Friday, 4 May 2012

Xvideos.com IP hosting malware C&C servers

For the latest analysis, see the update at the bottom of this post.

I've written about malware on xvideos.com before. It is the 52nd most popular site in the world, and one of the world's most popular porn sites. Last time, the xvideos.com site itself was infecting visitors. This time it is something a bit more subtle, and it affects Android smartphone users.

The Naked Security blog and Lookout Security blog analyse a report on Reddit about an infected web page that appeared to target Android devices. The two blogs come up with two different C&C servers for the malware, 3na3budet9.ru and notcompatibleapp.eu, both of which currently resolve to 141.0.172.199.

This IP address is significant, because it is one used by Xvideos.com:

05/04/12 10:50:08 dns xvideos.com
Mail for xvideos.com is handled by aspmx3.googlemail.com aspmx2.googlemail.com alt2.aspmx.l.google.com alt1.aspmx.l.google.com aspmx.l.google.com aspmx5.googlemail.com aspmx4.googlemail.com
Canonical name: xvideos.com
Addresses:
  141.0.172.197
  141.0.172.198
  141.0.172.199
  141.0.172.200
  141.0.172.201
  141.0.172.202
  141.0.172.204
  141.0.172.205
  141.0.172.206
  141.0.172.207
  141.0.172.208
  141.0.172.209
  141.0.172.210
  141.0.172.211

You can probably safely block the whole of 141.0.172.0/24 if you want. So who exactly is xvideos.com? Well, it claims to be a Hong Kong company called Copypaste Ltd:

Handle..............: CLI-299346
Name................: Copypaste Limited
Street..............: 3/F, 65 Wyndham street, Central district
Postalcode..........: N/A
City................: Hong Kong
Province............: HK
Country.............: HK
E-mail..............: domain@copypaste-limited.com
Phone...............: +852 2530 1793

These IPs are operated by Reality Check Network and form part of AS46652, which does not have a stellar reputation:

Safe Browsing

Diagnostic page for AS46652 (RCN)

What happened when Google visited sites hosted on this network?
Of the 414 site(s) we tested on this network over the past 90 days, 6 site(s), including, for example, xnxx.com/, porn.to/, burningcamel.com/, served content that resulted in malicious software being downloaded and installed without user consent.
The last time Google tested a site on this network was on 2012-05-04, and the last time suspicious content was found was on 2012-04-23.
Has this network hosted sites acting as intermediaries for further malware distribution?
Over the past 90 days, we found 3 site(s) on this network, including, for example, egameads.com/, plugrush.com/, jshell.net/, that appeared to function as intermediaries for the infection of 6 other site(s) including, for example, bestof-youtube.com/, jsfiddle.net/, zff.co/.
Has this network hosted sites that have distributed malware?
Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 1 site(s), including, for example, jshell.net/, that infected 1 other site(s), including, for example, jsfiddle.net/.

The question is: is xvideos.com deliberately hosting these malware C&C servers, or has it been compromised in some way? It is difficult to say, but I would certainly recommend doing your porn surfing elsewhere as long as this carries on.

Update 13/6/12: these domains still resolve to the xvideos.com IP, but the C&C servers appear not to be functioning. As some of the commenters say, it could be that the bad guys simply pointed their DNS at xvideos.com at random, although out of all the IP addresses they could have chosen it is odd that they picked this one. At the moment, xvideos.com appears clean, but there are several related sites and netblocks which should be avoided.

In particular, the AS46652 block is extremely dangerous. Google's diagnostic page says that 181 out of 603 sites in that block serve malware. If you want to block this AS, then the netblocks appear to be the following (note that 141.0.172.0/22 already covers the 141.0.172.0/24 range mentioned above):
69.55.48.0/20
141.0.168.0/24
141.0.172.0/22
38.74.208.0/20
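A practical check for the two blocking suggestions in this post (the 141.0.172.0/24 range and the AS46652 prefixes), written as an added example rather than anything from the original post: it pulls the addresses out of a lookup in the same format as the one shown above, merges the prefixes so the redundant /24 disappears, and reports which resolved addresses a block would actually stop. The prefixes and the sample lookup text are taken from the post's own data; 184.82.82.68, the address a commenter names as the real C&C host, is checked separately as a negative case. Everything else (function names, the trimmed lookup text) is constructed for the example.

```python
"""Added example: match resolved addresses against a netblock blocklist.

Not code from the original post. Prefixes and addresses come from the post;
SAMPLE_LOOKUP is a constructed, trimmed copy of the lookup output shown there.
"""
import ipaddress

# Netblocks the post suggests blocking: the /24 from the body plus the
# AS46652 prefixes from the update.
BLOCKED_PREFIXES = [
    "141.0.172.0/24",
    "69.55.48.0/20",
    "141.0.168.0/24",
    "141.0.172.0/22",
    "38.74.208.0/20",
]

# Constructed sample in the format of the lookup output in the post (trimmed
# to three of the addresses it lists).
SAMPLE_LOOKUP = """\
05/04/12 10:50:08 dns xvideos.com
Mail for xvideos.com is handled by aspmx.l.google.com
Canonical name: xvideos.com
Addresses:
  141.0.172.197
  141.0.172.199
  141.0.172.211
"""


def parse_addresses(lookup_text):
    """Pull the IP addresses listed under 'Addresses:' in a lookup dump.

    Lines before the marker (MX records, canonical name) are ignored and the
    block ends at the first line that does not parse as an address.
    """
    addresses = []
    in_block = False
    for line in lookup_text.splitlines():
        stripped = line.strip()
        if stripped == "Addresses:":
            in_block = True
            continue
        if not in_block:
            continue
        try:
            addresses.append(ipaddress.ip_address(stripped))
        except ValueError:
            break
    return addresses


def collapse_prefixes(prefixes):
    """Merge overlapping and adjacent netblocks into a minimal, sorted list.

    141.0.172.0/24 lies inside 141.0.172.0/22, so it drops out here and a
    firewall rule set built from the result carries no redundant entries.
    strict=True rejects prefixes with host bits set, which usually means a typo.
    """
    networks = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(networks)]


def blocked_matches(addresses, prefixes=BLOCKED_PREFIXES):
    """Map each blocked address to the netblock that catches it.

    Accepts address strings or ipaddress objects. Addresses outside every
    prefix are left out, so the caller sees exactly which resolved IPs a
    block would stop and which would slip through.
    """
    networks = [ipaddress.ip_network(p) for p in collapse_prefixes(prefixes)]
    hits = {}
    for raw in addresses:
        address = ipaddress.ip_address(raw)
        for network in networks:
            if address in network:  # False for a v6 address vs a v4 network
                hits[str(address)] = str(network)
                break
    return hits


if __name__ == "__main__":
    resolved = parse_addresses(SAMPLE_LOOKUP)
    print("collapsed blocklist:", collapse_prefixes(BLOCKED_PREFIXES))
    print("blocked:", blocked_matches(resolved))
    # The address the comments name as the actual C&C host is not in any of
    # the listed netblocks, so this blocklist alone would not have caught it.
    print("184.82.82.68 blocked:", bool(blocked_matches(["184.82.82.68"])))
```

Feeding the collapsed list rather than the raw one into a firewall or DNS RPZ keeps the rule set short, and the negative check is the caveat a practitioner wants: a netblock list built around the hosting provider says nothing about infrastructure elsewhere.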

5 comments:

Kafeine said...

Are you really sure?
notcompatibleapp.eu was a C&C...but on IP : 184.82.82.68
They changed DNS records to Xvideos on the 03/05/2012.

You won't see the :
/client/auth
and
/adminx/auth
On Xvideos :)

But they are victims (?) from time to time of malvertising.

John Doe said...

Well, big mistake:
http://www.google.com/safebrowsing/diagnostic?site=xvideos.com/
Nothing suspicious...
These 2 websites have only changed their DNS to point to xvideos. No big deal. Why did you not verify your information before posting ?

Conrad Longmore said...

@John Doe, perhaps you should check http://www.google.com/safebrowsing/diagnostic?site=xnxx.com/ which is part of the same network. Malware is pretty common on xvideos.com and affiliates. There is an indication that they might have suffered some sort of compromise at the very least.

Kafeine said...

Conrad, I love what you are doing here, but in that specific case... you really made a mistake.
The C&C of this DriveByDownload for Android was on 184.82.82.68, with two forms to open what looks like a panel on /client/auth & /adminx/auth.
They changed DNS to Xvideos... they could have pointed to a Google IP as well.

@John Doe, mistakes happen. They surely verified, but maybe a few hours late. It's moving so fast... I think: now it's old :) (did you notice it was 1 month old? ;) )

To add some kind of value to my poor comment:

The BH EK that was spreading the malware at that time is still hiding behind reverses on:
184.82.82.66
184.82.82.67
184.82.82.68
184.82.82.69
184.82.82.70

But they have now added more IPs since the 26/05/2012 afternoon:
64.120.141.162
64.120.141.163
64.120.141.164
64.120.141.165
64.120.141.166

@Conrad, thanks for this blog!! :)

Conrad Longmore said...

Amended the post to reflect that the C&C servers might not have been there; however, AS46652 is still pretty bad!