For the latest analysis, see the update at the bottom of this post.
I've written about malware on xvideos.com before. This is the 52nd most popular site in the world, and one of the world's most popular porn sites. The last time, the xvideos.com site itself was infecting visitors. This time it's something a bit more subtle, and it affects Android smartphone users.
The Naked Security blog and Lookout Security blog analyse a report on Reddit about an infected web page that appeared to impact Android devices. The analysis by the two blogs comes up with two different C&C servers for the malware, 3na3budet9.ru and notcompatibleapp.eu, both hosted on 141.0.172.199.
This IP address is significant, because it is one used by Xvideos.com:
05/04/12 10:50:08 dns xvideos.com
Mail for xvideos.com is handled by aspmx3.googlemail.com aspmx2.googlemail.com alt2.aspmx.l.google.com alt1.aspmx.l.google.com aspmx.l.google.com aspmx5.googlemail.com aspmx4.googlemail.com
Canonical name: xvideos.com
Addresses:
141.0.172.197
141.0.172.198
141.0.172.199
141.0.172.200
141.0.172.201
141.0.172.202
141.0.172.204
141.0.172.205
141.0.172.206
141.0.172.207
141.0.172.208
141.0.172.209
141.0.172.210
141.0.172.211
You can probably safely block the whole of 141.0.172.0/24 if you want. So who exactly is xvideos.com? Well, it claims to be a Hong Kong company called Copypaste Ltd:
Handle..............: CLI-299346
Name................: Copypaste Limited
Street..............: 3/F, 65 Wyndham street, Central district
Postalcode..........: N/A
City................: Hong Kong
Province............: HK
Country.............: HK
E-mail..............: domain@copypaste-limited.com
Phone...............: +852 2530 1793
These IPs are operated by Reality Check Network, and form part of AS46652, which doesn't have a stellar reputation:
Safe Browsing
Diagnostic page for AS46652 (RCN)
What happened when Google visited sites hosted on this network?
Of the 414 site(s) we tested on this network over the past 90 days, 6 site(s), including, for example, xnxx.com/, porn.to/, burningcamel.com/, served content that resulted in malicious software being downloaded and installed without user consent.
The last time Google tested a site on this network was on 2012-05-04, and the last time suspicious content was found was on 2012-04-23.
Has this network hosted sites acting as intermediaries for further malware distribution?
Over the past 90 days, we found 3 site(s) on this network, including, for example, egameads.com/, plugrush.com/, jshell.net/, that appeared to function as intermediaries for the infection of 6 other site(s) including, for example, bestof-youtube.com/, jsfiddle.net/, zff.co/.
Has this network hosted sites that have distributed malware?
Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 1 site(s), including, for example, jshell.net/, that infected 1 other site(s), including, for example, jsfiddle.net/.
The question is.. are xvideos.com deliberately hosting these malware C&C servers, or have they been compromised in some way? It's difficult to say, but I would certainly recommend that you do your porn surfing elsewhere as long as this carries on.
Update 13/6/12: these domains still resolve to the xvideos.com IP, but the C&C servers appear not to be functioning. As some of the commenters say, it could be that the bad guys simply pointed their DNS to xvideos.com at random, although out of all the IP addresses they could choose it's odd that they chose the one they did. At the moment, xvideos.com appears clean but there are several related sites and netblocks which should be avoided.
In particular, the AS46652 block is extremely dangerous.
Google's diagnostic page says that 181 out of 603 sites in that block serve malware. If you want to block this AS then the IPs appear to be:
69.55.48.0/20
141.0.168.0/24
141.0.172.0/22
38.74.208.0/20
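As an added example (my own code, not part of the original post), here is a small Python check that parses a DNS lookup dump in the shape quoted above, works out the tightest CIDR covering the listed addresses, and flags proxy-log lines whose destination falls inside the AS46652 netblocks just listed. The DNS dump and log lines are constructed samples that reuse IPs and domains from this post; the log format is assumed.

```python
import ipaddress
import re

# Constructed sample shaped like the DNS lookup output quoted in the post (three of its addresses).
DNS_OUTPUT = """Canonical name: xvideos.com
Addresses:
141.0.172.197
141.0.172.199
141.0.172.211
"""

# The AS46652 netblocks given in the post's update.
AS46652_BLOCKS = [ipaddress.ip_network(c) for c in
                  ("69.55.48.0/20", "141.0.168.0/24", "141.0.172.0/22", "38.74.208.0/20")]

IPV4_LINE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")

def parse_addresses(text):
    """Pull the bare IPv4 lines out of a lookup dump like DNS_OUTPUT."""
    return [ipaddress.ip_address(m.group(1))
            for m in map(IPV4_LINE.match, text.splitlines()) if m]

def covering_network(ips):
    """Smallest single CIDR containing every address in ips (IPv4 only here)."""
    net = ipaddress.ip_network(str(ips[0]))  # start at a /32 ...
    while not all(ip in net for ip in ips):
        net = net.supernet()                 # ... and widen one bit at a time
    return net

def blocks_containing(ip, blocks):
    """Blocklist CIDRs that cover ip; an empty list means it is not listed."""
    addr = ipaddress.ip_address(ip)
    return [str(b) for b in blocks if addr in b]

# Constructed proxy-log lines (assumed format): client, method, host, resolved destination IP.
SAMPLE_LOG = [
    "10.0.0.5 GET notcompatibleapp.eu 141.0.172.199",
    "10.0.0.6 GET example.org 93.184.216.34",
    "10.0.0.7 GET 3na3budet9.ru 141.0.172.199",
]

def flag_log_lines(lines, blocks):
    """(line, matching CIDRs) for each log line whose destination IP is blocklisted."""
    hits = []
    for line in lines:
        matched = blocks_containing(line.rsplit(" ", 1)[-1], blocks)
        if matched:
            hits.append((line, matched))
    return hits
```

Running it over the full fourteen-address dump from the post gives the same /27 as the three-address sample, which is why the post's /24 suggestion comfortably covers all of them.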