
Thread: Rogue AV/AS prolific

  1. #21
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    AV 2009 snippet found...

    This is a real beauty:

    Russians don't infect themselves...
    - http://sunbeltblog.blogspot.com/2009...hemselves.html
    January 21, 2009 - "Little snippet found in Antivirus 2009...
    00420174 - Bot started.
    0042018C - App name:
    004201A0 - Exe name:
    004201B4 - Bot ID:
    004201C8 - Wait before activate:
    004201E8 - Sleep period:
    00420200 - Popup URL:
    00420214 - Don`t install on Rus:
    00420234 - Russian or Ukrainian Windows detected. Exiting ... <<<

    0042027C - Looking for XP antivirus
    004202A0 - Software\XP Antivirus\Options\AdvancedScan
    004202D4 - Key =
    004202E4 - XP antivirus detected
    00420304 - Unregistering toolbar
    00420324 - Unregistering self ..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #22
    AplusWebMaster

    Anti-virus-1 new rogue anti-spyware...

    FYI...

    Anti-virus-1 new rogue anti-spyware...
    - http://www.bleepingcomputer.com/malw...irus-1-removal
    February 18, 2009 - "Anti-virus-1 is a new rogue anti-spyware program from the same family as Antivirus 2010 and Antivirus 360. This program is promoted primarily through two methods. The first is through the use of advertisements that pretend to be online anti-malware scanners. These advertisements go through what appears to be a scan of your machine and then when finished, state that your computer is infected and that you should download Anti-virus-1 to protect yourself. Remember, though, that this is just an advertisement and it has no way of knowing what is running on your computer. The second method that is used to promote this rogue is through the use of Trojans. When certain Trojans are installed on your computer they will display security alerts stating that your computer is infected or that you have some other security risk. When you click on these alerts, it will download and install Anti-virus-1 onto your computer... When Anti-virus-1 is installed it will configure itself to start automatically when Windows starts. It will also modify your C:\Windows\System32\drivers\etc\hosts file so that when you visit certain sites you will go to a site under the malware developer's control rather than the legitimate site you were expecting to go to. This allows them to show you information that further promotes the Anti-virus-1 program. When the program is started it will automatically scan your computer and then display a list of infections that cannot be removed unless you first purchase the program... Tools Needed for this fix: Malwarebytes' Anti-Malware* ..."
    * http://download.bleepingcomputer.com...mbam-setup.exe

    (Screenshots and more detail available at the first URL listed above.)


  3. #23
    AplusWebMaster

    eWeek Hacked with drive-by download // Anti-Virus-1...

    FYI...

    eWeek Hacked with drive-by download - Anti-Virus-1...
    - http://securitylabs.websense.com/con...erts/3310.aspx
    02.24.2009 - " Websense... has discovered that the eWeek.com Web site is serving malicious advertisements (malvertisements) to visitors...
    Update 2/24/09 - eWeek has informed us that the problem has been rectified. We have verified that the Web site is now safe. eWeek.com is the online version of the popular business computing magazine. When users browse to the home page of eWeek, a malvertisement hosted on the DoubleClick advertisement network performs a redirect to a malicious Web site through a series of iframes. This causes a redirect to one of two files on hxxp ://[removed]inside .com/ - Either a pdf document containing exploit code is served, or index.php redirects to the rogue ad-server. With no user interaction, a file named "winratit.exe" (MD5: A12DA1D62B7335CBE6D6EA270247BBC1) is installed in the user's temporary files folder. Two additional files are dropped onto the user's machine and are bound to startup. The host file is also modified so that if the user tries to browse to popular software download sites to remedy the infected machine, s/he is instead directed to a malicious Web site offering further rogue AV downloads. The name of the rogue AV application is Anti-Virus-1. If the user chooses to register the rogue AV, a connection is made to hxxp ://[removed]-site .info/ which has been set up to collect payment details..."

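Both the BleepingComputer write-up in post #22 and the Websense report in post #23 note that Anti-Virus-1 rewrites the hosts file so that vendor and download sites resolve to a server the malware operator controls. The script below is an added example of auditing a hosts file for exactly that change; it is not code from either report. The watched domain list and the sample hosts content are constructed for the example.

```python
import ipaddress

# Vendor and download sites the quoted reports say rogue AV redirects away
# from. Constructed watch list for this example; extend it as needed.
WATCHED_DOMAINS = ("bleepingcomputer.com", "malwarebytes.org",
                   "f-secure.com", "symantec.com")


def parse_hosts(text):
    """Return (line_no, normalised_address, [hostnames]) per active entry."""
    entries = []
    for no, raw in enumerate(text.splitlines(), start=1):
        parts = raw.split("#", 1)[0].split()          # drop comments
        if not parts:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                                  # not a hosts entry
        entries.append((no, str(ip), [h.lower() for h in parts[1:]]))
    return entries


def _is_watched(host):
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(text):
    """Flag watched domains pinned to a routable address (loopback and
    0.0.0.0 only block a site, which ad-blockers do legitimately)."""
    findings = []
    for no, addr, hosts in parse_hosts(text):
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback or ip.is_unspecified:
            continue
        for h in hosts:
            if _is_watched(h):
                findings.append({"line": no, "host": h, "address": addr})
    return findings


# Constructed sample hosts file: a benign block entry, two vendor sites
# hijacked to an RFC 5737 documentation address, and one LAN entry.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
0.0.0.0         ads.example.net   # user-added block, benign
192.0.2.10      www.bleepingcomputer.com download.bleepingcomputer.com
192.0.2.10      www.f-secure.com
10.0.0.5        fileserver.lan
"""

if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['address']}")
```

On a real machine, read C:\Windows\System32\drivers\etc\hosts and pass its contents to find_hijacks; any hit is worth checking by hand before trusting a download from that site.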

  4. #24
    AplusWebMaster

    Drive-by sites on the increase...

    FYI...

    - http://atlas.arbor.net/briefs/index#-1039902162
    March 03, 2009 - "Over the past year or so we have been seeing a large number of "rogue AV" products being installed in drive-by sites. This is a scam program, designed to fool users into paying for software they don't need. The program will announce that the user is infected with malware and then demand $40 to remove the infection. This kind of application is usually well detected by legitimate AV software.
    Analysis: This is a classic scareware program with a twist, and is usually installed without the owner's consent. We have seen a variety of tricks to get this installed on users' PCs. We encourage all sites to make sure they are not affected by this issue.
    Source: http://www.f-secure.com/v-descs/rogu...ntivirus.shtml
    "...large rogueware family. Members of the XPAntivirus family are distributed under several different names, including:
    • XP Antivirus
    • Antivirus 2009
    • Antivirus 2010
    • Antivirus 360 ..."


  5. #25
    AplusWebMaster

    New rogues and other ugly things...

    FYI...

    New rogue: Antispyware Pro 2009
    - http://sunbeltblog.blogspot.com/2009...-pro-2009.html
    March 08, 2009

    New rogue: Malware Defender 2009
    - http://sunbeltblog.blogspot.com/2009...nder-2009.html
    March 06, 2009 - "Malware Defender 2009 is a new rogue security product and a clone of System Guard 2009..."

    (Screenshots available at both URLs above.)

    Tornado Malware Kit
    - http://atlas.arbor.net/briefs/index#1440121766
    March 06, 2009 - "...This is a specific instance of such a drive by kit but demonstrates the current technology that is being sold and delivered on the Internet.
    Analysis: These kits have been in use for well over a year and are responsible for many of the drive by downloads we see on the Internet these days.
    Source: http://www.secureworks.com/research/...o-malware-kit/
    March 5, 2009 - "...Tornado is a Russian web-attack kit used by hackers to compromise as many machines as possible. “Out of the box,” it comes with 14 exploits..."

    Last edited by AplusWebMaster; 2009-03-08 at 14:33.

  6. #26
    AplusWebMaster

    More rogues...

    FYI... More rogues...

    - http://sunbeltblog.blogspot.com/2009...-products.html
    March 14, 2009 - "General Antivirus and Personal Antivirus are the new clones of Internet Antivirus Pro rogue security product..."

    - http://www.symantec.com/business/sec...206-99&tabid=2
    March 13, 2009
    Name: System Guard 2009
    Publisher: System Guard
    ...The program reports false or exaggerated system security threats on the computer.

    - http://www.symantec.com/business/sec...351-99&tabid=2
    March 11, 2009
    Name: Virus Melt
    Publisher: iSystems Inc.
    ...The program reports false or exaggerated system security threats on the computer.

    (Screenshots available at above URLs.)


  7. #27
    AplusWebMaster

    Antivirus2009 ransomware...

    FYI...

    Antivirus2009 ransomware...
    - http://preview.tinyurl.com/df8n2t
    March 20, 2009 Security Fix/Brian Krebs - "... this version of Antivirus2009 encrypts or scrambles contents of documents... so that only users who pay $50 for a FileFixerPro license can get the decryption key needed to regain access to the files in their My Documents folder... The good news is the nice folks over at BleepingComputer.com*, a very active computer-help forum, have posted detailed instructions on how to remove FileFixerPro. The bad news is that these instructions won't help get a victim's documents back. But there is more good news: The folks over at FireEye have figured out how to decrypt documents scrambled by this thing, and have set up a free Web-based service** where victims can upload documents to have them unscrambled. Alex Lanstein, senior security researcher at FireEye, said he hopes his team can soon release a tool users can download to help decrypt the entire My Documents folder. This is the first time I've ever heard of scareware being bundled with so-called "ransomware"..."

    * http://www.bleepingcomputer.com/forums/topic212357.html

    ** http://blog.fireeye.com/research/200...scareware.html

    - http://www.pcworld.com/article/16164...irus_apps.html
    Mar 20, 2009 - "...According to the Antiphishing Working Group*, the number of fake security programs skyrocketed from an average of around 2,500 per month to 9,287 in December..."
    * http://www.antiphishing.org/reports/...rt_H2_2008.pdf

    Last edited by AplusWebMaster; 2009-03-20 at 22:27. Reason: Added PCWorld, APWG report links...

  8. #28
    AplusWebMaster

    Trafficconverter takedown...

    FYI...

    Trafficconverter takedown...
    - http://www.f-secure.com/weblog/archives/00001631.html
    March 20, 2009 - "One of the more notorious pay-per-install programs, Trafficconverter has been taken down today. These sites work like this:
    1. Trafficconverter develops a "rogue" antivirus product
    2. The product will find viruses even on clean systems
    3. It won't "clean" those viruses unless you register the product
    4. Trafficconverter does not market their software at all
    5. Instead, all the marketing is done through affiliates
    6. Affiliates have existing botnets of thousands of infected computers
    7. They remotely install these rogue products to those computers
    8. Confused end users see warning messages about viruses on their screens
    9. ...and register the rogue product for $50 to "fix" their machine
    10. Affiliates get $30 per customer, Trafficconverter gets $20
    11. ?? ...
    12. PROFIT!
    ...So, it's good to see these guys going offline. Kudos to Brian Krebs*!"
    * http://voices.washingtonpost.com/sec...rogue_ant.html
    March 16, 2009
    - http://voices.washingtonpost.com/sec...ogue_anti.html
    March 20, 2009

    (Screenshots available at all above URLs.)


  9. #29
    AplusWebMaster

    Trafficconverter takedown - Downadup motivations...

    FYI...

    Trafficconverter takedown - Downadup motivations
    - https://forums2.symantec.com/t5/blog...article-id/254
    03-23-2009 - "As the April 1 payload delivery date nears for W32.Downadup.C (also known as Conficker) speculation continues on whether the payload will be one big April Fool’s joke, or the equivalent of a cyber Pearl Harbor. While we can’t predict the future with certainty, we can look at the motivations of past Downadup variants to postulate that the payload will likely be something between the two extremes. The first Downadup variant (.A) provides the best evidence of the motivations of the Downadup authors. In a similar fashion to the recent Downadup variant, Downadup.A had a payload delivery date after its initial release, on December 1, 2008. Downadup.A attempted to download its payload file from hxxp ://trafficconverter.biz/4vir/antispyware/loadadv.exe. While Downadup.A was never able to download its payload because the payload site was shut down, the owner of the site trafficconverter.biz was heavily involved in pushing misleading applications (also known as rogue antispyware products) onto users’ machines..."

    //
    - http://centralops.net/co/DomainDossier.aspx
    Domain Name: TRAFFICCONVERTER.BIZ ...
    Registrant Country Code: GB ...
    Name Server: NS1.SUSPENDED-DOMAIN.COM
    Name Server: NS2.SUSPENDED-DOMAIN.COM
    Created by Registrar: ESTDOMAINS INC ...
    //
    Last edited by AplusWebMaster; 2009-03-24 at 12:49.

  10. #30
    AplusWebMaster

    Ransomware...

    Some references from prior post in this thread:
    - http://forums.spybot.info/showpost.p...7&postcount=27

    Xrupter -aka- Vundo ...
    - https://forums2.symantec.com/t5/blog...article-id/255
    03-24-2009 - "Over this past weekend, Symantec received news of a new twist in the behavior of Trojan.Vundo(1). Instead of simply pushing misleading applications and other threats onto the infected computers, it seems the authors of Vundo have taken a more direct hand in revenue generation. Rather than just frightening you into believing that you may have problems or threats present on your computer, Vundo now drops a file named fpfstb.dll that attempts to make sure that you do encounter problems on your computer. We currently detect this threat as Trojan.Xrupter(2). This Trojan performs a search in the My Documents folders of your hard drive... This Trojan specifically targets these files for encryption because the creators know these are the files that you are most likely to want back if the computer was ever compromised. Once the files are encrypted, it starts to display messages stating that certain files on the computer are corrupted. If the user attempts to open any of the encrypted files, a message will also appear saying that the file is corrupt. In both windows, a repair option is available... If the user clicks on repair, a browser window will open to the domain filefixpro.com (now offline). This site offers a program named FileFix Professional (detected as FileFixProfessional), which is supposed to repair the corrupted files. Of course, FileFixPro is not a free application, so you are expected to pay in order to license it for use. FileFix Professional is obviously not what it is cracked up to be—it is, in fact, just another part of this whole scam—it only decrypts the files that its partner in crime (Trojan.Xrupter) has encrypted... The fortunate thing about this whole episode is that the makers of this scam have implemented a very weak algorithm for encryption of the files. Because of this, Symantec and various other security vendors such as FireEye have been able to decrypt the files affected by this Trojan. In fact, we are offering a tool that can be used to clean up this Trojan and recover encrypted files... If you need this fix tool, you can download it here*."

    (Screenshots available at the URL above.)

    1) http://www.symantec.com/security_res...112111-3912-99

    2) http://www.symantec.com/business/sec...838-99&tabid=1

    * http://www.symantec.com/content/en/u...FixXrupter.exe

    Last edited by AplusWebMaster; 2009-03-25 at 19:35.
