
Tuesday 2 August 2011

virtualmapping.org redirect

The domain name virtualmapping.org sounds legitimate, but it isn't: it's a redirector used on hacked websites. The first time you visit one of these hacked sites via a Google search, you get redirected to a URL at virtualmapping.org/cgi-bin/r.cgi. Subsequent visits don't seem to trigger this, nor does visiting the site directly. It could be an altered .htaccess file.
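One way a site owner could test the altered-.htaccess theory is to look for rewrite rules that send visitors to a foreign host only when the Referer header matches. This is an added example, not code from the original post: the sample rules are constructed, and the function name and `own_hosts` parameter are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of a tampered .htaccess (not recovered from a real site).
SAMPLE_HTACCESS = r"""
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
# injected block
RewriteCond %{HTTP_REFERER} .*google.* [OR,NC]
RewriteCond %{HTTP_REFERER} .*bing.* [NC]
RewriteRule ^(.*)$ http://virtualmapping.org/cgi-bin/r.cgi [R=301,L]
"""

DIRECTIVE = re.compile(r"^\s*(RewriteCond|RewriteRule)\s+(\S+)\s+(\S+)", re.I)

def find_referer_redirects(text, own_hosts):
    """Return (line_no, target_host, referer_patterns) for each RewriteRule that
    redirects to a foreign host only when the Referer header matches."""
    findings, referer_conds = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = DIRECTIVE.match(line)
        if not m:
            continue  # comments, blank lines, other directives
        directive, first, second = m.group(1).lower(), m.group(2), m.group(3)
        if directive == "rewritecond":
            # RewriteCond TestString CondPattern: remember Referer tests only
            if "http_referer" in first.lower():
                referer_conds.append(second)
            continue
        # RewriteRule Pattern Substitution: the conditions above apply to this rule
        host = (urlsplit(second).hostname or "").lower()
        if referer_conds and host and host not in own_hosts:
            findings.append((line_no, host, list(referer_conds)))
        referer_conds = []  # conditions never carry past the next RewriteRule
    return findings

if __name__ == "__main__":
    own = {"example.com", "www.example.com"}
    for line_no, host, conds in find_referer_redirects(SAMPLE_HTACCESS, own):
        print(f"line {line_no}: Referer-gated redirect to {host} (patterns: {conds})")
```

A hit is a lead to review by hand, since some sites use Referer conditions legitimately (hotlink protection, for example).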

virtualmapping.org is hosted on which is unsurprisingly enough in Romania, in a Cobalt IT SRL block suballocated to SC Coral IT Office SRL / xnetworkings.com also in Romania. Sites in these Cobalt ranges are either all evil or are of interest to Romanian visitors only, so one quick and easy way to secure your network is to block the entire range. At the very least, block, and which are especially toxic.

After hitting virtualmapping.org, visitors are then redirected to one of the following sites on, hosted at Netdirekt in Frankfurt but actually allocated to a host called inferno.name (Sogreev Anton, Serbia). is full of Russian porn sites, so probably a good thing to block in any case.

Some of the domains that are loading the malware are:

Basically, anything in the nc-9.com domain apart from nc-9.com and www.nc-9.com has been hijacked and is pointing to the IP address in Frankfurt. It's not a surprise to see that nc-9.com is actually a legitimate domain registered at GoDaddy that appears to have been hijacked.

The payload is a nasty trojan according to various analysis tools (ThreatExpert, Comodo, Anubis). Detection rates are very low. The analysis tools might help you to clean up your PC if you have somehow become infected.

Of some interest, the trojan alters the HOSTS file to block access to popular torrent sites such as the Pirate Bay. It also calls home to two domains, assistancebeside.com ( and imagehut4.cn which was actually deleted last year, but was registered to the scumbags at Real Host Ltd.

There's quite a lot to block here, the highest priorities are:

I see no harm in blocking the following /24s:

And if you're not afraid to block really quite large address ranges:
