Saturday, November 21, 2009

"New Moon" Movie Now Playing on Torrent Sites

Capitalizing on the Team Edward versus Team Jacob fever, a couple of New Moon.avi movie files are now appearing on well-known torrent sites. Of course it's not the real thing: opening the actual .avi file redirects you to a cleverly crafted website, www.microsoftmedicenter.com. Yes kids, look closely before you click:


It's mediacenter, minus the letter "a". Good job guys, but it's an old trick; it only works for kids and those who do not practice safe Internet use in the first place.
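The dropped-letter domain is a classic lookalike, and it is the kind of thing a proxy-log review can catch automatically. The following is an added example, not code from this post: it strips a hostname down to its registrable label, measures the edit distance to a constructed allow-list of legitimate domains (the KNOWN_DOMAINS entries are assumptions for illustration, not a real Microsoft domain list), and flags anything that is close to a known name without actually being it.

```python
# Added example (not from the blog post): flag hostnames that sit one or two
# edits away from a known brand domain, the way "microsoftmedicenter.com"
# differs from "microsoftmediacenter.com" only by a dropped letter.


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """'www.Example.COM' -> 'example' (naive: second-to-last label, no public-suffix list)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


# Constructed allow-list a checker might carry; these are assumed values for
# the example, not an authoritative list of Microsoft's domains.
KNOWN_DOMAINS = ["microsoftmediacenter.com", "microsoft.com", "windowsupdate.com"]


def closest_known(domain: str, known=KNOWN_DOMAINS):
    """Return (closest legitimate domain, edit distance between the two labels)."""
    label = registrable_label(domain)
    best = min(known, key=lambda k: levenshtein(label, registrable_label(k)))
    return best, levenshtein(label, registrable_label(best))


def is_lookalike(domain: str, known=KNOWN_DOMAINS, max_distance: int = 2) -> bool:
    """True when the domain is near, but not identical to, a known domain."""
    _, dist = closest_known(domain, known)
    return 0 < dist <= max_distance


if __name__ == "__main__":
    for host in ("www.microsoftmedicenter.com", "microsoft.com", "example.org"):
        print(host, "->", closest_known(host), "lookalike" if is_lookalike(host) else "ok")
```

A distance of 1 or 2 against a long brand label is a strong signal; for very short labels the same threshold produces false positives, so in practice the threshold is scaled to label length or combined with a check that the exact domain is not itself on the allow-list.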

I found out about this from a friend who IM'ed me that I need to fix his laptop again because he caught a nasty virus or something for the Nth time this month. He told me the last thing he did was simply open an .avi movie file that redirected him to Microsoft's website, and that's when things started to act funky.

The problem is that this guy never listens. He downloads a lot. He refuses to pay for music and movies. Downloading illegal copies of media is hurting the industry. And nothing is free in this world: download a free new movie, get a free evil payload (virus, adware, scareware, etc.).

So I inspected his laptop and immediately browsed to the New Moon Movie folder. Everything looks legit; you can even do a quick scan of the .AVI file using Microsoft's Security Essentials, and no alerts came out.

So off I went and opened the movie, and as expected my browser popped open and got directed to www.microsoftmedicenter.com.

However, what I got was a Bandwidth Exceeded return error. Hopefully someone DDoS'ed his website for good, or it got taken down already, or this guy is indeed maxing out the allotted bandwidth for his website because his clever trick is working.

Bandwidth Limit Exceeded The server is temporarily unable to service your request due to the site owner reaching his/her bandwidth limit. Please try again later.
Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 mod_python/3.3.1 Python/2.4.3 mod_bwlimited/1.4 PHP/5.2.6 Server at microsoftmedicenter.com Port 80

So I did my part as a good Netizen of this world and decided to explore and learn more about this poorly-spelled website. First stop is a back trace to see where this guy is hosted:

Wow, Amsterdam, land of the free. If it is indeed hosted in that country. Let's try a whois test:

http://whois.domaintools.com/microsoftmedicenter.com

Here's what we know about microsoftmedicenter.com:

* "James Gonzaga" owns about 13 other domains
* is a contact on the whois record of 3 domains
* 1 registrar has maintained records for this domain since 2009-05-14
* This domain has changed name servers 3 times over 0 years.
* Hosted on 4 IP addresses over 0 years.
* 49 ownership records archived since 2009-05-16.
* 193 other web sites are hosted on this server.

Registrant:
James Gonzaga
Roxas Boulevard
Manila, NCR 2000
Philippines

Domain Name: MICROSOFTMEDICENTER.COM
Created on: 14-May-09
Expires on: 14-May-10
Last Updated on: 27-Oct-09

Administrative Contact:
Gonzaga, James
Roxas Boulevard
Manila, NCR 2000
Philippines
+63.9194341212 Fax --

Technical Contact:
Gonzaga, James
Roxas Boulevard
Manila, NCR 2000
Philippines
+63.9194341212 Fax --

Domain servers in listed order:
NS1.WATCHUNDERGRADS.COM
NS2.WATCHUNDERGRADS.COM
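The record above carries the two signals a defender actually acts on: the domain is barely six months old and was registered for a single year. As an added example (not code from this post; the whois lookup itself was done through DomainTools), here is a small Python parser that pulls the domain, registrant, dates and name servers out of the record text as reproduced above and applies a "young domain on a one-year term" heuristic. The thresholds (one year of age, a term of at most 366 days) are assumptions chosen for illustration, and the post's own date is used as "now".

```python
# Added example (not from the blog post): extract the fields a defender cares
# about from a whois record and flag throwaway-looking registrations.
import re
from datetime import date, datetime

# Whois record as reproduced in the post (contact blocks omitted for brevity).
WHOIS_RECORD = """\
Registrant:
James Gonzaga
Roxas Boulevard
Manila, NCR 2000
Philippines

Domain Name: MICROSOFTMEDICENTER.COM
Created on: 14-May-09
Expires on: 14-May-10
Last Updated on: 27-Oct-09

Domain servers in listed order:
NS1.WATCHUNDERGRADS.COM
NS2.WATCHUNDERGRADS.COM
"""

# The date of the post, used as "now" for the age calculation (assumed anchor).
POST_DATE = date(2009, 11, 21)


def parse_whois(text: str) -> dict:
    """Pull the domain name, registrant, key dates and name servers out of the record."""
    fields = {}
    for key in ("Domain Name", "Created on", "Expires on", "Last Updated on"):
        m = re.search(rf"^{key}:\s*(\S.*?)\s*$", text, re.M)
        if m:
            fields[key] = m.group(1)
    # First line after "Registrant:" is the registrant name.
    m = re.search(r"^Registrant:\n(.+)$", text, re.M)
    fields["registrant"] = m.group(1).strip() if m else None
    # Name servers are the non-blank lines directly below the header.
    m = re.search(r"^Domain servers in listed order:\n((?:\S+\n?)+)", text, re.M)
    fields["name_servers"] = m.group(1).split() if m else []
    return fields


def parse_whois_date(value: str) -> date:
    """'14-May-09' -> date(2009, 5, 14); this registrar prints two-digit years."""
    return datetime.strptime(value, "%d-%b-%y").date()


def domain_age_days(fields: dict, as_of: date) -> int:
    """Days between registration and the reference date."""
    return (as_of - parse_whois_date(fields["Created on"])).days


def registration_term_days(fields: dict) -> int:
    """Length of the paid registration period in days."""
    return (parse_whois_date(fields["Expires on"])
            - parse_whois_date(fields["Created on"])).days


def looks_throwaway(fields: dict, as_of: date,
                    max_age_days: int = 365, max_term_days: int = 366) -> bool:
    """Heuristic (thresholds are assumptions): a young domain bought for one year only."""
    return (domain_age_days(fields, as_of) < max_age_days
            and registration_term_days(fields) <= max_term_days)


if __name__ == "__main__":
    f = parse_whois(WHOIS_RECORD)
    print(f["Domain Name"], "registrant:", f["registrant"], "ns:", f["name_servers"])
    print("age:", domain_age_days(f, POST_DATE), "days; term:",
          registration_term_days(f), "days; throwaway:", looks_throwaway(f, POST_DATE))
```

Whois output is not standardized across registrars, so the regular expressions above are tied to the field labels this particular record uses; a production checker would normalize several label and date formats before applying the same age and term rules.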


And the plot thickens! The domain name was registered to a fellow Filipino residing in Manila? Who knows. Unless domain name registration requires a high level of authentication and presentation of credentials, I doubt there is even a James Gonzaga along Roxas Boulevard in Manila. I am going to try that listed Philippine number at some other time; who knows, maybe there is a real James Gonzaga prowling the streets of Manila.

If someone picks up, I will ask "Is this James? Can I pay in $$$ and distribute some of my stuff on your website and be part of my worldwide BOT NET operation?"

Evil grin. That's how easily bad guys do transactions with smart kids from developing countries. All they need to do is mention the words US Dollars.

Next stop: let's NMAP this baby. I don't care if he backtracks on my trace; I make sure I cover my tracks:

Hmm, a couple of filtered interesting ports. Maybe next time.

Stay tuned.

Packet Boy Perseus
Helping spread a positive image why we hack things.