TOKYO (MacHouse) – Several hours ago, a cyber spam terrorist circulated a short spam comment involving five vBulletin websites. (See Screenshot 01.) The following is a list of the domains where forums contain at least one spam profile.
 Screenshot 01 – Source: MacHouse |
 Screenshot 02 – Source: attc.edu.au |
 Screenshot 03 – Source: attc.edu.au |
Visiting the website at attc.edu.au, it looks like an education-related website for non-native-English speakers. (See Screenshot 02.) Visiting the spam profile found at http://www.attc.edu.au/forum2/member.php?u=1597, you will find a hyperlink under a sexually-explicit phrase starting with the word ‘mature.’ (See Screenshot 03.) The underlying link is http://vbestserv.org/ds/go.php?sid=1. This spam website is believed to determine your next destination, depending your geographic location, referer and other aspects. One destination is the website at videopreviewshow.com, where you will be forced to download a file titled c-setup.exe, which is delivered from http://216.240.151.112. (See Screenshot 04.)
 Screenshot 04 – Source: videopreviewshow.com |
 Screenshot 05 – Source: kukuzhmuku.com |
 Screenshot 06 – Source: kukuzhmuku.com |
Another destination is a fake PornTube website at kukuzhmuku.com. (See Screenshot 05.) The story is the same as other fake PornTube websites. Clicking on one of the sexually-explicit images, you will be forced to download a suspicious file, which is delivered from http://download-top-software.net. (See Screenshot 06.)
Our preliminary analysis shows that the Watch Free Movie website found at the domain of videopreviewshow.com seems to be hosted in Ukraine. As for the fake PornTube website, it appears to be hosted in Los Angels, California, USA. We will have a more detailed report in several hours.
