
TOKYO (MacHouse) – Yesterday, we reported the existence of a computer-virus-distributing website. The domain is turbo-codec.com. It was still active right before we published this article. We noted that the website at turbo-codec.com is hosted by a California-based web hosting company called cernel.net. This time, we have devoted some time to investigating this web host.
5 months ago, we found out that cernel.net hosted another virus-distributing website. That website is gone, but the website at turbo-codec.com is still running. In fact, there is more than one virus-distributing website under this host at present.
Screenshot 01 – Source: cernel.net
Screenshot 02 – Source: Domain Tools
Screenshot 03 – Source: Yahoo! Maps
According to cernel.net’s website, its office location is 23404 W. Lyons Ave #223, Santa Clarita, CA 91321, USA. (See Screenshot 01.) The same address is provided for its domain registration. (See Screenshot 02.) The phone number found in the domain registration also appears on cernel.net’s website. It’s 6613470577. According to Yahoo! Maps, the given address doesn’t exist. (See Screenshot 03.) WhitePages.com also says there are no records for the given address or phone number. (See Screenshot 04-5.) However, we don’t necessarily mean that cernel.net’s office doesn’t exist at the given address. It’s possible that Yahoo! Maps’ and WhitePages.com’s data are wrong.
Screenshot 04 – Source: WhitePages.com
Screenshot 05 – Source: WhitePages.com
Screenshot 06 – Source: demoticket.net
Screenshot 07 – Source: endticket.com
Screenshot 08 – Source: hqticket.net
Screenshot 09 – Source: niceticket.net
Screenshot 10 – Source: nitro-codec.com
Screenshot 11 – Source: the-ticket.net
About 10 hours ago, we found 6 more websites distributing files containing computer viruses. (See Screenshot 06-11.) We found them with the help of www.pcthreats.com and www.malwaredomainlist.com. These virus-distributing websites share at least 2 characteristics. No. 1, each domain is registered through ESTDOMAINS, which is supported by many cyber criminal organizations. (See Screenshot 12-7.) No. 2, they are all hosted by cernel.net.
Screenshot 12 – Source: Domain Tools
Screenshot 13 – Source: Domain Tools
Screenshot 14 – Source: Domain Tools
Screenshot 15 – Source: Domain Tools
Screenshot 16 – Source: Domain Tools
Screenshot 17 – Source: Domain Tools
If you trace any of the nameservers designated by the domains shown above, your destination will be… cernel.net… All these virus-distributing websites are hosted by cernel.net. By the way, even the domain of cernel.net is registered through ESTDOMAINS. What a coincidence, huh!?
What are the chances that cernel.net is hosting these virus-distributing websites without their knowledge? Unless their employees are all blind, that probability is zero.
References:
www.pcthreat.com: Remove Video ActiveX Codec
malwaredomainlist.com: Malware Domain List
Warning: 10 Websites with Chinese Country Domains Distributing Mac-Targeting Computer Virus (2)
Warning: 10 Websites with Chinese Country Domains Distributing Mac-Targeting Computer Virus (1)
What happened to HQCODECVIP.COM?
Multiple Hacked Websites and Possible Trojan Attack Targeting Mac Users
















