
March 6, 2009

Security Alert: Beware of YuoTube Secret Video - Part 2

Filed under: Internet security — Administrator @ 3:48 am






TOKYO (MacHouse) - As we reported earlier, an organized cybercriminal group is currently running a dangerous campaign that may infect Internet users with computer viruses. Social networking and similar websites, such as webjunction.org, work.com and wis.dm, are being exploited with spam profiles. (See Screenshots 01-03.) All of these spam profiles contain links to http://vbestserv.org/ds/go.php?sid=1. The criminal group uses this domain to redirect Internet users to various malicious websites.





Screenshot 01 - Source: WebJunction
Screenshot 02 - Source: Work.com
Screenshot 03 - Source: wis.dm






After redirection by vbestserv.org, one of the destinations is a fake video website titled YuoTube. (See Screenshot 04.) The same fake video website is hosted on more than a dozen servers, whose IP addresses include 66.249.155.147, 70.254.144.26, 67.176.243.41, 76.105.33.169, 84.75.179.194, 79.37.67.246, 88.160.254.35 and 99.187.194.59. A couple of the servers are hosted by Comcast Cable Communications, and one is hosted by SBC Internet Services. As we reported several hours ago, these servers are all exploited to make Internet users download a file named setup.exe.
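As an added example (not part of the original article), the following sketch shows how a defender could triage web proxy logs for the chain described above, using only the redirect URL, server IP addresses and file name given in this article. The log format and the sample lines are constructed assumptions.

```python
# Added example: indicators come from the article; log format and sample lines are constructed.
from urllib.parse import urlsplit

REDIRECTOR_HOST = "vbestserv.org"   # redirect domain named in the article
REDIRECTOR_PATH = "/ds/go.php"
FAKE_SITE_IPS = {                   # fake-video-site server IPs listed in the article
    "66.249.155.147", "70.254.144.26", "67.176.243.41", "76.105.33.169",
    "84.75.179.194", "79.37.67.246", "88.160.254.35", "99.187.194.59",
}
STAGES = ["redirector", "fake_site", "fake_site_download"]  # least to most severe

# Constructed sample: timestamp, client IP, method, URL, HTTP status
SAMPLE_LOG = """\
2009-03-06T03:10:01 10.0.0.5 GET http://vbestserv.org/ds/go.php?sid=1 302
2009-03-06T03:10:02 10.0.0.5 GET http://88.160.254.35/ 200
2009-03-06T03:10:09 10.0.0.5 GET http://88.160.254.35/setup.exe 200
2009-03-06T03:11:00 10.0.0.7 GET http://example.com/setup.exe 200
2009-03-06T03:12:30 10.0.0.9 GET http://VBESTSERV.org/ds/go.php?sid=1 302
"""

def classify(url):
    """Return the campaign stage a URL belongs to, or None if unrelated."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == REDIRECTOR_HOST and parts.path == REDIRECTOR_PATH:
        return "redirector"
    if host in FAKE_SITE_IPS:
        filename = parts.path.rsplit("/", 1)[-1].lower()
        return "fake_site_download" if filename == "setup.exe" else "fake_site"
    return None

def triage(log_text):
    """Return {client_ip: furthest stage reached} for clients that touched the campaign."""
    furthest = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                # skip malformed lines
        client, url = fields[1], fields[3]
        stage = classify(url)
        if stage and STAGES.index(stage) >= STAGES.index(furthest.get(client, STAGES[0])):
            furthest[client] = stage
    return furthest

if __name__ == "__main__":
    for client, stage in triage(SAMPLE_LOG).items():
        print(client, stage)
```

A client that reached `fake_site_download` should be treated as potentially infected even if a file scan of setup.exe comes back clean, since the article shows detection only occurring after the file was run.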





Screenshot 04 - Source: YuoTube
Screenshot 05 - Source: MacHouse
Screenshot 06 - Source: MacHouse






The updated definitions of Norton Internet Security may not find anything suspicious in the setup file. Screenshot 05 shows that scanning the file itself turned up nothing, even right after updating the virus definitions. So we double-clicked on the setup file. Screenshot 06 shows that the same anti-virus application then detected several malicious items, including ld01.exe, .MH690, Trojan Horse and Downloader. Furthermore, if we scan the entire C drive, Norton Internet Security finds malicious tracking cookies for websites at yieldmanager.com, doubleclick.net, ad.yieldmanager.com and so forth. (See Screenshot 07.)





Screenshot 07 - Source: MacHouse
Screenshot 08 - Source: MacHouse






So who is behind the redirection website hosted at the domain vbestserv.org? This domain points to a pair of nameservers, ns0.hqhost.net and ns1.hqhost.net. Running a traceroute search on these nameservers individually, we end up with the IP addresses 88.214.192.200 and 88.214.228.200. According to RIPE, these IP addresses are assigned to an organization called UAOnline HQHost or similar. (See Screenshot 08.) This organization seems to have Ukrainian and Russian connections. We won’t show you why we think so this time.

Can we have the malicious redirection website at vbestserv.org shut down? Chances are that we can. But we won’t waste our valuable time for now.

The following QuickTime documentation video shows what happened after double-clicking on the setup file downloaded at http://88.160.254.35.












Related stories:

Security Alert: Beware of YuoTube Secret Video - Part 1
LIVEVIDEO.COM and Other Websites Continuing to Send Internet Users to Fake Codec Websites with Trojan Horse Viruses - Part 2
LIVEVIDEO.COM and Other Websites Continuing to Send Internet Users to Fake Codec Websites with Trojan Horse Viruses - Part 1
Junk Profiles at LIVEVIDEO.COM Sending Internet Users to Fake Codec Websites - Part 2
Junk Profiles at LIVEVIDEO.COM Sending Internet Users to Fake Codec Websites - Part 1
Beware of Fake PornTube Website at KUKUZHMUKU.COM Hosted in California - Part 2
Beware of Fake PornTube Website at KUKUZHMUKU.COM Hosted in California - Part 1





********** ********** ********** ********** ********** ********** ********** **********

MacHouse is not funded by taxpayers' money. We have limited resources. We also need time to sleep and eat just as others do. So we will not act as the international police to contact all victims of website abuse. All you have to do is to subscribe to spam messages and spam posts. If we can, why don't you?







One Response to “Security Alert: Beware of YuoTube Secret Video - Part 2”

  1. rebecca Says:

    I clicked on the YuoTube system and now my Facebook makes it my status every time I log in. My computer is also having a hard time accessing the Internet. Is there a possible way for you to set up a section on your site with the information you know so that we may try to deal with some of the problem ourselves? If you have any information on how to clear this virus from my computer, please email me.
