SANS ISC: Malware Megabucks International - SANS Internet Storm Center
Malware Megabucks International

A reader alerted us to a bunch of malware that he had found after starting to unravel a pile of interlinked exploit pages. The exploit pages are spammed into search engines and the like with "adult movie" themes, and thus most likely find enough "volunteers" who click on the links.

Domains involved are clipsforadults-dot-com and several of 9u???-free-movies-dot-cn, with the ??? standing for several letter combinations like eyd,gfo,fdo, etc. Someone's been busy registering throw-away domains.

The one bit that was of interest to us is that, at the very end of this pile, the links try to download a "codec" off the site installobject-dot-com. The link used contains a 4-digit number, and each number, over a wide range, seems to return a slightly different binary. Installobject-dot-com resolves to, a known bad address range for years - see

AV detection is still thin; we are trying to help it along some. The files are of the W32/Zlob family: Kaspersky calls it Trojan-Downloader.Win32.Zlob.bxt, and Trend Micro has it as TROJ_ZLOB.DND.
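Because every 4-digit number hands out a slightly different binary, blocking by file hash is a losing game; the stable part of this chain is the domains. The script below is an added example (not from the diary or the reader) that walks a proxy log and flags clients that went from one of the lure domains to the fake-codec download. The log format, the URL layout on installobject-dot-com, and all log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Domains named in the diary (dots restored). The 9u???-free-movies-dot-cn
# family is matched as a pattern, since the ??? letters vary per domain.
LURE_DOMAIN_RE = re.compile(r"^(?:9u[a-z]{3}-free-movies\.cn|(?:www\.)?clipsforadults\.com)$")
CODEC_HOST = "installobject.com"
# Assumption: the fake-codec link carries a lone 4-digit number somewhere in its path.
CODEC_NUM_RE = re.compile(r"(?<!\d)(\d{4})(?!\d)")
URL_RE = re.compile(r"^\w+://([^/:]+)(?::\d+)?(/.*)?$")

# Constructed sample proxy log lines: "<epoch> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
1185800001 10.0.0.5 GET http://9ueyd-free-movies.cn/index.php 200
1185800002 10.0.0.5 GET http://clipsforadults.com/free.html 200
1185800003 10.0.0.5 GET http://installobject.com/codec.php?id=1234 200
1185800010 10.0.0.7 GET http://9ugfo-free-movies.cn/show.php 200
1185800011 10.0.0.7 GET http://installobject.com/codec.php?id=1235 200
1185800020 10.0.0.9 GET http://www.example.org/news 200
1185800021 10.0.0.9 GET http://installobject.com/codec.php?id=1236 200
"""

def scan_proxy_log(log_text):
    """Return {client_ip: {"lure": bool, "codec_ids": set}} for clients that
    touched any of the diary's domains. The codec download alone is worth an
    alert; a lure hit plus a download means the client walked the whole chain."""
    seen = defaultdict(lambda: {"lure": False, "codec_ids": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines rather than crash on them
        client, url = parts[1], parts[3]
        m = URL_RE.match(url)
        if not m:
            continue
        host, path = m.group(1).lower(), m.group(2) or "/"
        if LURE_DOMAIN_RE.match(host):
            seen[client]["lure"] = True
        elif host == CODEC_HOST or host.endswith("." + CODEC_HOST):
            num = CODEC_NUM_RE.search(path)
            seen[client]["codec_ids"].add(num.group(1) if num else "?")
    return dict(seen)

def full_chain_victims(log_text):
    """Clients that followed lure -> codec download, sorted for stable output."""
    return sorted(ip for ip, rec in scan_proxy_log(log_text).items()
                  if rec["lure"] and rec["codec_ids"])

if __name__ == "__main__":
    for ip, rec in scan_proxy_log(SAMPLE_LOG).items():
        print(ip, rec)
    print("full chain:", full_chain_victims(SAMPLE_LOG))
```

The collected codec_ids per client tell you how many distinct variants your network pulled down, which is what to hand to the AV vendors rather than a single sample.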

Adult sites from China, nasty trojans from Ukraine - the Malware Megabucks International, Inc, at its best.


ISC Handler
Jul 30th 2007
