A fellow researcher from the anti-virus community recently blogged about an alluring spam message, which was spreading through Facebook. The spam message, purported to be a surprise package from a friend, unsurprisingly, redirected the user to a website which hosts malware.
Digging around the domain name reveals minimal information on the domain registration date, the registrant’s information, etc. The Top Level Domain “.tk” geographically belongs to Tokelau, a territory of New Zealand. However, a whois on the domain name reveals that the IP address hosting the site belongs to Romania & that the domain is registered to an address in Amsterdam, The Netherlands. In addition, analyzing the malware itself reveals that it originated in Russia.
A Google search for the domain name reveals more URLs, which currently host the malware, and these URLs seem to follow a similar pattern:
http://surprise-[followed by 5 random characters].tk/surprise.exe
While most vendors now detect the malware, the sites serving the malware are still up and running. K7TCL has notified the responsible authorities about the malware sites, but given the fact that the TLD .tk is known for its notoriety, the sites might not get taken down for a while.