Rogue AV/AS prolific

2008-02-19, 18:32

- http://sunbeltblog.blogspot.com/2008/02/incredible-c-netmedia-still-continues.html
February 19, 2008 - "It was last week, on the 14th, that Ben Edelman* showed that C-NetMedia (not to be confused with CNET) was using highly deceptive advertising to lure people to its sites. It’s still going on, despite press on the matter.
This morning, a search for SpyBot again shows C-NetMedia trying to trick people into thinking their site (spywarebot.com) is Spybot’s... And a search for Ad-Aware still has their ad for adwarealert.com. HIGHLY deceptive... (And we all know that many people will click on the first result, not fully understanding that it’s a sponsored link). Then, look what these crooks are doing with Microsoft Antispyware... I’m afraid it’s going to take the FTC to handle this one. Apparently the search engines aren’t self-policing on this one."
(Screenshots available at the URL above.)


* http://www.benedelman.org/news/021408-1.html
February 14, 2008 - "Not every "anti-spyware" program is what it claims to be. Some truly have users' interests at heart - identifying and removing bona fide risks to privacy, security, stability, or performance. Others resort to a variety of tricks to confuse users about what they're getting and why they purportedly need it. This article reports the results of my examination of anti-spyware software from C-NetMedia...
> Deceptive advertising, deceptive product names, and deceptive web site designs falsely suggest affiliation with security industry leaders...
> The use of many disjoint product names prevents consumers from easily learning more about C-Net, its reputation, and its practices...
> High-pressure sales tactics, including false positives, overstate the urgency of paying for an upgraded version...
Note that C-NetMedia is unrelated to the well-known technology news site CNET Networks..."
(Screenshots available at the URL above.)


2008-03-04, 12:57

- http://preview.tinyurl.com/2m8h33
March 4, 2008 (Symantec Security Response Weblog) - "We have analysed samples of malware that is calling itself 'MonaRonaDona'... it seems the sole purpose of the malware is to prompt the user to enter the term "MonaRonaDona" into a search engine. This is an attempt to lead them to an application that can remove the unwelcome threat - a fix that has obviously been conveniently provided by the very people who created the virus in the first place. When the Trojan executes, it creates the file SRVSPOOL.EXE in the startup folder of all user accounts... Once the user enters the name 'MonaRonaDona' into an Internet search engine, some of the top search results will be the "fix" that the malware authors have - in all probability - also conveniently created in order to solve the problem... this is a scam and warn victims against downloading the Trojan author's application created to remove the malware, which they were charging US$39.90 for (the Unigray Web site was down at the time of writing). While the software does in fact remove the MonaRonaDona Trojan - it is the ONLY malware it removes, despite the fact that it (falsely) reports to have cleaned over 200 other threats..."
(Screenshots available at the URL above.)

> http://www.dslreports.com/forum/r20088377-Re-MonaRonaDona-virus

- http://blog.trendmicro.com/the-art-drama-and-sophistication-of-monaronadona/
March 6, 2008 - "...Unconfirmed reports of initial infection happens when users click on a certain ad banner for Registry Clean Fix, a possible rogue program, to initiate stealth download of MonaRonaDona onto a system. The malware remains inactive (and impervious to detection) until users restart their systems.... Trend Micro advises users to refrain from clicking ad banners, which might lead to unexpected download of malicious files on a system or redirection to a malicious Web site. Trend Micro also implores users to be more wary of new social engineering techniques being practiced in the wild."

2008-06-06, 19:56
VirusHeat... new coat - same color

This link (from some good guys) shows you how the bad guys defraud users into getting whacked:
http://www.sunbeltsoftware.com/ihs/alex/anymp3.htm (turn up your sound so you can hear it)

...just so you can see how deceitful it is. 'Guess we need a sign:

"Use EXTREME CAUTION when clicking on search engine results".


2008-07-16, 14:37

Another fake MS spam
- http://sunbeltblog.blogspot.com/2008/07/another-fake-ms-spam.html
July 15, 2008 - "...The file being pushed, free.exe, is an installer for Antivirus XP 2008, a nasty rogue antispyware program... SPAM has stopped just being a nuisance, and become a serious potential security threat..."

(Screenshot available at the URL above.)


2008-08-15, 11:08

Fake AV Trojans Ramping Up
- http://blog.trendmicro.com/fake-antivirus-trojans-ramping-up/
August 14, 2008 - "...new set of rogue antivirus software circulating in the wild. Based on initial analysis, these threats arrive mainly via spammed email messages that contain a link to a bogus celebrity video scandal, although we have also received reports that the said link is also circulating in instant messaging applications and private messages in social networking Web sites. Once the said URL link is clicked, the Web threat infection chain begins and ultimately leads to the downloading of a Trojan detected by Trend Micro as TROJ_FAKEAV.CX, a rogue antivirus that displays very convincing (and for some, alarming) messages... TROJ_FAKEAV.CX also drops another malware, detected as TROJ_RENOS.ACG. RENOS Trojans are known to have very visual payloads that may further alarm users (for example, they modify the system’s wallpaper and screensaver settings to display BSOD). Thus, users may be more convinced that something’s wrong with their system, not knowing that their new software is the one causing it. Rogue antispyware isn’t entirely new, although our researchers have been seeing an increase in activity for the past couple of months... Perhaps it’s because this is also the time of the year when the more legitimate security suites are releasing their latest software updates, and cybercriminals are riding on this season to ramp up their profits. Bad news for the infected users though, as their latest versions of “antivirus software” are actually adding more threats to their system..."

(Screenshots available at the URL above.)


2008-08-23, 13:12

- http://www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/page8.html
22 August 2008 - "...One can only wonder how many users have been duped into installing ineffective security software, and what happened to their private information and credit card data when they paid for it. The presence of such software, and the overall very high quality of the ruse it presents, is frightening. More than likely, thousands of people have been fooled. In fact, this type of deception has been around for several years now, and it would not still be here if it did not work well.
This should serve as a dire warning to all: be extremely careful what you trust, and question everything that looks even remotely suspicious..."
(Many screenshots shown in the article - well worth your time to review.)

You may also want to visit TeMerc's site on this subject:
- http://www.temerc.com/forums/viewtopic.php?f=26&t=5053

...and this tool: RogueRemover FREE (i.e.: XP Antivirus 2008, etc. - 444 different suspicious applications)
> http://www.malwarebytes.org/rogueremover.php


2008-08-26, 23:47

Phish that bites back
- http://www.secureworks.com/research/blog/index.php/2008/08/25/the-phish-that-bites-back/
August 25th, 2008 - "We all get phishing emails. Some of us more than others, so it’s no surprise that sometimes people take out their frustrations on the phishing form, letting the phisher know just what they think of him or her... While it might make you feel better, it isn’t always a good idea. For instance, if you were to do this on a phishing page hosted by the Asprox botnet, you might get more than you bargained for. The Asprox phishing form backend has a bit of extra logic added to it. If the form looks like it has been filled out with legitimate data, you get redirected to the main page of the bank website. However, fill it out incompletely or use certain words like “phish” or NSFWUYAS (Not Safe For Work Unless You’re a Sailor) language, and your browser will be subjected to a number of exploits. If you are running Windows and haven’t recently installed your security updates and patched all your browser plugins/ActiveX controls, you might find yourself infected with your very own copy of Asprox. Not only do you then get the opportunity to unknowingly send phishing emails on behalf of the botnet, you will likely get some extra goodies, since Asprox is also a downloader trojan. You won’t notice it running, but you might notice some of the things it downloads and installs. For instance, you might find your desktop wallpaper changed to a “spyware alert” type of message, and now all your screensaver shows is scary blue-screens-of-death. Of course, if you’re familiar with the Windows desktop properties dialog, you can change all that back, right? Oops, the rogue antivirus program has removed that functionality for you... you’ll notice the lack of a “I disagree” or even a “close window” button at the top of the dialog (which can’t be minimized, and stays on top of all your other windows). So there’s no easy way to continue using your computer without clicking on the “Agree and install” button.
But don’t worry, Antivirus XP 08 has already installed itself, whether you click through the license agreement or not... Of course, you’re not infected with everything this program says you are - it’s scareware, designed to get you to fork over $50 or $100 in order to clean your system of all these nasty threats. But it doesn’t actually detect or clean anything, especially not the Asprox bot you’re hosting now. And at any time, Asprox might deliver another malicious payload and install it for you - and it could be much worse: we’ve seen the Zbot banking trojan installed by Asprox in the past. So instead of a dealing with a nuisance program, you might be silently sending your banking and credit card information to the botnet owners. Something to think about before venting your frustrations on the bad guys. Sometimes phish bite back."

(Screenshots available at the URL above.)


2008-08-28, 01:02

XP Antivirus 2008 now with sploits, Google Adwords affected
- http://sunbeltblog.blogspot.com/2008/08/xp-antivirus-2008-now-with-sploits.html
August 27, 2008 - "...problem of Google Adwords pushing Antivirus XP Antivirus 2008. The situation is still ongoing. However, it’s taken a turn for the worse, as these XP Antivirus pages are pushing exploits to install malware on the user's system. This will also affect the many syndicators of Google Adwords... There are a variety of exploits being used, including setslice and an AOL IM exploit. Unusually, an exploit framework is not being used. Fully patched systems will not be affected by these exploits. The exploit attempts to install the following malicious file: huytegygle com/bin/ file.exe..."

(Screenshots available at the URL above.)


2008-08-29, 13:26

Spammed SWF URLs Abuse ImageShack, Lead to Rogue AV
- http://blog.trendmicro.com/spammed-swf-urls-abuse-imageshack-lead-to-rogue-av/
Aug. 28, 2008 - "We’re seeing a lot of spam right now using the now annoyingly familiar Free Update Windows XP, Vista spam template. This time though, instead of linking to an .EXE file, it is now pointing to an .SWF file. The SWF file linked via the large-font text Free Update Windows XP,Vista contains Flash ActionScript... After this a EULA window appears, and then the system proceeds to install a rogue AV software from avxp-2008.net. Note that it does this automatically from the moment the install.exe is run... The technique used in the spam has two things going for it:
1. the use of SWF instead of EXE and
2. the use of an ImageShack-hosted file, both of which may suggest to normal users that the file is possibly harmless.
So it seems the siege of rogue AV is not only not dying down, its proponents are becoming more creative in their “advertising” schemes. We detect this rogue AV as TROJ_FAKEAV.IG."

(Screenshots available at the URL above.)


2008-09-16, 13:47

Fake AV 2009 and search engine results
- http://isc.sans.org/diary.html?storyid=5042
Last Updated: 2008-09-16 01:15:04 UTC - "Web servers have been compromised and their .htaccess files have been modified. Here you can see an example of a modified .htaccess
http://forums.devnetwork.net/viewtopic.php?f=6&t=85984 ...
Another site that was compromised and searches redirected is discussed here:
http://groups.google.com/group/Google_Webmaster_Help-Indexing/msg/0cd2cafd907a0380 ...
Their .htaccess is being modified to rewrite requests. Specifically they are redirecting to sites that "advertise" antivirus2008 or antivirus2009 when several search engines try to spider the original site. They redirect most of the search engines there (google, yahoo, altavista...). I believe that is how they are getting their fake av into the search engines with a HIGH hit rate. The site I was seeing in use was int3rn3t-d3f3ns3s .com, which is an "ad" for anti-virus2009... used to convince victims to load this fake-av software...
int3rn3t-d3f3ns3s .com is at I recommend blocking that at your enterprise gateway. Prt3ctionactiv3scan .com which is mentioned in the sunbelt blog is at blocking that at your gateway is also recommended.
There is a blog here about some of these fake av sites.
Microsoft MVP Harry Waldron blogged about it here.
http://msmvps.com/blogs/harrywaldron/archive/2008/08/15/antivirus-2009-avoid-these-fake-antivirus-trojan-attacks.aspx ...
Sunbelt did a good write up of it here and has been tracking the sites involved.
If you need antivirus software icsa labs has a useful collection of valid links here:
https://www.icsalabs.com/icsa/topic.php?tid=cfe0$3d83e732-011a28d6$5ac9-0f77e15b "
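For anyone checking their own web server after reading the ISC diary above, here is an added example (not code from ISC, Sunbelt or any of the linked sites) that scans an Apache .htaccess for the cloaking pattern the diary describes: a RewriteCond on the User-Agent that singles out search-engine crawlers, followed by a RewriteRule whose target is an absolute URL on a foreign host (mod_rewrite performs an external redirect for such targets). The sample .htaccess, the hostname rogue-av.example and the crawler-name list are constructed assumptions, not taken from the diary.

```python
"""Detect search-engine cloaking in an Apache .htaccess file.

Added example, not code from the ISC diary or any vendor named in the
thread. It flags a RewriteCond on %{HTTP_USER_AGENT} that singles out
crawlers when the RewriteRule it guards sends them to another host.
All hostnames below are constructed.
"""
import re
from urllib.parse import urlparse

# Crawler identifiers cloaking rules typically key on (illustrative list, an assumption).
CRAWLER_TOKENS = ("googlebot", "slurp", "msnbot", "bingbot", "yahoo",
                  "altavista", "scooter", "teoma", "lycos")

COND_RE = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)


def crawler_tokens_in(pattern):
    """Return the crawler names mentioned in a RewriteCond pattern."""
    low = pattern.lower()
    return [tok for tok in CRAWLER_TOKENS if tok in low]


def external_host(target, own_host):
    """Host of an absolute-URL rule target if it points off-site, else None."""
    parsed = urlparse(target)
    if parsed.scheme not in ("http", "https"):
        return None
    host = parsed.netloc.lower()
    return None if host == own_host.lower() else host


def scan_htaccess(text, own_host):
    """Return one finding per RewriteRule that sends crawlers off-site.

    A RewriteCond applies only to the RewriteRule that follows it, so the
    pending conditions are reset after every rule.
    """
    findings = []
    pending = []  # (line_no, test_string, pattern) not yet consumed by a rule
    for line_no, line in enumerate(text.splitlines(), 1):
        cond = COND_RE.match(line)
        if cond:
            pending.append((line_no, cond.group(1), cond.group(2)))
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue
        host = external_host(rule.group(2), own_host)
        agents = [tok for (_, test, pat) in pending
                  if "HTTP_USER_AGENT" in test.upper()
                  for tok in crawler_tokens_in(pat)]
        if host and agents:
            findings.append({"line": line_no, "target_host": host,
                             "agents": sorted(set(agents)),
                             "cond_lines": [n for (n, _, _) in pending]})
        pending = []
    return findings


# Constructed sample .htaccess: one benign same-host redirect, one crawler-only
# redirect to a placeholder lure domain, one benign www canonicalisation.
SAMPLE_HTACCESS = """\
# constructed sample
RewriteEngine On
RewriteBase /
# benign: old blog paths move to /news on the same host
RewriteRule ^blog/(.*)$ /news/$1 [R=301,L]
# suspicious: only crawlers are bounced to a rogue-AV lure page
RewriteCond %{HTTP_USER_AGENT} ^.*(googlebot|slurp|msnbot|altavista).*$ [NC]
RewriteRule ^(.*)$ http://rogue-av.example/antivirus2009/$1 [R=302,L]
# benign: canonicalise to www on this site
RewriteCond %{HTTP_HOST} ^example\\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
"""

if __name__ == "__main__":
    for f in scan_htaccess(SAMPLE_HTACCESS, "www.example.com"):
        print(f"line {f['line']}: crawlers {f['agents']} redirected to "
              f"{f['target_host']} (conditions on lines {f['cond_lines']})")
```

Run it against the sample and only the crawler-only rule on line 8 is reported; the www canonicalisation on line 11 is an absolute URL too, but it stays on the site's own host, which is why the check compares the target host against the host you pass in rather than just looking for the R flag.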


2008-10-01, 13:44

More "scareware"...
- http://www.f-secure.com/weblog/archives/00001508.html
September 30, 2008 - "WinDefender 2008 is a rogue application. Rogues are also sometimes known as scareware... Looks sort of familiar, doesn't it? Do you recognize the shape of the box? The website creators appear to have "borrowed" a few things. Let's check out the legal disclaimer... From where else we can find really legal stuff? Spyware Rogue: Antivirus XP 2008... Oh, Antivirus XP 2008. That particular rogue is a huge pain in the… neck. The guys that produce this stuff are crooks and swindlers... Here's a tip: If they claim to be REALiable — they're probably FAKE..."
(Screenshots available at the URL above.)

- http://www.f-secure.com/weblog/archives/00001509.html
October 1, 2008 - More rogue apps/screenshots...


2008-10-05, 02:42

- http://blog.trendmicro.com/rogue-av-tactics-continue-to-threaten/
Oct. 2, 2008 - "October has just begun and Trend Micro threat researchers keep seeing more and more — slightly different, but yet increasingly more annoying — variations to the set of rogue AV infection signals... Fake BSOD (actually a screensaver) now sports a specific mention of the problem — an unregistered version of a certain AV product... even the fake reboot screen (also a screensaver) has text... malware criminals continue a “take no prisoners” approach to vandalizing PCs in their bid to convince victims to purchase bogus security software... Cybercriminals literally calling attention to themselves by using all visual means available to instill a sense of discomfort in users that may just be enough to get these users to fall for the act — an unfortunately common scare tactic... This variant is an ongoing iteration of the Antivirus 2009 campaign and is detected as TROJ_FAKEAV.SV..."

(Screenshots available at the URL above.)


2008-10-10, 13:43

New rogue: Antivirus 2010
- http://sunbeltblog.blogspot.com/2008/10/new-rogue-antivirus-2010.html
October 09, 2008 - "Antivirus 2010 is a new rogue security product. This rogue is a clone evolved from IEdefender that begat XP Antivirus, that begat Antivirus 2008, that then begat Antispyware 2009... The rogue application uses the same old tricks to lure users into purchasing their worthless application... Fake Windows Security Center - Fake BSOD..."

(Screenshots available at the URL above.)


2008-11-10, 16:56

More rogue AV tricks...
- http://www.f-secure.com/weblog/archives/00001535.html
November 10, 2008 - "We came across a rogue today called Antivirus Professional 2008 that uses GeoIP Lookup as part of its scare tactics. This site uses Flash and script to create the effect of an online scan, that then attempts to push an installer at the visitor. The NoScript extension* for Mozilla Firefox is an excellent way to mitigate against this kind of garbage... The "antivirus online scanner" site now uses the visitor's IP address to customize the so-called threat..."

(Screenshots available at the URL above.)

* https://addons.mozilla.org/en-US/firefox/addon/722


2008-11-22, 00:48

- http://www.f-secure.com/weblog/archives/00001545.html
November 21, 2008 - "Some rogue antivirus applications are overtly malicious. XP Antivirus 2008 and XP Antivirus 2009 have numerous affiliates utilizing rootkits and plenty of other nasty techniques in order to get themselves installed (and purchased). They're a real pain in the… neck. As an interesting aside – XP Antivirus 2008 and XP Antivirus 2009 are actually produced by two different gangs. Variants of one sometimes attempt to uninstall and disable the other...
This is how the search-and-destroy .com site appears... The site just uses a simple Flash graphic for basic animation; there are no fake "scans" that attempt to scare the visitor. It's all very quiet, relying perhaps on its name. This application, search-and-destroy, should not of course be confused with Spybot Search & Destroy, a well known and respected antispyware application. We downloaded and tested the Search-and-Destroy Antispyware application. First it prompted a warning that there were zero risks. Then we performed the scan and there were 159 "problems" discovered. All 159 were not fixable in the trial version. Within the "malicious threats" that were discovered, were invalid shortcuts. True, the links were invalid, but that's hardly a threat. So we uninstalled the application, and it left behind a registry key... Typical. The scan warned us about invalid shortcuts, and then leaves behind an invalid registry key... Based on the IP address used when posting to our comments system, Mirando lives in New Delhi, India. We suspect that he's young and that these posts are early attempts at making money via an affiliate program..."

(Screenshots available at the URL above.)


2008-11-23, 03:25

- http://preview.tinyurl.com/55b2hj
November 19, 2008 - MS Malware Protection Center - "Win32/FakeSecSen* was added to MSRT November release ... We’ve since observed MSRT removing FakeSecSen from 994,061 distinct machines. Breakdown of these removals by regions is shown as below...
Distinct Machines Cleaned:
United States - 548,218
United Kingdom - 74,343
France - 47,581
Germany - 43,347
Netherlands - 28,724
Spain - 23,027
Italy - 18,453
Australia - 16,287
Canada - 16,180
Sweden - 15,412
Other - 162,489 ..."

* http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32%2fFakeSecSen
Summary: Win32/FakeSecSen is a family of programs that claim to scan for malware and display fake warnings of “malicious programs and viruses”.


2008-12-02, 18:20

- http://www.sophos.com/security/blog/2008/12/2069.html
2 December 2008 - "Today we saw a hockey statistics website that had been compromised - it was redirecting via several hops to a fake anti-virus site detected as Mal/FakeAvJs-A... If you do go for their free scan, surprise surprise it finds malware on your computer. In fact there’s a config file on the site, telling you exactly what malware it’s going to find, and where... This wasn’t the only site we saw compromised like this today, the others pointing to the exact same fake anti-virus website after a number of hops, as if somebody had recently flicked a switch and set a number of websites redirecting in this manner..."

(Screenshots available at the URL above.)


2008-12-03, 16:55

Nano Antivirus now making the rounds
- http://sunbeltblog.blogspot.com/2008/12/nano-antivirus-now-making-rounds.html
December 02, 2008 - "A fresh rogue... variant of Pro Antispyware 2009*."

* http://sunbeltblog.blogspot.com/2008/10/new-rogue-pro-antispyware-2009.html
October 22, 2008

(Screenshots available at both URLs above.)


2008-12-24, 21:57

- http://preview.tinyurl.com/ay4674
December 24, 2008 (Computerworld) - "In the second month of a campaign against fake security software, Microsoft has booted the rogue application "Antivirus 2009" from almost 400,000 PCs, the company recently claimed. December's version of the Malicious Software Removal Tool (MSRT), a free utility that Microsoft pushes to Windows users as part of Patch Tuesday, targeted one of the most popular phony security apps, Antivirus 2009. According to Microsoft*, the MSRT erased the fake from over 394,000 PCs in the first nine days after it released this month's edition..."

MSRT Review - Win32/FakeXPA and Win32/Yektel Rogues
* http://preview.tinyurl.com/a4pku7
(blogs.technet.com) - December 17, 2008

> http://preview.tinyurl.com/6bb67
MSRT v2.5 - 12/10/2008 - 7.4MB


2008-12-30, 14:55

More "Fake AV" Incarnations Making The Rounds
- http://isc.sans.org/diary.html?storyid=5584
Last Updated: 2008-12-30 01:39:49 UTC - "Using obfuscated javascript techniques, more "Fake Anti Virus" malware is continuing to present itself to unsuspecting Internet users - in the hopes of gaining an installation through the use of rather effective, social engineering methods. Some of the latest incarnations observed in the past 24 hours continue to maintain low levels of AV detection (less than 15% based on VirusTotal analysis)... In terms of propagation, getting a "hit" from this malware is as easy as entering a series of search terms on your favorite search engine, and unluckily picking a search result that delivers nothing more than the misleading introductory screen and fake anti-virus pop-up alerts (with their associated "D-level" english grammar). Should you unfortunately find yourself victim to this, remember to not click anywhere on the screen, but instead use "Task Manager - Applications" to terminate the victimized web browser session."


2009-01-21, 19:19
This is a real beauty:

Russians don't infect themselves...
- http://sunbeltblog.blogspot.com/2009/01/russian-don-infect-themselves.html
January 21, 2009 - "Little snippet found in Antivirus 2009...
00420174 - Bot started.
0042018C - App name:
004201A0 - Exe name:
004201B4 - Bot ID:
004201C8 - Wait before activate:
004201E8 - Sleep period:
00420200 - Popup URL:
00420214 - Don`t install on Rus:
00420234 - Russian or Ukrainian Windows detected. Exiting ... <<<
0042027C - Looking for XP antivirus
004202A0 - Software\XP Antivirus\Options\AdvancedScan
004202D4 - Key =
004202E4 - XP antivirus detected
00420304 - Unregistering toolbar
00420324 - Unregistering self ..."


2009-02-19, 17:59

Anti-virus-1 new rogue anti-spyware...
- http://www.bleepingcomputer.com/malware-removal/anti-virus-1-removal
February 18, 2009 - "Anti-virus-1 is a new rogue anti-spyware program from the same family as Antivirus 2010 and Antivirus 360. This program is promoted primarily through two methods. The first is through the use of advertisements that pretend to be online anti-malware scanners. These advertisements go through what appears to be a scan of your machine and then when finished, state that your computer is infected and that you should download Anti-virus-1 to protect yourself. Remember, though, that this is just an advertisement and it has no way of knowing what is running on your computer. The second method that is used to promote this rogue is through the use of Trojans. When certain Trojans are installed on your computer they will display security alerts stating that your computer is infected or that you have some other security risk. When you click on these alerts, it will download and install Anti-virus-1 onto your computer... When Anti-virus-1 is installed it will configure itself to start automatically when Windows starts. It will also modify your C:\Windows\System32\drivers\etc\hosts file so that when you visit certain sites you will go to a site under the malware developer's control rather than the legitimate site you were expecting to go to. This allows them to show you information that further promotes the Anti-virus-1 program. When the program is started it will automatically scan your computer and then display a list of infections that cannot be removed unless you first purchase the program... Tools Needed for this fix: Malwarebytes' Anti-Malware* ..."
* http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe

(Screenshots and more detail available at the first URL listed above.)


2009-02-24, 23:38

eWeek Hacked with drive-by download - Anti-Virus-1...
- http://securitylabs.websense.com/content/Alerts/3310.aspx
02.24.2009 - "Websense... has discovered that the eWeek.com Web site is serving malicious advertisements (malvertisements) to visitors...
Update 2/24/09 - eWeek has informed us that the problem has been rectified. We have verified that the Web site is now safe. eWeek.com is the online version of the popular business computing magazine. When users browse to the home page of eWeek, a malvertisement hosted on the DoubleClick advertisement network performs a redirect to a malicious Web site through a series of iframes. This causes a redirect to one of two files on hxxp ://[removed]inside .com/ - Either a pdf document containing exploit code is served, or index.php redirects to the rogue ad-server. With no user interaction, a file named "winratit.exe" (MD5: A12DA1D62B7335CBE6D6EA270247BBC1) is installed in the user's temporary files folder. Two additional files are dropped onto the user's machine and are bound to startup. The hosts file is also modified so that if the user tries to browse to popular software download sites to remedy the infected machine, s/he is instead directed to a malicious Web site offering further rogue AV downloads. The name of the rogue AV application is Anti-Virus-1. If the user chooses to register the rogue AV, a connection is made to hxxp ://[removed]-site .info/ which has been set up to collect payment details..."
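Both the BleepingComputer write-up of Anti-virus-1 earlier in this thread and the Websense alert above describe the rogue rewriting the hosts file so that security and software-download sites resolve to addresses the crooks control. As an added example (not code from BleepingComputer, Websense or any vendor), the script below parses a hosts file, flags watchlisted names that are mapped to anything other than a loopback or unspecified address, and lists every other off-host mapping for a human to review. The watchlist and the sample hosts file are constructed for the example; the path C:\Windows\System32\drivers\etc\hosts is the one named in the BleepingComputer post.

```python
"""Audit a hosts file for entries that hijack security-vendor lookups.

Added example, not BleepingComputer's or Websense's code. A rogue that
rewrites the hosts file makes vendor and download sites resolve to its own
address; this parser reports any watchlisted name that is pointed off-host
and lists all remaining off-host mappings for review. The watchlist and the
sample hosts file are constructed for the example.
"""
import ipaddress

# Names a rogue would want to intercept (illustrative watchlist, an assumption).
WATCHLIST = {
    "www.malwarebytes.org", "malwarebytes.org",
    "download.bleepingcomputer.com", "www.bleepingcomputer.com",
    "www.microsoft.com", "update.microsoft.com", "windowsupdate.microsoft.com",
    "www.symantec.com", "www.f-secure.com", "www.sunbeltsoftware.com",
}


def is_local_address(addr):
    """Loopback, unspecified (0.0.0.0 / ::) and link-local targets count as benign."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local


def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping, ignoring comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            yield line_no, parts[0], name.lower()


def audit_hosts(text, watchlist=WATCHLIST):
    """Return (hijacks, other_offhost).

    hijacks: watchlisted names mapped to a non-local address.
    other_offhost: every other non-local mapping, for manual review.
    """
    hijacks, other = [], []
    for line_no, addr, name in parse_hosts(text):
        if is_local_address(addr):
            continue
        entry = {"line": line_no, "address": addr, "host": name}
        (hijacks if name in watchlist else other).append(entry)
    return hijacks, other


# Constructed sample of C:\Windows\System32\drivers\etc\hosts after tampering.
# 192.0.2.10 is a documentation address standing in for the attacker's server.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example            # ad-blocker style entry, harmless
192.0.2.10      www.malwarebytes.org malwarebytes.org
192.0.2.10      download.bleepingcomputer.com
192.0.2.10      www.microsoft.com update.microsoft.com
10.0.0.5        intranet.example       # internal override, needs human review
"""

if __name__ == "__main__":
    hijacks, other = audit_hosts(SAMPLE_HOSTS)
    for e in hijacks:
        print(f"HIJACK line {e['line']}: {e['host']} -> {e['address']}")
    for e in other:
        print(f"review line {e['line']}: {e['host']} -> {e['address']}")
```

On the sample the five vendor names on lines 5 to 7 come back as hijacks and the intranet override on line 8 is listed separately; loopback and 0.0.0.0 entries are skipped because ad blockers and local development setups use them legitimately, so a blanket "anything not 127.0.0.1" rule would drown the real finding in noise.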


2009-03-04, 13:40

- http://atlas.arbor.net/briefs/index#-1039902162
March 03, 2009 - "Over the past year or so we have been seeing a large number of "rogue AV" products being installed in drive-by sites. This is a scam program, designed to fool users into paying for software they don't need. The program will announce that the user is infected with malware and then demand $40 to remove the infection. This kind of application is usually well detected by legitimate AV software.
Analysis: This is a classic scareware program with a twist, and is usually installed without the owner's consent. We have seen a variety of tricks to get this installed on users' PCs. We encourage all sites to make sure they are not affected by this issue.
Source: http://www.f-secure.com/v-descs/rogue_w32_xpantivirus.shtml
"...large rogueware family. Members of the XPAntivirus family are distributed under several different names, including:
• XP Antivirus
• Antivirus 2009
• Antivirus 2010
• Antivirus 360 ..."


2009-03-08, 13:12

New rogue: Antispyware Pro 2009
- http://sunbeltblog.blogspot.com/2009/03/new-rogue-antispyware-pro-2009.html
March 08, 2009

New rogue: Malware Defender 2009
- http://sunbeltblog.blogspot.com/2009/03/new-rogue-malware-defender-2009.html
March 06, 2009 - "Malware Defender 2009 is a new rogue security product and a clone of System Guard 2009..."

(Screenshots available at both URLs above.)

Tornado Malware Kit
- http://atlas.arbor.net/briefs/index#1440121766
March 06, 2009 - "...This is a specific instance of such a drive by kit but demonstrates the current technology that is being sold and delivered on the Internet.
Analysis: These kits have been in use for well over a year and are responsible for many of the drive by downloads we see on the Internet these days.
Source: http://www.secureworks.com/research/blog/index.php/2009/3/5/tornado-malware-kit/
March 5, 2009 - "...Tornado is a Russian web-attack kit used by hackers to compromise as many machines as possible. “Out of the box,” it comes with 14 exploits..."


2009-03-14, 20:19
FYI... More rogues...

- http://sunbeltblog.blogspot.com/2009/03/new-rogue-security-products.html
March 14, 2009 - "General Antivirus and Personal Antivirus are the new clones of Internet Antivirus Pro rogue security product..."

- http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-031311-4206-99&tabid=2
March 13, 2009
Name: System Guard 2009
Publisher: System Guard
...The program reports false or exaggerated system security threats on the computer.

- http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-031117-4351-99&tabid=2
March 11, 2009
Name: Virus Melt
Publisher: iSystems Inc.
...The program reports false or exaggerated system security threats on the computer.

(Screenshots available at above URLs.)


2009-03-20, 16:36

Antivirus2009 ransomware...
- http://preview.tinyurl.com/df8n2t
March 20, 2009 Security Fix/Brian Krebs - "... this version of Antivirus2009 encrypts or scrambles contents of documents... so that only users who pay $50 for a FileFixerPro license can get the decryption key needed to regain access to the files in their My Documents folder... The good news is the nice folks over at BleepingComputer.com*, a very active computer-help forum, have posted detailed instructions on how to remove FileFixerPro. The bad news is that these instructions won't help get a victim's documents back. But there is more good news: The folks over at FireEye have figured out how to decrypt documents scrambled by this thing, and have set up a free Web-based service** where victims can upload documents to have them unscrambled. Alex Lanstein, senior security researcher at FireEye, said he hopes his team can soon release a tool users can download to help decrypt the entire My Documents folder. This is the first time I've ever heard of scareware being bundled with so-called "ransomware"..."

* http://www.bleepingcomputer.com/forums/topic212357.html

** http://blog.fireeye.com/research/2009/03/a-new-method-to-monetize-scareware.html

- http://www.pcworld.com/article/161649/crooks_flock_to_rogue_antivirus_apps.html
Mar 20, 2009 - "...According to the Antiphishing Working Group*, the number of fake security programs skyrocketed from average of around 2,500 per month to 9,287 in December..."
* http://www.antiphishing.org/reports/apwg_report_H2_2008.pdf


2009-03-23, 15:00

Trafficconverter takedown...
- http://www.f-secure.com/weblog/archives/00001631.html
March 20, 2009 - "One of the more notorious pay-per-install programs, Trafficconverter has been taken down today. These sites work like this:
1. Trafficconverter develops a "rogue" antivirus product
2. The product will find viruses even on clean systems
3. It won't "clean" those viruses unless you register the product
4. Trafficconverter does not market their software at all
5. Instead, all the marketing is done through affiliates
6. Affiliates have existing botnets of thousands of infected computers
7. They remotely install these rogue products to those computers
8. Confused end users see warning messages about viruses on their screens
9. ...and register the rogue product for $50 to "fix" their machine
10. Affiliates get $30 per customer, Trafficconverter gets $20
11. ?? ...
...So, it's good to see these guys going offline. Kudos to Brian Krebs*!"
* http://voices.washingtonpost.com/securityfix/2009/03/obscene_profits_fuel_rogue_ant.html
March 16, 2009
- http://voices.washingtonpost.com/securityfix/2009/03/sunlight_disinfects_rogue_anti.html
March 20, 2009

(Screenshots available at all above URLs.)


2009-03-24, 11:37

Trafficconverter takedown - Downadup motivations
- https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/254
03-23-2009 - "As the April 1 payload delivery date nears for W32.Downadup.C (also known as Conficker) speculation continues on whether the payload will be one big April Fool’s joke, or the equivalent of a cyber Pearl Harbor. While we can’t predict the future with certainty, we can look at the motivations of past Downadup variants to postulate that the payload will likely be something between the two extremes. The first Downadup variant (.A) provides the best evidence of the motivations of the Downadup authors. In a similar fashion to the recent Downadup variant, Downadup.A had a payload delivery date after its initial release, on December 1, 2008. Downadup.A attempted to download its payload file from hxxp ://trafficconverter.biz/4vir/antispyware/loadadv.exe. While Downadup.A was never able to download its payload because the payload site was shut down, the owner of the site trafficconverter.biz was heavily involved in pushing misleading applications (also known as rogue antispyware products) onto users’ machines..."

- http://centralops.net/co/DomainDossier.aspx
Registrant Country Code: GB ...
Created by Registrar: ESTDOMAINS INC ...

2009-03-25, 18:25
Some references from prior post in this thread:
- http://forums.spybot.info/showpost.php?p=298697&postcount=27

Xrupter -aka- Vundo ...
- https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/255
03-24-2009 - "Over this past weekend, Symantec received news of a new twist in the behavior of Trojan.Vundo(1). Instead of simply pushing misleading applications and other threats onto the infected computers, it seems the authors of Vundo have taken a more direct hand in revenue generation. Rather than just frightening you into believing that you may have problems or threats present on your computer, Vundo now drops a file named fpfstb.dll that attempts to make sure that you do encounter problems on your computer. We currently detect this threat as Trojan.Xrupter(2). This Trojan performs a search in the My Documents folders of your hard drive... This Trojan specifically targets these files for encryption because the creators know these are the files that you are most likely to want back if the computer was ever compromised. Once the files are encrypted, it starts to display messages stating that certain files on the computer are corrupted. If the user attempts to open any of the encrypted files, a message will also appear saying that the file is corrupt. In both windows, a repair option is available... If the user clicks on repair, a browser window will open to the domain filefixpro.com (now offline). This site offers a program named FileFix Professional (detected as FileFixProfessional), which is supposed to repair the corrupted files. Of course, FileFixPro is not a free application, so you are expected to pay in order to license it for use. FileFix Professional is obviously not what it is cracked up to be—it is, in fact, just another part of this whole scam—it only decrypts the files that its partner in crime (Trojan.Xrupter) has encrypted... The fortunate thing about this whole episode is that the makers of this scam have implemented a very weak algorithm for encryption of the files. Because of this, Symantec and various other security vendors such as FireEye have been able to decrypt the files affected by this Trojan.
In fact, we are offering a tool that can be used to clean up this Trojan and recover encrypted files... If you need this fix tool, you can download it here*."

(Screenshots available at the URL above.)

1) http://www.symantec.com/security_response/writeup.jsp?docid=2004-112111-3912-99

2) http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-032207-0838-99&tabid=1

* http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixXrupter.exe


2009-03-31, 00:15

Conficker hype used by rogue gangs
- http://www.f-secure.com/weblog/archives/00001639.html
March 30, 2009 - "... We found out that rogue security software folks have picked up on this. For example, let's have a look at remove-conficker .org, a domain which was registered today... They advertise a tool called MalwareRemovalBot. It's fake. Interestingly, it doesn't always find non-existing malware infections on your PC - only sometimes. But one thing is for sure, it does not remove Conficker.C. We tried it and it didn't do a thing to remove it. When it did find something that it claimed to be malware... And then it asked us to register and pay $39.95 for the removal functionality... When following up on this we did a Google search for "remove conficker.c" and saw several purchased ads that lead to the same type of "security" software as well... Like AdwareAlert and AntiSpy2009. It's clear that it's an affiliate program going on..."

(Screenshots available at the F-secure URL above.)


2009-04-03, 18:10

More Conficker rogue AV...
- https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/spam/article-id/173
04-02-2009 - "We have found spam samples attempting to capitalize on the frenzy over Conficker (a.k.a. Downadup), offering the latest in antivirus security software that purportedly protects users from the Conficker threat. Some of these SPAM messages even use names and images of software much like our own Norton AntiVirus 2009... it even mentions the name of one of our Symantec employees frequently cited in the press... In an attempt to increase financial gain, the product website is made to look like the product is one of our Norton consumer security solutions, by using the AntiVirus 2009 name and even comparing itself with other antivirus solutions such as Spybot, Kaspersky, and AVG... After clicking on the link inside the message, we find that it redirects to a website where the user is promptly given directions on how to make a payment. Whether or not any product will be made available after the payment is made is still unknown at this point. Even if it were, its effectiveness would be questionable because it will most likely be a rogue application or pirated software."
(Screenshots available at the Symantec URL above.)


2009-04-09, 17:41

- http://www.darkreading.com/shared/printableArticle.jhtml?articleID=216403298
April 8, 2009 - "Rogue security software infections by just one family of malware jumped 66 percent in the second half of the year, according to Microsoft's new Security Intelligence Report (SIR)*... Microsoft says the Win32/Renos scareware attack was found on 4.4 million computers, for instance, and Win32/FakeXPA and Win32/FakeSecScan on 1.5 million machines. Other rogue AV types were also detected, bringing the total numbers of those types of infections to the 10 million mark..."
* http://www.microsoft.com/sir


2009-04-15, 14:42

New rogue: P Antispyware 09
- http://sunbeltblog.blogspot.com/2009/04/new-rogue-p-antispyware-09.html
April 14, 2009 - "P Antispyware 09 is yet another rogue from WinSpywareProtect family of rogue security products."

New rogue: Antivirus'09
- http://sunbeltblog.blogspot.com/2009/04/new-rogue-antivirus.html
April 15, 2009 - "Antivirus'09 is a new rogue security product. This rogue uses fake/scare scanner pages to trick users into downloading the rogue application."

(Screenshots available at both URLs above.)


2009-04-19, 12:48

New rogue: AV Antispyware
- http://sunbeltblog.blogspot.com/2009/04/new-rogue-av-antispyware.html
April 19, 2009 - "AV Antispyware is the latest rogue from WinSpywareProtect family of rogue security products... Sites Involved: Av-antispyware com Files scanner-antispy-av-files com dl scan-antispy-4pc com Int reporting32 com ..."

(Screenshot available at the URL above.)


2009-04-28, 23:33

- http://preview.tinyurl.com/cqv4se
23 April 09 - PandaLabs blog - "... Cyber-criminals have chosen Rogue Anti-Malware as their primary method of payment because it has become easier for them to make money by affiliate systems and utilizing these types of attacks. It’s no wonder why we have seen more Rogue detections in the first quarter of 2009 than all of 2008... PandaLabs predicts that incidents of rogue AV scams will grow 100 percent quarter over quarter through the end of Q3*... Remember, it's just as important to update your web applications as it is to update your operating system. If you use Wordpress as a platform for your blog or website, then I recommend viewing the official hardening guide**."

* (Chart available at the URL above.)

** http://codex.wordpress.org/Hardening_WordPress


2009-05-18, 23:58

- http://www.f-secure.com/weblog/archives/00001684.html
May 18, 2009 - "How big an issue are Rogue antivirus applications? Let's take a look. What is your browser's user agent? Any ideas? The Firefox browser should look something like this: You can determine yours from http://whatsmyuseragent.com . Now let's take a look at this user agent:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Do you see it? Right there in the middle, "AntivirXP08". What is that all about? Some rogues modify the browser's user agent. We've seen hundreds of AntivirXP08 string variations. The modified string is possibly used to identify the affiliates responsible for the installation which drives "business" to the rogue's website. Modified user agents could also be used to deliver different content. A victim with AntivirXP08 doesn't need to be convinced to download an installer; instead they can be targeted to complete the scam and to buy the rogue. How many infected user agents are out there? Toni examined one of our sinkholes and its April 2009 logs contained 63,000 unique IP addresses using agents that contain AntivirXP08. 63 thousand. That's a lot of infections, right? And that doesn't include other strings we've seen such as "Antimalware2009". It's a small measure of a very large problem."

(Screenshot available at the F-secure URL above.)
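The sinkhole count F-Secure describes (unique IPs whose User-Agent carries a rogue marker) is easy to reproduce against any web-server log. The script below is an added example, not F-Secure's code: it parses Apache/nginx "combined" log lines, looks for the marker strings the post names ("AntivirXP08", "Antimalware2009"; the list itself is an assumption you would extend from your own data) and counts distinct client IPs per marker. The log lines are constructed, using documentation-range addresses.

```python
"""Count rogue-AV infected hosts from web-server logs by User-Agent marker.

Added example; not F-Secure's sinkhole code. SAMPLE_LOG is constructed
(documentation-range IPs) in combined log format, and ROGUE_UA_MARKERS is an
assumption built from the two strings the post names.
"""
import re
from collections import defaultdict

# Strings rogue installers have been seen to inject into the browser UA.
# Plain substring match deliberately catches suffix variations such as
# "AntivirXP08_v2"; the post says hundreds of variations exist.
ROGUE_UA_MARKERS = ("AntivirXP08", "Antimalware2009")

# combined log format:
# ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = [  # constructed sample, not real sinkhole data
    '192.0.2.10 - - [03/Apr/2009:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"',
    # same infected host again: must be counted once
    '192.0.2.10 - - [03/Apr/2009:10:15:09 +0000] "GET /buy HTTP/1.1" 200 128 "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"',
    '198.51.100.7 - - [03/Apr/2009:11:02:44 +0000] "GET / HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8"',
    '198.51.100.9 - - [03/Apr/2009:11:30:01 +0000] "GET / HTTP/1.1" 200 2048 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Antimalware2009; .NET CLR 2.0.50727)"',
    '203.0.113.5 - - [03/Apr/2009:12:00:00 +0000] "GET / HTTP/1.1" 200 2048 "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08_v2)"',
    "garbage line that is not in combined format",
]


def parse_line(line):
    """Return a dict of log fields, or None if the line is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def rogue_marker(user_agent):
    """Return the first rogue marker present in the UA string, else None."""
    for marker in ROGUE_UA_MARKERS:
        if marker in user_agent:
            return marker
    return None


def count_infected(lines):
    """Map each marker to the set of unique client IPs carrying it.

    Returns (hits, unparsed): hits is {marker: {ip, ...}}, unparsed is the
    number of lines that did not match the log format (worth reporting so a
    format mismatch does not silently produce a count of zero).
    """
    hits = defaultdict(set)
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        marker = rogue_marker(rec["ua"])
        if marker:
            hits[marker].add(rec["ip"])
    return dict(hits), unparsed


def unique_infected_hosts(lines):
    """Total number of distinct IPs carrying any rogue marker."""
    hits, _ = count_infected(lines)
    return len(set().union(*hits.values()))


if __name__ == "__main__":
    hits, unparsed = count_infected(SAMPLE_LOG)
    for marker, ips in sorted(hits.items()):
        print(f"{marker}: {len(ips)} unique IPs")
    print(f"total infected hosts: {unique_infected_hosts(SAMPLE_LOG)}, unparsed lines: {unparsed}")
```

Counting unique IPs rather than requests is what makes the figure comparable to F-Secure's 63,000; it still undercounts hosts behind NAT and overcounts hosts whose address changes, so treat it as a lower-bound indicator rather than an exact census.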


2009-06-15, 18:13

Rogue AV hosted in USA...
- http://sunbeltblog.blogspot.com/2009/06/cavalcade-of-malware-hosted-right-here.html
June 15, 2009 - "Contrary to popular belief, not all malware is hosted in Eastern Europe or China. In fact, there’s a whole bucketload of malware hosted in Scranton, PA. Here are malware domains associated with IP"

(Long list and screenshots available at the URL above.)


2009-07-27, 14:43

Rogue AV terminates EXE files
- http://blog.trendmicro.com/rogue-antivirus-terminates-exe-files/
July 26, 2009 - "This weekend, we at TrendLabs came across a FAKEAV variant similar to the one peddled in the solar eclipse 2009 in America attack in this recent blog post. This one, however, introduces another new scare tactic (so far the latest new ploy we’ve seen is the ransomware/FAKEAV that encrypts files in the infected computer and offers a bogus fixtool for a price). This FAKEAV variant terminates any executed file with an .EXE file extension and displays a pop-up message saying that the .EXE file is infected and cannot execute... This way, users are left with no choice but to activate the antivirus product since no other application works. This Trojan is detected by Trend Micro as TROJ_FAKEAV.B. It avoids terminating critical processes to prevent system crashes. Unfortunately, cybercriminals work hard in creating so many gimmicks, that we can only guess what comes next in FAKEAV..."

(Screenshot available at the URL above.)


2009-07-27, 23:05

Malicious Twitter Posts Get More Personal
- http://blog.trendmicro.com/malicious-twitter-posts-get-more-personal/
July 27, 2009 - "... malicious Twitter posts are getting dangerously more customized, increasing the possibility of users getting hooked into malicious schemes. A Twitter spambot is said to have been used in launching this recent attack. The spambot creates Twitter accounts and fashions them to appear as legitimate accounts by posting seemingly harmless posts like those sharing certain music they listen to, or websites they visit. The spambot accounts then post tweets directed to unknowing users, sharing a link to a PC repair tool they allegedly came across and used... the spambot posting tweets directed to specific users is a noteworthy social engineering technique that was clearly not seen as suspicious by Twitter admins. The spambot accounts were apparently created prior to a spam cleanup recently conducted by Twitter. Additionally, the spambot uses the URL shortener Doiop.com to mask the original URL in the posts, and for a not so good reason. The URL directs to a URL that triggers a couple of redirections that ultimately lead to the download of the file RegistryEasy.exe, which is detected as TROJ_FAKEAV.DAP. TROJ_FAKEAV.DAP comes off as an application that repairs registry problems. However, in true FAKEAV style, it merely displays false results to convince the user into purchasing the product... in the root of one of the URLs the user is redirected to, an advertisement for an application dubbed as Bot Lite is posted. Bot Lite is, as the post describes, a light Twitter bot that virtually anyone can use... Bot Lite does function as a spambot for Twitter. Its file name is bot_lite_100.exe. Its detection name is HKTL_FAKEBOT. HKTL_ is the detection prefix used by Trend Micro for hacker-tools which are considered to be Grayware. Grayware refers to applications that have annoying, undesirable, or undisclosed behavior but do not fall into any of the major threat (i.e., virus or Trojan horse) categories..."

(Screenshots available at the URL above.)

- http://ddanchev.blogspot.com/2009/07/diverse-portfolio-of-fake-security_27.html
July 27, 2009


2009-07-31, 18:28

Rogueware growth - 2009 ...
- http://www.darkreading.com/shared/printableArticle.jhtml?articleID=218700073
July 29, 2009 - "All told, 374,000 new versions of rogueware samples were released in this year's second quarter - and that number is expected to nearly double to 637,000 in the third quarter. PandaLabs researchers, who have been tracking the spread of this latest trend in cybercrime, say rogueware is easier for the bad guys than traditional banking Trojan attacks... the numbers have been spiking during the past year:
In the fourth quarter of 2008, PandaLabs found more than 50,000 rogueware samples for a total of 92,000 for the year*. "And there were two times as many in Q2 versus Q1," PandaLabs' Corrons says. "Last year, they were using typical malware distribution channels, with links that were trying to distribute the fake AV. In the second quarter of 2009, we had predicted there would be 220,000 samples [of rogueware], but it turned out to be 374,000." But now social networks, such as Facebook, MySpace, and Twitter, are the latest vehicle for spreading rogueware. Attackers hijack user accounts and go after their friends with a video link... These fake antivirus programs alert victims that they are "infected" and lure them to click and clean their machines; when they do, they are prompted to purchase a license for the phony security application... So the bad guys are now automatically generating new, unique samples that AV engines can't recognize, according to the researchers. PandaLabs found in its research two main tiers in the rogueware business model: the creators, who develop the rogue applications and provide back-office services, such as payment gateways, and the affiliates, who distribute the fake AV. Affiliates are mostly Eastern Europeans..."
* http://www.pandasecurity.com/homeusers/security-info/tools/reports#Monographs

Following the Money: Rogue Anti-virus Software
- http://voices.washingtonpost.com/securityfix/2009/07/following_the_money_trail_of_r.html
July 31, 2009


2009-08-10, 14:56

Q2-2009 - $34m in Rogueware per month...
- http://www.theregister.co.uk/2009/08/07/scareware_market/
7 August 2009 - "Fraudsters are making approximately $34m per month through scareware attacks, designed to trick surfers into purchasing rogue security packages supposedly needed to deal with non-existent threats. A new study, The Business of Rogueware*, by Panda Security researchers Luis Corrons and Sean-Paul Correll, found that scareware distributors are successfully infecting 35 million machines a month. Social engineering attacks, often featuring social networking sites, that attempt to trick computer users into sites hosting scareware software have become a frequently used technique for distributing scareware. Tactics include manipulating the search engine rank of pages hosting scareware. Panda reckons that there are 200 different families of rogueware, with more new variants coming on stream all the time... Luis Corrons, PandaLabs' technical director: "By taking advantage of the fear in malware attacks, they prey upon willing buyers of their fake anti-virus software, and are finding more and more ways to get to their victims, especially as popular social networking sites and tools like Facebook and Twitter have become mainstream." In Q2 2009, four times more new strains were created than in the whole of 2008, primarily in a bid to avoid signature-based detection by genuine security packages..."
* http://www.pandasecurity.com/homeusers/security-info/tools/reports#Monographs
"... results:
• We predict that we will record more than 637,000 new rogueware samples by the end of Q3 2009, a tenfold increase in less than a year.
• Approximately 35 million computers are newly infected with rogueware each month (approximately 3.50 percent of all computers).
• Cybercriminals are earning approximately $34 million per month through rogueware attacks..."


2009-08-26, 13:01

Cybercrime Hub in Estonia
- http://blog.trendmicro.com/investigations-on-a-cybercrime-hub-in-estonia/
Aug. 26, 2009 - "... this company has been serving as the operational headquarters of a large cybercrime network since 2005. From its office in Tartu (Estonia), employees administer sites that host codec Trojans and command and control (C&C) servers that steer armies of infected computers. The criminal outfit uses a lot of daughter companies that operate in Europe and in the United States. These daughter companies’ names quickly get the heat when they become involved in Internet abuse and other cybercrimes. They disappear after getting bad publicity or when upstream providers terminate their contracts. Some of the larger daughter companies survived up to 5 years, but got dismantled after they lost internet connectivity in a data center in San Francisco, when webhosting company Intercage went dark in September 2008, and when ICANN decided to revoke the company’s domain name registrar accreditation. This caused a major blow to the criminal operation. However, it quickly recovered and moreover immediately started to spread its assets over many different webhosting companies. Today we count about 20 different webhosting providers where the criminal Estonian outfit has its presence. Besides this, the company owns two networks in the United States. We gathered detailed data on the cyber crime ring from Tartu and found that they control every step between driving traffic to sites with Trojans and exploiting infected computers. Even the billing system for fake antivirus software that is being pushed by the company is controlled from Tartu. An astonishing number of 1,800,000 Internet users were exposed to bogus “you are infected” messages in July 2009 when they tried to access high traffic pornography sites."

(Screenshots available at the URL above.)


2009-09-03, 00:09

Rogue AV goes Green
- http://securitylabs.websense.com/content/Blogs/3469.aspx
09.02.2009 - "Given the world's ever-increasing environmental concerns, it’s easy to see why malware authors are monetizing via an eco-friendly strategy. Just as the scare tactics of rogue AVs have already taken their toll, yet another ingenious twist appears - this time resorting to a friendlier, “greener” tone. Green-conscious people, beware! The latest scheme states that, for every fake AV you buy, a donation will be made to an environmental care program. It’s very simple and direct – buy the software and save the planet. Unlike other rogue AV campaigns that offer “free trial versions,” this ploy actually requires the user to buy the malware with a credit card, all the while assuring the user that a donation will be made to a green cause. This social engineering scheme appears to be picking up steam—as stories of fake AV grief from victims posted on the Web continue to pour in." (including search engine poisoning w/links to the rogue software)

(Screenshots available at the URL above.)


2009-09-11, 14:06

FakeAV for 9/11
- http://blog.trendmicro.com/fakeav-for-september-11/
Sep. 10, 2009 - "As the anniversary of the horrible September 11 attacks in The United States approaches, Trend Micro researchers donned their research coats and waited for the people behind FAKEAV to make their move. Predictably, they did not disappoint. Through SEO poisoning, users searching for any reports related to September 11 may find themselves stacked with Google search results that lead to a rogue AV malware... several malicious Web sites that can all be found in the poisoned Google search results... The people behind FAKEAV still show no sign of slowing down. With the holiday season coming up, users are also advised to refrain from visiting unknown sites returned in Search Engine results and rely on reputable news agencies instead."
(Screenshot available at the URL above.)

- http://www.sophos.com/blogs/gc/g/2009/09/11/scareware-scammers-exploit-911
September 11, 2009


2009-09-14, 14:00

NY Times pushes Fake AV malvertisement
- http://countermeasures.trendmicro.eu/new-york-times-pushes-fake-av-malvertisement/
Sep. 14, 2009 - "...the New York Times issued a warning over Twitter and also on the front page of the web site. The newspaper advised visitors that they had had reports from “some NYTimes .com readers” relating to a malicious pop-up window while browsing the site... In the warning, the influential newspaper stated their belief that the pop-ups were the result of an “unauthorised advertisement”... it looks as though the problem may have been ongoing for upwards of 24 hours. The pop-up window itself... was the all-too-familiar sight of rogue antivirus software informing the NYTimes reader that their computer is infected with random, spurious, non-existent malware and promising “Full System Cleanup” for a fee of course... The malicious software being punted in this case, is the same as we were seeing in much of the black-hat SEO around the 9/11 attacks, as reported previously on the TrendLabs malware blog*. In this particular example, the malicious site and software is being hosted by a German provider, Hetzner AG, which has a colourful track record when it comes to spewing dodgy content, having hosted literally hundreds of malicious URLs. Here’s a really simple tip to remember. If you *ever* see a pop-up window that arrives uninvited, telling you your PC is infected, ignore it, it is a scam. Close the window, empty your browser cache... UPDATE: Troy Davis was fortunate enough to be able to examine the attack in real-time and provides an excellent code level analysis here**".

* http://blog.trendmicro.com/fakeav-for-september-11/

** http://troy.yort.com/anatomy-of-a-malware-ad-on-nytimes-com


2009-09-15, 14:26

Fake A/V hacks for another celebrity death...
- http://www.sophos.com/blogs/gc/g/2009/09/15/patrick-swayzes-death-exploited-scareware-hackers/
September 15, 2009 - "Patrick Swayze, the star of movies such as "Dirty Dancing" and "Ghost", has died after fighting cancer of the pancreas for two years. Although the entertainment world mourns his loss, heartless hackers are taking advantage of the hot news story by creating malicious webpages that lead to fake anti-virus (also known as scareware) alerts... This is the same tactic used by cybercriminals after the death of Natasha Richardson and when they exploited interest amongst the public in the anniversary of the 9/11 terrorist attack last week. Clearly the cybercriminals are no slackers when it comes to jumping on a trending internet topic, and are more professional than ever before in spreading their fake anti-virus scams..."


2009-09-17, 11:40

Rogue Anti-Virus SEO Poisoning...
- http://securitylabs.websense.com/content/Blogs/3479.aspx
09.16.2009 - "SEO poisoning is fast becoming a trend in spreading rogue anti-virus software. This type of attack coupled with relevant news items that might be of interest to users from all walks of life is a lethal combination. Search terms related to the recent MTV Video Music Awards brouhaha and President Obama’s off-the-record comments about Kanye West, as well as updates on murdered Yale graduate student Annie Le, are the latest targets... Upon visiting these search results, visitors would be presented with the standard fake / rogue AV Web site. To make matters worse, (real) anti-virus products have very poor detection rates..."

- http://www.virustotal.com/analisis/5cec85f68bbcf54399d0ef0952d68ffaa8d66b8d748617dd8466f4829ef59896-1253125434
File setup_build6_195.exe received on 2009.09.16 18:23:54 (UTC)
Result: 1/41 (2.44%)

- http://www.virustotal.com/analisis/5a97f72df8e9c64d3192ec839be632bb46e481da454d9abe7f24d01aa7b3610e-1253125440
File Soft_71.exe received on 2009.09.16 18:24:00 (UTC)
Result: 3/41 (7.32%)

(Screenshots of the fake AV Web site, as led to by the search engine, available at the Websense URL above.)

- http://isc.sans.org/diary.html?storyid=7144
Last Updated: 2009-09-17 07:36:18 UTC


2009-09-21, 12:23

Fake Twitter accounts for Fake AV
- http://www.f-secure.com/weblog/archives/00001773.html
September 20, 2009 - "We're seeing more and more fake Twitter accounts being auto-generated by the bad boys. The profiles look real. They have variable account and user names (often German) and different locations (US cities). They even upload different Twitter wallpapers automatically... All the tweets sent by these accounts are auto-generated, either by picking up keywords from Twitter trends or by repeating real tweets sent by humans. And where do all the links eventually end up? Of course, they lead to fake websites trying to scare you into purchasing a product you don't need..."

(Screenshots available at the URL above.)

- http://www.sophos.com/blogs/gc/g/2009/09/21/fake-antivirus-attack-twitter/
September 21, 2009


2009-09-24, 16:11

Fake Malwarebytes - Bogus Sponsored Link Leads to FAKEAV
- http://blog.trendmicro.com/bogus-sponsored-link-leads-to-fakeav/
Sep. 24, 2009 - "Apart from SEO poisoning, cybercriminals have found another avenue to proliferate FAKEAV malware - bogus sponsored links (sitios patrocinados in Spanish). Just recently, Trend Micro researchers were alerted to malicious search engine ads that appeared in Microsoft’s Bing and AltaVista, among others, when a user searches the string “malwarebytes.” (Malwarebytes is a free antivirus product, but of course, not a FakeAV.) Clicking the malicious URL points the user to an executable file named MalwareRemovalBot.exe-1 (detected by Trend Micro as TROJ_FAKEAV.DMZ). Upon execution, the rogue antivirus displays false information that the system is infected with files that do not even exist... In the past, cybercriminals employed the same tactic when they hitchhiked on Trend Micro. Some Google searches then showed banner ads that led to a fraudulent Trend Micro website. Though the ads may not appear in all regions, all users are still strongly advised to be extra careful when clicking links in search engines..."

(Screenshots available at the URL above.)


2009-09-29, 21:50

Tropical Storm leads to FAKEAV
- http://blog.trendmicro.com/tropical-storm-leads-to-fakeav/
Sep. 29, 2009 - "Cybercriminals leveraged the tropical storm Ondoy (International name: Ketsana) that hit the Philippines and killed around 140 people... several malicious sites that appeared each time users search for the strings “manila flood,” “Ondoy Typhoon,” and “Philippines Flood,” among others. The said sites emerged as one of the top search results. Once the user clicks the URL, they will be redirected to several landing pages where they are asked to download an EXE file, soft_207.exe. Trend Micro detects it as TROJ_FAKEAV.BND. This attack does GeoIP checks, which means it only targets specific regions or locations... Although riding on tragic events is not exactly new, what is notable is it employed once again blackhat SEO to lead users to a FAKEAV..."

(Screenshots available at the URL above.)


2009-09-30, 13:24

Rogue downloader uses Firefox warning screen lookalike
- http://sunbeltblog.blogspot.com/2009/09/rogue-downloader-uses-firefox-warning.html
September 29, 2009 - "... The rogue Alpha AntiVirus page used to hijack a browser copies the Firefox warning screen... Looks like the Firefox warning page ( in Internet Explorer ), but with a difference... What makes research on these rogues very challenging is the fact that they swap the download web sites about every six hours..."

(Screenshots available at the URL above.)


2009-10-02, 15:12

Rogue AV growth 2009-H1 585 percent
- http://www.theregister.co.uk/2009/10/02/crimeware_plague/
2 October 2009 - "The prevalence of scareware packages has reached epidemic proportions, with 485,000 different samples detected in the first half of 2009 alone. The figure is more than five times the combined figure for the whole of 2008, according to statistics from the Anti-Phishing Working Group (APWG). The huge figures are explained by the hacker practice of changing the checksum of every file. The tactic is designed to foil less sophisticated anti-malware defences... More than half (54 per cent) or 11.9 million of the computers scanned by Panda Security, which contributed to APWG's report, were infected with some form of malware. Banking trojan infections detected by the group almost tripled (up 186 per cent) between Q4 2008 and Q2 2009. APWG's report can be found here*."
* http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf


2009-10-20, 22:47

Scareware SPAM - Conficker.B infection alerts
* http://ddanchev.blogspot.com/2009/10/scareware-serving-confickerb-infection.html
October 20, 2009 - "A fake "conficker.b infection alert" spam campaign first observed in April, 2009 (using the following scareware domains antivirus-av-ms-check .com; antivirus-av-ms-checker .com; ms-anti-vir-scan .com; mega-antiviral-ms .com back then) is once again circulating in an attempt to trick users into installing "antispyware application", in this case the Antivirus Pro 2010 scareware. This campaign is directly related to last week's Microsoft Outlook update campaign, with both of these using identical download locations for the scareware..."

(Screenshots and extensive list of domains involved available at the URL above*.)


2009-12-14, 17:28

Scareware warning from the FBI
- http://www.us-cert.gov/current/#fbi_releases_warning_about_scareware
December 14, 2009 - "The Federal Bureau of Investigation (FBI) has released a warning to alert users about an ongoing threat involving pop-up security messages that appear on the Internet. These pop-up messages may contain seemingly legitimate antivirus software. Users who click on these pop-up messages to purchase and install the bogus software may become infected with malicious code or become victims of a phishing attack. US-CERT encourages users and administrators to do the following to help mitigate the risks:
• Review the FBI Press Release* titled Pop-Up Security Warnings Pose Threats.
• Install antivirus software, and keep the signature files up to date.
• Use caution when entering personal and financial information online.
• Install software applications from only trusted sources."
* http://www.fbi.gov/pressrel/pressrel09/popup121109.htm

> http://www.ic3.gov/media/2009/091211.aspx
"... The FBI is aware of an estimated loss to victims in excess of $150 million..."

- http://sunbeltblog.blogspot.com/2009/12/biggest-rogue-family-third-generation.html
December 11, 2009 - "A new rogue security product called IGuardPC... is the 50th clone of the WiniGuard family of rogue security products. That makes WiniGuard the largest rogue family ever detected by Sunbelt researchers. The WiniGuard family began in September of 2008. Operators behind it have added variants... sorted into three generations. The latest generation gets a new clone about every 48 hours to stay ahead of public awareness and anti-malware detections..."
(Screenshots available at the URL above.)


2010-01-09, 00:00

Rogue AV - Data Doctor 2010 encrypted files...
- http://sunbeltblog.blogspot.com/2010/01/data-doctor-2010-encrypted-files-we.html
January 06, 2010 - "Our analyst Dimiter Andonov has developed a tool to decrypt files encrypted by Data Doctor 2010 that at least one blog reader found very useful:
Update 01/07:
We've just posted a page with detailed directions for using the Data Doctor 2010 file decrypter:
http://www.sunbeltsecurity.com/DownLoads.aspx ..."

- http://www.f-secure.com/weblog/archives/00001850.html
January 8, 2010


2010-01-14, 23:40

Rogue AV exploits Haiti earthquake
- http://isc.sans.org/diary.html?storyid=7987
Last Updated: 2010-01-14 18:45:02 UTC - "Just when you think they couldn't possibly go any lower ... The bad guys behind the Rogue AV scam (see my old diary at http://isc.sans.org/diary.html?storyid=7144 about Rogue AV) are heavily using SEO techniques to make links to their sites appear high on search engines. For example, when using Google to search for "haiti earthquake donation" top 6 hits (!) lead to compromised web sites which in turn check the referrer (they verify if you are coming from a search engine) and, if that is true, redirect you to another web site... At the moment they are redirecting to scan-now24 .com which appears to be taken down. As posted on numerous places yesterday – if you plan on donating be very careful about sites you visit."

- http://www.us-cert.gov/current/#haitian_earthquake_disaster_phishing_attacks
January 14, 2010

- http://www.fbi.gov/pressrel/pressrel10/earthquake011310.htm
January 13, 2010

- http://sunbeltblog.blogspot.com/2010/01/hacked-sites-used-to-redirect-to.html
January 14, 2010 - "We continue to find hacked sites popping up on web searches for Haiti relief donations-related strings. Among other things, we’ve found a rogue security product being pushed. VIPRE detected that one as Rogues.Win32.FakeVimes... sites all -redirect- to scan-now24 .com (registered Dec. 28), which we recommend blocking..."
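One way to test a suspect page for the referrer-conditional redirect the ISC diary describes (direct visits get the real page, search-engine visitors get bounced to the rogue AV domain), written as an added example for this thread rather than code from ISC or Sunbelt. The `compromised_site` function is a constructed model of the injected server-side check, not the real script; `scan-now24.com` appears only because the posts above name it, and nothing here touches the network.

```python
import re
from urllib.parse import urlparse

# Referers a search-engine visitor would carry (constructed for the example).
SEARCH_ENGINE_REFERERS = (
    "http://www.google.com/search?q=haiti+earthquake+donation",
    "http://www.bing.com/search?q=haiti+earthquake+donation",
)
REDIRECT_STATUSES = (301, 302, 303, 307, 308)
_SE_HOST = re.compile(r"(^|\.)(google|bing|yahoo|ask)\.", re.I)


def compromised_site(path, referer):
    """Constructed model of an injected referrer check on a hacked site.
    Search-engine traffic is bounced to the rogue AV domain; a direct visit
    gets the genuine page, so the site owner sees nothing wrong."""
    if referer and _SE_HOST.search(urlparse(referer).netloc):
        return 302, {"Location": "http://scan-now24.com/?from=" + path.strip("/")}, ""
    return 200, {}, "<html><body>Haiti relief donations</body></html>"


def clean_site(path, referer):
    """Control: the same page regardless of referer."""
    return 200, {}, "<html><body>Haiti relief donations</body></html>"


def detect_cloaking(fetch, path, blocklist=()):
    """fetch(path, referer) -> (status, headers, body).

    The page is fetched once with no referer and once per search-engine
    referer. Any off-site redirect for search traffic, or a response that
    differs from the direct visit, is reported as a cloaking target."""
    base_status, _, base_body = fetch(path, "")
    targets = set()
    for ref in SEARCH_ENGINE_REFERERS:
        status, headers, body = fetch(path, ref)
        location = headers.get("Location", "")
        if status in REDIRECT_STATUSES and location:
            targets.add(urlparse(location).netloc.lower())
        elif (status, body) != (base_status, base_body):
            targets.add("<content differs from direct visit>")
    return {
        "cloaked": bool(targets),
        "targets": sorted(targets),
        "known_bad": sorted(t for t in targets if t in blocklist),
    }


if __name__ == "__main__":
    print(detect_cloaking(compromised_site, "/donate", blocklist=("scan-now24.com",)))
    print(detect_cloaking(clean_site, "/donate"))
```

To run it against a live site, pass a fetch callable built on `requests.get(url, headers={"Referer": ref}, allow_redirects=False)` that returns `(r.status_code, r.headers, r.text)`; keep automatic redirects off so the `Location` header is what gets inspected, and do the fetching from an isolated machine, since the landing page is the one that serves the executable.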


2010-02-16, 22:18

Scammers offer "Live Support"
- http://www.informationweek.com/shared/printableArticle.jhtm?articleID=222900276
Feb. 13, 2010 - "... The Live PC Care "virus scan" screen now includes a yellow online support button that affords those reluctant to part with their money the opportunity to banter with fraud support. "If a potential victim clicks on the online support button they are brought to a live support chat session," said Symantec security researcher Peter Coogan in a blog post*. "The authors of Live PC Care have taken advantage of a legitimate freeware live chat system called LiveZilla. This system allows Live PC Care victims to chat online with so-called 'support agents.'" Based on the interactions between Symantec researchers and the live support people, Coogan says that there really are people answering questions, and not automated scripts. Their goal, he says, is to allay suspicions and encourage the belief that the fake malware detected needs to be repaired. Coogan says that the involvement of live support people shows just how big the business of fake antivirus scams has become. Symantec says that between July 1, 2008 and June 30, 2009, 250 different fake antivirus programs made 43 million installation attempts. The company says that the cost of being victimized can go beyond the $30 to $100 price for useless software to include additional fraud arising from credit card theft."
* http://www.symantec.com/connect/blogs/fake-av-talking-enemy

- http://www.symantec.com/security_response/writeup.jsp?docid=2007-101013-3606-99&tabid=2
Updated: October 10, 2007 5:08:11 PM
Type: Trojan
Infection Length: 7,680 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000


2010-02-26, 19:56

VirusTotal - fake rogue site
- http://sunbeltblog.blogspot.com/2010/02/not-real-virustotalcom.html
February 26, 2010 - "VirusTotal.com [ http://en.wikipedia.org/wiki/VirusTotal.com ] is a brilliant site that helps both public and researchers alike determine if an executable file they have is potentially malicious or not... somebody decided to cash in on the good name of the site with the following domain:
...we have some Rogue Antivirus advertising in the house, to the tune of “Your computer is infected by viruses” complete with the now familiar fake image of your drives and folders... Should you download and run the executable file offered up by the site, you’ll end up with the rogue Security Tool on your system... the REAL domain for VirusTotal is http://www.virustotal.com/ . Don’t fall for this scam!"

(Screenshots available at the Sunbeltblog URL above.)


2010-02-27, 01:01

MS warns: fake Security Essentials
- http://www.theregister.co.uk/2010/02/26/microsoft_security_essentials_rogue/
26 February 2010 - "Microsoft has warned Windows users to be on their guard against a piece of rogue antivirus software passing itself off as Microsoft Security Essentials. Security essentials 2010 is a piece of software Microsoft said installs a fake virus scanner on your machine and monitors and blocks processes it doesn't like. The software will also block access to websites of antivirus and malware companies and flag up a warning message. You can see the list of blocked sites here*... Adding insult to injury, Security essentials 2010 charges you to scan and remove files on your machine, claiming the version you will have initially downloaded is just a trial edition. Microsoft's Security Essentials is available without charge to PC users running a genuine copy of Windows..."
* http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:Win32/Fakeinit


2010-04-16, 12:39

Fake AV on 11,000 domains...
- http://googleonlinesecurity.blogspot.com/2010/04/rise-of-fake-anti-virus.html
April 14, 2010 - "... One increasingly prevalent threat is the spread of Fake Anti-Virus (Fake AV) products. This malicious software takes advantage of users’ fear that their computer is vulnerable, as well as their desire to take the proper corrective action... We conducted an in-depth analysis of the prevalence of Fake AV over the course of the last 13 months... Our analysis of 240 million web pages over the 13 months of our study uncovered over 11,000 domains involved in Fake AV distribution — or, roughly 15% of the malware domains we detected on the web during that period. Also, over the last year, the lifespan of domains distributing Fake AV attacks has decreased significantly..."

- http://www.newsfactor.com/story.xhtml?story_id=13000CYP5QJY
April 28, 2010 - "... fake antivirus scans that plant malware are on the rise. Over 13 months, more than 11,000 domains were involved in fake scans, Google says. Advertising is being used to trick users into fake scans, and Google promised to blacklist any company linked to malware. Rapid adaptation is also making it more difficult to detect malware..."

2010-05-29, 15:41

Scareware gang busted...
- http://www.darkreading.com/shared/printableArticle.jhtml?articleID=225200545
May 28, 2010 CHICAGO - "An international cybercrime scheme caused Internet users in more than 60 countries to purchase more than one million bogus software products, causing victims to lose more than $100 million, according to a federal indictment returned here against a Cincinnati area man and two other men believed to be living abroad... fake advertisements placed on various legitimate companies' websites, deceived Internet users into falsely believing that their computers were infected with "malware" or had other critical errors to induce them to purchase "scareware" software products that had limited or no ability to remedy the purported, but nonexistent, defects... Two defendants, Bjorn Daniel Sundin, and Shaileshkumar P. Jain, with others owned and operated Innovative Marketing, Inc. (IM), a company registered in Belize that purported to sell anti-virus and computer performance/repair software through the internet and that operated a subsidiary called Innovative Marketing Ukraine, located in Kiev. The company appeared to close down last year after the U.S. Federal Trade Commission filed a federal lawsuit in Maryland seeking to end the allegedly fraudulent practices... Individuals who believe they are victims and want to receive information about the criminal prosecution may call a toll-free hotline, 866-364-2621, ext. 1, for periodic updates... Each count of wire fraud carries a maximum penalty of 20 years in prison and a $250,000 fine and restitution is mandatory. The Court may also impose a fine totaling twice the loss to any victim or twice the gain to the defendant, whichever is greater..."

- http://chicago.fbi.gov/dojpressrel/pressrel10/cg052710.htm
May 27, 2010


2010-07-15, 01:47

Exploits, malware, and scareware courtesy of AS6851, BKCNET, Sagade Ltd.
- http://ddanchev.blogspot.com/2010/07/exploits-malware-and-scareware-courtesy.html
July 14, 2010 - "Never trust an AS whose abuse-mailbox is using a Gmail account (piotrek89@gmail.com), and in particular one that you've come across during several malware campaigns over the past couple of months. It's AS6851, BKCNET "SIA" IZZI* I'm referring to, also known as Sagade Ltd... It's the Koobface gang connection in the face of urodinam .net, which is also hosted within AS6851... Currently active exploits/malware/scareware serving domain portfolios within AS6851: ... Detection rates for the currently active malware samples, including the HOSTS file modifications on infected hosts, for the purpose of redirecting users to cybercrime-friendly search engines, monetized through traffic trading affiliate programs:
- 78490.jar - Result: 0/42 (0%)
- ad3.exe - Result: 41/42 (97.62%)
- a-fast.exe - Result: 36/42 (85.72%)
- dm.exe - Result: 37/42 (88.1%)
- iv.exe - Result: 8/42 (19.05%)
- j2_t895.jar - Result: 0/42 (0%)
- movie.exe - Result: 40/42 (95.24%)
- tst.exe - Result: 35/42 (83.34%)
- wsc .exe - Result: 37/42 (88.1%) - HOSTS file modification ...
- rc.exe - Result: 41/42 (97.62%) - HOSTS file modification ...
- installer.0028.exe - Result: 9/42 (21.43%) - HOSTS file modification ...
- installer.0022.exe - Result: 9/42 (21.43%) - HOSTS file modification ..."
(More detail and links at the ddanchev blog URL above.)

* http://cidr-report.org/cgi-bin/as-report?as=AS6851

- http://google.com/safebrowsing/diagnostic?site=AS:6851
"Of the 1035 site(s) we tested on this network over the past 90 days, 33 site(s)... served content that resulted in malicious software being downloaded and installed without user consent... last time Google tested a site on this network was on 2010-07-15, and the last time suspicious content was found was on 2010-07-15.
Over the past 90 days, we found 50 site(s) on this network... that appeared to function as intermediaries for the infection of 2661 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 550 site(s)... that infected 16759 other site(s)..."
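The HOSTS-file modifications in the sample list above are worth checking for directly on a machine that has run one of these installers. The script below is an added example (not from the ddanchev post): it parses a HOSTS file and flags well-known search, update and AV-vendor names that are either pinned to a non-loopback address (traffic hijacked, as with the redirects to rogue search engines) or pinned to loopback (site blocked, the trick the fake "Security Essentials 2010" post above describes). The watched-domain list and the sample HOSTS content are constructed assumptions; 203.0.113.0/24 is a documentation address range standing in for the attacker's server.

```python
import ipaddress
import os
import sys

# Names worth watching in a HOSTS file (assumption: extend for your estate).
WATCHED_SUFFIXES = (
    "google.com", "bing.com", "yahoo.com", "microsoft.com", "windowsupdate.com",
    "symantec.com", "f-secure.com", "kaspersky.com", "avg.com", "avira.com",
    "virustotal.com",
)

# Constructed HOSTS content: the stock Windows header plus lines a dropper wrote.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# -- entries below constructed for this example --
203.0.113.10    www.google.com google.com
203.0.113.10    www.bing.com
127.0.0.1       www.symantec.com
127.0.0.1       update.microsoft.com windowsupdate.microsoft.com
"""


def parse_hosts(text):
    """Yield (address, hostname, line_no) for every mapping; comments ignored."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for host in fields[1:]:
            yield fields[0], host.lower().rstrip("."), line_no


def _watched(host):
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Return (line_no, host, address, finding) for each suspicious mapping."""
    findings = []
    for address, host, line_no in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, host, address, "unparseable address"))
            continue
        if host.startswith("localhost") and addr.is_loopback:
            continue  # the stock entries
        if not _watched(host):
            continue
        if addr.is_loopback or addr.is_unspecified:
            findings.append((line_no, host, address, "blocked (pinned to loopback/unspecified)"))
        else:
            findings.append((line_no, host, address, "hijacked to " + address))
    return findings


def audit_hosts_file(path=None):
    """Audit the live HOSTS file; default location chosen by platform."""
    if path is None:
        if sys.platform.startswith("win"):
            path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                                "System32", "drivers", "etc", "hosts")
        else:
            path = "/etc/hosts"
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s: %s" % finding)
```

Run `audit_hosts_file()` on the suspect box (it needs read access to the file, nothing more); an empty result for the stock two-line file is the expected clean baseline, and anything else is worth restoring by hand before trusting any search result or update check from that machine.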


2010-07-30, 18:54

Fake Firefox update leads to scareware...
- http://www.theregister.co.uk/2010/07/30/firefox_update_scareware_ruse/
30 July 2010 - "... Prospective marks are normally lured to these sites through search engine manipulation, which ensures rogue sites appear prominently in lists of search results for newsworthy terms... write-up of the scareware slinging ruse in a blog post here*..."

* http://www.f-secure.com/weblog/archives/00001997.html
"... rogue peddlers have gotten tired of their old tricks in pushing rogueware into the user's system. It used to be a fake scanning page, that leads to a warning, then a fake AV. Now, it comes as the Firefox "Just Updated" page... the user doesn't need to click anything, the download dialog box immediately appears as soon as the page loads... When the user runs the file... Bad old rogue AV..."

(Screenshots available at the F-secure URL above.)


2010-09-18, 18:50

Rogue AV - social engineering...
- http://www.symantec.com/connect/blogs/latest-and-most-convincing-rogue-av-social-engineering
Sep 17, 2010 - "The success and penetration of fraudulent security software depends on its ability to scare the user into buying a fake security product. Over the years we have seen that many social engineering techniques have evolved in attempts to achieve this... This technique is employed by a recently found, in-the-wild sample of fake security software that misleads users by claiming to be a legitimate “Microsoft Security Essential.” The real social engineering is not found in the name, but in how it works (step by step) to trick users into buying this unknown security product... rather than showing many fake detection results, as is usually the case with rogue antivirus software, it reports just one threat. It will always report the same file (c:\windows\system32\cmd.exe) as “Unknown Win32/Trojan” and will request that the user clicks on “Apply actions.” However, both of the “Apply actions” and “Clean computer” buttons will redirect users to scan the identified threat with online scanners. Then, it shows a fake online scanner window that includes almost all reputable antivirus products, including Symantec, along with five unknown products... we may see the same or some variation of this rogue software being adopted across a few of the other rogueware families..."

- http://blog.webroot.com/2010/09/16/new-rogue-is-actually-five-rogues-in-one/
September 16, 2010

(Screenshots and more detail at both URLs above.)


2010-10-11, 23:01

BlackHat SEO campaign used to spread rogue...
- http://blog.urlvoid.com/blackhat-seo-campaign-used-to-spread-smart-engine/
October 9, 2010 - "A new blackhat seo campaign is distributing the setup installer of the new rogue security software named Smart Engine. The spreading status looks to be pretty aggressive; we have logged more than 2000 infected websites that are used to capture popular keywords and to redirect users to malicious urls or other fake scanner pages, with the intent to install the rogue software installer. When a user clicks on an infected url, there is a redirection... "


2010-12-15, 23:28

More rogue security scams...
- http://www.theinquirer.net/inquirer/news/1932553/defraggers-scam
Dec 15 2010 - "... usually rogue security software does its best to pretend to be anti-spyware or anti-virus products. In the last two months, however, it has become clear that the rogue malware writers are turning to fake optimisation software instead. Earlier in December we had PCoptomizer, PCprotection Center and Privacy Corrector which were intended to look like some kind of generic security product. Lately it has been "defragger" clones that claim to be disk utilities: UltraDefragger, ScanDisk and WinHDD. These pretended to find "HDD read/write errors". Disk defragmentation once was considered a good way of speeding up a computer, but it has become less of a problem as PCs got faster, hard drives much larger and newer versions of Windows had better file handling capabilities. But some users have become aware of the defrag utility and think they need it often, which is why the rogues impersonate defrag utilities. The cyber criminals who are sending out the software are changing the name of the software every few days to evade antivirus scanners. The report said that Internet users should be suspicious of any application that is advertised by spam, pops up dire warnings that your machine is affected by numerous problems, tells you that you need to update your browser, or demands that you make a purchase before it will clean or fix problems in your machine."

Fake disk defraggers
- http://news.cnet.com/8301-27080_3-20025692-245.html
December 14, 2010 - "... FakeAV-Defrag rogues... had names like HDDDiagnostic, HDDRepair, HDDRescue, and HDDPlus*..."
* http://forums.spybot.info/showpost.php?p=390775&postcount=9


2010-12-31, 12:20

Criminals host trojans on Cloud Storage Service Rapidshare
- http://www.eweek.com/c/a/Security/Criminals-Host-Trojans-on-Cloud-Storage-Service-Rapidshare-339725/
2010-12-30 - "Spammers are using cloud-based storage services to store malware, allowing them to circumvent e-mail spam filters, according to security experts at Kaspersky Lab and MX Lab. Kaspersky Lab detected the click-fraud Trojan, a variant of the Trojan-Dropper.Win32.Drooptroop family, which has been in circulation since the beginning of December, said Vicente Diaz, a Kaspersky Lab expert. There are over 7,000 variants of this particular family, according to Kaspersky. As with other types of malware that took advantage of the holiday season, the executable file for this Trojan was named gift.exe, Diaz said. The security firm detected more than 1,000 infections using this technique to distribute this variant, according to Diaz. The Trojan is stored on Rapidshare, a cloud-based file-sharing and storage service. The spam messages that users receive in their Inbox have no text, just a single link pointing to a valid Rapidshare URL. These messages get past spam filters because there are no malicious files attached, the domain name is not considered a “bad” one, and executables hosted on Rapidshare aren’t automatically classified as a threat, said Diaz. There was also a recent fake antivirus spam campaign that included a Rapidshare link pointing to surprise.exe, according to security firm MX Lab. The executable file downloads and installs the fake AV Security Shield on the user’s computer, which runs after the computer is rebooted. Once downloaded, there’s no guarantee that authentic antivirus products will detect these Trojans. According to MX Lab, only 16 of the 43 major antivirus products detected surprise.exe as a Trojan or as fake AV..."

- http://www.securelist.com/en/blog/11103/Malware_in_the_cloud

- http://blog.mxlab.eu/2010/12/14/malware-distrubution-on-rapidshare-surprise-exe/

The year of the cloud ...
- http://www.infoworld.com/d/cloud-computing/what-you-need-know-about-the-year-the-cloud-888
December 30, 2010
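The pattern the eWeek/Kaspersky/MX Lab pieces describe (no attachment, no text to speak of, one link to a file host that serves an executable) is easy to score on the mail gateway even when the domain itself is not on any blocklist. Below is an added example of such a check, not code from any of those vendors; the file-host list, the payload extensions and the two sample messages are constructed for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumptions for the example: hosts treated as file-sharing services and
# filename extensions treated as executable/archive payloads.
FILE_HOSTS = ("rapidshare.com", "rapidshare.de", "megaupload.com", "mediafire.com")
PAYLOAD_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".zip", ".rar")
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.I)

# Constructed messages: the bare-link spam described above, and a normal mail
# that also happens to link to a file host (so the host alone must not fire).
SPAM = """\
From: gift@example.net
To: victim@example.org
Subject: surprise
Content-Type: text/plain; charset=utf-8

http://rapidshare.com/files/000000000/surprise.exe
"""

HAM = """\
From: alice@example.org
To: bob@example.org
Subject: Thursday agenda
Content-Type: text/plain; charset=utf-8

Hi Bob, the agenda for Thursday is in the shared folder at
http://rapidshare.com/files/000000001/agenda.pdf - let me know if anything
is missing before I send it round to the rest of the team.
"""


def _is_file_host(url):
    host = urlparse(url).netloc.lower()
    return any(host == h or host.endswith("." + h) for h in FILE_HOSTS)


def classify_message(raw):
    """Return {'suspicious', 'reasons', 'urls'} for one RFC 822 message.

    Walks text/plain and text/html parts (so multipart mail works too),
    pulls out every URL, and counts the words left once the URLs are gone."""
    msg = email.message_from_string(raw, policy=policy.default)
    urls, words = [], 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        content = part.get_content()
        urls += [u.rstrip(".,)") for u in URL_RE.findall(content)]
        if ctype == "text/html":
            content = re.sub(r"<[^>]+>", " ", content)
        words += len(URL_RE.sub(" ", content).split())

    reasons = []
    file_host_urls = [u for u in urls if _is_file_host(u)]
    if file_host_urls:
        reasons.append("links to a file-hosting service")
    if any(urlparse(u).path.lower().endswith(PAYLOAD_EXT) for u in file_host_urls):
        reasons.append("file-host link names an executable or archive")
    if urls and words < 5:
        reasons.append("body is nothing but the link")
    # Two independent signals before we call it: a file-host link on its own
    # is normal business traffic.
    return {"suspicious": len(reasons) >= 2, "reasons": reasons, "urls": urls}


if __name__ == "__main__":
    for name, raw in (("SPAM", SPAM), ("HAM", HAM)):
        print(name, classify_message(raw))
```

In a milter or Postfix content filter this would run on the raw message before delivery; quarantining on `suspicious` and logging `urls` gives the incident responders the download location to block while the sample is still being analysed.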


2011-01-03, 11:37

New Rogue Software: Easy Scan
- http://blog.urlvoid.com/?p=648
January 1, 2011 - "Easy Scan is another rogue security software that is installed by TDSS variants* and that aims to scan the hard drive to find errors, instead it shows false errors..."
* http://blog.urlvoid.com/new-tdss-variants-install-plenty-of-software/
"... installed plenty of software and backdoors in the infected system. Other than installing rogue security software, this time named Antivirus Scan, it has installed also other software like FLVTube Player, Sweetim Pack, Vista Cookies Collector, OfferBox, DataMngr, SweetIE, SweetIM, Fun4IM..."

New Rogue Software: HDD Doctor
- http://blog.urlvoid.com/?p=630
December 26, 2010 - "HDD Doctor is another rogue security software that aims to scan the hard drive to find errors, instead it shows false errors..."


2011-01-05, 18:39

Rogue variant number stable, new “utility” look appears
- http://sunbeltblog.blogspot.com/2011/01/rogues-in-2010-number-of-variants.html
January 05, 2011 - "GFI Labs documented 167 rogue security products in 2010 – exactly the same number as 2009... the number of rogue security products appearing annually has been stable for the last three years. After increasing from 26 in 2005 to 162 in 2008, we’ve seen about the same number of variants each year since: 167 in both 2009 and 2010... Late in 2010 Researchers at GFI Labs noticed that at least one group of rogue writers had started a new deceptive tactic: creating graphic interfaces that impersonated utility software - such as hard drive defragmentation applications - instead of anti-virus products...
FakeAV-Defrag family history:
11/15/2010 Ultra Defragger
11/16/2010 ScanDisk-Defragger
11/30/2010 WinHDD
12/9/2010 HDDPlus
12/12/2010 HDDRescue
12/12/2010 HDDRepair
12/13/2010 HDDDiagnostic ...
Rogue distributors usually create their malicious software and server infrastructure then clone their malcode often in order to escape detection by legitimate anti-virus products. They count on making money in the days (or hours) that the new rogue clones go undetected..."
(Charts available at the Sunbelt blog URL above.)


2011-02-02, 00:28

Rogue AVG AV on the Web...
- http://www.f-secure.com/weblog/archives/00002090.html
January 31, 2011 - "... A rogue* was recently discovered to be using AVG's logo and reputable name, hoping to mislead and trick people into purchasing the fake AV... Aside from AVG's logo, the rogue's interface bears no resemblance to that of the legit AVG Anti-Virus Free Edition 2011... However, users who aren't familiar with the product might not notice this difference and think that they are getting the real thing. One bit of advice — watch out for the source. Most antivirus companies provide free/trial versions of their products directly on their websites... skip the untrustworthy channel and get it directly from the AV vendors." **
(Screenshots of the rogue available at the URL above, and the blogs.technet URL below.)

* http://www.f-secure.com/v-descs/rogue_w32_rogue_antispyware.shtml

** [In this case, AVG Free legit site is: http://free.avg.com/ ]

> http://blogs.technet.com/b/mmpc/archive/2011/02/01/fakexpa_5f00_raises_5f00_a_5f00_few_5f00_brows.aspx
31 Jan 2011 6:05 PM


2011-02-21, 22:22

Fake Avira rogue...
- http://techblog.avira.com/2011/02/21/malware-signed-with-fake-avira-certificate/en/
February 21, 2011 - "... Viewing the properties of the digital signature, Microsoft Windows shows a note “A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider”. Don’t misunderstand that message – it means that this certificate is not created by Avira GmbH and therefore it’s not a stolen certificate. Stuxnet gained a lot of attention by the media because it contained a valid digital signature from “Realtek Semiconductor” which was obviously stolen by the malware authors... The malware itself is nothing new. It’s a member of the well known Zbot/ZeuS malware family which is spammed via Email. The Trojan doesn’t show new behavior of the Zbot/ZeuS authors. Upon execution it is creating a copy of itself and is deleting the original executed file; also it adds a runkey to the Windows registry in order to get started after a reboot. After this the Trojan tries to connect to the C&C Server “**ciq.net” to receive more information about targets to spy upon..."


2011-03-03, 10:55

Rogue AV different on each browser...
- http://research.zscaler.com/2011/03/new-fake-av-page-uses-firefox-internals.html
March 2, 2011 - "... new type of Fake AV page that looks different on each browser. And it also uses internal elements of those browsers... The malicious executable InstallInternetDefender_722.exe is detected* by only 9.5% of AV!... The version displayed in Firefox... looks like the security warning Firefox shows for malicious and phishing sites... the Chrome version looks like a legitimate browser warning... For Safari, only the first popup box is tailored to the browser. The main page is the same as Internet Explorer..."
(Screenshots and more detail available at the URL above.)
* http://www.virustotal.com/file-scan/report.html?id=a52344814b68b7d3a3cdd5b7fb4f73f4b4b98e0caeed9c8c85ad52ff2e05e1ce-1299087679
File name: InstallInternetDefender_722.exe
Submission date: 2011-03-02 17:41:19 (UTC)
Result: 4/42 (9.5%)
There is a more up-to-date report...
- http://www.virustotal.com/file-scan/report.html?id=a52344814b68b7d3a3cdd5b7fb4f73f4b4b98e0caeed9c8c85ad52ff2e05e1ce-1299190654
File name: install_internetdefender.exe
Submission date: 2011-03-03 22:17:34 (UTC)
Result: 12/43 (27.9%)


2011-03-04, 01:06

ChronoPay scareware...
- http://krebsonsecurity.com/2011/03/chronopays-scareware-diaries/
March 3, 2011 - "If your Windows PC has been hijacked by fake anti-virus software or “scareware” anytime in the past few years, chances are good that the attack was made possible by ChronoPay, Russia’s largest processor of online payments... ChronoPay also specializes in processing the transactions of so-called “high-risk” industries, including online pharmacies, tobacco sales, porn and software sales. A business is generally classified as high-risk when there is a great potential for credit card chargebacks and a fair chance that it will shut down or vanish without warning... ChronoPay, lists more than 75 pages of credit card transactions that the company processed from Americans who paid anywhere from $50 to $150 to rid their computers of imaginary threats found by scareware from creativity-soft .com... As security firm F-Secure noted* at the time, victims of this scam were informed that an “antipiracy foundation scanner” had found illegal torrents from the victim’s system, and those who refused to pay $400 via a credit card transaction could face jail time and huge fines..."
* http://www.f-secure.com/weblog/archives/00001931.html

- http://www.f-secure.com/weblog/archives/00002112.html
March 4, 2011


2011-03-14, 11:14

Rogue AV links from tsunami in Japan...
- http://isc.sans.edu/diary.html?storyid=10543
Last Updated: 2011-03-14 08:21:18 UTC - "... people are still surprised how quickly bad guys catch up with events in the real world - this is especially true for the RogueAV/FakeAV groups which constantly poison search engines in order to lure people into installing their malware. We can also see even many AV vendors warning people to be careful when they search for this or that (currently, obviously the search query that generates most attention is related to the disaster in Japan). While it is good to constantly raise awareness and warn people about what’s happening, one important thing to know is that the RogueAV/FakeAV guys poison search engines and modify their scripts automatically. This means that they are constantly on top of current trends and events in the world – whatever happens, their scripts will make sure that they “contain” the latest data/information about it... With the disaster in Japan striking on Friday we saw another RogueAV/FakeAV group heavily poisoning the search engines – even Google which normally removes them quickly still contains hundreds of thousands of such pages. Since this campaign can be easily identified, here is... the current count... 1.7 million pages (!!!). Keep in mind that there are multiple pages listed here with different search terms (they modify search terms through a single parameter), but the number is still staggering. According to Google, in past 24 hours there have been 14,200 such pages added so it’s clear that the bad guys are very active... the RogueAV/FakeAV guys can create very realistic pages that can, unfortunately as we’ve all witnessed, successfully poison search engines."


2011-04-19, 15:17

Rogue AV - Easter cards...
- http://sunbeltblog.blogspot.com/2011/04/easter-cards-more-rogue-av.html
April 19, 2011 - "Looks like we have more shenanigans involving rogue AV products and Easter... Elsewhere there are malicious emails* doing the rounds - the Easter scams are in full swing..."
* http://www.net-security.org/malware_news.php?id=1698

(Screenshots available at both URLs above.)


2011-05-12, 19:19

Google doodle leads to scareware...
- http://www.h-online.com/security/news/item/Google-doodle-takes-you-to-scareware-sites-1242208.html
12 May 2011 - "... it is rare for a click on a prominently positioned Google doodle to take you to links for fake virus scans... If a user clicks on the doodle to find out what it means, Google launches a search for the term the doodle refers to... On Wednesday, Google celebrated the 117th birthday of dance icon Martha Graham. Clicking on the doodle displayed a list of preview images of the modern art dancer, some of which were links to a scareware site... At present, a search for Martha Graham on Google still displays those images. Once on the scareware site the user is then offered the SecurityScanner.exe file for download in order to solve the alleged virus problem; the file contains malware. Only 4 of the 42 scanners used by Virustotal flagged the file as being a threat at 11am on Wednesday. A test conducted by The H's associates at heise Security revealed that the scareware managed to infect a Windows 7 system with Microsoft Security Essentials 2 (MSE2) enabled. The malware disabled MSE2 and added itself to the security centre as "Win 7 Home Security 2011" – and labelled itself as disabled. Users are then asked to pay €60 to activate it.
The infected system could no longer be used in any meaningful way. Warnings constantly popped up whenever any web page was visited regardless of which browser was used. The program does not appear on the list of installed software and therefore cannot be uninstalled easily. In similar cases, scareware could, with a lot of effort, be manually removed, but this software changed so many settings in the system that reinstalling Windows was the safest solution."

- http://blog.stopbadware.org/2011/04/29/fake-av-a-royal-wedding-present
2011.04.29 - "... we have no reason to believe the site’s legitimate owners intended for this URL to exist. Rather, an attacker appears to have exploited a weakness in the site’s security model and inserted a -redirect- for the URL... the payload from this attack can be extremely annoying and costly — it makes the PC all but unusable — this sort of attack is certainly not of the most sophisticated or technically dangerous variety. A user who does -not- download or run the Fake AV executable does not appear to suffer compromise..."
> http://www.virustotal.com/file-scan/report.html?id=153b6cd95b6c2847bf03e4df91225babd70c74de08ee39d64d216707176b884b-1304097780
File name: SecurityScanner.exe
Submission date: 2011-04-29 17:23:00 (UTC)
Result: 4/42 (9.5%)
There is a more up-to-date report ...
- http://www.virustotal.com/file-scan/report.html?id=153b6cd95b6c2847bf03e4df91225babd70c74de08ee39d64d216707176b884b-1305388325
File name: 7978e13ab11b027fb22b6cb4ec16dd3f
Submission date: 2011-05-14 15:52:05 (UTC)
Result: 32/43 (74.4%)


2011-05-17, 15:01

Scareware fakes HD failures...
- http://www.symantec.com/connect/fr/blogs/trojan-feigns-failures-increase-rogue-defragger-sales
16 May 2011 - "... Hard disk failures are a fact of life... Trojan.FakeAV writers are aware of this, and the end of last year saw a move by some into the creation of fake hard disk scanners and defragmentation tools... Trojan.Fakefrag. What sets this apart from standard fake disk cleanup utilities is that the Trojan makes changes on the computer and displays messages that make it appear as though the hard disk is failing. Then it drops a member of the UltraDefragger family called Windows Recovery, which offers to repair these disk errors for a mere $79.50!...
• It fakes hardware failure messages...
• It moves all the files in the "All Users" folder to a temporary location and hides files in the "Current User" folder. This makes it look like you have lost all the files on your desktop.
• It stops you from changing your background image.
• It disables the Task Manager.
• It sets both the “HideIcons” and “Superhidden” registry entries to give the impression that more icons have been deleted.
... the failure messages look just like something Windows would display..."
(Screenshots, video, and more detail available at the Symantec URL above.)

New scareware - charted
- http://blogs.mcafee.com/wp-content/uploads/2011/05/FP_BLOG_110513_2.jpg
May 13, 2011

:mad: :fear:

2011-05-19, 06:03

Fake AV bingo - 165 domains of bad
- http://isc.sans.org/diary.html?storyid=10894
Last Updated: 2011-05-19 00:06:54 UTC ...(Version: 2) - "Can you guess which domains the crooks behind the Fake Anti-Virus Scam are going to use next? Well, neither can we. But for several weeks now, they have been hosting a lot of their bad stuff out of, geo-located in... Russia... all in all 165 domains of badness.
Several of these domains were "found" by our readers via the poisoned Google image searches* that we reported earlier this month, and also via malicious advertisements embedded in perfectly benign web pages...
Fake AV has made its appearance on Macs**, where naive automatic download-and-run default settings in browsers still are common, and where "MacDefender" and its expected numerous successors and variants are likely to become as "successful" for the bad guys as their Windows version has been for years..."
* http://isc.sans.edu/diary.html?storyid=10822
** http://isc.sans.edu/diary.html?storyid=10813


2011-05-20, 15:45

Mac Fake AV...
- http://news.cnet.com/8301-27080_3-20064394-245.html
May 19, 2011 - "Macintosh users are being targeted with malware that poses as an antivirus warning and tries to trick people into paying for software they don't need. This ruse isn't new. So-called rogue antivirus has been hitting Windows machines for years. But this is the first time this type of malware has been written to target the much smaller Mac market... Mac Defender, also known as Mac Security and Mac Protector, is a fake antivirus program that is designed to scare people into thinking that their computers are infected with malware..."

- http://blog.intego.com/2011/05/02/intego-security-memo-macdefender-fake-antivirus/

- http://download.cnet.com/8301-2007_4-20064445-12.html
May 19, 2011 - "... On any platform, rogue antivirus programs are resistant to standard program removal procedures. This means you can't just drag one to the trash..."
(More detail on removal procedures at the above URL.)

- http://www.h-online.com/security/news/item/Mac-scareware-becomes-more-visible-Update-1246693.html
20 May 2011 - "... Users of the Safari web browser should disable automatic file opening in Safari (Preferences -> General and uncheck "Open 'safe' files after downloading"). More importantly though, users should, when prompted for their user name and password, be asking themselves "what is requesting this information" and remembering that they are giving it privileges to modify their system..."


2011-05-25, 13:51

Apple advisory on "MacDefender" malware
- http://isc.sans.edu/diary.html?storyid=10918
Last Updated: 2011-05-25 00:05:17 UTC

- http://support.apple.com/kb/HT4650
May 24, 2011 - "... Products Affected:
Mac OS X 10.4, Mac OS X 10.6, Mac OS X 10.5..."

Safari "Force Quit"
- http://support.apple.com/kb/ht3411


2011-05-26, 12:59

MacDefender variant changes tactics...
- http://isc.sans.edu/diary.html?storyid=10927
Last Updated: 2011-05-26 08:11:01 UTC - "MacDefender... has upped the ante with a new version according to Intego* that does not need to ask the user's password any longer... it's not using an exploit to avoid asking the right to write in the /Applications directory, it simply installs the software and activates it for the current user only. Since most Macs use only a single user, that changes little for the malware. But it removes the pop-up for your password. Anybody in the admin group can write to the /Applications directory..."
* http://www.intego.com/news/new-mac-defender-variant-macguard.asp
May 25, 2011 - "... effective SEO poisoning has led many Mac users to this type of malware, and no administrator password is required to install this new variant..."

:fear: :mad: :fear:

2011-05-31, 18:48

Fake Firefox SCAM leads to scareware...
- http://nakedsecurity.sophos.com/2011/05/30/fake-firefox-warnings-lead-to-scareware/
May 30, 2011 - "... latest scam? They detect your user-agent string from your web browser and display a fake Firefox security alert if you are using the Mozilla Firefox web browser... Internet Explorer users get the standard "My Computer" dialog that appears to do a system scan inside their browser window... We are likely to continue to see these criminals targeting each operating system, browser and any other details that can be gleaned from HTTP requests sent from our devices. If you click the "Start Protection" button you will download the latest, greatest fake anti-virus program..."
(Screenshots available at the Sophos URL above.)


2011-06-06, 22:11

FakeRean - turns hard-core ...
- http://sunbeltblog.blogspot.com/2011/06/fakerean-comes-of-age-turns-hard-core.html
June 06, 2011 - "FakeRean was initially discovered by Microsoft* a couple of years ago. Like all rogue AV families, it displays fake scanning results to users in an effort to dupe them into coughing up cash in order to register the software and clean their systems supposedly. This family also alters the infected system's registry quite extensively and drops lots of component and shortcut files, among other things. What sets FakeRean apart from the usual rogues is its ability to hijack a file association for executable (.EXE) files, which allows it to reappear every time an application is run... page is found on SourceForge.net, a prominent repository of open-source software, as a profile page... get a free but malicious software to download and run on your systems once you click -any- of the buttons there. This software is a PDF exploit that, once installed, drops and also installs FakeRean. We detect the exploit as Exploit.PDF-JS.Gen... This SourceForge profile URL, and some 100+ other varying Web page URLs, is contained on imonline(dot)nl(slash)ukabefijac... All URLs are -redirect- via seoholding(dot)com... Be extra careful, if not steer clear altogether, when visiting online profiles hosted on any site that -looks- suspicious."
(Screenshots available at the sunbeltblog URL above.)
* http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fFakeRean
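The Fakefrag post above (HideIcons / Superhidden entries, Task Manager disabled) and this FakeRean post (hijacked .EXE file association) both describe registry changes a responder can check for from a `reg export` of the affected hives. The following is an added example, not code from Symantec, Sunbelt or Microsoft: a small parser for the .reg export format plus an indicator check. Assumed details not on the page: the value names `HideIcons` and `ShowSuperHidden` under `HKCU\...\Explorer\Advanced`, `DisableTaskMgr` under `HKCU\...\Policies\System`, and the clean default `"%1" %*` for `HKCR\exefile\shell\open\command`; the two export texts are constructed samples, not real captures.

```python
import re

# Clean default value of HKCR\exefile\shell\open\command (assumed; stock Windows value).
CLEAN_EXE_COMMAND = '"%1" %*'

# Key paths are compared case-insensitively (lower-cased at parse time).
ADVANCED_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
POLICY_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
EXEFILE_KEY = r"hkey_classes_root\exefile\shell\open\command"


def parse_reg_export(text):
    """Parse a minimal .reg export (REG_DWORD and REG_SZ values only) into
    {key_path_lowercase: {value_name: value}}; "@" holds the key's default value."""
    tree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            tree.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        if value.startswith("dword:"):
            tree[current][name] = int(value[len("dword:"):], 16)
        elif len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            # .reg escapes backslash and double quote with a leading backslash.
            tree[current][name] = re.sub(r"\\(.)", r"\1", value[1:-1])
    return tree


def find_indicators(tree):
    """Return indicator strings. HideIcons=1, DisableTaskMgr=1 and a changed .exe
    association stand on their own; ShowSuperHidden=0 is also the Windows default,
    so it is reported only as corroboration when a stronger indicator is present."""
    strong, weak = [], []
    advanced = tree.get(ADVANCED_KEY, {})
    if advanced.get("HideIcons") == 1:
        strong.append("HideIcons=1: desktop icons hidden")
    if tree.get(POLICY_KEY, {}).get("DisableTaskMgr") == 1:
        strong.append("DisableTaskMgr=1: Task Manager disabled")
    command = tree.get(EXEFILE_KEY, {}).get("@")
    if command is not None and command != CLEAN_EXE_COMMAND:
        strong.append(f"exefile open command changed: {command}")
    if advanced.get("ShowSuperHidden") == 0:
        weak.append("ShowSuperHidden=0: protected OS files hidden (also the Windows default)")
    return strong + (weak if strong else [])


# Constructed sample export resembling a Fakefrag/FakeRean-style machine (not a real capture).
SUSPECT_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideIcons"=dword:00000001
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Users\\victim\\AppData\\Local\\Temp\\rogue.exe\" \"%1\" %*"
"""

# Constructed clean export: default .exe association, icons visible, Task Manager allowed.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideIcons"=dword:00000000
"ShowSuperHidden"=dword:00000000

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"""

if __name__ == "__main__":
    for label, export in (("suspect", SUSPECT_EXPORT), ("clean", CLEAN_EXPORT)):
        hits = find_indicators(parse_reg_export(export))
        print(f"{label}: {len(hits)} indicator(s)")
        for hit in hits:
            print("  -", hit)
```

Run it against an export taken with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced` and the other two keys; a changed exefile command explains the "reappears every time an application is run" behaviour, and should be restored to the default before any other clean-up is attempted from that account.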


2011-06-21, 13:11

Malware campaign injects Java exploit code
- http://community.websense.com/blogs/securitylabs/archive/2011/06/20/malware-campaign-uses-direct-injection-of-java-exploit-code.aspx
20 Jun 2011 - "... detected a Rogue AV campaign that directly attacks the user's system instead of first redirecting to a dedicated attack server. Attackers usually compromise web pages to drive traffic to web servers hosting exploit kits. In this injection though, we see exploit code directly planted into legitimate pages... attacks an Oracle Java vulnerability (CVE-2010-4452) by exploiting a design flaw in the Java class loader to execute an unsigned Java applet with local user rights. The exploit affects Java Runtime Environment versions 6 Update 23 and earlier. It was addressed by Oracle with Update 24 in February 2011. In internal tests, we could confirm that the malicious applet would load in all popular browsers with built-in Java support like IE, Firefox, and Opera... The payload in this case is the nowadays ubiquitous Rogue Antivirus. In case you haven't already done so, don't forget to update your Java version* as soon as possible."
(Screenshots available at the Websense URL above.)
* http://www.java.com/en/download/index.jsp
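The Websense note gives a clean version boundary (JRE 6 Update 23 and earlier affected, fixed in 6 Update 24), which is what an administrator needs to triage an inventory of `java -version` output. The following is an added example, not code from Websense or Oracle: it parses the `1.<major>.0_<update>` version strings of that era and lists hosts still on an affected build. Assumption made here and not on the page: versions older than 6u23, including earlier major releases, are counted as "and earlier" and flagged; the host inventory is a constructed sample.

```python
import re

# Boundary quoted from the Websense note: 6 Update 23 and earlier affected, 6u24 fixes it.
# Assumption: anything at or below (6, 23), including older majors, is treated as affected.
LAST_AFFECTED = (6, 23)


def parse_java_version(text):
    """Extract (major, update) from a 'java -version' line or a bare version string,
    e.g. 'java version "1.6.0_23"' -> (6, 23); a missing update number counts as 0."""
    m = re.search(r"\b1\.(\d+)\.\d+(?:_(\d+))?", text)
    if m is None:
        raise ValueError(f"no Java version found in: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def affected_by_cve_2010_4452(text):
    """True when the version string falls within the affected range."""
    return parse_java_version(text) <= LAST_AFFECTED


def triage(inventory):
    """inventory: {hostname: first line of 'java -version' output}.
    Returns the sorted list of hosts that still need the Java update."""
    return sorted(host for host, line in inventory.items() if affected_by_cve_2010_4452(line))


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = {
    "ws-01": 'java version "1.6.0_23"',
    "ws-02": 'java version "1.6.0_24"',
    "ws-03": 'java version "1.6.0_26"',
    "ws-04": 'java version "1.5.0_22"',
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> update required")
```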


2011-06-23, 13:49

DoJ indictments - scareware distribution...
- http://www.fbi.gov/news/pressrel/press-releases/department-of-justice-disrupts-international-cybercrime-rings-distributing-scareware
June 22, 2011 - "... The first of the international criminal groups disrupted by Operation Trident Tribunal infected hundreds of thousands of computers with scareware and sold more than $72 million of the fake antivirus product over a period of three years. The scareware scheme used a variety of ruses to trick consumers into infecting their computers with the malicious scareware products, including web pages featuring fake computer scans. Once the scareware was downloaded, victims were notified that their computers were infected with a range of malicious software, such as viruses and Trojans and badgered into purchasing the fake antivirus software to resolve the non-existent problem at a cost of up to $129. An estimated 960,000 users were victimized by this scareware scheme, leading to $72 million in actual losses. Latvian authorities also executed seizure warrants for at least five bank accounts that were alleged to have been used to funnel profits to the scam’s leadership. A -second- international crime ring disrupted by Operation Trident Tribunal relied on online advertising to spread its scareware products, a tactic known as “malvertising.” An indictment unsealed today in U.S. District Court in Minneapolis charges the two operators of this scareware scheme with two counts of wire fraud, one count of conspiracy to commit wire fraud and computer fraud... avoid purchasing computer security products that use unsolicited “free computer scans” to sell their products. It is also important for users to protect their computers by maintaining an updated operating system and using legitimate, up-to-date antivirus software, which can detect and remove fraudulent scareware products..."

- http://www.theregister.co.uk/2011/06/23/fbi_scareware_arrests/
23 June 2011 - "... The Feds worked with police in Cyprus, Germany, Latvia, Ukraine, France, Romania, the Mounted Police in Canada and London's Met Police."

- http://www.theinquirer.net/inquirer/news/2081147/fbi-smacks-transatlantic-botnet
23 June 2011

- http://krebsonsecurity.com/2011/06/72m-scareware-ring-used-conficker-worm/
June 23, 2011 - "... The New York Times reported* that dozens of Web sites were knocked offline when FBI officials raided a data center in Reston, Va. and seized Web servers. Officials from an affected hosting company told the Times that they didn’t know the reason for the raid, but the story suggested it may have been related to an ongoing investigation into a string of brazen intrusions by the hacktivist group “Lulzsec.” Sources close to the investigation told KrebsOnSecurity that the raid was instead related to the scareware investigation*. The FBI’s statement confirms the SBU’s estimate of $72 million losses, estimating that the scam claimed at least 960,000 victims. Although the FBI made no mention of Conficker in any of its press materials, the Ukrainian SBU’s press release names and quotes Special Agent Norman Sanders from the FBI’s Seattle field office, broadly known in the security industry as the agency’s lead in the Conficker investigation..."
* http://bits.blogs.nytimes.com/2011/06/21/f-b-i-seizes-web-servers-knocking-sites-offline/

:fear: :mad: :spider: