Since following this Mac Trojan I have come across several valuable links.
In particular I am investigating 213.182.197. Check out what's on there:
Checking out a very obvious one, mac-videos.com. Mac OS X users visiting this site can get infected with the Jahlav Trojan.

The sample flies totally under the radar, as this VirusTotal screenshot shows.

When you think it's over, here is more from 213.182.197.13:

You can see the fake PornTube sites riddled with malware and, worth pointing out, a social networking site called Vkontakte. It is the equivalent of Facebook in Russia, Ukraine and Belarus. It is not the real site though: a little typo, similar designs...

This is the legitimate site.

The trail never seems to end! Fake codecs, illegal adult content, phishing sites... Stay clear of those sites!

Jerome Segura