long...

Michael Jackson is scarcely a few days dead and the malware writers are hard at work using the news of his death to spread computer viruses.

This morning I received an email telling me (in Spanish) that there was a YouTube video of Michael's death on the Internet, and I could see it (oh boy!) by visiting

http://youtubemichaelj.com

*** WARNING *** WARNING *** WARNING ***
This site is live as of the time of this writing. DO NOT visit this site if you don't know what you're doing. This site WILL attempt to download a Windows virus onto your computer.

The Web site looks just like YouTube, and presents a phony blank movie-player image with an "An error occurred, please try again later" message in it, then attempts a drive-by download from

http://youtubemichaelj.com/Codec/120.exe

The download is a bit unwieldy for malware (1.8 MB in size), much too large to be a variant of Zlob, Asprox, or any of the other malware commonly distributed as phony movie-player CODECs. I don't believe I've seen this particular malware before.

The registration information is most likely bogus. The site was registered yesterday:

whois youtubemichaelj.com

Whois Server Version 2.0

Domain Name: YOUTUBEMICHAELJ.COM
Registrar: DOMAINPEOPLE, INC.
Whois Server: whois.domainpeople.com
Referral URL: http://www.domainpeople.com
Name Server: A.DNS.HOSTWAY.NET
Name Server: B.DNS.HOSTWAY.NET
Status: clientTransferProhibited
Updated Date: 29-jun-2009
Creation Date: 29-jun-2009
Expiration Date: 29-jun-2010

Registrant:
T---- G---- (youtubemichaelj.com)
(WHOIS information redacted)
US

Registrar: DomainPeople Inc.

Domain Name: youtubemichaelj.com
Created on .............2009-06-29-14.36.03.127000
Expires on .............2010-06-29-14.36.03.000000
Record last updated on .
Status .................ACTIVE

Administrative Contact:
T---- G----
(WHOIS information redacted)

The site's hosted on Hostway. Hostway is an unusual choice for a virus dropping site; they're fairly clean, and a bit pricey. I suspect that the site will be disabled soon.

Given the choice of hosting companies and the size of the malware download, I am wondering if the people responsible for this malware aren't fairly new to the game. More experienced malware and virus writers, like the Zlob gang, prefer to host on hacked sites, screen their hosts behind a network of redirectors, and store the actual payload itself on servers in Eastern Europe.
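As an added illustration (not the post's own code), here is a small Python checker that applies the three signals the post leans on when judging a link from unsolicited mail: a domain registered only days before the message arrived (parsed from whois output in both date layouts the record above uses), a brand name sitting on a domain the brand does not own, and an .exe offered as a video "codec". The whois sample is constructed from the record quoted above; the 30-day threshold, the brand list and the last-two-labels rule for the registrable domain are assumptions.

```python
import re
from datetime import date, datetime
from urllib.parse import urlparse

# Constructed sample: the dated lines from the whois record quoted in the post,
# in both layouts it shows (registry "29-jun-2009", registrar "2009-06-29-14.36.03.127000").
SAMPLE_WHOIS = """\
Domain Name: YOUTUBEMICHAELJ.COM
Creation Date: 29-jun-2009
Expiration Date: 29-jun-2010
Created on .............2009-06-29-14.36.03.127000
Record last updated on .
"""
DATE_FORMATS = ("%d-%b-%Y", "%Y-%m-%d-%H.%M.%S.%f")
IMPERSONATED_BRANDS = ("youtube",)  # assumed list; extend for your own environment


def parse_creation_date(whois_text):
    """Return the earliest creation date in raw whois output, or None if none parses."""
    found = []
    for line in whois_text.splitlines():
        m = re.match(r"\s*(?:Creation Date|Created on)[\s.:]*(\S+)", line, re.IGNORECASE)
        if not m:
            continue
        for fmt in DATE_FORMATS:  # try each layout; skip the line if neither fits
            try:
                found.append(datetime.strptime(m.group(1), fmt).date())
                break
            except ValueError:
                continue
    return min(found) if found else None


def assess_lure(url, whois_text, seen_on, max_age_days=30):
    """List the red flags for a link seen on ISO date `seen_on` (e.g. "2009-06-30").
    An empty list means none of the three signals fired."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    flags = []
    created = parse_creation_date(whois_text)
    if created is not None:
        age = (date.fromisoformat(seen_on) - created).days
        if age <= max_age_days:
            flags.append(f"domain registered {age} day(s) before it was seen")
    registrable = ".".join(host.split(".")[-2:])  # crude: last two labels
    for brand in IMPERSONATED_BRANDS:
        if brand in host and registrable != f"{brand}.com":
            flags.append(f"hostname contains '{brand}' but is not {brand}.com")
    path = parsed.path.lower()
    if path.endswith(".exe") and "codec" in path:
        flags.append("executable offered as a video codec")
    return flags
```

Running `assess_lure("http://youtubemichaelj.com/Codec/120.exe", SAMPLE_WHOIS, "2009-06-30")` raises all three flags, which is the picture the post paints.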


Comments

( 7 comments — Leave a comment )
suzmonster
Jun. 30th, 2009 07:36 pm (UTC)
You make the best geek porn ever, you know that darlin'? You really know how to excite me! I love your posts like this. *gushes*
zastrazzi
Jun. 30th, 2009 10:25 pm (UTC)
holy mother of ... damn, site is already unresolvable. Please tell me you managed to snag a copy of that and are willing to share :)
tacit
Jun. 30th, 2009 10:30 pm (UTC)
I managed to grab a copy of the malware itself. If you want a copy for analysis, email me off LJ at tacitr (at) aol [dot] com and I'll get you a copy.
sweh
Jun. 30th, 2009 10:40 pm (UTC)
I'm sure I saw something on ElReg about MJ malware the day of...

Ah, here we go; a mere 8 hours. Links through to Websense.
aztecknight
Jul. 1st, 2009 01:06 am (UTC)
I am surprised it took this long
zotmeister
Jul. 2nd, 2009 04:05 pm (UTC)
Curious tangent: you've got me wondering what a "Billy Mays virus" would do if someone created one. I'm guessing it would lock your speaker volume all the way up and attempt to order things from TeleBrands. (No offense to the memory of the man - it's an homage, really.) - ZM
(Anonymous)
Sep. 28th, 2009 12:57 pm (UTC)
Get all of your facts
My name is Tawny Grant and I actually had my credit card # stolen and used for this horrible website. I'm not the one who registered this site. To be clear I actually contacted the web hosting site the day of the charge and requested that they close the site down and refund my money. The FBI has been investigating the matter and I'd like to note that I have been in complete cooperation with the whole investigation. I would also like to request that you remove my name and home address from your public site and possibly check your facts before publishing my name in connection to virus writers.
Thank you.
Tawny