
Thread: Rogue AV/AS prolific

  1. #71
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    4,822

    Rogue AVG AV on the Web...

    FYI...

    Rogue AVG AV on the Web...
    - http://www.f-secure.com/weblog/archives/00002090.html
    January 31, 2011 - "... A rogue* was recently discovered to be using AVG's logo and reputable name, hoping to mislead and trick people into purchasing the fake AV... Aside from AVG's logo, the rogue's interface bears no resemblance to that of the legit AVG Anti-Virus Free Edition 2011... However, users who aren't familiar with the product might not notice this difference and think that they are getting the real thing. One bit of advice — watch out for the source. Most antivirus companies provide free/trial versions of their products directly on their websites... skip the untrustworthy channel and get it directly from the AV vendors." **
    (Screenshots of the rogue available at the URL above, and the blogs.technet URL below.)

    * http://www.f-secure.com/v-descs/rogu...ispyware.shtml

    ** [In this case, AVG Free legit site is: http://free.avg.com/ ]

    > http://blogs.technet.com/b/mmpc/arch...f00_brows.aspx
    31 Jan 2011 6:05 PM

    Last edited by AplusWebMaster; 2011-02-02 at 03:30.
    This machine has no brain.
    ....... Use your own.
    Browser check for updates here.
    .

  2. #72
    Fake Avira rogue ...

    FYI...

    Fake Avira rogue...
    - http://techblog.avira.com/2011/02/21...ertificate/en/
    February 21, 2011 - "... Viewing the properties of the digital signature, Microsoft Windows shows a note “A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider”. Don’t misunderstand that message – it means that this certificate is not created by Avira GmbH and therefore it’s not a stolen certificate. Stuxnet gained a lot of attention by the media because it contained a valid digital signature from “Realtek Semiconductor” which was obviously stolen by the malware authors... The malware itself is nothing new. It’s a member of the well known Zbot/ZeuS malware family which is spammed via Email. The Trojan doesn’t show new behavior of the Zbot/ZeuS authors. Upon execution it is creating a copy of itself and is deleting the original executed file; also it adds a runkey to the Windows registry in order to get started after a reboot. After this the Trojan tries to connect to the C&C Server “**ciq.net” to receive more information about targets to spy upon..."

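The Avira write-up above describes the dropper's behaviour in four steps: copy itself, delete the original file, add a Run key, call the C&C. As an added example (not Avira's code and not something posted in this thread), here is that description turned into a correlation rule over a handful of constructed, Sysmon-style host events. The event tuple layout, the field names, the sample paths and the addresses are assumptions made for the example, not a real log excerpt; `ntpath` is used so the path comparison is Windows-style even when the script is run elsewhere.

```python
"""Flag processes that behave like the Zbot/ZeuS dropper described in the post.

Added example; not Avira's code. Event layout and sample events are
constructed for illustration and are not a real log excerpt.
"""
import ntpath
from collections import defaultdict

# A registry value whose parent key is one of these counts as Run persistence.
RUN_KEY_SUFFIXES = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
)

# Constructed events: (event_type, pid, process_image, target)
#   file_create: target = path written      file_delete: target = path removed
#   reg_set:     target = value path set    net_connect: target = destination
SAMPLE_EVENTS = [
    ("proc_create", 1001, r"C:\Users\bob\Downloads\invoice_0221.exe", ""),
    ("file_create", 1001, r"C:\Users\bob\Downloads\invoice_0221.exe",
     r"C:\Users\bob\AppData\Roaming\Ukqo\ahyt.exe"),
    ("file_delete", 1001, r"C:\Users\bob\Downloads\invoice_0221.exe",
     r"C:\Users\bob\Downloads\invoice_0221.exe"),
    ("reg_set", 1001, r"C:\Users\bob\Downloads\invoice_0221.exe",
     r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ukqo"),
    ("net_connect", 1001, r"C:\Users\bob\Downloads\invoice_0221.exe", "203.0.113.10:80"),
    # A legitimate installer also drops an .exe and adds a Run value, but it
    # never deletes its own image, so it must not be flagged.
    ("proc_create", 1002, r"C:\Users\bob\Downloads\setup.exe", ""),
    ("file_create", 1002, r"C:\Users\bob\Downloads\setup.exe",
     r"C:\Program Files\Vendor\app.exe"),
    ("reg_set", 1002, r"C:\Users\bob\Downloads\setup.exe",
     r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\VendorApp"),
    ("net_connect", 1002, r"C:\Users\bob\Downloads\setup.exe", "198.51.100.7:443"),
]

# All three must be present for a verdict; the C&C callback is recorded but
# not required, since it may be blocked and the dropper has persisted by then.
REQUIRED = {"drops_executable", "deletes_own_image", "run_key_persistence"}


def is_run_key(value_path):
    """True when the value's parent key is a Run or RunOnce key (any hive, any SID)."""
    parent = value_path.rsplit("\\", 1)[0].lower()
    return parent.endswith(RUN_KEY_SUFFIXES)


def correlate(events):
    """Return {pid: indicators} for every process showing all REQUIRED indicators."""
    indicators = defaultdict(set)
    for event_type, pid, image, target in events:
        if event_type == "file_create" and target.lower().endswith(".exe"):
            indicators[pid].add("drops_executable")
        elif event_type == "file_delete" and ntpath.normcase(target) == ntpath.normcase(image):
            # The process removed the very file it was started from.
            indicators[pid].add("deletes_own_image")
        elif event_type == "reg_set" and is_run_key(target):
            indicators[pid].add("run_key_persistence")
        elif event_type == "net_connect":
            indicators[pid].add("outbound_connection")
    return {pid: flags for pid, flags in indicators.items() if REQUIRED <= flags}


if __name__ == "__main__":
    for pid, flags in correlate(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(sorted(flags))}")
```

The self-deletion check is what separates the dropper from the benign installer in the sample: both write an executable and both add a Run value, so either indicator alone would be noisy.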

  3. #73
    Rogue AV different on each browser...

    FYI...

    Rogue AV different on each browser...
    - http://research.zscaler.com/2011/03/...internals.html
    March 2, 2011 - "... new type of Fake AV page that looks different on each browser. And it also uses internal elements of those browsers... The malicious executable InstallInternetDefender_722.exe is detected* by only 9.5% of AV!... The version displayed in Firefox... looks like the security warning Firefox shows for malicious and phishing sites... the Chrome version looks like a legitimate browser warning... For Safari, only the first popup box is tailored to the browser. The main page is the same as Internet Explorer..."
    (Screenshots and more detail available at the URL above.)
    * http://www.virustotal.com/file-scan/...1ce-1299087679
    File name: InstallInternetDefender_722.exe
    Submission date: 2011-03-02 17:41:19 (UTC)
    Result: 4/42 (9.5%)
    There is a more up-to-date report...
    - http://www.virustotal.com/file-scan/...1ce-1299190654
    File name: install_internetdefender.exe
    Submission date: 2011-03-03 22:17:34 (UTC)
    Result: 12/43 (27.9%)

    Last edited by AplusWebMaster; 2011-03-04 at 16:35.
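A page that picks its template from the visiting browser, as the Zscaler item above describes, can be exposed by fetching the same URL as several browsers and comparing what comes back. The script below is an added example (not Zscaler's code and not from this thread): it sniffs the User-Agent the way such a server does, fingerprints each response with scripts, whitespace and long digit runs stripped so session ids do not look like cloaking, and reports which browsers were served the same body. The fetcher interface, the User-Agent strings and the two stand-in servers are assumptions constructed for the example; no network is used, and `probe` accepts any `fetch(url, user_agent) -> body` callable so it can be wired to urllib or requests in practice.

```python
"""Probe one URL with several browser User-Agents and flag browser-dependent cloaking.

Added example; not Zscaler's code. User-Agent strings and the two stand-in
servers are constructed for illustration.
"""
import hashlib
import re

# Constructed User-Agent strings for the four browsers the post mentions.
USER_AGENTS = {
    "ie": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
    "firefox": "Mozilla/5.0 (Windows NT 6.1; rv:3.6.15) Gecko/20110303 Firefox/3.6.15",
    "chrome": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0 Safari/534.24",
    "safari": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_6) AppleWebKit/533.20 (KHTML, like Gecko) Version/5.0.4 Safari/533.20",
}


def browser_family(user_agent):
    """The same sniffing a cloaking server does. Order matters: Chrome's UA also
    contains 'Safari', and every one of them contains 'Mozilla'."""
    if "MSIE" in user_agent or "Trident/" in user_agent:
        return "ie"
    if "Firefox/" in user_agent:
        return "firefox"
    if "Chrome/" in user_agent:
        return "chrome"
    if "Safari/" in user_agent:
        return "safari"
    return "other"


# Strip script blocks, whitespace and long digit runs (session ids, cache
# busters) before hashing, so ordinary per-request noise is not reported.
_NOISE = re.compile(r"<script[^>]*>.*?</script>|\s+|\b\d{6,}\b", re.S)


def fingerprint(html):
    return hashlib.sha256(_NOISE.sub("", html).encode("utf-8")).hexdigest()


def probe(url, fetch, agents=USER_AGENTS):
    """fetch(url, user_agent) -> response body. Returns {family: fingerprint}."""
    return {family: fingerprint(fetch(url, ua)) for family, ua in agents.items()}


def distinct_variants(results):
    """Group browser families by the body they were served, e.g. [['chrome'], ['firefox'], ['ie', 'safari']]."""
    groups = {}
    for family, fp in results.items():
        groups.setdefault(fp, []).append(family)
    return sorted(sorted(v) for v in groups.values())


def is_cloaked(results):
    return len(distinct_variants(results)) > 1


# --- constructed stand-ins for a web server; no network is used ----------------
def rogue_server(url, user_agent):
    """Mimics the post: Firefox and Chrome each get a lookalike of their own
    browser warning, Safari and IE share one generic scan page."""
    family = browser_family(user_agent)
    if family == "firefox":
        return "<html><body class='ff'><h1>Reported Attack Page!</h1></body></html>"
    if family == "chrome":
        return "<html><body class='cr'><h1>Warning: Something's Not Right Here!</h1></body></html>"
    return "<html><body><h1>System Scan</h1><p>47 threats found</p></body></html>"


def benign_server(url, user_agent):
    """Same page for everyone, differing only in a session id and an inline script."""
    sid = int(hashlib.md5(user_agent.encode()).hexdigest()[:8], 16)
    return (f"<html><body><script>var sid='{sid:010d}';</script>"
            f"<p>Welcome</p><a href='/login?sid={sid:010d}'>Log in</a></body></html>")


if __name__ == "__main__":
    for name, server in (("rogue", rogue_server), ("benign", benign_server)):
        res = probe("http://example.invalid/scan", server)
        print(name, "cloaked" if is_cloaked(res) else "consistent", distinct_variants(res))
```

Against a live site, send the probes from the same source address within a short window, since many of these pages also cloak on referrer, geolocation and whether the address has been seen before; a difference that survives all of that is the browser-keyed template the post describes.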

  4. #74
    ChronoPay scareware ...

    FYI...

    ChronoPay scareware...
    - http://krebsonsecurity.com/2011/03/c...eware-diaries/
    March 3, 2011 - "If your Windows PC has been hijacked by fake anti-virus software or “scareware” anytime in the past few years, chances are good that the attack was made possible by ChronoPay, Russia’s largest processor of online payments... ChronoPay also specializes in processing the transactions of so-called “high-risk” industries, including online pharmacies, tobacco sales, porn and software sales. A business is generally classified as high-risk when there is a great potential for credit card chargebacks and a fair chance that it will shut down or vanish without warning... ChronoPay, lists more than 75 pages of credit card transactions that the company processed from Americans who paid anywhere from $50 to $150 to rid their computers of imaginary threats found by scareware from creativity-soft .com... As security firm F-Secure noted* at the time, victims of this scam were informed that an “antipiracy foundation scanner” had found illegal torrents from the victim’s system, and those who refused to pay $400 via a credit card transaction could face jail time and huge fines..."
    * http://www.f-secure.com/weblog/archives/00001931.html

    - http://www.f-secure.com/weblog/archives/00002112.html
    March 4, 2011

    Last edited by AplusWebMaster; 2011-03-04 at 23:55.

  5. #75
    Rogue AV links from tsunami in Japan...

    FYI...

    Rogue AV links from tsunami in Japan...
    - http://isc.sans.edu/diary.html?storyid=10543
    Last Updated: 2011-03-14 08:21:18 UTC - "... people are still surprised how quickly bad guys catch up with events in the real world - this is especially true for the RogueAV/FakeAV groups which constantly poison search engines in order to lure people into installing their malware. We can also see even many AV vendors warning people to be careful when they search for this or that (currently, obviously the search query that generates most attention is related to the disaster in Japan). While it is good to constantly raise awareness and warn people about what’s happening, one important thing to know is that the RogueAV/FakeAV guys poison search engines and modify their scripts automatically. This means that they are constantly on top of current trends and events in the world – whatever happens, their scripts will make sure that they “contain” the latest data/information about it... With the disaster in Japan striking on Friday we saw another RogueAV/FakeAV group heavily poisoning the search engines – even Google which normally removes them quickly still contains hundreds of thousands of such pages. Since this campaign can be easily identified, here is... the current count... 1.7 million pages (!!!). Keep in mind that there are multiple pages listed here with different search terms (they modify search terms through a single parameter), but the number is still staggering. According to Google, in past 24 hours there have been 14,200 such pages added so it’s clear that the bad guys are very active... the RogueAV/FakeAV guys can create very realistic pages that can, unfortunately as we’ve all witnessed, successfully poison search engines."


  6. #76
    Rogue AV - Easter cards...

    FYI...

    Rogue AV - Easter cards...
    - http://sunbeltblog.blogspot.com/2011...-rogue-av.html
    April 19, 2011 - "Looks like we have more shenanigans involving rogue AV products and Easter... Elsewhere there are malicious emails* doing the rounds - the Easter scams are in full swing..."
    * http://www.net-security.org/malware_news.php?id=1698

    (Screenshots available at both URLs above.)


  7. #77
    Google doodle leads to scareware ...

    FYI...

    Google doodle leads to scareware...
    - http://www.h-online.com/security/new...s-1242208.html
    12 May 2011 - "... it is rare for a click on a prominently positioned Google doodle to take you to links for fake virus scans... If a user clicks on the doodle to find out what it means, Google launches a search for the term the doodle refers to... On Wednesday, Google celebrated the 117th birthday of dance icon Martha Graham. Clicking on the doodle displayed a list of preview images of the modern art dancer, some of which were links to a scareware site... At present, a search for Martha Graham on Google still displays those images. Once on the scareware site the user is then offered the SecurityScanner.exe file for download in order to solve the alleged virus problem; the file contains malware. Only 4 of the 42 scanners used by Virustotal flagged the file as being a threat at 11am on Wednesday. A test conducted by The H's associates at heise Security revealed that the scareware managed to infect a Windows 7 system with Microsoft Security Essentials 2 (MSE2) enabled. The malware disabled MSE2 and added itself to the security centre as "Win 7 Home Security 2011" – and labelled itself as disabled. Users are then asked to pay €60 to activate it.
    The infected system could no longer be used in any meaningful way. Warnings constantly popped up whenever any web page was visited regardless of which browser was used. The program does not appear on the list of installed software and therefore cannot be uninstalled easily. In similar cases, scareware could, with a lot of effort, be manually removed, but this software changed so many settings in the system that reinstalling Windows was the safest solution."
    ___

    - http://blog.stopbadware.org/2011/04/...edding-present
    2011.04.29 - "... we have no reason to believe the site’s legitimate owners intended for this URL to exist. Rather, an attacker appears to have exploited a weakness in the site’s security model and inserted a -redirect- for the URL... the payload from this attack can be extremely annoying and costly — it makes the PC all but unusable — this sort of attack is certainly not of the most sophisticated or technically dangerous variety. A user who does -not- download or run the Fake AV executable does not appear to suffer compromise..."
    > http://www.virustotal.com/file-scan/...84b-1304097780
    File name: SecurityScanner.exe
    Submission date: 2011-04-29 17:23:00 (UTC)
    Result: 4/42 (9.5%)
    There is a more up-to-date report ...
    - http://www.virustotal.com/file-scan/...84b-1305388325
    File name: 7978e13ab11b027fb22b6cb4ec16dd3f
    Submission date: 2011-05-14 15:52:05 (UTC)
    Result: 32/43 (74.4%)

    Last edited by AplusWebMaster; 2011-05-22 at 21:14.

  8. #78
    Scareware fakes HD failures ...

    FYI...

    Scareware fakes HD failures...
    - http://www.symantec.com/connect/fr/b...efragger-sales
    16 May 2011 - "... Hard disk failures are a fact of life... Trojan.FakeAV writers are aware of this, and the end of last year saw a move by some into the creation of fake hard disk scanners and defragmentation tools... Trojan.Fakefrag. What sets this apart from standard fake disk cleanup utilities is that the Trojan makes changes on the computer and displays messages that make it appear as though the hard disk is failing. Then it drops a member of the UltraDefragger family called Windows Recovery, which offers to repair these disk errors for a mere $79.50!...
    • It fakes hardware failure messages...
    • It moves all the files in the "All Users" folder to a temporary location and hides files in the "Current User" folder. This makes it look like you have lost all the files on your desktop.
    • It stops you from changing your background image.
    • It disables the Task Manager.
    • It sets both the “HideIcons” and “Superhidden” registry entries to give the impression that more icons have been deleted.
    ... the failure messages look just like something Windows would display..."
    (Screenshots, video, and more detail available at the Symantec URL above.)
    ___

    New scareware - charted
    - http://blogs.mcafee.com/wp-content/u...G_110513_2.jpg
    May 13, 2011

    Last edited by AplusWebMaster; 2011-05-18 at 16:42.
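The Symantec list above is, in effect, a list of per-user registry values the trojan flips. As an added example (not Symantec's code and not from this thread), the script below checks a snapshot of those values against the settings you want while recovering and emits the matching `reg add` / `reg delete` commands. Which concrete value names the post means by "HideIcons" and "Superhidden" is an assumption here: they are taken to be HideIcons and ShowSuperHidden under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, with Hidden alongside them; the Task Manager and wallpaper behaviours are mapped to the DisableTaskMgr and NoChangingWallPaper policy values, which is also an assumption about this family. The wanted values are recovery settings, not Windows defaults (showing hidden and protected files is what makes the "lost" files reappear), and the tampered snapshot is constructed, not a real capture.

```python
"""Check the per-user registry values Trojan.Fakefrag is described as tampering with.

Added example; not Symantec's code. Value-name mapping is an assumption (see
lead-in); the TAMPERED snapshot is constructed for illustration.
"""
import sys

ADV = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SYS_POL = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
DESK_POL = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop"

# (key, value name, value wanted during recovery, symptom when tampered).
# wanted None means the policy value should be absent (or zero).
CHECKS = [
    (ADV, "HideIcons", 0, "desktop icons hidden"),
    (ADV, "Hidden", 1, "hidden files not shown"),
    (ADV, "ShowSuperHidden", 1, "protected operating-system files not shown"),
    (SYS_POL, "DisableTaskMgr", None, "Task Manager disabled"),
    (DESK_POL, "NoChangingWallPaper", None, "wallpaper change blocked"),
]

# Constructed snapshot of an infected profile (assumption, not a real capture).
TAMPERED = {
    (ADV, "HideIcons"): 1,
    (ADV, "Hidden"): 2,
    (ADV, "ShowSuperHidden"): 0,
    (SYS_POL, "DisableTaskMgr"): 1,
    (DESK_POL, "NoChangingWallPaper"): 1,
}


def assess(snapshot):
    """snapshot: {(key, name): int, or None when absent} -> list of findings.

    For the Explorer values an absent entry is reported too, because the
    recovery step simply creates it; for the policy values only a present,
    non-zero entry is a finding."""
    findings = []
    for key, name, wanted, symptom in CHECKS:
        current = snapshot.get((key, name))
        bad = bool(current) if wanted is None else current != wanted
        if bad:
            findings.append({"key": key, "name": name, "current": current,
                             "wanted": wanted, "symptom": symptom})
    return findings


def remediation_commands(findings):
    """reg.exe command lines that put each finding back; run them as the affected user."""
    cmds = []
    for f in findings:
        if f["wanted"] is None:
            cmds.append(f'reg delete "{f["key"]}" /v {f["name"]} /f')
        else:
            cmds.append(f'reg add "{f["key"]}" /v {f["name"]} /t REG_DWORD /d {f["wanted"]} /f')
    return cmds


def read_snapshot():
    """Read the live values for the current user; Windows only."""
    import winreg
    snapshot = {}
    for key, name, _, _ in CHECKS:
        subkey = key.split("\\", 1)[1]
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as handle:
                snapshot[(key, name)] = winreg.QueryValueEx(handle, name)[0]
        except FileNotFoundError:
            snapshot[(key, name)] = None
    return snapshot


if __name__ == "__main__":
    snap = read_snapshot() if sys.platform == "win32" else TAMPERED
    found = assess(snap)
    for f in found:
        print(f'{f["symptom"]}: {f["key"]}\\{f["name"]} = {f["current"]}')
    print("\n".join(remediation_commands(found)) or "nothing to fix")
```

The script only reads and prints; apply the printed commands yourself, then restore the files the trojan hid (`attrib -h` over the affected profile) and move the "All Users" contents back from wherever it parked them, which this check does not cover. Once the files are visible again, Hidden and ShowSuperHidden can be returned to whatever you normally run with.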

  9. #79
    Fake AV bingo - 165 domains of bad

    FYI...

    Fake AV bingo - 165 domains of bad
    - http://isc.sans.org/diary.html?storyid=10894
    Last Updated: 2011-05-19 00:06:54 UTC ...(Version: 2) - "Can you guess which domains the crooks behind the Fake Anti-Virus Scam are going to use next? Well, neither can we. But for several weeks now, they are hosting a lot of their bad stuff out of 91.213.29.66, geo-located in... Russia... all in all 165 domains of badness.
    Several of these domains were "found" by our readers via the poisoned Google image searches* that we reported earlier this month, and also via malicious advertisements embedded in perfectly benign web pages...
    Fake AV has made its appearance on Macs**, where naive automatic download-and-run default settings in browsers still are common, and where "MacDefender" and its expected numerous successors and variants are likely to become as "successful" for the bad guys as their Windows version has been for years..."
    * http://isc.sans.edu/diary.html?storyid=10822
    2011-05-04
    ** http://isc.sans.edu/diary.html?storyid=10813
    2011-05-02


  10. #80
    Mac Fake AV...

    FYI...

    Mac Fake AV...
    - http://news.cnet.com/8301-27080_3-20064394-245.html
    May 19, 2011 - "Macintosh users are being targeted with malware that poses as an antivirus warning and tries to trick people into paying for software they don't need. This ruse isn't new. So-called rogue antivirus has been hitting Windows machines for years. But this is the first time this type of malware has been written to target the much smaller Mac market... Mac Defender, also known as Mac Security and Mac Protector, is a fake antivirus program that is designed to scare people into thinking that their computers are infected with malware..."

    - http://blog.intego.com/2011/05/02/in...ake-antivirus/

    - http://download.cnet.com/8301-2007_4-20064445-12.html
    May 19, 2011 - "... On any platform, rogue antivirus programs are resistant to standard program removal procedures. This means you can't just drag one to the trash..."
    (More detail on removal procedures at the above URL.)
    ___

    - http://www.h-online.com/security/new...e-1246693.html
    20 May 2011 - "... Users of the Safari web browser should disable automatic file opening in Safari (Preferences -> General and uncheck "Open 'safe' files after downloading"). More importantly though, users should, when prompted for their user name and password, be asking themselves "what is requesting this information" and remembering that they are giving it privileges to modify their system..."

    Last edited by AplusWebMaster; 2011-05-20 at 19:23.
