
Friday, 18 November 2011

Xvideos.com compromised with abusedfire.com attack and other malware

UPDATE: as of March 2012, xvideos.com seems to be clean of malware. You can see Google's latest prognosis here.

UPDATE 2:  an xvideos.com IP has been connected with malware C&C servers, see here.

Original article follows:


xvideos.com is one of the most popular sites on the internet. According to Alexa, it is ranked number 51 in the world, making it the second most popular adult site after livejasmin.com (rank 42).

Although porn and adult sites have a reputation for spreading malware, most of the top-rated sites are actually pretty safe. Xvideos.com is different though, as it apparently has been spreading malware for a while.. but this week seems to have seen a sharp uptick in the number of infections coming from the site.

The infections appear to use the Blackhole Exploit kit to download the Zeus trojan on the target PC. In all the cases I have seen, a Flash cookie for a site called www.abusedfire.com is present. This site is hosted at 67.228.2.138 (Softlayer, Dallas) in a small block allegedly allocated to:

network:Class-Name:network
network:ID:NETBLK-SOFTLAYER.67.228.0.0/20
network:Auth-Area:67.228.0.0/20
network:Network-Name:SOFTLAYER-67.228.0.0
network:IP-Network:67.228.2.136/30
network:IP-Network-Block:67.228.2.136-67.228.2.139
network:Organization;I:shanghai Municipality
network:Street-Address:Rm 309,Xin Wu Building,Guang Zhong Road
network:City:shanghai
network:Postal-Code:200072
network:Country-Code:CN
network:Tech-Contact;I: sysadmins@softlayer.com
network:Abuse-Contact;I: abuse@go.com
network:Admin-Contact;I:IPADM258-ARIN
network:Created:20071219
network:Updated:20110509
network:Updated-By: ipadmin@softlayer.com

Blocking 67.228.2.136/30 would probably be a good idea.

The abusedfire.com domain is registered to:

Barbara Rogers
Barbara Rogers
3000 5th St NW
New Brighton
MN
55112
US
Phone:         +1.6516334311 
Email Address: brightonrogers@gmail.com
 
Another domain being used in malware delivery is safecomputermonitors.info, hosted on 95.211.15.161 (Leaseweb, Netherlands).


Google's prognosis of xvideos.com is not good.

Safe Browsing
Diagnostic page for xvideos.com


What is the current listing status for xvideos.com?

    This site is not currently listed as suspicious.

    Part of this site was listed for suspicious activity 18 time(s) over the past 90 days.

What happened when Google visited this site?

    Of the 9325 pages we tested on the site over the past 90 days, 248 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-11-17, and the last time suspicious content was found on this site was on 2011-10-23.

    Malicious software includes 14 trojan(s). Successful infection resulted in an average of 5 new process(es) on the target machine.

    Malicious software is hosted on 34 domain(s), including warm-freezer.myftp.info/, cheapbagel.xe.cx/, deadapricot.faqserv.com/.

    4 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including stats1.in/, loading321.com/, main3.in/.

    This site was hosted on 4 network(s) including AS22822 (LLNW), AS46652 (RCN), AS16265 (LEASEWEB).

Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, xvideos.com appeared to function as an intermediary for the infection of 18 site(s) including pornorama.com/, magicmovies.com/, milfmovs.com/.

Has this site hosted malware?

    No, this site has not hosted malicious software over the past 90 days.

248 out of 9325 pages indicates that 2.7% of pages are infected with malware - and as the average visitor views 11 pages on xvideos.com (according to Alexa), there is roughly a 28% chance that an average visitor would be exposed to malware.

But remember, this isn't just any site.. this site is one of the busiest in the world, pulling in millions of unique visitors per day (estimates for this vary between 4 million to 10 million). Per day. This should be a big deal.. but noise about malware on xvideos.com is about nil.. presumably because people don't like to admit that they have been infected from a porn site.

As a comparison, I looked at the malware rates for the top 10 adult sites (according to Alexa). They are almost completely clean.

Site                   Alexa Rank   Infected pages / total pages   Infection rate   Average pages / user   Malware contact probability
livejasmin.com         42           0/138                          0.0%             2                      0%
xvideos.com            51           248/9325                       2.7%             12                     28%
xhamster.com           57           0/273                          0.0%             9                      0%
pornhub.com            74           0/140                          0.0%             5                      0%
youporn.com            85           3/1206                         0.2%             7                      2%
xnxx.com               113          1/696                          0.1%             11                     2%
tube8.com              114          0/89                           0.0%             5                      0%
redtube.com            121          0/139                          0.0%             6                      0%
youjizz.com            201          0/776                          0.0%             6                      0%
adultfriendfinder.com  227          0/10623                        0.0%             7                      0%
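The "Malware contact probability" column above follows from the per-page infection rate and the pages viewed per visit; the added script below (not part of the original post) makes that model explicit, assuming each page view is an independent draw at the site's infection rate, and reproduces the table's 28% for xvideos.com using its 12 pages per user.

```python
# Added example: the exposure model behind the "Malware contact probability"
# column. Assumption (not stated on the page): every page view is an
# independent draw at the site's per-page infection rate, so
# P(exposed) = 1 - (1 - rate) ** pages_per_visit.

# Rows copied from the table in the post:
# (site, infected pages, total pages tested, average pages per user)
TOP_ADULT_SITES = [
    ("livejasmin.com", 0, 138, 2),
    ("xvideos.com", 248, 9325, 12),
    ("xhamster.com", 0, 273, 9),
    ("pornhub.com", 0, 140, 5),
    ("youporn.com", 3, 1206, 7),
    ("xnxx.com", 1, 696, 11),
    ("tube8.com", 0, 89, 5),
    ("redtube.com", 0, 139, 6),
    ("youjizz.com", 0, 776, 6),
    ("adultfriendfinder.com", 0, 10623, 7),
]


def exposure_probability(infected: int, total: int, pages_per_visit: int) -> float:
    """Probability that a visitor viewing `pages_per_visit` pages lands on at
    least one infected page, treating each view as an independent draw."""
    if total <= 0 or not 0 <= infected <= total or pages_per_visit < 0:
        raise ValueError("invalid inputs")
    rate = infected / total
    return 1.0 - (1.0 - rate) ** pages_per_visit


def exposure_table(rows=TOP_ADULT_SITES) -> dict:
    """Map site -> exposure probability in whole percent, as in the post's table."""
    return {site: round(100 * exposure_probability(i, t, p)) for site, i, t, p in rows}


if __name__ == "__main__":
    for site, pct in exposure_table().items():
        print(f"{site:22s} {pct:3d}%")
```

Note that the same model with the 11 pages per visit quoted in the text gives about 26%, so the table's 28% corresponds to the 12 pages per user it lists.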


If you are going to look at the shady side of the web, then it is very important to make sure that your system is fully patched (you can use Secunia OSI to check), and a combination of Firefox + NoScript is very good at locking down your browser (note that this isn't really for novices). Logging in as something other than an administrator can also help to reduce the impact of malware.. and of course a good and up-to-date anti-virus or security package is essential.

Alternatively, if you enjoy smut.. you may enjoy this Tom Lehrer song from 1965.. [sort of NSFW]:

2 comments:

kbbbb777 said...

If you look at material like this, and run the risk of the infection, it's your own stupid fault. I am fairly sure a good chunk of men's computers have been infected by this garbage. I have zero sympathy.

Conrad Longmore said...

@kbbbb777 - it's not just men who visit these sites. Quantcast reports that 35% of the visitors are female. That statistic is roughly the same for all the top sites.