SoftwareForTubeview Codec Scheme's Continued Success

A rogueware distribution gang known for their use of Rbn services and phishing scams continue to maintain a couple of the busiest servers in our daily prevented malware lists. Starting on May 6th, the group moved their downloaders and malware (similarly named to softwarefortubeview.4000.exe) from being served at to exclusively

This group appears to be getting quite a bit of traction out of their ongoing FakeAv scheme, in addition to the phishing activities. They started out in late 2008 on with tubeviewer.95.exe, and in mid-January, moved tubeviewersetup..exe to several other addresses:

and since May 6th, they have served softwarefortubeview.40019.exe (among other names) at, for which we see multiple domain names registered:

You can see our previous posts regarding their FakeAv malware downloaders, with some of the most popular scareware messages: “you have a security problem” and “security system has detected spyware infection!”.

The redirection to this executable most often comes from blog posts offering free current movies, like “Watch Push Movie Online Free”. You get what you pay for. Notice the video frame at the bottom of the post. Avoid this blog and others like it:

“Anika”, the poster of the phony blog above, also set up a number of other blogs, hoping to capture more curious cats looking for “movie online free”:

Eventually, clicking on the posts’ link sets up the browser for a series of javascript redirections to “watch-for-free.net”, where the phony executable is finally offered to watch the non-existent flick.
For example, a few clicks for a “movie online free” Mr. Bean video link redirects the browser through several links and eventually the fake video iframe coughs up the download prompt for the gang’s malware:
hxxp://watch-mr-bean-movie-online-free.blogspot.com/ –>
hxxp://video-trailers.net/hotnews.php?id=Mr._Bean –>
hxxp://watch-for-free.net/hotnews.php?id=Mr._Bean&was=1 –>

Update: an excellent post describing related activity and infrastructure at the GazTranzitStroyInfo site and related russian ISP’s. And the group moves their malware to yet another provider.

This entry was posted in The Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>