“Middleman” rogue distributor switched to a file infector
Ok, if your browser sometimes strays into the corner of the World Wide Web where there are lots of pictures and videos of naked ladies, this is for you.
Antex Vlad goes back to 2004 when he was an affiliate of Coolwebsearch.com and involved with CoolWebSearch home page hijackings.
In 2009, he began re-directing to the SecurityTool rogue and, as of Monday, is now distributing the Bamital file infecting Trojans. Bamital will take over your browser and redirect search results.
The URL porno-video-hunt (dot) co (dot) cc/movies/get (dot) php?name=Skvirting_Movie_36 (dot) mpeg re-directs to his new fake-codec scam on porntubehunt (dot) com/w/video/
It is from here you can get hit, not with a rogue but with the Bamital file-infecting virus. porntubehunt (dot) com/w/video/player_update (dot) exe
Once your machine is infected, clicking on the images re-directs to the legitimate Pornhub.com
You first get to a page to click for free cracks
(Click graphic to enlarge)
You then get a page that mimics pornhub (dot) com and clicking on an image generates the Fake Play button
(Click graphic to enlarge)
Next you get what would appear to be a movie to download and run, however, this one infects the Explorer.exe and Winlogon.exe.
(Click graphic to enlarge)
Our new VIPRE detection Trojan.Win32.Bamital.i (v) detects the downloader so VIPRE will block the Trojan. VIPRE has blocked Antex Vlads sites for a long time now. We have detected the downloader.
(Click graphic to enlarge)
BEST OF ALL! Those who use VIPRE Web Filtering or Clear Cloud, will never come close to becoming infected!
Thanks to Patrick Jordan for the great analysis.
Tom Kelchner