Rogue AV/AS prolific

[AplusWebMaster]

FYI...

Google finds a million scareware infections...
- http://krebsonsecurity.com/2011/07/g...o-be-infected/
July 19, 2011 - "Google today began warning more than a million Internet users that their computers are infected with a malicious program that hijacks search results and tries to scare users into purchasing fake antivirus software... the malware apparently arrives on victim desktops as fake antivirus or “scareware” programs that use misleading warnings about security threats to trick people into purchasing worthless security software... The malware intercepts traffic destined for high profile domains like google.com, yahoo.com and bing.com, and routes it through intermediate hosts or “proxies” controlled by the attackers. The proxies are used to modify the search results that a victim sees for any given search term, and to redirect traffic to pay-per-click schemes that pay for traffic to specific Web sites. Fortunately, the traffic generated by the malware has a unique “signature” that Google is able to use to alert victims. Google is placing a prominent notification* at the top of victims’ Google search results; it includes links to resources to help remove the infection... the hard work will be in the cleanup: Search hijackers are notorious for blocking users from visiting antivirus Web sites or other popular sources of malware removal tools."
* http://krebsonsecurity.com/wp-conten...07/googhij.png
___

- http://googleonlinesecurity.blogspot...ople-from.html
Updated July 20, 2011

[AplusWebMaster]

FYI...

Fake video codecs - with scareware
- http://threatpost.com/en_us/blogs/ge...areware-072511
July 25, 2011 - "... Most scareware programs rely on Web-based pop-ups that appear when a victim visits a site that has been compromised. The user sees a dialog box that typically looks a lot like the Windows security center interface informing him that his machine is full of scary sounding malware... The goal, of course, is to get the unwitting victim to click on the dialog box and install whatever rogue AV tool they're pushing and then get him to pony up for the license fee. Now, researchers at GFI Labs* have come across a new breed of rogue AV that takes a less direct route to the victim's wallet. This attack, which is related to the FakeVimes family of scareware that Google recently began warning users about, installs some files on users' machines, but doesn't immediately start demanding payment in return for fictitious security services. Instead, it waits for a victim to try to play a Web video..."
* http://sunbeltblog.blogspot.com/2011...s-up-home.html
"... a sample of some of the files found on the infected machine:
c:\Documents and Settings\All Users\Application Data\7f0924\VD7f0_2326.exe
c:\Documents and Settings\All Users\Application Data\ip\e.exe
c:\Documents and Settings\All Users\Application Data\ip\FRed32.dll
c:\Documents and Settings\All Users\Application Data\ip\instr.ini
c:\Documents and Settings\All Users\Application Data\ip\SmartGeare.exe
c:\Documents and Settings\All Users\Application Data\ip\spoof.avi
c:\WINDOWS\system32\c_726535.nls ..."

[AplusWebMaster]

FYI...

Rogue activity spikes ...
- https://blogs.technet.com/b/mmpc/arc...edirected=true
29 Jan 2012 - "... Lately, we have seen a resurgence in rogue activity (one particularly obnoxious threat going by the name Security Defender – aka Win32/Defmid – has been making the rounds of late); rogue security programs attempt to trick users into paying for -fake- antivirus software... Think twice before handing over your credit card details to a third party you cannot verify – like one displaying pop-ups, or on the end of an unsolicited phone call."
(Screenshots available at the URL above.)

[AplusWebMaster]

FYI...

Rogue rash ...
- https://blogs.technet.com/b/mmpc/arc...edirected=true
1 Mar 2012 - "Rogue:Win32/FakePAV reappeared about two weeks ago after a brief hiatus and since then we’ve been seeing variants with new names for themselves just about every day. The latest versions call themselves names like “Windows Threats Destroyer”, “Windows Firewall Constructor”, "Windows Attacks Preventor" and “Windows Basic Antivirus”... Each sample of FakePAV is distributed as a self-extracting RAR archive, which contains a second self-extracting RAR archive. This second, “inner” archive contains the rogue executable itself, but it is password-protected; simply trying to extract it without knowing the password doesn’t work... In the last few days they’ve started obfuscating these scripts, probably to make it harder for anti-malware scanners to detect them. Because RAR self-extractor scripts are stored as part of the archive comment, essentially anything that the self-extractor doesn’t recognize as an instruction is ignored, meaning pretty much any text can be added without changing the functionality... These kind of tactics are aimed at making it difficult for anti-malware scanners to look inside the malware’s distribution package, and they highlight the need for real-time malware protection. For the malware to work, the malicious executable has to be written to disk at which point real-time protection can not only detect it but stop it from being executed..."
(Screenshots available at the URL above.)

[AplusWebMaster]

FYI...

Mass injection wave of WordPress sites - Rogue AV ...
- http://community.websense.com/blogs/...ess-sites.aspx
5 Mar 2012 - "... Websense... has detected a new wave of mass-injections... The majority of targets are Web sites hosted by the WordPress content management system. At the time of writing, more than 200,000 Web pages have been compromised, amounting to close to 30,000 unique Web sites (hosts). The injection hijacks visitors to the compromised sites and redirects them to rogue AV sites that attempt to trick them into downloading and installing a Trojan onto their computer. The injected code is very short and is placed at the bottom of the page, just before </body> tag... After a three-level -redirection- chain, victims land on a fake AV site. In this example, the first chain is the ".rr.nu", and the landing site is the ".de.lv" top-level domain, but the landing site keeps changing. The rogue AV site appears to perform a scan on the computer and scares the user by displaying fake malware detections of various kinds of Trojans. The page looks like a Windows Explorer window with a "Windows Security Alert" dialogue box in it. The fake scanning process looks like a normal Windows application, however, it is only a pop-up window within the browser. The fake antivirus then prompts visitors to download and run their "antivirus tool" to remove the supposedly found Trojans. The executable is itself the Trojan... more than 85% of the compromised sites are in the United States, while visitors to these web sites are more geographically dispersed*... while the attack is specific to the US, everyone is at risk when visiting these compromised pages..."
* http://community.websense.com/cfs-fi...5F00_GeoIP.png

> http://community.websense.com/cfs-fi...82.FakeAV3.png
___

- http://community.websense.com/blogs/...protected.aspx
13 Mar 2012 - "... We checked several aspects of each of these compromised websites and concluded that most of them are served by Apache webserver and PHP environment*...
* http://community.websense.com/cfs-fi...ribution1s.png
... WordPress still serves the majority of the compromised websites; however, we did see a small amount of other CMS as well. We also noticed that an increasing number of Joomla sites** are also affected, with all other content managers making up a tinier slice...
** http://community.websense.com/cfs-fi...ribution2s.png
... having the latest version of WordPress does not make you immune to this threat...
> http://community.websense.com/cfs-fi...ribution3s.png
... some of the dominant attack vectors that websites using the latest WordPress version are likely to be exploited through:
• Weak passwords / stolen credentials
• Vulnerable third-party modules used in WordPress
• Security holes in the underlying server infrastructure, such as in the database server or the server side scripting engine (PHP in this case)..."

[AplusWebMaster]

FYI...

Rogue AV tweaked every 12 to 24 hours to avoid detection
- http://www.gfi.com/blog/vipre%C2%AE-...threat-tactic/
Mar 13, 2012 - "... the trend that criminals behind bogus AV software are now distributing via spam that has links to sites where users can be further infected with the Blackhole exploit..."
- http://www.gfi.com/page/117487/gfi-l...-and-consumers
Mar 09, 2012 - "... Rogue AV programs are continually tweaked in an attempt to avoid detection, with newer variants of these malicious applications propagating every 12 to 24 hours... Trojans once again dominated the list, taking -half- of the top 10 spots..."
Top 10 Threat Detections for February
- http://www.gfi.com/content/cmsimages...ions-21084.png