A rogueware distribution gang known for their use of Rbn services and phishing scams continue to maintain a couple of the busiest servers in our daily prevented malware lists. Starting on May 6th, the group moved their downloaders and malware (similarly named to softwarefortubeview.4000.exe) from being served at 220.127.116.11 to exclusively 18.104.22.168.
This group appears to be getting quite a bit of traction out of their ongoing FakeAv scheme, in addition to the phishing activities. They started out in late 2008 on 22.214.171.124 with tubeviewer.95.exe, and in mid-January, moved tubeviewersetup..exe to several other addresses:
and since May 6th, they have served softwarefortubeview.40019.exe (among other names) at 126.96.36.199, for which we see multiple domain names registered:
You can see our previous posts regarding their FakeAv malware downloaders, with some of the most popular scareware messages: “you have a security problem” and “security system has detected spyware infection!”.
The redirection to this executable most often comes from blog posts offering free current movies, like “Watch Push Movie Online Free”. You get what you pay for. Notice the video frame at the bottom of the post. Avoid this blog and others like it:
“Anika”, the poster of the phony blog above, also set up a number of other blogs, hoping to capture more curious cats looking for “movie online free”:
For example, a few clicks for a “movie online free” Mr. Bean video link redirects the browser through several links and eventually the fake video iframe coughs up the download prompt for the gang’s malware: