Rogue AV/AS prolific

AV 2009 snippet found...

This is a real beauty:

Russians don't infect themselves...
- http://sunbeltblog.blogspot.com/2009/01/russian-don-infect-themselves.html
January 21, 2009 - "Little snippet found in Antivirus 2009...
00420174 - Bot started.
0042018C - App name:
004201A0 - Exe name:
004201B4 - Bot ID:
004201C8 - Wait before activate:
004201E8 - Sleep period:
00420200 - Popup URL:
00420214 - Don`t install on Rus:
00420234 - Russian or Ukrainian Windows detected. Exiting ... <<<

0042027C - Looking for XP antivirus
004202A0 - Software\XP Antivirus\Options\AdvancedScan
004202D4 - Key =
004202E4 - XP antivirus detected
00420304 - Unregistering toolbar
00420324 - Unregistering self ..."

:mad:
 
Anti-virus-1 new rogue anti-spyware...

FYI...

Anti-virus-1 new rogue anti-spyware...
- http://www.bleepingcomputer.com/malware-removal/anti-virus-1-removal
February 18, 2009 - "Anti-virus-1 is a new rogue anti-spyware program from the same family as Antivirus 2010 and Antivirus 360. This program is promoted primarily through two methods. The first is through the use of advertisements that pretend to be online anti-malware scanners. These advertisements go through what appears to be a scan of your machine and then when finished, state that your computer is infected and that you should download Anti-virus-1 to protect yourself. Remember, though, that this is just an advertisement and it has no way of knowing what is running on your computer. The second method that is used to promote this rogue is through the use of Trojans. When certain Trojans are installed on your computer they will display security alerts stating that your computer is infected or that you have some other security risk. When you click on these alerts, it will download and install Anti-virus-1 onto your computer... When Anti-virus-1 is installed it will configure itself to start automatically when Windows starts. It will also modify your C:\Windows\System32\drivers\etc\hosts file so that when you visit certain sites you will go to a site under the malware developer's control rather than the legitimate site you were expecting to go to. This allows them to show you information that further promotes the Anti-virus-1 program. When the program is started it will automatically scan your computer and then display a list of infections that cannot be removed unless you first purchase the program... Tools Needed for this fix: Malwarebytes' Anti-Malware* ..."
* http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe

(Screenshots and more detail available at the first URL listed above.)

:fear::spider::mad:
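The hosts-file tampering described in the post (and again in the eWeek write-up further down) can be checked for offline. This is an added example, not code from the original post or from BleepingComputer: it parses hosts-file text, flags watched security/download domains that point anywhere other than loopback, and flags one routable address that many names resolve to. The sample file, the watch list and the 192.0.2.10 address are constructed for the example.

```python
import ipaddress

# Constructed hosts-file content modelled on the tampering the post describes:
# normal loopback lines plus injected entries that send security-help and
# download sites to one attacker-controlled address. 192.0.2.10 is a
# documentation address used as a placeholder, not a real indicator.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.bleepingcomputer.com
192.0.2.10      download.bleepingcomputer.com  # injected
192.0.2.10      www.malwarebytes.org
192.0.2.10      www.symantec.com
10.1.2.3        intranet.example.test
"""

# Constructed watch list: domains whose presence in a workstation's hosts file is
# suspicious, since the rogue redirects exactly these kinds of help/download sites.
WATCHED_SUFFIXES = ("bleepingcomputer.com", "malwarebytes.org", "symantec.com",
                    "f-secure.com", "microsoft.com")


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments, blanks and bad lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, *names = parts
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                           # malformed address: not a hosts entry
        for name in names:
            yield addr, name.lower()


def is_watched(hostname):
    """True if hostname is one of the watched domains or a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_redirects(text):
    """List (hostname, ip) for watched domains pointed somewhere routable.

    Loopback entries are a common way to deliberately block a site, so only
    entries that send a watched domain to a non-loopback address are reported.
    """
    return [(name, str(addr)) for addr, name in parse_hosts(text)
            if is_watched(name) and not addr.is_loopback]


def shared_targets(text, threshold=3):
    """Map each non-loopback IP that >= threshold hostnames resolve to -> sorted names.

    One attacker IP collecting many unrelated hostnames is the pattern the
    post describes, independent of any watch list.
    """
    by_ip = {}
    for addr, name in parse_hosts(text):
        if not addr.is_loopback:
            by_ip.setdefault(str(addr), set()).add(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= threshold}


if __name__ == "__main__":
    for name, ip in find_redirects(SAMPLE_HOSTS):
        print(f"watched domain {name} hijacked to {ip}")
    for ip, names in shared_targets(SAMPLE_HOSTS).items():
        print(f"{ip} is the target for {len(names)} hostnames: {names}")
```

On a live Windows machine the same functions can be run over the contents of the hosts path the post names; on Unix-like systems over /etc/hosts.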
 
eWeek Hacked with drive-by download // Anti-Virus-1...

FYI...

eWeek Hacked with drive-by download - Anti-Virus-1...
- http://securitylabs.websense.com/content/Alerts/3310.aspx
02.24.2009 - "Websense... has discovered that the eWeek.com Web site is serving malicious advertisements (malvertisements) to visitors...
Update 2/24/09 - eWeek has informed us that the problem has been rectified. We have verified that the Web site is now safe. eWeek.com is the online version of the popular business computing magazine. When users browse to the home page of eWeek, a malvertisement hosted on the DoubleClick advertisement network performs a redirect to a malicious Web site through a series of iframes. This causes a redirect to one of two files on hxxp ://[removed]inside .com/ - Either a pdf document containing exploit code is served, or index.php redirects to the rogue ad-server. With no user interaction, a file named "winratit.exe" (MD5: A12DA1D62B7335CBE6D6EA270247BBC1) is installed in the user's temporary files folder. Two additional files are dropped onto the user's machine and are bound to startup. The host file is also modified so that if the user tries to browse to popular software download sites to remedy the infected machine, s/he is instead directed to a malicious Web site offering further rogue AV downloads. The name of the rogue AV application is Anti-Virus-1. If the user chooses to register the rogue AV, a connection is made to hxxp ://[removed]-site .info/ which has been setup to collect payment details..."

:fear::mad:
 
Drive-by sites on the increase...

FYI...

- http://atlas.arbor.net/briefs/index#-1039902162
March 03, 2009 - "Over the past year or so we have been seeing a large number of "rogue AV" products being installed in drive-by sites. This is a scam program, designed to fool users into paying for software they don't need. The program will announce that the user is infected with malware and then demand $40 to remove the infection. This kind of application is usually well detected by legitimate AV software.
Analysis: This is a classic scareware program with a twist, and is usually installed without the owner's consent. We have seen a variety of tricks to get this installed on users' PCs. We encourage all sites to make sure they are not affected by this issue.
Source: http://www.f-secure.com/v-descs/rogue_w32_xpantivirus.shtml
"...large rogueware family. Members of the XPAntivirus family are distributed under several different names, including:
• XP Antivirus
• Antivirus 2009
• Antivirus 2010
• Antivirus 360 ..."

:fear::spider::mad:
 
New rogues and other ugly things...

FYI...

New rogue: Antispyware Pro 2009
- http://sunbeltblog.blogspot.com/2009/03/new-rogue-antispyware-pro-2009.html
March 08, 2009

New rogue: Malware Defender 2009
- http://sunbeltblog.blogspot.com/2009/03/new-rogue-malware-defender-2009.html
March 06, 2009 - "Malware Defender 2009 is a new rogue security product and a clone of System Guard 2009..."

(Screenshots available at both URLs above.)

Tornado Malware Kit
- http://atlas.arbor.net/briefs/index#1440121766
March 06, 2009 - "...This is a specific instance of such a drive by kit but demonstrates the current technology that is being sold and delivered on the Internet.
Analysis: These kits have been in use for well over a year and are responsible for many of the drive by downloads we see on the Internet these days.
Source: http://www.secureworks.com/research/blog/index.php/2009/3/5/tornado-malware-kit/
March 5, 2009 - "...Tornado is a Russian web-attack kit used by hackers to compromise as many machines as possible. “Out of the box,” it comes with 14 exploits..."

:fear::mad:
 
More rogues...

FYI... More rogues...

- http://sunbeltblog.blogspot.com/2009/03/new-rogue-security-products.html
March 14, 2009 - "General Antivirus and Personal Antivirus are the new clones of Internet Antivirus Pro rogue security product..."

- http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-031311-4206-99&tabid=2
March 13, 2009
Name: System Guard 2009
Publisher: System Guard
...The program reports false or exaggerated system security threats on the computer.

- http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-031117-4351-99&tabid=2
March 11, 2009
Name: Virus Melt
Publisher: iSystems Inc.
...The program reports false or exaggerated system security threats on the computer.

(Screenshots available at above URLs.)

:fear::mad:
 
Antivirus2009 ransomware...

FYI...

Antivirus2009 ransomware...
- http://preview.tinyurl.com/df8n2t
March 20, 2009 Security Fix/Brian Krebs - "... this version of Antivirus2009 encrypts or scrambles contents of documents... so that only users who pay $50 for a FileFixerPro license can get the decryption key needed to regain access to the files in their My Documents folder... The good news is the nice folks over at BleepingComputer.com*, a very active computer-help forum, have posted detailed instructions on how to remove FileFixerPro. The bad news is that these instructions won't help get a victim's documents back. But there is more good news: The folks over at FireEye have figured out how to decrypt documents scrambled by this thing, and have set up a free Web-based service** where victims can upload documents to have them unscrambled. Alex Lanstein, senior security researcher at FireEye, said he hopes his team can soon release a tool users can download to help decrypt the entire My Documents folder. This is the first time I've ever heard of scareware being bundled with so-called "ransomware"..."

* http://www.bleepingcomputer.com/forums/topic212357.html

** http://blog.fireeye.com/research/2009/03/a-new-method-to-monetize-scareware.html

- http://www.pcworld.com/article/161649/crooks_flock_to_rogue_antivirus_apps.html
Mar 20, 2009 - "...According to the Antiphishing Working Group*, the number of fake security programs skyrocketed from average of around 2,500 per month to 9,287 in December..."
* http://www.antiphishing.org/reports/apwg_report_H2_2008.pdf

:mad::mad:
 
Trafficconverter takedown...

FYI...

Trafficconverter takedown...
- http://www.f-secure.com/weblog/archives/00001631.html
March 20, 2009 - "One of the more notorious pay-per-install programs, Trafficconverter has been taken down today. These sites work like this:
1. Trafficconverter develops a "rogue" antivirus product
2. The product will find viruses even on clean systems
3. It won't "clean" those viruses unless you register the product
4. Trafficconverter does not market their software at all
5. Instead, all the marketing is done through affiliates
6. Affiliates have existing botnets of thousands of infected computers
7. They remotely install these rogue products to those computers
8. Confused end users see warning messages about viruses on their screens
9. ...and register the rogue product for $50 to "fix" their machine
10. Affiliates get $30 per customer, Trafficconverter get $20
11. ?? ...
12. PROFIT!
...So, it's good to see these guys going offline. Kudos to Brian Krebs*!"
* http://voices.washingtonpost.com/securityfix/2009/03/obscene_profits_fuel_rogue_ant.html
March 16, 2009
- http://voices.washingtonpost.com/securityfix/2009/03/sunlight_disinfects_rogue_anti.html
March 20, 2009

(Screenshots available at all above URLs.)

:fear:
 
Trafficconverter takedown - Downadup motivations...

FYI...

Trafficconverter takedown - Downadup motivations
- https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/254
03-23-2009 - "As the April 1 payload delivery date nears for W32.Downadup.C (also known as Conficker) speculation continues on whether the payload will be one big April Fool’s joke, or the equivalent of a cyber Pearl Harbor. While we can’t predict the future with certainty, we can look at the motivations of past Downadup variants to postulate that the payload will likely be something between the two extremes. The first Downadup variant (.A) provides the best evidence of the motivations of the Downadup authors. In a similar fashion to the recent Downadup variant, Downadup.A had a payload delivery date after its initial release, on December 1, 2008. Downadup.A attempted to download its payload file from hxxp ://trafficconverter.biz/4vir/antispyware/loadadv.exe. While Downadup.A was never able to download its payload because the payload site was shut down, the owner of the site trafficconverter.biz was heavily involved in pushing misleading applications (also known as rogue antispyware products) onto users’ machines..."

//
- http://centralops.net/co/DomainDossier.aspx
Domain Name: TRAFFICCONVERTER.BIZ ...
Registrant Country Code: GB ...
Name Server: NS1.SUSPENDED-DOMAIN.COM
Name Server: NS2.SUSPENDED-DOMAIN.COM
Created by Registrar: ESTDOMAINS INC ...
//
:fear:
 
Ransomware...

Some references from prior post in this thread:
- http://forums.spybot.info/showpost.php?p=298697&postcount=27

Xrupter -aka- Vundo ...
- https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/255
03-24-2009 - "Over this past weekend, Symantec received news of a new twist in the behavior of Trojan.Vundo(1). Instead of simply pushing misleading applications and other threats onto the infected computers, it seems the authors of Vundo have taken a more direct hand in revenue generation. Rather than just frightening you into believing that you may have problems or threats present on your computer, Vundo now drops a file named fpfstb.dll that attempts to make sure that you do encounter problems on your computer. We currently detect this threat as Trojan.Xrupter(2). This Trojan performs a search in the My Documents folders of your hard drive... This Trojan specifically targets these files for encryption because the creators know these are the files that you are most likely to want back if the computer was ever compromised. Once the files are encrypted, it starts to display messages stating that certain files on the computer are corrupted. If the user attempts to open any of the encrypted files, a message will also appear saying that the file is corrupt. In both windows, a repair option is available... If the user clicks on repair, a browser window will open to the domain filefixpro.com (now offline). This site offers a program named FileFix Professional (detected as FileFixProfessional), which is supposed to repair the corrupted files. Of course, FileFixPro is not a free application, so you are expected to pay in order to license it for use. FileFix Professional is obviously not what it is cracked up to be—it is, in fact, just another part of this whole scam—it only decrypts the files that its partner in crime (Trojan.Xrupter) has encrypted... The fortunate thing about this whole episode is that the makers of this scam have implemented a very weak algorithm for encryption of the files. Because of this, Symantec and various other security vendors such as FireEye have been able to decrypt the files affected by this Trojan.
In fact, we are offering a tool that can be used to clean up this Trojan and recover encrypted files... If you need this fix tool, you can download it here*."

(Screenshots available at the URL above.)

1) http://www.symantec.com/security_response/writeup.jsp?docid=2004-112111-3912-99

2) http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-032207-0838-99&tabid=1

* http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixXrupter.exe

:fear::fear:
 
Conficker hype used by rogue gangs

FYI...

Conficker hype used by rogue gangs
- http://www.f-secure.com/weblog/archives/00001639.html
March 30, 2009 - "... We found out that rogue security software folks have picked up on this. For example, let's have a look at remove-conficker .org, a domain which was registered today... They advertise a tool called MalwareRemovalBot. It's fake. Interestingly, it doesn't always find non-existing malware infections on your PC - only sometimes. But one thing is for sure, it does not remove Conficker.C. We tried it and it didn't do a thing to remove it. When it did find something that it claimed to be malware... And then it asked us to register and pay $39.95 for the removal functionality... When following up on this we did a Google search for "remove conficker.c" and saw several purchased ads that lead to the same type of "security" software as well... Like AdwareAlert and AntiSpy2009. It's clear that it's an affiliate program going on..."

(Screenshots available at the F-secure URL above.)

:fear::mad:
 
More Conficker rogue AV...

FYI...

More Conficker rogue AV...
- https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/spam/article-id/173
04-02-2009 - "We have found spam samples attempting to capitalize on the frenzy over Conficker (a.k.a. Downadup), offering the latest in antivirus security software that purportedly protects users from the Conficker threat. Some of these SPAM messages even use names and images of software much like our own Norton AntiVirus 2009... it even mentions the name of one of our Symantec employees frequently cited in the press... In an attempt to increase financial gain, the product website is made to look like the product is one of our Norton consumer security solutions, by using the AntiVirus 2009 name and even comparing itself with other antivirus solutions such as Spybot, Kaspersky, and AVG... After clicking on the link inside the message, we find that it redirects to a website where the user is promptly given directions on how to make a payment. Whether or not any product will be made available after the payment is made is still unknown at this point. Even if it were, its effectiveness would be questionable because it will most likely be a rogue application or pirated software."
(Screenshots available at the Symantec URL above.)

:fear:
 
Rogue AV on 10M machines...

FYI...

- http://www.darkreading.com/shared/printableArticle.jhtml?articleID=216403298
April 8, 2009 - "Rogue security software infections by just one family of malware jumped 66 percent in the second half of the year, according to Microsoft's new Security Intelligence Report (SIR)*... Microsoft says the Win32/Renos scareware attack was found on 4.4 million computers, for instance, and Win32/FakeXPA and Win32/FakeSecScan on 1.5 million machines. Other rogue AV types were also detected, bringing the total numbers of those types of infections to the 10 million mark..."
* http://www.microsoft.com/sir

:fear:
 
New rogues...

FYI...

New rogue: P Antispyware 09
- http://sunbeltblog.blogspot.com/2009/04/new-rogue-p-antispyware-09.html
April 14, 2009 - "P Antispyware 09 is yet another rogue from WinSpywareProtect family of rogue security products."

New rogue: Antivirus'09
- http://sunbeltblog.blogspot.com/2009/04/new-rogue-antivirus.html
April 15, 2009 - "Antivirus'09 is a new rogue security product. This rogue uses fake/scare scanner pages to trick users into downloading the rogue application."

(Screenshots available at both URLs above.)

:fear:
 
New rogue: AV Antispyware

FYI...

New rogue: AV Antispyware
- http://sunbeltblog.blogspot.com/2009/04/new-rogue-av-antispyware.html
April 19, 2009 - "AV Antispyware is the latest rogue from WinSpywareProtect family of rogue security products... Sites Involved:
64.191.12.38 Av-antispyware com
195.88.81.74 Files scanner-antispy-av-files com
195.88.81.116 dl scan-antispy-4pc com
195.88.80.207 Int reporting32 com ..."

(Screenshot available at the URL above.)

:fear::fear:
 
Rogue AV projected growth in 2009

FYI...

- http://preview.tinyurl.com/cqv4se
23 April 09 - PandaLabs blog - "... Cyber-criminals have chosen Rogue Anti-Malware as their primary method of payment because it has become easier for them to make money by affiliate systems and utilizing these types of attacks. It's no wonder why we have seen more Rogue detections in the first quarter of 2009 than all of 2008... PandaLabs predicts that incidents of rogue AV scams will grow 100 percent quarter over quarter through the end of Q3*... Remember, it's just as important to update your web applications as it is to update your operating system. If you use Wordpress as a platform for your blog or website, then I recommend viewing the official hardening guide**."

* (Chart available at the URL above.)

** http://codex.wordpress.org/Hardening_WordPress

:fear::fear:
 
Rogue Browser Agents

FYI...

- http://www.f-secure.com/weblog/archives/00001684.html
May 18, 2009 - "How big an issue are Rogue antivirus applications? Let's take a look. What is your browser's user agent? Any ideas? The Firefox browser should look something like this: You can determine yours from http://whatsmyuseragent.com . Now let's take a look at this user agent:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Do you see it? Right there in the middle, "AntivirXP08". What is that all about? Some rogues modify the browser's user agent. We've seen hundreds of AntivirXP08 string variations. The modified string is possibly used to identify the affiliates responsible for the installation which drives "business" to the rogue's website. Modified user agents could also be used to deliver different content. A victim with AntivirXP08 doesn't need to be convinced to download an installer, instead they can be targeted to complete the scam and to buy the rogue. How many infected user agents are out there? Toni examined one of our sinkholes and its April 2009 logs contained 63,000 unique IP addresses using agents that contain AntivirXP08. 63 thousand. That's a lot of infections, right? And that doesn't include other strings we've seen such as "Antimalware2009". It's a small measure of a very large problem."

(Screenshot available at the F-secure URL above.)

:fear::fear:
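The unique-IP tally the F-Secure post describes can be reproduced from ordinary web server logs, which is also how a site operator can spot infected visitors. This is an added example, not F-Secure's tooling or code from the original post: it parses Apache combined-format lines, folds the AntivirXP08 and Antimalware2009 marker variations into families, and counts distinct client IPs per family. The log lines, IPs and the "-aff17" suffix are constructed.

```python
import re
from collections import defaultdict

# Constructed Apache "combined" log lines standing in for sinkhole traffic.
# AntivirXP08 and Antimalware2009 are the markers the post names; the IPs,
# timestamps and the "-aff17" suffix variation are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Apr/2009:10:01:12 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
10.0.0.5 - - [03/Apr/2009:10:01:15 +0000] "GET /buy HTTP/1.1" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
10.0.0.9 - - [03/Apr/2009:11:20:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Antimalware2009)"
192.168.1.20 - - [03/Apr/2009:12:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8"
10.0.0.7 - - [04/Apr/2009:08:30:30 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; antivirxp08-aff17)"
garbage line that does not parse
"""

# Apache combined log format: client IP is the first field, user agent the last quoted one.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'(?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Rogue-AV markers seen in user agents, keyed by base string so the many suffix
# variations the post mentions ("antivirxp08-aff17" and the like) fold into one family.
MARKER_RE = re.compile(r"(?P<family>antivirxp08|antimalware2009)[\w-]*", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one combined-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def rogue_family(user_agent):
    """Return the lowercase marker family present in a user agent, or None for a clean UA."""
    m = MARKER_RE.search(user_agent)
    return m.group("family").lower() if m else None


def tally_infected_ips(log_text):
    """Map each rogue family to the set of distinct client IPs whose UA carries its marker.

    Distinct IPs are what the post counts. The figure undercounts hosts behind
    NAT and overcounts hosts that change address, so it is a rough measure only.
    """
    families = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # skip unparseable lines instead of aborting
        fam = rogue_family(rec["ua"])
        if fam:
            families[fam].add(rec["ip"])
    return dict(families)


def count_unique_infected(log_text):
    """Total number of distinct IPs carrying any rogue-AV marker."""
    all_ips = set()
    for ips in tally_infected_ips(log_text).values():
        all_ips |= ips
    return len(all_ips)


if __name__ == "__main__":
    for fam, ips in sorted(tally_infected_ips(SAMPLE_LOG).items()):
        print(f"{fam}: {len(ips)} unique IPs -> {sorted(ips)}")
    print("total unique infected IPs:", count_unique_infected(SAMPLE_LOG))
```

The user agent is entirely client-controlled, so a marker's presence identifies an infected or affiliate-tagged client but its absence proves nothing.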
 
Rogue AV hosted in USA...

FYI...

Rogue AV hosted in USA...
- http://sunbeltblog.blogspot.com/2009/06/cavalcade-of-malware-hosted-right-here.html
June 15, 2009 - "Contrary to popular belief, not all malware is hosted in Eastern Europe or China. In fact, there’s a whole bucketload of malware hosted in Scranton, PA. Here are malware domains associated with IP 64.191.92.197..."

(Long list and screenshots available at the URL above.)

:fear::mad::spider:
 
Rogue AV terminates EXE files

FYI...

Rogue AV terminates EXE files
- http://blog.trendmicro.com/rogue-antivirus-terminates-exe-files/
July 26, 2009 - "This weekend, we at TrendLabs came across a FAKEAV variant similar to the one peddled in the solar eclipse 2009 in America attack in this recent blog post. This one, however, introduces another new scare tactic (so far the latest new ploy we’ve seen is the ransomware/FAKEAV that encrypts files in the infected computer and offers a bogus fixtool for a price). This FAKEAV variant terminates any executed file with an .EXE file extension and displays a pop-up message saying that the .EXE file is infected and cannot execute... This way, users are left with no choice but to activate the antivirus product since no other application works. This Trojan is detected by Trend Micro as TROJ_FAKEAV.B. It avoids terminating critical processes to prevent system crashes. Unfortunately, cybercriminals work hard in creating so many gimmicks, that we can only guess what comes next in FAKEAV..."

(Screenshot available at the URL above.)

:fear::mad:
 
Malicious Twitter posts get more personal

FYI...

Malicious Twitter Posts Get More Personal
- http://blog.trendmicro.com/malicious-twitter-posts-get-more-personal/
July 27, 2009 - "... malicious Twitter posts are getting dangerously more customized, increasing the possibility of users getting hooked into malicious schemes. A Twitter spambot is said to have been used in launching this recent attack. The spambot creates Twitter accounts and fashions them to appear as legitimate accounts by posting seemingly harmless posts like those sharing certain music they listen to, or websites they visit. The spambot accounts then post tweets directed to unknowing users, sharing a link to a PC repair tool they allegedly came across and used... the spambot posting tweets directed to specific users is a noteworthy social engineering technique that was clearly not seen as suspicious by Twitter admins. The spambot accounts were apparently created prior to a spam cleanup recently conducted by Twitter. Additionally, the spambot uses the URL shortener Doiop.com to mask the original URL in the posts, and for a not so good reason. The URL directs to a URL that triggers a couple of redirections that ultimately lead to the download of the file RegistryEasy.exe, which is detected as TROJ_FAKEAV.DAP. TROJ_FAKEAV.DAP comes off as an application that repairs registry problems. However, in true FAKEAV style, it merely displays false results to convince the user into purchasing the product... in the root of one of the URLs the user is redirected to, an advertisement for an application dubbed as Bot Lite is posted. Bot Lite is, as the post describes, a light Twitter bot that virtually anyone can use... Bot Lite does function as a spambot for Twitter. Its file name is bot_lite_100.exe. Its detection name is HKTL_FAKEBOT. HKTL_ is the detection prefix used by Trend Micro for hacker-tools which are considered to be Grayware. Grayware refers to applications that have annoying, undesirable, or undisclosed behavior but do not fall into any of the major threat (i.e. virus or Trojan horse) categories..."

(Screenshots available at the URL above.)

- http://ddanchev.blogspot.com/2009/07/diverse-portfolio-of-fake-security_27.html
July 27, 2009

:mad:
 