
Thread: Rogue AV/AS prolific

  1. #1
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    4,983

    Google finds a million scareware infections...

    FYI...

    Google finds a million scareware infections...
    - http://krebsonsecurity.com/2011/07/g...o-be-infected/
    July 19, 2011 - "Google today began warning more than a million Internet users that their computers are infected with a malicious program that hijacks search results and tries to scare users into purchasing fake antivirus software... the malware apparently arrives on victim desktops as fake antivirus or “scareware” programs that use misleading warnings about security threats to trick people into purchasing worthless security software... The malware intercepts traffic destined for high profile domains like google.com, yahoo.com and bing.com, and routes it through intermediate hosts or “proxies” controlled by the attackers. The proxies are used to modify the search results that a victim sees for any given search term, and to redirect traffic to pay-per-click schemes that pay for traffic to specific Web sites. Fortunately, the traffic generated by the malware has a unique “signature” that Google is able to use to alert victims. Google is placing a prominent notification* at the top of victims’ Google search results; it includes links to resources to help remove the infection... the hard work will be in the cleanup: Search hijackers are notorious for blocking users from visiting antivirus Web sites or other popular sources of malware removal tools."
    * http://krebsonsecurity.com/wp-conten...07/googhij.png
    ___

    - http://googleonlinesecurity.blogspot...ople-from.html
    Updated July 20, 2011

    Last edited by AplusWebMaster; 2011-07-21 at 12:07.
    This machine has no brain.
    ....... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #2 AplusWebMaster

    FYI...

    Fake video codecs - with scareware
    - http://threatpost.com/en_us/blogs/ge...areware-072511
    July 25, 2011 - "... Most scareware programs rely on Web-based pop-ups that appear when a victim visits a site that has been compromised. The user sees a dialog box that typically looks a lot like the Windows security center interface informing him that his machine is full of scary sounding malware... The goal, of course, is to get the unwitting victim to click on the dialog box and install whatever rogue AV tool they're pushing and then get him to pony up for the license fee. Now, researchers at GFI Labs* have come across a new breed of rogue AV that takes a less direct route to the victim's wallet. This attack, which is related to the FakeVimes family of scareware that Google recently began warning users about, installs some files on users' machines, but doesn't immediately start demanding payment in return for fictitious security services. Instead, it waits for a victim to try to play a Web video..."
    * http://sunbeltblog.blogspot.com/2011...s-up-home.html
    "... a sample of some of the files found on the infected machine:
    c:\Documents and Settings\All Users\Application Data\7f0924\VD7f0_2326.exe
    c:\Documents and Settings\All Users\Application Data\ip\e.exe
    c:\Documents and Settings\All Users\Application Data\ip\FRed32.dll
    c:\Documents and Settings\All Users\Application Data\ip\instr.ini
    c:\Documents and Settings\All Users\Application Data\ip\SmartGeare.exe
    c:\Documents and Settings\All Users\Application Data\ip\spoof.avi
    c:\WINDOWS\system32\c_726535.nls ..."


  3. #3 AplusWebMaster

    FYI...

    Rogue activity spikes ...
    - https://blogs.technet.com/b/mmpc/arc...edirected=true
    29 Jan 2012 - "... Lately, we have seen a resurgence in rogue activity (one particularly obnoxious threat going by the name Security Defender – aka Win32/Defmid – has been making the rounds of late); rogue security programs attempt to trick users into paying for -fake- antivirus software... Think twice before handing over your credit card details to a third party you cannot verify – like one displaying pop-ups, or on the end of an unsolicited phone call."
    (Screenshots available at the URL above.)


  4. #4 AplusWebMaster

    FYI...

    Rogue rash ...
    - https://blogs.technet.com/b/mmpc/arc...edirected=true
    1 Mar 2012 - "Rogue:Win32/FakePAV reappeared about two weeks ago after a brief hiatus and since then we’ve been seeing variants with new names for themselves just about every day. The latest versions call themselves names like “Windows Threats Destroyer”, “Windows Firewall Constructor”, "Windows Attacks Preventor" and “Windows Basic Antivirus”... Each sample of FakePAV is distributed as a self-extracting RAR archive, which contains a second self-extracting RAR archive. This second, “inner” archive contains the rogue executable itself, but it is password-protected; simply trying to extract it without knowing the password doesn’t work... In the last few days they’ve started obfuscating these scripts, probably to make it harder for anti-malware scanners to detect them. Because RAR self-extractor scripts are stored as part of the archive comment, essentially anything that the self-extractor doesn’t recognize as an instruction is ignored, meaning pretty much any text can be added without changing the functionality... These kinds of tactics are aimed at making it difficult for anti-malware scanners to look inside the malware’s distribution package, and they highlight the need for real-time malware protection. For the malware to work, the malicious executable has to be written to disk at which point real-time protection can not only detect it but stop it from being executed..."
    (Screenshots available at the URL above.)


  5. #5 AplusWebMaster

    FYI...

    Mass injection wave of WordPress sites - Rogue AV ...
    - http://community.websense.com/blogs/...ess-sites.aspx
    5 Mar 2012 - "... Websense... has detected a new wave of mass-injections... The majority of targets are Web sites hosted by the WordPress content management system. At the time of writing, more than 200,000 Web pages have been compromised, amounting to close to 30,000 unique Web sites (hosts). The injection hijacks visitors to the compromised sites and redirects them to rogue AV sites that attempt to trick them into downloading and installing a Trojan onto their computer. The injected code is very short and is placed at the bottom of the page, just before </body> tag... After a three-level -redirection- chain, victims land on a fake AV site. In this example, the first chain is the ".rr.nu", and the landing site is the ".de.lv" top-level domain, but the landing site keeps changing. The rogue AV site appears to perform a scan on the computer and scares the user by displaying fake malware detections of various kinds of Trojans. The page looks like a Windows Explorer window with a "Windows Security Alert" dialogue box in it. The fake scanning process looks like a normal Windows application, however, it is only a pop-up window within the browser. The fake antivirus then prompts visitors to download and run their "antivirus tool" to remove the supposedly found Trojans. The executable is itself the Trojan... more than 85% of the compromised sites are in the United States, while visitors to these web sites are more geographically dispersed*... while the attack is specific to the US, everyone is at risk when visiting these compromised pages..."
    * http://community.websense.com/cfs-fi...5F00_GeoIP.png

    > http://community.websense.com/cfs-fi...82.FakeAV3.png
    ___

    - http://community.websense.com/blogs/...protected.aspx
    13 Mar 2012 - "... We checked several aspects of each of these compromised websites and concluded that most of them are served by Apache webserver and PHP environment*...
    * http://community.websense.com/cfs-fi...ribution1s.png
    ... WordPress still serves the majority of the compromised websites; however, we did see a small amount of other CMS as well. We also noticed that an increasing number of Joomla sites** are also affected, with all other content managers making up a tinier slice...
    ** http://community.websense.com/cfs-fi...ribution2s.png
    ... having the latest version of WordPress does not make you immune to this threat...
    > http://community.websense.com/cfs-fi...ribution3s.png
    ... some of the dominant attack vectors that websites using the latest WordPress version are likely to be exploited through:
    • Weak passwords / stolen credentials
    • Vulnerable third-party modules used in WordPress
    • Security holes in the underlying server infrastructure, such as in the database server or the server side scripting engine (PHP in this case)..."

    Last edited by AplusWebMaster; 2012-03-14 at 16:05.
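    The Websense write-up quoted above describes the injection as a very short block placed just before </body> that starts a redirection chain to an off-site host (".rr.nu" in their example). Below is an added example, not code from Websense, WordPress or any of the quoted sources, of how a site operator could sweep a directory of saved pages for that pattern: it looks only at <script> elements within a short window before the last </body>, extracts any absolute or protocol-relative URL from the src attribute or the inline script body, and flags hosts that are neither the site's own nor allow-listed. The sample pages, the site host name example.com and the redirector host assumed-redirector.rr.nu are constructed for this example; only the ".rr.nu" suffix comes from the post.

```python
"""
Tail-of-page script injection sweep (added example; not the Websense code).
Assumed: pages are already fetched to disk; site_host is the site's own host name.
"""
import re
from urllib.parse import urlparse

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.I | re.S)
BODY_END_RE = re.compile(r"</body\s*>", re.I)
# absolute or protocol-relative URLs, whether in a src= attribute or inside inline JS
URL_RE = re.compile(r"(?:https?:)?//[^\s\"'<>()]+", re.I)


def _offsite_hosts(text, site_host, allow_hosts):
    """Hosts referenced in `text` that are neither the site itself nor allow-listed."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if not host or host == site_host or host.endswith("." + site_host):
            continue
        if host in allow_hosts:
            continue
        hosts.add(host)
    return hosts


def find_tail_injections(html, site_host, allow_hosts=frozenset(), tail_chars=600):
    """Return one record per <script> that sits within `tail_chars` of the final
    </body> and references an off-site host. Records: {"offset", "hosts", "snippet"}.
    Scripts earlier in the page are deliberately ignored: the pattern being hunted
    is an append just before </body>, and limiting the window keeps the noise down."""
    site_host = site_host.lower()
    ends = list(BODY_END_RE.finditer(html))
    if not ends:
        return []
    body_end = ends[-1].start()
    tail_start = max(0, body_end - tail_chars)
    tail = html[tail_start:body_end]
    hits = []
    for m in SCRIPT_RE.finditer(tail):
        hosts = _offsite_hosts(m.group(0), site_host, allow_hosts)
        if hosts:
            hits.append({
                "offset": tail_start + m.start(),
                "hosts": hosts,
                "snippet": m.group(0)[:120],
            })
    return hits


def summarize(pages, site_host, allow_hosts=frozenset()):
    """Map each off-site host seen in tail injections to the sorted list of pages
    that reference it, so one redirector shared by many pages stands out."""
    by_host = {}
    for name, html in pages.items():
        for hit in find_tail_injections(html, site_host, allow_hosts):
            for host in hit["hosts"]:
                by_host.setdefault(host, []).append(name)
    return {h: sorted(n) for h, n in by_host.items()}


# Constructed sample pages (not captured from a real compromised site).
CLEAN_PAGE = (
    "<html><body><p>Hello</p>\n"
    "<script src='/wp-includes/js/jquery.js'></script>\n"
    "</body></html>"
)
INJECTED_SRC_PAGE = (
    "<html><body><p>Post</p>\n"
    "<script type='text/javascript' src='http://assumed-redirector.rr.nu/x.php'></script>"
    "</body></html>"
)
INJECTED_INLINE_PAGE = (
    "<html><body><p>Another post</p>\n"
    "<script>document.write('<iframe src=\"//assumed-redirector.rr.nu/y\" "
    "width=1 height=1></iframe>');</script></body></html>"
)
SAMPLE_SITE = {
    "index.html": CLEAN_PAGE,
    "post1.html": INJECTED_SRC_PAGE,
    "post2.html": INJECTED_INLINE_PAGE,
}

if __name__ == "__main__":
    for host, names in summarize(SAMPLE_SITE, "example.com").items():
        print(f"{host}: {', '.join(names)}")
```

    Two caveats when running this over a real site: legitimate third-party scripts (analytics, CDN-hosted libraries) often sit just before </body> too, so build allow_hosts from a known-clean copy of the theme rather than from the suspect pages; and a `//` inside an inline JavaScript comment will be read as a protocol-relative URL, so treat a hit as something to look at, not as a verdict. Because the landing domain in the chain keeps changing, grouping by the first-hop host (summarize) is more useful than matching a fixed domain list.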

  6. #6 AplusWebMaster

    FYI...

    Rogue AV tweaked every 12 to 24 hours to avoid detection
    - http://www.gfi.com/blog/vipre%C2%AE-...threat-tactic/
    Mar 13, 2012 - "... the trend that criminals behind bogus AV software are now distributing via spam that has links to sites where users can be further infected with the Blackhole exploit..."
    - http://www.gfi.com/page/117487/gfi-l...-and-consumers
    Mar 09, 2012 - "... Rogue AV programs are continually tweaked in an attempt to avoid detection, with newer variants of these malicious applications propagating every 12 to 24 hours... Trojans once again dominated the list, taking -half- of the top 10 spots..."
    Top 10 Threat Detections for February
    - http://www.gfi.com/content/cmsimages...ions-21084.png


  7. #7 AplusWebMaster

    FYI...

    Flash-based Fake AV - drive-by exploits and SPAM
    - http://www.symantec.com/connect/blog...risk-minimizer
    23 Mar 2012 - "... relatively new fake antivirus application called Windows Risk Minimizer. The -fake- antivirus software was promoted through spam sent from a popular webmail service. This is slightly unusual as normally fake antivirus infections arrive through drive-by exploits. Spam messages promoting the fake antivirus software contained links to compromised domains, which then -redirected- users to the fake antivirus site. We witnessed over 300 compromised domains being used in just a few hours. When opening the fake antivirus site, the user is greeted with a JavaScript alert message, whereby the fake antivirus (referred to here as "Windows Secure Kit 2012") claims that your machine is infected... The page uses Flash making it look more convincing with realistic icons, progress bars, and dialog boxes. Unsurprisingly, the fake antivirus detects plenty of viruses. Decompressing the Flash file and analyzing it shows a huge list of files contained within it. The Flash movie then simply picks some of these at random and claims they are infected (with equally random virus names). Once the scan is complete, a Windows Security Alert dialog appears with a summary of the scan. This dialog can be moved around the screen and (for reasons unknown) the different infections can be selected and unselected... To avoid getting infected with fake antivirus software, ensure you keep your operating system, Web browser, and antivirus software up-to-date with all security patches..."
    (Screenshots available at the URL above.)


  8. #8 AplusWebMaster

    FYI...

    New Fake AV scareware attempts to extort Torrent users
    - http://www.theregister.co.uk/2012/04...nware_hyrbrid/
    13 April 2012 - "Security researchers have discovered a strain of fake anti-virus software that tries to intimidate supposed file-sharers* into paying for worthless software. SFX Fake AV, first detected by freebie antivirus scanner firm Malwarebytes, blends the features of scareware with those more associated with ransomware Trojans. The malware stops any legitimate anti-virus package from running on compromised PCs, something common to other scareware packages. But this particular strain of malware goes further than this by stopping Process Explorer (procexp.exe) and preventing browsers from loading – tactics designed to force marks to complete the ‘input credit card details’ screen and hand over money for the scamware... the malware also performs a fake scan that classifies Windows Registry Editor as a porn tool. Bruce Harrison, VP Research at Malwarebytes, said: "SFX Fake AV is morphing at a relatively fast rate, so it is something that signature-based vendors will have to watch out for as there will be an increasing number of variants in the wild. Also, the use of Dropbox as a delivery mechanism is something that the industry is going to have to take into account and protect against, as it is an emerging trend."
    * http://regmedia.co.uk/2012/04/12/tor..._scareware.jpg


  9. #9 AplusWebMaster

    FYI...

    Ransomware police trojan - now targets USA and Canada ...
    - http://blog.trendmicro.com/police-tr...sa-and-canada/
    May 9, 2012 - "The Police Trojan* has been targeting European users for about a year... the latest incarnations of this obnoxious malware have started targeting the United States and Canada. In the latest batch of C&C servers we have analyzed, not only has the list of countries increased but also their targets are now more specific. For instance, UKash vouchers are not available in the U.S., thus the U.S. fake police notification that -spoofs- the Computer Crime & Intellectual Property Section of the U.S. Department of Justice, only mentions PaySafeCard as the accepted payment method. The criminals also took the time to add plenty of logos of local supermarkets and chain stores where the cash vouchers are available...
    > http://blog.trendmicro.com/wp-conten...screenshot.jpg
    ... the same Eastern European criminal gangs who were behind the fake antivirus boom are now turning to the Police Trojan strategy. We believe this is a malware landscape change and not a single gang attacking in a novel way. We also found C&C consoles that suggest a high level of development and possible reselling of the server back-end software used to manage these attacks..."
    * http://blog.trendmicro.com/trojan-on...police-trojan/
    "... plagued by so called Police Trojans that lock their computer completely until they pay a fine of 100 euros..."


  10. #10 AplusWebMaster

    FYI...

    More extortion thru Ransomware
    - http://www.ic3.gov/media/2012/120530.aspx
    May 30, 2012 - "... new Citadel malware platform used to deliver ransomware, named Reveton*. The ransomware lures the victim to a drive-by download website, at which time the ransomware is installed on the user's computer. Once installed, the computer freezes and a screen is displayed warning the user they have violated United States Federal Law. The message further declares the user's IP address was identified by the Computer Crime & Intellectual Property Section as visiting child pornography and other illegal content. To unlock their computer the user is instructed to pay a $100 fine to the US Department of Justice, using prepaid money card services. The geographic location of the user's IP address determines what payment services are offered. In addition to the ransomware, the Citadel malware continues to operate on the compromised computer and can be used to commit online banking and credit card fraud. Below is a screenshot of the warning:
    > http://www.ic3.gov/images/120530.png
    ... This is an attempt to extort money with the additional possibility of the victim’s computer being used to participate in online bank fraud. If you have received this or something similar do -not- follow payment instructions..."

    Reveton removal instructions:
    * https://www.f-secure.com/v-descs/tro..._reveton.shtml

