The domain name
virtualmapping.org sounds legitimate, but isn't.. it's a redirector used on hacked websites. The first time you visit one of these hacked sites via a Google search, you get redirected to a URL at
virtualmapping.org/cgi-bin/r.cgi. Subsequent visits don't seem to trigger this, nor does visiting the site directly. It could be an altered .htaccess file.
virtualmapping.org is hosted on 94.63.149.246 which is unsurprisingly enough in Romania, in a
Cobalt IT SRL block suballocated to
SC Coral IT Office SRL /
xnetworkings.com also in Romania. Sites in these Cobalt ranges are either all evil or are of interest to Romanian visitors only, so one quick and easy way to secure your network is to block the entire
94.60.0.0/14 range.. at the very least, block
94.63.149.0/24,
94.63.244.0/24 and
94.60.123.0/24 which are especially toxic.
After hitting virtualmapping.org, visitors are then redirected to one of the following sites on
95.168.178.206, hosted at Netdirekt in Frankfurt but actually allocated to a host called
inferno.name (Sogreev Anton, Serbia).
95.168.178.0/24 is full of Russian porn sites, so probably a good thing to block in any case.
Some of the domains that are loading the malware are:
could0.nc-9.com
gets1.nc-9.com
realized2.nc-9.com
summer3.nc-9.com
principle4.nc-9.com
watching4.nc-9.com
and5.nc-9.com
electric6.nc-9.com
plane6.nc-9.com
show7.nc-9.com
fig8.nc-9.com
ever8.nc-9.com
feet8.nc-9.com
league9.nc-9.com
event9.nc-9.com
became0.nc-9.com
sense4.nc-9.com
Basically, anything in the
nc-9.com domain apart from nc-9.com and www.nc-9.com has been hijacked and is pointing to the IP address in Frankfurt. It's not a surprise to see that nc-9.com is actually a legitimate domain registered at GoDaddy that appears to have been hijacked.
The payload is a nasty trojan according to various analysis tools (
ThreatExpert,
Comodo,
Anubis). Detection rates are
very low. The analysis tools might help you to clean up your PC if you have somehow become infected.
Of some interest, the trojan alters the HOSTS file to block access to popular torrent sites such as the Pirate Bay. It also calls home to two domains,
assistancebeside.com (
78.159.100.32) and
imagehut4.cn which was actually deleted last year, but was registered to the scumbags at
Real Host Ltd.
There's quite a lot to block here, the highest priorities are:
94.63.149.246
95.168.178.206
78.159.100.32
*.nc-9.com
assistancebeside.com
virtualmapping.org
I see no harm in blocking the following /24s:
94.63.149.0/24
95.168.178.0/24
And if you're not afraid to block really quite large address ranges:
94.60.0.0/14