Urausy (Fake Codec) Malvertising (or Hack?)

In April 2013, I wrote about the Urausy fake codec: http://www.malekal.com/2013/04/15/urausy-et-faux-codec-site-de-streaming-pornographiques/
These fake codecs are spread via hacked porn websites to which a redirector has been added.
The previous domains were xrstats.com and qoqoz.com.

Today it is i4xxxporn.com/counter.js (198.27.75.11, registrar MONIKER ONLINE SERVICES LLC).
Detection ratio: 1 / 39: https://www.virustotal.com/fr/url/e3338ba99697db2d7ee9a93e398262a20a61757008a34222d798bc709e662933/analysis/1378747955/

Example:

http://bingomovies.com/
http://bingomovies.com/category/192/bus/ctr/1/
http://bingomovies.com/style.css
http://i4xxxporn.com/counter.js
http://i4xxxporn.com/v/cl.php?r=1&slyun=1KaxreDWrJ6uVZundHDS1Ojm2YWt2K5kaG0iYtza4OLS0ujO2aZhlm9tlafsrZ6dlMnjoJScbl%2Fc0Juuzp2mlallbqY6N62O7ubK1dHO2FVunDoypp605p%2BUop%2BWpZiZZXLY3tjcyYWtzq5kaWgxNqin7K2cnZTI46ihp3J5lafsrZedlKvGVW6mOjGkppvlysfb19mWp6hybJWn7K2XnKyH3KenozovotWt693b4tTmoWGWb22i4qjW0ZHizeRVbqY6Oa2O6OPK0dfX6aWfVTtzrZ6qrYfL5tnkbWJiaTTr5PHj1NXgk9eioGIiO%2BamsK2H1dfL2aWYpSI75qawp5%2BF2tnoo21iLzWj0N7hk8bh0qOalJ9sZeXlqNXa1ubeoZqcpWwt2eHc3tiQ09Ohop%2BXLW3U2qjc08fX3aKbp6BsP6nkq%2BuYnKWcrWlVbn0%3D
http://e6dc1131c7.com/?id=05

=> http://malwaredb.malekal.com/index.php?hash=caefae83524631f4ce9888552c252f89


Today, I found an advertisement leading to an Urausy video.hd_57918.zip:

http://hit.trafficholder.com/cgi-bin/traffic/process.fcgi?a=marines&c=1&n=&r=
http://www.amoursale.com/ (78.140.165.164)
http://www.amoursale.com/style.css
http://www.amoursale.com/js/jquery.scripts.js
http://www.amoursale.com/scj/cgi/rot_in.php?crc=1309091548595825
http://www.amoursale.com/category/fran%C3%A7ais/?34x2x1023392
http://www.amoursale.com/category/fran%c3%a7ais/?34x2x1023392&
http://eududxee.prnolnline.biz/ptmaungg.php (193.105.134.197)
http://eududxee.prnolnline.biz/pa5f00bb0b7.php?id=aJTkWYJimuLcxUyM4VAPrePUw0sSpngJpnwbLURreGjsrIHfzVKOfwdA4qsGXu8_hp09FCyj9NhR7xP5YZ_uSscsl-TY20qU_ihS-KaJ3EsMr38XonkVMk9tcGTmr5jfyk-QbxAo_awGVPdizrc2GmDktg,,

The iframe on amoursale.com leads to eududxee.prnolnline.biz/ptmaungg.php.


video.hd_57918.zip on http://eududxee.prnolnline.biz/pa5f00bb0b7.php
=> http://malwaredb.malekal.com/index.php?hash=26cf1635b2a53378de4f7db84a7fa36e

Domain Name: PRNOLNLINE.BIZ
Domain ID: D55784357-BIZ
Sponsoring Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Sponsoring Registrar IANA ID: 303
Registrar URL (registration services): www.publicdomainregistry.com
Domain Status: clientTransferProhibited
Registrant ID: DI_12179428
Registrant Name: Olim Lindarayd
Registrant Organization: N/A
Registrant Address1: 55 Fuller terrace
Registrant City: Albany
Registrant State/Province: New York
Registrant Postal Code: 12205
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +001.518869652
Registrant Email: olimlindarayd@yahoo.com


https://www.virustotal.com/fr/url/3c49cb9719660207375972bebf4ba409579922243e42d781deee0d6df69521a1/analysis/1378747643/

Normalized URL: http://eududxee.prnolnline.biz/ptmaungg.php
Detection ratio: 2 / 39
Analysis date: 2013-09-09 17:27:23 UTC (0 minutes ago)


It’s difficult to know whether amoursale.com is owned by the bad guys or whether it was hacked.
I think amoursale.com has been around for a while.

The traffic for France is not bad 🙂


EDIT September 29

While amoursale.com is still delivering an Urausy zip, I found a malvertisement via TrafficHolder:

http://hit.trafficholder.com/cgi-bin/traffic/process.fcgi?a=marines&c=1&n=&r=
http://tubesexxx.net/tds/ (198.27.75.11) – 0 @ VT https://www.virustotal.com/fr/url/4e621a74848983335655e7e0081ea376f0db6c36fc653589aaf17dabb21105e8/analysis/1380479795/
http://hunterporntube.com/
http://i4xxxporn.com/counter.js (198.27.75.11) – 2 @ VT https://www.virustotal.com/fr/url/52dff8cc7c6dea6be40fbeb7ea77544a43d2c845c7e3e106785e4e175448e611/analysis/1380479823/
http://f5bc2e828b.com/?d=02

http://malwaredb.malekal.com/index.php?hash=73eef5529dfbcb6077e7078b649fcfc0

Domain Name: TUBESEXXX.NET
Registrar: EVOPLUS LTD
Whois Server: whois.evonames.com
Referral URL: http://www.evonames.com
Name Server: NS1.TOPDNS.ME
Name Server: NS2.TOPDNS.ME
Status: ok
Updated Date: 03-sep-2013
Creation Date: 13-feb-2013
Expiration Date: 13-feb-2014


EDIT – March 2014

Some months later, amoursale.com is still delivering malicious content.

http://amoursale.com/category/fran%c3%a7ais/?34x2x1023392&
http://puydicko.prnolnline.biz/xovhmdgf.php
http://amoursale.com/scj/cgi/rot_in.php?crc=1403022837354649
http://www.yourlustmedia.com/spots/sp/delivery/js.php?advplaces=64
http://puydicko.prnolnline.biz/pf0a0faa2e8.php?id=aJTkWYxpmuDbwkuF4VAPqePXwUoSrHwWvXsXIDY7T276qYycmVOLcR83o5ILX_wj0aBJek6t881Ag3zcIZHnX5tqhPaskBnWsUAFq_zWw0gMr29h-jtBdGZ8LTO17tDPxwrXO0p4pa0GbrY2z6M,

The amoursale Urausy affiliation is dead; the malware delivered is now a scareware: Windows Antivirus Booster.
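As an added example (not code from the original post), the structural traits the three chains above share can be turned into a small proxy-log detector; the regexes, the log line format and the sample lines are assumptions built from the URLs in this post, with the opaque id/slyun blobs replaced by a constructed filler.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Traits assumed from this post's URLs (heuristics, not a vendor signature): payload
# host = 10 hex chars + .com with a short id=/d= query (e6dc1131c7.com); landing =
# "p" + 10 hex chars + ".php" with a long opaque id= (pa5f00bb0b7.php); gate = 8-letter
# throwaway subdomain + 8-letter .php, no query (ptmaungg.php); hop = cl.php?slyun=.
HEX10_HOST = re.compile(r"^[0-9a-f]{10}\.com$")
P_HEX10_PHP = re.compile(r"^/p[0-9a-f]{10}\.php$")
RANDOM_SUB = re.compile(r"^[a-z]{8}\.[a-z0-9-]+\.(biz|com|net)$")
RANDOM_PHP = re.compile(r"^/[a-z]{8}\.php$")

def classify_url(url):
    """Return the chain traits matched by one URL (empty list if none)."""
    parts = urlsplit(url)
    host, path, qs = parts.hostname or "", parts.path, parse_qs(parts.query)
    reasons = []
    if HEX10_HOST.match(host) and ("id" in qs or "d" in qs):
        reasons.append("hex10-payload-host")
    if P_HEX10_PHP.match(path) and len(qs.get("id", [""])[0]) > 64:
        reasons.append("p-hex10-landing")
    if RANDOM_SUB.match(host) and RANDOM_PHP.match(path) and not parts.query:
        reasons.append("random-subdomain-gate")
    if path.endswith("/cl.php") and "slyun" in qs:
        reasons.append("counter-js-redirector")
    return reasons

def find_fakecodec_hits(log_lines):
    """Scan 'timestamp client url' proxy lines; return (client, url, reasons) per hit."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:  # skip malformed lines
            continue
        reasons = classify_url(fields[2])
        if reasons:
            hits.append((fields[1], fields[2], reasons))
    return hits

# Constructed proxy lines replaying the chains above; the opaque id/slyun blobs
# are replaced by a constructed filler of similar length.
BLOB = "x" * 96
SAMPLE_LOG = [
    "2013-09-09T17:20:02Z 10.0.0.5 http://eududxee.prnolnline.biz/ptmaungg.php",
    "2013-09-09T17:20:03Z 10.0.0.5 http://eududxee.prnolnline.biz/pa5f00bb0b7.php?id=" + BLOB,
    "2013-09-09T17:25:10Z 10.0.0.7 http://hunterporntube.com/",
    "2013-09-09T17:25:12Z 10.0.0.7 http://i4xxxporn.com/v/cl.php?r=1&slyun=" + BLOB,
    "2013-09-09T17:25:13Z 10.0.0.7 http://e6dc1131c7.com/?id=05",
    "2014-03-01T09:00:01Z 10.0.0.9 http://puydicko.prnolnline.biz/pf0a0faa2e8.php?id=" + BLOB,
]
```

Running `find_fakecodec_hits(SAMPLE_LOG)` flags every line except the hunterporntube.com one, each with the trait that matched.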

EDIT – April 10

Fun: the fake codec is also redirecting to Browlock ransomware.
