Old PornTube, New Rogue AV

It’s one of those days when you have a bit of nostalgia for the stuff you used to do. Back a year or so ago, I used to hunt down fake AV and the like. It involved fake YouTube sites, porn and more porn.

Out of curiosity, I started some searches, the same that I used to do to find the bad stuff.

Like I said, this is quite old (Feb 2011). I clearly remember redspacetube.com; it used to do redirections to various sites using Dynamic DNS.

Guess what? It’s still working!

seonetwizard.com/in.cgi?16&parameter=%3ftube-videos
seonetwizard.com/in.cgi?4
seonetwizard.com/in.cgi?14
directredirection.com/LI8wbTB8ycreCciKd26F8mpTD70hFJDu.php?sid=3
ygafigyuhigi.mrface.com/land/?n=loli&id=1

The DNS service is provided by changeIP.com:

This page is quite familiar but looks ancient by now…

The file takes forever and a day to download…:

ygafigyuhigi.mrface.com/land/maindirectory/adobeflashplayerv10.2.152.32.exe

The very low detection rate on VirusTotal makes me wonder whether this file is really old or just too new… (2/41).
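
With only 2 of 41 engines flagging the file, the request URL in a proxy or DNS log is another place to catch this download. The check below is an added example, not part of the original post: it flags executables named like a Flash Player installer that are served from outside the vendor's domains, and hosts under a dynamic DNS zone. The zone lists, function names and the last two sample URLs are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumption: zones handed out by dynamic DNS providers. mrface.com is the
# only one named in the post; extend this from your own provider list.
DYNDNS_ZONES = {"mrface.com"}
# Assumption: zones allowed to serve a genuine Flash Player installer.
VENDOR_ZONES = {"adobe.com", "macromedia.com"}
EXEC_EXT = (".exe", ".msi", ".scr")
LURE = re.compile(r"flash[-_ ]?player", re.I)


def in_zone(host, zones):
    """True if host is a zone or a subdomain of it (label-aligned match)."""
    return any(host == z or host.endswith("." + z) for z in zones)


def classify(url):
    """Return the list of findings for one requested URL."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    name = posixpath.basename(unquote(parts.path)).lower()
    is_exe = name.endswith(EXEC_EXT)
    reasons = []
    if in_zone(host, DYNDNS_ZONES):
        reasons.append("dynamic-dns-host")
    if is_exe and LURE.search(name) and not in_zone(host, VENDOR_ZONES):
        reasons.append("flash-installer-off-vendor")
    if is_exe and "dynamic-dns-host" in reasons:
        reasons.append("executable-from-dynamic-dns")
    return reasons


def triage(urls):
    """Return {url: findings} for the URLs that have at least one finding."""
    return {u: r for u in urls if (r := classify(u))}


SAMPLE = [
    # The first two URLs are from the post; the rest are constructed.
    "seonetwizard.com/in.cgi?4",
    "ygafigyuhigi.mrface.com/land/maindirectory/adobeflashplayerv10.2.152.32.exe",
    "https://get.adobe.com/flashplayer/install_flash_player.exe",
    "http://mrface.com.cdn.example/setup.exe",
]

if __name__ == "__main__":
    for url, findings in triage(SAMPLE).items():
        print(url, "->", ", ".join(findings))
```

The zone match is label-aligned on purpose, so a look-alike host such as `mrface.com.cdn.example` is not mistaken for a subdomain of the dynamic DNS zone.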

Next, I checked whether the file was half broken… but clearly it was working just fine:

It installs a fake AV called “Windows Trouble Taker” (should have been called Trouble Maker IMHO ;-) )

A quick search confirms this is not an old rogue AV, but rather the new kid on the block:

This is one tenacious fake porn tube… Can someone unplug redspacetube.com for good?

Jerome Segura
