
Thread: Rogue AV/AS prolific

#61 AplusWebMaster (Adviser Team; joined Oct 2005; USA; 6,881 posts)

    Fake AV on 11,000 domains...

    FYI...

    Fake AV on 11,000 domains...
    - http://googleonlinesecurity.blogspot...nti-virus.html
    April 14, 2010 - "... One increasingly prevalent threat is the spread of Fake Anti-Virus (Fake AV) products. This malicious software takes advantage of users’ fear that their computer is vulnerable, as well as their desire to take the proper corrective action... We conducted an in-depth analysis of the prevalence of Fake AV over the course of the last 13 months... Our analysis of 240 million web pages over the 13 months of our study uncovered over 11,000 domains involved in Fake AV distribution — or, roughly 15% of the malware domains we detected on the web during that period. Also, over the last year, the lifespan of domains distributing Fake AV attacks has decreased significantly..."

    - http://www.newsfactor.com/story.xhtm...d=13000CYP5QJY
    April 28, 2010 - "... fake antivirus scans that plant malware are on the rise. Over 13 months, more than 11,000 domains were involved in fake scans, Google says. Advertising is being used to trick users into fake scans, and Google promised to blacklist any company linked to malware. Rapid adaptation is also making it more difficult to detect malware..."
    Last edited by AplusWebMaster; 2010-04-29 at 05:51.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...

#62 AplusWebMaster

    Scareware gang busted...

    FYI...

    Scareware gang busted...
    - http://www.darkreading.com/shared/pr...leID=225200545
    May 28, 2010 CHICAGO - "An international cybercrime scheme caused Internet users in more than 60 countries to purchase more than one million bogus software products, causing victims to lose more than $100 million, according to a federal indictment returned here against a Cincinnati area man and two other men believed to be living abroad... fake advertisements placed on various legitimate companies' websites, deceived Internet users into falsely believing that their computers were infected with "malware" or had other critical errors to induce them to purchase "scareware" software products that had limited or no ability to remedy the purported, but nonexistent, defects... Two defendants, Bjorn Daniel Sundin, and Shaileshkumar P. Jain, with others owned and operated Innovative Marketing, Inc. (IM), a company registered in Belize that purported to sell anti-virus and computer performance/repair software through the internet and that operated a subsidiary called Innovative Marketing Ukraine, located in Kiev. The company appeared to close down last year after the U.S. Federal Trade Commission filed a federal lawsuit in Maryland seeking to end the allegedly fraudulent practices... Individuals who believe they are victims and want to receive information about the criminal prosecution may call a toll-free hotline, 866-364-2621, ext. 1, for periodic updates... Each count of wire fraud carries a maximum penalty of 20 years in prison and a $250,000 fine and restitution is mandatory. The Court may also impose a fine totaling twice the loss to any victim or twice the gain to the defendant, whichever is greater..."

    - http://chicago.fbi.gov/dojpressrel/p...0/cg052710.htm
    May 27, 2010

    Last edited by AplusWebMaster; 2010-05-29 at 18:20.

#63 AplusWebMaster

    Exploits, malware, and scareware courtesy of AS6851, BKCNET, Sagade Ltd.

    FYI...

    Exploits, malware, and scareware courtesy of AS6851, BKCNET, Sagade Ltd.
    - http://ddanchev.blogspot.com/2010/07...-courtesy.html
    July 14, 2010 - "Never trust an AS whose abuse-mailbox is using a Gmail account (piotrek89@gmail.com), and in particular one that you've come across during several malware campaigns over the past couple of months. It's AS6851, BKCNET "SIA" IZZI* I'm referring to, also known as Sagade Ltd... It's the Koobface gang connection in the face of urodinam .net, which is also hosted within AS6851, currently responding to 91.188.59.10... Currently active exploits/malware/scareware serving domain portfolios within AS6851: Parked at/responding to 85.234.190.15... Parked at/responding to 85.234.190.4... Parked at/responding to 91.188.60.225... Parked at/responding to 91.188.60.3... Parked at/responding to 91.188.59.74... Parked at/responding to 85.234.190.16... Detection rates for the currently active malware samples, including the HOSTS file modifications on infected hosts, for the purpose of redirecting users to cybercrime-friendly search engines, monetized through traffic trading affiliate programs:
    - 78490.jar - Result: 0/42 (0%)
    - ad3.exe - Result: 41/42 (97.62%)
    - a-fast.exe - Result: 36/42 (85.72%)
    - dm.exe - Result: 37/42 (88.1%)
    - iv.exe - Result: 8/42 (19.05%)
    - j2_t895.jar - Result: 0/42 (0%)
    - movie.exe - Result: 40/42 (95.24%)
    - tst.exe - Result: 35/42 (83.34%)
    - wsc .exe - Result: 37/42 (88.1%) - HOSTS file modification ...
    - rc.exe - Result: 41/42 (97.62%) - HOSTS file modification ...
    - installer.0028.exe - Result: 9/42 (21.43%) - HOSTS file modification ...
    - installer.0022.exe - Result: 9/42 (21.43%) - HOSTS file modification ..."
    (More detail and links at the ddanchev blog URL above.)

    * http://cidr-report.org/cgi-bin/as-report?as=AS6851

    - http://google.com/safebrowsing/diagnostic?site=AS:6851
    "Of the 1035 site(s) we tested on this network over the past 90 days, 33 site(s)... served content that resulted in malicious software being downloaded and installed without user consent... last time Google tested a site on this network was on 2010-07-15, and the last time suspicious content was found was on 2010-07-15.
    Over the past 90 days, we found 50 site(s) on this network... that appeared to function as intermediaries for the infection of 2661 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 550 site(s)... that infected 16759 other site(s)..."

    Last edited by AplusWebMaster; 2010-07-15 at 16:20.
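The blog post quoted in #63 notes that several of the AS6851 samples rewrite the HOSTS file so that search-engine traffic lands on the gang's own "search engines". Rogue-AV installers do two things to that file: pin search-engine names to an attacker address, and pin security vendors' update or online-scanner sites to loopback so the real AV cannot update. The script below is an added example, not code from the ddanchev blog or from this forum, that audits a hosts file for both edits. The sample file, the watched-domain list, and the decision to treat the whole 85.234.190.0/24, 91.188.59.0/24 and 91.188.60.0/24 blocks (the /24s around the addresses the post lists) as suspicious are assumptions made for the example, not data taken from the page.

```python
import ipaddress

# Constructed sample hosts file (not taken from an infected machine). The
# first three lines are what a clean Windows hosts file contains; the rest
# mimic the two edits rogue-AV installers make: search engines pointed at an
# attacker address, and security vendors' sites pinned to loopback so updates
# and online scanners fail. The addresses are in the 85.234.190.x and
# 91.188.59.x ranges named above; the host names are chosen for illustration.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
91.188.59.74    www.google.com google.com   # rogue search-engine redirect
85.234.190.16   search.yahoo.com
127.0.0.1       update.symantec.com
0.0.0.0         www.virustotal.com
"""

# Names that should never be overridden in a hosts file. Assumed list for the
# example; build it from the search engines and vendors your fleet relies on.
WATCHED_SUFFIXES = ("google.com", "yahoo.com", "bing.com",
                    "symantec.com", "virustotal.com", "microsoft.com")

# Netblocks containing the addresses the blog post lists. Treating the whole
# /24s as bad is an assumption made for this example, not a claim of the post.
BAD_NETS = [ipaddress.ip_network(n) for n in
            ("85.234.190.0/24", "91.188.59.0/24", "91.188.60.0/24")]

# Mappings every hosts file legitimately carries.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}


def parse_hosts(text):
    """Yield (line_no, ip_address, hostname) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not body:
            continue
        fields = body.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # not an address: skip the line
        for name in fields[1:]:
            yield line_no, addr, name.lower()


def is_watched(name):
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Return [(line_no, hostname, ip, verdict)] for every suspicious mapping."""
    findings = []
    for line_no, addr, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if addr.is_loopback or addr.is_unspecified:
            # 127.0.0.1 / 0.0.0.0 for a vendor site is the "kill AV updates" edit.
            if is_watched(name):
                findings.append((line_no, name, str(addr),
                                 "security/search site sinkholed"))
            continue
        # Anything else overrides DNS for that name: a redirect, whoever owns the IP.
        if any(addr in net for net in BAD_NETS):
            verdict = "redirected to known rogue-AV netblock"
        elif addr.is_private:
            verdict = "redirected to private address (verify against local policy)"
        else:
            verdict = "redirected to public address"
        findings.append((line_no, name, str(addr), verdict))
    return findings


if __name__ == "__main__":
    # On a live Windows box read %SystemRoot%\System32\drivers\etc\hosts instead.
    for line_no, name, ip, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}: {verdict}")
```

Any non-loopback mapping is reported, not only those in the listed netblocks, because the attacker IPs rotate far faster than the technique does; the netblock match only raises the severity. Run it against a hosts file read from disk in place of SAMPLE_HOSTS.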

#64 AplusWebMaster

    Fake Firefox update leads to scareware...

    FYI...

    Fake Firefox update leads to scareware...
    - http://www.theregister.co.uk/2010/07...careware_ruse/
    30 July 2010 - "... Prospective marks are normally lured to these sites through search engine manipulation, which ensures rogue sites appear prominently in lists of search results for newsworthy terms... write-up of the scareware slinging ruse in a blog post here*..."

    * http://www.f-secure.com/weblog/archives/00001997.html
    "... rogue peddlers have gotten tired of their old tricks in pushing rogueware into the user's system. It used to be a fake scanning page, that leads to a warning, then a fake AV. Now, it comes as the Firefox "Just Updated" page... the user doesn't need to click anything, the download dialog box immediately appears as soon as the page loads... When the user runs the file... Bad old rogue AV..."

    (Screenshots available at the F-secure URL above.)


#65 AplusWebMaster

    Rogue AV - social engineering...

    FYI...

    Rogue AV - social engineering...
    - http://www.symantec.com/connect/blog...al-engineering
    Sep 17, 2010 - "The success and penetration of fraudulent security software depends on its ability to scare the user into buying a fake security product. Over the years we have seen that many social engineering techniques have evolved in attempts to achieve this... This technique is employed by a recently found, in-the-wild sample of fake security software that misleads users by claiming to be a legitimate “Microsoft Security Essential.” The real social engineering is not found in the name, but in how it works (step by step) to trick users into buying this unknown security product... rather than showing many fake detection results, as is usually the case with rogue antivirus software, it reports just one threat. It will always report the same file (c:\windows\system32\cmd.exe) as “Unknown Win32/Trojan” and will request that the user clicks on “Apply actions.” However, both of the “Apply actions” and “Clean computer” buttons will redirect users to scan the identified threat with online scanners. Then, it shows a fake online scanner window that includes almost all reputable antivirus products, including Symantec, along with five unknown products... we may see the same or some variation of this rogue software being adopted across a few of the other rogueware families..."

    - http://blog.webroot.com/2010/09/16/n...rogues-in-one/
    September 16, 2010

    (Screenshots and more detail at both URLs above.)

    Last edited by AplusWebMaster; 2010-09-20 at 18:54.

#66 AplusWebMaster

    BlackHat SEO campaign used to spread rogue

    FYI...

    BlackHat SEO campaign used to spread rogue...
    - http://blog.urlvoid.com/blackhat-seo...-smart-engine/
    October 9, 2010 - "A new blackhat SEO campaign is distributing the setup installer of the new rogue security software named Smart Engine. The spreading status looks to be pretty aggressive; we have logged more than 2000 infected websites that are used to capture popular keywords and to redirect users to malicious URLs or other fake scanner pages, with the intent to install the rogue software installer. When a user clicks on an infected URL, there is a redirection... "


#67 AplusWebMaster

    More rogue security scams ...

    FYI...

    More rogue security scams...
    - http://www.theinquirer.net/inquirer/...efraggers-scam
    Dec 15 2010 - "... usually rogue security software does its best to pretend to be anti-spyware or anti-virus products. In the last two months, however, it has become clear that the rogue malware writers are turning to fake optimisation software instead. Earlier in December we had PCoptomizer, PCprotection Center and Privacy Corrector which were intended to look like some kind of generic security product. Lately it has been "defragger" clones that claim to be disk utilities: UltraDefragger, ScanDisk and WinHDD. These pretended to find "HDD read/write errors". Disk defragmentation once was considered a good way of speeding up a computer, but it has become less of a problem as PCs got faster, hard drives much larger and newer versions of Windows had better file handling capabilities. But some users have become aware of the defrag utility and think they need it often, which is why the rogues impersonate defrag utilities. The cyber criminals who are sending out the software are changing the name of the software every few days to evade antivirus scanners. The report said that Internet users should be suspicious of any application that is advertised by spam, pops up dire warnings that your machine is affected by numerous problems, tells you that you need to update your browser, or demands that you make a purchase before it will clean or fix problems in your machine."

    Fake disk defraggers
    - http://news.cnet.com/8301-27080_3-20025692-245.html
    December 14, 2010 - "... FakeAV-Defrag rogues... had names like HDDDiagnostic, HDDRepair, HDDRescue, and HDDPlus*..."
    * http://forums.spybot.info/showpost.p...75&postcount=9

    Last edited by AplusWebMaster; 2010-12-16 at 06:08.

#68 AplusWebMaster

    Malware in the cloud ...

    FYI...

    Criminals host trojans on Cloud Storage Service Rapidshare
    - http://www.eweek.com/c/a/Security/Cr...dshare-339725/
    2010-12-30 - "Spammers are using cloud-based storage services to store malware, allowing them to circumvent e-mail spam filters, according to security experts at Kaspersky Lab and MX Lab. Kaspersky Lab detected the click-fraud Trojan, a variant of the Trojan-Dropper.Win32.Drooptroop family, which has been in circulation since the beginning of December, said Vicente Diaz, a Kaspersky Lab expert. There are over 7,000 variants of this particular family, according to Kaspersky. As with other types of malware that took advantage of the holiday season, the executable file for this Trojan was named gift.exe, Diaz said. The security firm detected more than 1,000 infections using this technique to distribute this variant, according to Diaz. The Trojan is stored on Rapidshare, a cloud-based file-sharing and storage service. The spam messages that users receive in their Inbox have no text, just a single link pointing to a valid Rapidshare URL. These messages get past spam filters because there are no malicious files attached, the domain name is not considered a “bad” one, and executables hosted on Rapidshare aren’t automatically classified as a threat, said Diaz. There was also a recent fake antivirus spam campaign that included a Rapidshare link pointing to surprise.exe, according to security firm MX Lab. The executable file downloads and installs the fake AV Security Shield on the user’s computer, which runs after the computer is rebooted. Once downloaded, there’s no guarantee that authentic antivirus products will detect these Trojans. According to MX Lab, only 16 of the 43 major antivirus products detected surprise.exe as a Trojan or as fake AV..."

    - http://www.securelist.com/en/blog/11...e_in_the_cloud

    - http://blog.mxlab.eu/2010/12/14/malw...-surprise-exe/

    The year of the cloud ...
    - http://www.infoworld.com/d/cloud-com...-the-cloud-888
    December 30, 2010

    Last edited by AplusWebMaster; 2010-12-31 at 13:46.
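The eWeek piece quoted in #68 spells out why the Rapidshare mails slipped through: no attachment for the gateway AV to scan, a sender domain and link domain with no bad reputation, and a body that is nothing but one link. Each of those is invisible to a filter that keys on a single signal, but the combination is distinctive. The classifier below is an added example, not code from Kaspersky, MX Lab or this forum; it parses a raw message, computes the four signals, and flags a message only when all of them line up. The two sample messages are constructed (addresses and numeric file ids made up; the filename in the first one mirrors the gift.exe the article cites), and the file-host list, which the article only populates with Rapidshare, is an assumption to extend for your own environment.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# File-hosting services whose links deserve a second look. The article names
# only Rapidshare; the set is an assumption to extend for your environment.
FILE_HOSTS = {"rapidshare.com"}
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".jar")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")

# Constructed sample messages, not real captures. Addresses and the numeric
# file ids are made up; the filename in the first one mirrors the article's.
SPAM_MSG = """\
From: greetings@example.net
To: victim@example.org
Subject: your gift
Content-Type: text/plain; charset=us-ascii

http://rapidshare.com/files/123456789/gift.exe
"""

LEGIT_MSG = """\
From: colleague@example.org
To: victim@example.org
Subject: slides from yesterday
Content-Type: text/plain; charset=us-ascii

Hi, here are the slides we talked about, plus the agenda for Friday.
http://rapidshare.com/files/987654321/agenda.pdf
Let me know if the link does not work for you.
"""


def host_of(url):
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify_message(raw):
    """Score one RFC 822 message for the link-only file-host executable lure.

    Returns the individual signals plus an overall 'suspicious' verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    has_attachment = any(part.get_content_disposition() == "attachment"
                         for part in msg.walk())
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        text = TAG_RE.sub(" ", text)               # crude tag strip is enough here
    urls = URL_RE.findall(text)
    prose = URL_RE.sub(" ", text)
    words = re.findall(r"[A-Za-z]{2,}", prose)     # anything resembling sentences
    hosted = [u for u in urls if host_of(u) in FILE_HOSTS]
    executable = [u for u in hosted
                  if urlparse(u).path.lower().endswith(EXECUTABLE_EXTS)]
    signals = {
        "no_attachment": not has_attachment,      # nothing for the AV gateway to scan
        "link_only_body": bool(urls) and not words,
        "file_host_link": bool(hosted),
        "executable_target": bool(executable),
    }
    # The evasion described above is exactly all four signals at once; the
    # legitimate "here's a PDF on Rapidshare" mail trips two of them at most.
    return {**signals, "suspicious": all(signals.values()), "urls": urls}


if __name__ == "__main__":
    for label, raw in (("spam", SPAM_MSG), ("legit", LEGIT_MSG)):
        print(label, classify_message(raw))
```

Requiring all four signals keeps the false-positive rate low on a corporate mail stream, where colleagues do send bare links; the legitimate sample above has a file-host link and no attachment but fails on the other two. A filter that wants to catch the surprise.exe variant only needs the same rule, since the target filename changes while the shape of the mail does not.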

#69 AplusWebMaster

    More Rogue software ...

    FYI...

    New Rogue Software: Easy Scan
    - http://blog.urlvoid.com/?p=648
    January 1, 2011 - "Easy Scan is another rogue security software that is installed by TDSS variants* and that aims to scan the hard drive to find errors; instead it shows false errors..."
    * http://blog.urlvoid.com/new-tdss-var...y-of-software/
    "... installed plenty of software and backdoors in the infected system. Other than installing rogue security software, this time named Antivirus Scan, it has installed also other software like FLVTube Player, Sweetim Pack, Vista Cookies Collector, OfferBox, DataMngr, SweetIE, SweetIM, Fun4IM..."

    New Rogue Software: HDD Doctor
    - http://blog.urlvoid.com/?p=630
    December 26, 2010 - "HDD Doctor is another rogue security software that aims to scan the hard drive to find errors; instead it shows false errors..."


#70 AplusWebMaster

    Rogue variant number stable, new “utility” look appears

    FYI...

    Rogue variant number stable, new “utility” look appears
    - http://sunbeltblog.blogspot.com/2011...-variants.html
    January 05, 2011 - "GFI Labs documented 167 rogue security products in 2010 – exactly the same number as 2009... the number of rogue security products appearing annually has been stable for the last three years. After increasing from 26 in 2005 to 162 in 2008, we’ve seen about the same number of variants each year since: 167 in both 2009 and 2010... Late in 2010 Researchers at GFI Labs noticed that at least one group of rogue writers had started a new deceptive tactic: creating graphic interfaces that impersonated utility software - such as hard drive defragmentation applications - instead of anti-virus products...
    FakeAV-Defrag family history:
    11/15/2010 Ultra Defragger
    11/16/2010 ScanDisk-Defragger
    11/30/2010 WinHDD
    12/9/2010 HDDPlus
    12/12/2010 HDDRescue
    12/12/2010 HDDRepair
    12/13/2010 HDDDiagnostic ...
    Rogue distributors usually create their malicious software and server infrastructure then clone their malcode often in order to escape detection by legitimate anti-virus products. They count on making money in the days (or hours) that the new rogue clones go undetected..."
    (Charts available at the Sunbelt blog URL above.)

