Fake Celebrity Video Sites Serving Malware
June 20, 2008 14:58



With blackhat search engine optimization tactics clearly converging with social engineering, the result of which is the increasing supply of Zlob malware variants served as fake codecs, it's about time we spill some coffee on several campaigns in order to get a better understanding of the way the campaigns function.

These campaigns are also starting to get so sophisticated that analyzing a single one will expose another massive SQL injection, reveal several blackhat SEO domain farms, let you obtain fresh Zlob malware variants, and point you to the very latest and undetected rogue software, if you manage to expose the entire scammy ecosystem through all the redirections put in place to make it harder to get to the bottom of it.

What's important to keep in mind when assessing and shutting down such comprehensive campaigns is that on the majority of occasions the front end domains as well as the secondary ones are all attempting to download the codecs from hardcoded locations. Consequently, you have 50 front end domains and another 50 as secondary redirection points all attempting to download the codecs from 3 download locations. Once again, the malware authors' efficiency-centered mentality, with its emphasis on ease of management for the campaign, is making it possible to.

Here are some currently active fake celebrity video sites serving malware, including the codec redirectors:


As well as some sample subdomains for traffic acquisition purposes, since all of these have already been crawled by search engines:


We also have embedded IFRAMEs, as well as ones injected into vulnerable sites, acting as redirectors to some of these fake video sites. For instance, at pedophilesexstories.blog.com we have an injected redirector - js0.info/?s=16&k=pedophile+sex+stories&c=5 - and js0.info itself is a blackhat SEO operation that's aggregating generic search traffic like this:

js0.info/16/5/ragnarok+hentai
js0.info/15/4/antivirus+characteristic
js0.info/16/5/msn+monkey
js0.info/15/4/airplus+internet+security

Once accessed, you get redirected through two separate redirection campaigns at searchaw.info/sa/in.cgi?16; and hmel.info/stds13/go.php, until you finally get to the codecs.

With blackhat SEO-ers' already well-developed inventory of topical junk content, and experience in what's popular content and what's not, the entry barriers for malware authors into the traffic acquisition joys of blackhat SEO have never been lower.
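
The point made earlier, that dozens of front end and secondary domains all fetch the codecs from a few hardcoded locations, can be turned into a blocking priority list by counting how many distinct entry sites converge on each downstream host. This is an added example, not part of the original post: the redirect chains are constructed, every host is a `.example` placeholder, and the function names are hypothetical.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed redirect chains (entry URL first, final download URL last), in the
# shape a proxy log or sandbox crawl would give. Every host is a placeholder.
CHAINS = [
    ["http://paris.front-a.example/", "http://redir-1.example/in.cgi?16",
     "http://redir-2.example/go.php", "http://dl-1.example/codec.exe"],
    ["http://britney.front-a.example/", "http://redir-1.example/in.cgi?16",
     "http://dl-1.example/codec.exe"],
    ["http://front-b.example/video", "http://redir-2.example/go.php",
     "http://dl-1.example/codec.exe"],
    ["http://front-c.example/", "http://redir-3.example/go.php",
     "http://dl-1.example/codec.exe"],
    ["http://front-d.example/"],  # crawl stopped at the entry page: no chain
]

def site(url):
    """Host reduced to its last two labels, so keyword subdomains collapse
    into one front end. Simplification: wrong for suffixes such as co.uk."""
    labels = (urlsplit(url).hostname or "").lower().split(".")
    return ".".join(labels[-2:])

def convergence(chains):
    """For every non-entry site, the set of entry sites that lead to it,
    plus the set of sites seen as the final (download) hop."""
    feeders, finals = defaultdict(set), set()
    for chain in chains:
        sites = [site(u) for u in chain]
        if len(sites) < 2:
            continue  # nothing downstream was observed
        finals.add(sites[-1])
        for s in set(sites[1:]) - {sites[0]}:
            feeders[s].add(sites[0])
    return feeders, finals

def block_priority(chains):
    """(site, distinct entry sites, is_download_host), widest reach first."""
    feeders, finals = convergence(chains)
    rows = [(s, len(e), s in finals) for s, e in feeders.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for name, reach, final in block_priority(CHAINS):
        print(f"{name:20} entry_sites={reach} download_host={final}")
```

In the constructed data the single download host is reached from every front end, so it ranks above any individual redirector even though the two keyword subdomains count as one entry site.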
