Sunbeltblog comments

Gravatar Here's one more I haven't seen mentioned yet:

hXXp://clusif.free(dot)fr


Gravatar Yeah, actually I mentioned clusif before...


Gravatar I sent McAfee a hassling email that, ironically, their antivirus software doesn't detect most of these Trojans DESPITE the fact that the McAfee SiteAdvisor *users* are flagging the sites as malicious, and the downloads as malware (and many of the SiteAdvisor feedbacks point to Sunbelt's blog here as evidence). I think McAfee is working on a heuristic detection, though.

Since McAfee antivirus is bundled on some new PCs and is provided free to users of some ISPs (like Comcast in my area), as well as many corporate customers and paying aftermarket customers, it would be nice to see them get with the program here.

I'm using Kaspersky antivirus software myself, and they are amazingly quick to get virus signatures for new Zlobs, but even they have missed some initially. I don't normally go to "that kind of website" in the first place, but it's interesting to observe the game of cat-&-mouse going on here.


Gravatar A quick question.

I tried downloading and installing these on a VM. I was curious to see what kind of damage they did. However, they don't seem to do anything bad. Using Autoruns from Sysinternals, I didn't see any autostart entries added for these bad programs.

So, do these bad codecs include some kind of rootkit technology or do they just avoid doing anything bad in a VM?


Gravatar SANS has a brief writeup stating that these Trojans can be polymorphic, too. http://isc.sans.org/diary.php?st...hp? storyid=1872


Gravatar Surprisingly, Intercage does have some legitimate customers. But frankly for most admins blocking 69.50.160.0 - 69.50.191.255 is a sensible choice as most of it's a sewer.


Gravatar Rootkit technology is used for the dvdacess.net and tvcodec.com fake codecs, which are not the same as the other codec scams, as these change your DNS entries.


Gravatar The fake codecs generally won't run in a virtual environment.


Gravatar 2authors. Thanks for info, guys, but where are you finding all these fake-codec sites?


Gravatar All of these codecs have Virtual Machine detection. They will not do anything on a VM other than add uninstall entries, and if it's a DNS changer, it changes the DNS.
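Two practical checks come out of the thread: blocking the 69.50.160.0 - 69.50.191.255 hosting range mentioned earlier, and noticing when a DNS-changer has swapped a host's resolvers. The script below is an added example, not code from Sunbelt or any of the commenters. It converts the quoted range into its CIDR form, parses the "DNS Servers" lines out of (constructed, en-US format) `ipconfig /all` output, and reports any resolver that is inside the blocked range or missing from an assumed baseline; the baseline addresses (192.0.2.x) are placeholders, not real resolvers.

```python
import ipaddress

# Range quoted in the thread; summarize_address_range collapses it to CIDR form.
BLOCKED_RANGE_START = "69.50.160.0"
BLOCKED_RANGE_END = "69.50.191.255"

# Assumed baseline resolvers for the host being audited (placeholder addresses).
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed sample of `ipconfig /all` output with one resolver swapped
# into the blocked range, as a DNS-changer would do.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.0.2.10
   DNS Servers . . . . . . . . . . . : 69.50.170.5
                                       192.0.2.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def range_to_networks(start, end):
    """Return the minimal list of CIDR networks covering start..end inclusive."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))


BLOCKED_NETWORKS = range_to_networks(BLOCKED_RANGE_START, BLOCKED_RANGE_END)


def in_blocked_range(ip):
    """True if ip falls inside any of the blocked CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETWORKS)


def parse_dns_servers(ipconfig_text):
    """Extract resolver addresses from ipconfig /all output.

    The first resolver sits on the 'DNS Servers' line after ' : '; further
    resolvers appear on continuation lines holding only an address.
    """
    servers = []
    collecting = False
    for line in ipconfig_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("DNS Servers"):
            collecting = True
            _, _, value = stripped.partition(" : ")
            if value:
                servers.append(value.strip())
            continue
        if collecting:
            try:
                ipaddress.ip_address(stripped)
                servers.append(stripped)
            except ValueError:
                # Any line that is not a bare address ends the resolver list.
                collecting = False
    return servers


def audit_resolvers(configured, expected=EXPECTED_RESOLVERS):
    """Return (ip, reason) findings for resolvers that deviate from baseline."""
    findings = []
    for ip in configured:
        if in_blocked_range(ip):
            findings.append((ip, "resolver inside blocked hosting range"))
        elif ip not in expected:
            findings.append((ip, "resolver not in expected baseline"))
    return findings


if __name__ == "__main__":
    print("blocked networks:", [str(n) for n in BLOCKED_NETWORKS])
    resolvers = parse_dns_servers(SAMPLE_IPCONFIG)
    print("configured resolvers:", resolvers)
    for ip, reason in audit_resolvers(resolvers):
        print(f"ALERT {ip}: {reason}")
```

On a real host you would feed the actual `ipconfig /all` output into `parse_dns_servers` and set `EXPECTED_RESOLVERS` to the resolvers your ISP or domain hands out; the CIDR list is what you would push to a firewall rather than the raw range.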


Gravatar glunik -- it's our job


Gravatar Thanks for the info. I figured it was VM detection. Anyways, I'm not curious to run these on a real machine to "see what happens" when you run these. :D So anyways, I'll let the pros play with it.


Gravatar Is there a blacklist service for hosting companies of this nature?

Because there ought to be.


Gravatar Please someone close these sites with virus/trojan/browser exploits:
1) aiutamidalei.com (http://13.aiutamidalei.com /manuali-motherboard/)
2) suacorte.com (http://15.suacorte.com/ overclockprocessori/)
3) quellamaniera.com (http://15.quellamaniera.com/ venditacpuamdathlonxponline/)
4) nelmortalcorpo.com (http://1. nelmortalcorpo.com/manualiplc/)
5) colpidiventura.com (http://18. colpidiventura.com/manualidaewoo/)
6) sifuassolto.com (http://2. sifuassolto.com/manuali-rete/)
7) vidicostui.com (http://20. vidicostui.com/manuali-istruzioni/)
8) nuovotitolato.org (http://13. nuovotitolato.org/tavolaperiodicacompleta/)
9) posseduto.com (http://1. posseduto.com/tavolaperiodica/)
10) unaimmagine.com (http://13. unaimmagine.com/cambiasfondo/)
11) chesospettava.com (http://18. chesospettava.com/ gamberonialsale/)
12) irradiazione.com (http://15. irradiazione.com/ definizione-vettore/)


Gravatar Just post these to Castlecops -- www.castlecops.com/pirt. These get taken down just like phishing sites.


Commenting by HaloScan