The demise of index1.php PornTube Video Malware

When a criminal finds a good thing, he stays with it. One criminal has been doing exactly that since May 17th. Every day since May 17th, the UAB Spam Data Mine has received spam messages with shocking, offensive titles promising to have videos of offensively described sex acts, which pointed to webpages ending in "index1.php". I started to write today's article saying that it had finally stopped, but unfortunately, a small batch trickled in just before I sat down to write. (Two domains were in that batch - estofadosgrando.com.br, which has already been fixed so that it is not able to deliver the malware - and rasini.it, which is still hosting a fake YouTube page showing a sexual act and attempting to infect visitors with their malware.)

What I can say is that something has happened this week to dramatically impact the volume of this malware-advertising spam. While there are times when the volume was more than 10% of all spam, for the month of October, this campaign averaged about 2% of the total spam volume per day. In May it was only a fraction of 1%, although present each day, in June it crossed 1%, peaking in mid-August where it was 3% of all spam we received.

During the course of this spam campaign, we received spam from more than 30,000 infected computers, which advertised malicious websites on more than 2,260 domains.

Each of those websites was an existing legitimate website, which was taken over by the criminals to allow them to post their malicious software on the site. Once their malware was in place, visitors would be invited to load software to view the movie (viewers with older browsers were infected even if they didn't ask to load the software). That malware in turn launched the installer for the then current fake Anti-Virus 2008 (currently calling itself AntiSpyware 2009).

A quick check of the 2,269 previously used domains shows that 166 of them are still hosting the malware.

Here are the links to the malware, in case someone would like to contact these webmasters and help them get this stuff removed.

We believe that the webmaster's own computer may be compromised. It appears that the criminal logs in to the websites using the administrator's userid and password, creates the directory where he is going to place his virus, and then uploads his files to it.

If you are a webmaster of one of these domains, we would very much like to see your server logs. Please email if you would be willing to share: gar@cis.uab.edu


!!DANGER!! IF YOU ARE NOT A PROFESSIONAL ANTIVIRUS RESEARCHER, THESE LINKS ARE NOT FOR YOU!!!!

193.238.209.17\hot_video.exe
195.145.241.232\pornvideo815uw.exe
198.66.130.103\videopornu376x.exe
1pajda1.borec.cz\video435_porn.exe
66.36.231.223\videporn920ma.exe
69.73.158.27\news_usama_video.exe
74.50.89.140\usama_video.exe
999.gen.tr\pornotube\video1439654.exe
999.gen.tr\pornotube\video54582.exe
999.gen.tr\pornotube\video76566.exe
999.gen.tr\pornotube\video8657786.exe
aberturaslif.com.ar\pornotube\video1439654.exe
aberturaslif.com.ar\pornotube\video54582.exe
aberturaslif.com.ar\pornotube\video76566.exe
aberturaslif.com.ar\pornotube\video8657786.exe
acalon.es\news\video463847.exe
acalon.es\news\video6432434.exe
acalon.es\news\video7656532.exe
acalon.es\news\video9865565.exe
achdepannexpress.com\news_usama_video.exe
addressprint.ru\news_usama_video.exe
agriturismovillavittoria.it\pornivideo03y45i.exe
agroredenoticias.com.br\pornotube\video1439654.exe
agroredenoticias.com.br\pornotube\video54582.exe
agroredenoticias.com.br\pornotube\video76566.exe
agroredenoticias.com.br\pornotube\video8657786.exe
aisal.ru\videoPorn218hdy.exe
aisoftware.ro\tvideo_my_hot.exe
alcaphone.com.br\hot_video.exe
aloidiasimoveis.com.br\pornvideo815uw.exe
alrafah.net\pornotube\video1439654.exe
alrafah.net\pornotube\video54582.exe
alrafah.net\pornotube\video76566.exe
alrafah.net\pornotube\video8657786.exe
amadicarpets.com\news_usama_video.exe
amiram.org.il\shoking_video_news.exe
amphonesinh.info\videporn920ma.exe
andreadelvalle.com\pornvideo815uw.exe
antonianki.ofm.pl\pornotube\video1439654.exe
antonianki.ofm.pl\pornotube\video54582.exe
antonianki.ofm.pl\pornotube\video76566.exe
antonianki.ofm.pl\pornotube\video8657786.exe
antytusk.pl\tvideo_my_hot.exe
asaib.info\video79885.exe
asociace.euweb.cz\news\video463847.exe
asociace.euweb.cz\news\video6432434.exe
asociace.euweb.cz\news\video7656532.exe
asociace.euweb.cz\news\video9865565.exe
atatac.com\hot_video.exe
autocalunnictvojv.sk\pornotube\video1439654.exe
autocalunnictvojv.sk\pornotube\video54582.exe
autocalunnictvojv.sk\pornotube\video76566.exe
autocalunnictvojv.sk\pornotube\video8657786.exe
axonsrl.com\videporn920ma.exe
aziendaruggeri.it\pornwvideo3u96.exe
azoreil-yar.ru\pornnvideo238vf.exe
bakir.bel.tr\video4326xx.exe
bali-hotels-budget.com\my_video_hot.exe
baselangues.emme.fr\video432654xd.exe
bba.kbu.ac.th\pornwvideo3u96.exe
beatnikteacher.com\pornivideo396.exe
benhurantiguidades.com.br\videopornu376x.exe
betosom.com.br\pornnvideo238vf.exe
billoepallina.it\news\video463847.exe
billoepallina.it\news\video6432434.exe
billoepallina.it\news\video7656532.exe
billoepallina.it\news\video9865565.exe
bolats.com\videoPorn218hdy.exe
bubugrupo.com\tvideo_my_hot.exe
buenosairesltd.com\tvideo_my_hot.exe
bux666.com\pornivideo396.exe
cadorgames.xf.cz\news\video463847.exe
cadorgames.xf.cz\news\video6432434.exe
cadorgames.xf.cz\news\video7656532.exe
cadorgames.xf.cz\news\video9865565.exe
calimh.com\news\video463847.exe
calimh.com\news\video6432434.exe
calimh.com\news\video7656532.exe
calimh.com\news\video9865565.exe
castropaes.com.br\pornvideo815uw.exe
cdlourdes.com\news_usama_video.exe
cedacbrasil.com.br\videporn920ma.exe
celinakochen.com.br\videokl_ds4.exe
center-eno.com\vide839pornn.exe
charley.wz.cz\news_usama_video.exe
chennai.needindya.com\pornotube\video1439654.exe
chennai.needindya.com\pornotube\video54582.exe
chennai.needindya.com\pornotube\video76566.exe
chennai.needindya.com\pornotube\video8657786.exe
click-cargo.com\shokinng_video.exe
cobrahk.wz.cz\video25653.exe
collectedthoughts.co.uk\news_usama_video.exe
coralis.ro\video.exe
crazynails.pro24.pl\videoXXX76s3545.exe
crisracebook.com\videoxxx834j.exe
derggi.com\my_video_hot.exe
dipucu.com\pornmvideo6d19.exe
dominuscobrancas.com.br\video_usama.exe
dsl-uebersicht.de\video.exe
dyc-1.celingest.es\new_usama_video.exe
eltubio.com.ar\tvideo_my_hot.exe
emporio-uk.it\my_hot_video.exe
erolantik.com\pornyvideo194vf.exe
escola-allegro.com\videporn920ma.exe
eskapada.info\video.exe
estudiscunit.com\videoQe32.exe
evagino.net\pornivideo03y45i.exe
eyecatchinggear.com\videoPorn218hdy.exe
farfalle.es\news_usama_video.exe
ferrucasdeltrenrojo.com.ar\tvideo_my_hot.exe
fitonit.cl\pornotube\video1439654.exe
fitonit.cl\pornotube\video54582.exe
fitonit.cl\pornotube\video76566.exe
fitonit.cl\pornotube\video8657786.exe
freddyrock.com.ar\videopornu376x.exe
gargamel.com.tr\my_video_hot.exe
geoteam.sk\pornivideo03y45i.exe
giovani.donorione.it\secret_archive.exe
gorodok-band.de\pornotube\video1439654.exe
gorodok-band.de\pornotube\video54582.exe
gorodok-band.de\pornotube\video76566.exe
gorodok-band.de\pornotube\video8657786.exe
grafo.com.tr\video.exe
grupamc.com\vide839pornn.exe
guillaumenery.fr\news_usama_video.exe
hardcore-united.com\pornmvideo6d19.exe
hiperlab.com.br\pornotube\video1439654.exe
hiperlab.com.br\pornotube\video54582.exe
hiperlab.com.br\pornotube\video76566.exe
hiperlab.com.br\pornotube\video8657786.exe
hisaryapi.com.tr\pornovideo729lo.exe
holdispharma.com\videopornu376x.exe
holytrinity.com.ua\videporn920ma.exe
horsetrainingsuperstars.com\news_usama_video.exe
hotel-lebellevue.fr\my_hot_video.exe
hotelxibalba.com\news_usama_video.exe
hsmicro.co.kr\pornotube\video1439654.exe
hsmicro.co.kr\pornotube\video54582.exe
hsmicro.co.kr\pornotube\video76566.exe
hsmicro.co.kr\pornotube\video8657786.exe
i-bournemouth.com\pornotube\video1439654.exe
i-bournemouth.com\pornotube\video54582.exe
i-bournemouth.com\pornotube\video76566.exe
i-bournemouth.com\pornotube\video8657786.exe
imparbrasil.com.br\hot_video.exe
inspirace.ic.cz\video4335gfd3.exe
integratedlabelsoutlet.com\pornnvideo238vf.exe
integratedlabelsusa.com\videoPorn218hdy.exe
ipago.info\my_hotvideo.exe
irisotel.com\my_video_hot.exe
isvo.nl\videopornu376x.exe
ivoireweb.biz\pornwvideo3u96.exe
iyc.org.tr\pornotube\video1439654.exe
iyc.org.tr\pornotube\video54582.exe
iyc.org.tr\pornotube\video76566.exe
iyc.org.tr\pornotube\video8657786.exe
jegupi.com\antivir\AntivirusXP2008Installer.exe
jesusnolar.org.br\pornvideo815uw.exe
jorgelopezdj.com\pornivideo03y45i.exe
josiasgranito.com\install_antivirus.exe
kamenipitarimilas.hr\videopornu376x.exe
korviet.net\pornivideo396.exe
koshkindom.vio.ru\video245fgw22.exe
label-sheets.com\my_hots_video.exe
laccsa.com\pornvideo815uw.exe
ladrigan.com\antivir\AntivirusXP2008Installer.exe
lafabak.com\pornotube\video1439654.exe
lafabak.com\pornotube\video54582.exe
lafabak.com\pornotube\video76566.exe
lafabak.com\pornotube\video8657786.exe
lichter-loh.com\pornnvideo238vf.exe
litecrete.com\my_hots_video.exe
lolo16.com\my_video_hot.exe
loritritel.com\pornotube\video1439654.exe
loritritel.com\pornotube\video54582.exe
loritritel.com\pornotube\video76566.exe
loritritel.com\pornotube\video8657786.exe
magdatur.com.br\video83porn.exe
marklenders.com\pornyvideo194vf.exe
marwad.com\my_hotvideo.exe
maximelaplante.com\video23574fr41.exe
maximumassetshield.com\videoXXX76s3545.exe
mediamatika.wu.cz\pornmvideo6d19.exe
membersvcs.com\antivir\AntivirusXP2008Installer.exe
merchant.directaccess.ro\videosecrt927.exe
miavai.com\my_hots_video.exe
michcom.cl\my_hots_video.exe
millenniummobilya.com\video857porn.exe
mkz.unas.cz\pornotube\video1439654.exe
mkz.unas.cz\pornotube\video54582.exe
mkz.unas.cz\pornotube\video76566.exe
mkz.unas.cz\pornotube\video8657786.exe
mobila.yard.ru\video7346.exe
momoelectronic.com\pornivideo03y45i.exe
motorpost.com\pornivideo03y45i.exe
muranga.es\pornotube\video1439654.exe
muranga.es\pornotube\video54582.exe
muranga.es\pornotube\video76566.exe
muranga.es\pornotube\video8657786.exe
music2000.eu\videosecrt927.exe
musiquote.it\tvideo_my_hot.exe
neocodec.com\free_vid.exe
netmalakay.com\videonjk568.exe
nrss.com.br\video623porn.exe
oarsoaldea.net\tvideo_my_hot.exe
oempricing.com\videoPorn218hdy.exe
omalissi.com.ar\pornivideo03y45i.exe
opcionsp.com\videosecrt927.exe
orf.ru\pornotube\video1439654.exe
orf.ru\pornotube\video54582.exe
orf.ru\pornotube\video76566.exe
orf.ru\pornotube\video8657786.exe
orsoft.es\video23678fe3.exe
otromadrid.dmkhost.net\pornotube\video1439654.exe
otromadrid.dmkhost.net\pornotube\video54582.exe
otromadrid.dmkhost.net\pornotube\video76566.exe
otromadrid.dmkhost.net\pornotube\video8657786.exe
paoloterni.com\videopornu376x.exe
payalweb.cusiteonline.com\videoPorn218hdy.exe
pegasolar.com\videoPorn218hdy.exe
penzion-hradsky.cz\video354rporn.exe
perezmu.com\news_usama_video.exe
pfmsindia.biz\hot_video.exe
pichelariadias.com\my_hot_video.exe
polatenerji.com\my_video_hot.exe
portaledonna.org\news_usama_video.exe
ppctotal.com\my_hotvideo.exe
precision.needindya.com\pornovideo729lo.exe
previarch.com\pornotube\video1439654.exe
previarch.com\pornotube\video54582.exe
previarch.com\pornotube\video76566.exe
previarch.com\pornotube\video8657786.exe
pro-heni.hr\pornotube\video1439654.exe
pro-heni.hr\pornotube\video54582.exe
pro-heni.hr\pornotube\video76566.exe
pro-heni.hr\pornotube\video8657786.exe
quintametalica.com\my_hots_video.exe
regv.net\videosecrt927.exe
remcovandermeide.nl\pornovideo729lo.exe
ringrajeradio.com.ar\video3468ht34.exe
rollarampiberica.com\my_hots_video.exe
rovinj.ch\videopornu376x.exe
rubblemaster.pl\pornnvideo238vf.exe