Sunday, December 30, 2007

HAPPY NEW YEAR 2008




I wish you all a Prosperous and Happy New Year 2008.

Bharath M N

New Scam Strategy

[Edited]

Removed this blog

Wednesday, December 26, 2007

FILES-SECURE.COM




Files-Secure is a new rogue security application from the IE Defender family.

The Files-Secure rogue security application installs stealthily after a dubious codec installer called videomp3_setup* is run.


Snapshot of Files-Secure Application

The site details:
Registrar: ESTDOMAINS, INC.
IP Address: 85.255.119.92
Name Server: NS1.FILES-SECURE.COM
Name Server: NS2.FILES-SECURE.COM

Warning message from the app:

VirusTotal Scan Result: 2/32 (6.25%)

eSafe 7.0.15.0 2007.12.25 suspicious Trojan/Worm
Kaspersky 7.0.0.125 2007.12.26 not-a-virus:FraudTool.Win32.IeDefender.ag

Stay away from this Rogue security application.

Bharath M N

Saturday, December 22, 2007

Immunizr.com


Immunizr is another rogue security application. It is yet another rogue application from the spywareNo family of rogue security applications.

The site uses the IP 69.50.166.50, and the Immunizr setup file is not detected as a rogue security application by any of the scanners on VirusTotal.

Stay away from rogue security applications.
Bharath MN

WinSpykiller.com


WinSpykiller is a rogue security application. It is another rogue application from the spywareNo family of rogue security applications.

This is the ninth rogue security application from the spywareNo family in December. If you look closely at all nine sites you will find the same information displayed on every page.

The site uses the IP 69.50.166.51, and the interesting point is that none of the scanners on VirusTotal detects this rogue security application.


Stay away from Rogue security applications.

Bharath MN

Sunday, December 16, 2007

New Zlob Trojan Site



Site: Pmffprogram.com
IP: 85.255.113.234
Registrar: ESTDOMAINS, INC.

Virustotal Scan Result: 10/32 (31.25%)
AntiVir 7.6.0.45 2007.12.14 DR/Zlob.Gen
Avast 4.7.1098.0 2007.12.15 Win32:Zlob-AHS
AVG 7.5.0.503 2007.12.15 Downloader.Zlob.LI
BitDefender 7.2 2007.12.15 Trojan.Zlob.BZM
ClamAV 0.91.2 2007.12.15 Trojan.Dropper-2529
DrWeb 4.44.0.09170 2007.12.15 Trojan.Popuper.origin
Microsoft 1.3109 2007.12.15 TrojanDownloader:Win32/Zlob.gen!AL
Prevx1 V2 2007.12.15 Downloader.Zlob.LI
Sophos 4.24.0 2007.12.15 Troj/Zlobar-Fam
Webwasher-Gateway 6.6.2 2007.12.15 Trojan.Dropper.Zlob.Gen

Stay away from this site.

Bharath M N

Friday, December 14, 2007

wincodecdownload.com


Another malicious domain. The setup file available on the site is malicious: it installs a malicious BHO which displays the following image below the browser address bar.


BHO Details:

Filename: IECodec.dll
HijackThis entry:
O2 - BHO: IECodecBHO - {4507C219-24AA-4813-9561-A2003F9920C3} - C:\Program Files\IECodec\IECodec.dll


Screenshot taken after installing the malicious setup file.

Once you click the link provided in the image it takes you to the privacy-tower.com website. The site uses scare-scan tactics to frighten users into purchasing a rogue security application.

The site privacy-tower.com uses the IP address 206.161.200.43 and redirects users into downloading Anti-Virus-Pro (from anti-virus-pro.com), a well-documented rogue security application.

Privacy-Scanner.com and PrivacyTower.com are clones of privacy-tower.com and also redirect users into downloading Anti-Virus-Pro.

Privacy-Scanner.com\PrivacyTower.com\Privacy-Tower.com scare scan page

Further, the site vscodecsupport.com (203.121.111.143) works as a data repository for wincodecdownload.com.

Currently none of the security applications on VirusTotal flags the setup file as malicious.

Only two scanners detect the BHO as malicious.

Virustotal scan Result: 2/32 (6.25%)

AntiVir 7.6.0.45 2007.12.13 HEUR/Malware
Webwasher-Gateway 6.6.2 2007.12.13 Heuristic.Malware
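The VirusTotal results in these posts (the Pmffprogram.com list above and the two-engine BHO result here) are pasted in the 2007 text layout: engine, engine version, signature date, then the verdict. Below is an added parser, written for this page and not part of the blog or of VirusTotal's own tooling, that turns such a block into records, recomputes the hit ratio against the "hits/total" header, and flags the case that matters in triage: when the only hits are heuristic verdicts ("HEUR", "Suspicious file", "probably unknown") rather than a named family. The marker words used to classify a verdict as heuristic are my own choice, not a VirusTotal convention; the sample blocks are copied from the posts above.

```python
"""Parse VirusTotal results pasted in the 2007 text format used on this blog.

Each detection line is: <engine> <version> <signature date> <result...>
with "-" standing in for a missing version or date (see the ClamAV line in
the AntiSpy-Pro post). Sample blocks below are copied from the
Pmffprogram.com and wincodecdownload.com posts.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEADER_RE = re.compile(r"(?i)vir\w*\s*total\s+scan\s+results?:\s*(\d+)/(\d+)")
DATE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}$")
# Words that mark a heuristic/generic verdict instead of a named family
# (assumption: this list is my own, not a VirusTotal convention).
HEURISTIC_MARKERS = ("heur", "suspicious", "probably", "paranoid", "suspected")


@dataclass
class Detection:
    engine: str
    version: Optional[str]
    sig_date: Optional[str]
    result: str

    @property
    def heuristic(self) -> bool:
        low = self.result.lower()
        return any(marker in low for marker in HEURISTIC_MARKERS)


def parse_detection(line: str) -> Optional[Detection]:
    """Return a Detection for a result line, or None for any other text."""
    tokens = line.split()
    if len(tokens) < 4:
        return None
    engine, version, date = tokens[0], tokens[1], tokens[2]
    if date != "-" and not DATE_RE.match(date):
        return None  # third token is not a signature date: not a result line
    return Detection(
        engine=engine,
        version=None if version == "-" else version,
        sig_date=None if date == "-" else date,
        result=" ".join(tokens[3:]),
    )


def parse_block(text: str) -> Tuple[Optional[Tuple[int, int]], List[Detection]]:
    """Split a pasted block into the claimed 'hits/total' header and its detections."""
    claimed = None
    detections: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.search(line)
        if header:
            claimed = (int(header.group(1)), int(header.group(2)))
            continue
        det = parse_detection(line)
        if det:
            detections.append(det)
    return claimed, detections


def summarize(text: str) -> dict:
    """Recompute the detection ratio and report whether only heuristics fired."""
    claimed, detections = parse_block(text)
    total = claimed[1] if claimed else None
    named = [d.engine for d in detections if not d.heuristic]
    return {
        "claimed_hits": claimed[0] if claimed else None,
        "engines_total": total,
        "detections": len(detections),
        "ratio_pct": round(100.0 * len(detections) / total, 2) if total else None,
        "consistent": claimed is not None and claimed[0] == len(detections),
        "heuristic_only": bool(detections) and not named,
        "named_engines": named,
    }


# Copied from the Pmffprogram.com post (10/32); the trailing prose line is
# included on purpose to show that non-result text is skipped.
ZLOB_BLOCK = """
Virustotal Scan Result: 10/32 (31.25%)
AntiVir 7.6.0.45 2007.12.14 DR/Zlob.Gen
Avast 4.7.1098.0 2007.12.15 Win32:Zlob-AHS
AVG 7.5.0.503 2007.12.15 Downloader.Zlob.LI
BitDefender 7.2 2007.12.15 Trojan.Zlob.BZM
ClamAV 0.91.2 2007.12.15 Trojan.Dropper-2529
DrWeb 4.44.0.09170 2007.12.15 Trojan.Popuper.origin
Microsoft 1.3109 2007.12.15 TrojanDownloader:Win32/Zlob.gen!AL
Prevx1 V2 2007.12.15 Downloader.Zlob.LI
Sophos 4.24.0 2007.12.15 Troj/Zlobar-Fam
Webwasher-Gateway 6.6.2 2007.12.15 Trojan.Dropper.Zlob.Gen
Stay away from this site.
"""

# Copied from the wincodecdownload.com BHO scan (2/32, both heuristic).
BHO_BLOCK = """
Virustotal scan Result: 2/32 (6.25%)
AntiVir 7.6.0.45 2007.12.13 HEUR/Malware
Webwasher-Gateway 6.6.2 2007.12.13 Heuristic.Malware
"""

if __name__ == "__main__":
    for name, block in (("Pmffprogram.com", ZLOB_BLOCK), ("IECodec.dll", BHO_BLOCK)):
        print(name, summarize(block))
```

For the BHO sample the summary reports `heuristic_only: True`, which is the practical reading of a 2/32 result: no vendor had a signature, two generic heuristics fired, so a clean result from the same scanners a day later would not be evidence of a clean file.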


Stay away from these sites.

Bharath M N

Spyware-Sweeper.Net




Yet another SpySheriff clone. This site distributes a rogue security application that exploits the "Webroot" Spy Sweeper name.

Snapshot of Spyware-Sweeper Application


VirusTotal Scan Result: 10/32 (31.25%)


AhnLab-V3 2007.12.14.10 2007.12.13 Win-Trojan/Bravesent.39424
CAT-QuickHeal 9.00 2007.12.13 FraudTool.SpySheriff.f (Not a Virus)
Ikarus T3.1.1.15 2007.12.13 Application.Win32.AdWare.SpySheriff
Kaspersky 7.0.0.125 2007.12.13 not-a-virus:FraudTool.Win32.SpySheriff.f
Microsoft 1.3007 2007.12.13 Program:Win32/SpySheriff
NOD32v2 2721 2007.12.13 a variant of Win32/Adware.SpySheriff
Panda 9.0.0.4 2007.12.13 Suspicious file
Prevx1 V2 2007.12.13 ADWARE.SPYSHERIFF.E
Sophos 4.24.0 2007.12.13 Troj/Spywad-Gen
VirusBuster 4.3.26:9 2007.12.13 Adware.SpySherif.Gen.2


Stay away from rogue security applications.


Bharath M N

Monday, December 10, 2007

Scanner Pages are Live now!!!



The malware scanner pages for the rogue security applications Dr-Protection, Guard-Center, Killspy, Liveantispy, LiveProtection, Online-Guard and Stopingspy are live. The scanner pages use scare tactics to frighten users into purchasing the rogue security application. Don't fall for the cheap trick and lose your money. All the scan pages share the same IP address 58.65.238.131.


Dr-Protection Fake Scanner Page


Guard-Center Fake Scanner Page

Killspy Fake Scanner Page


Liveantispy Fake Scanner Page



Liveprotection Fake Scanner Page


Online-Guard Fake Scanner Page


Stopingspy Fake Scanner Page


Virustotal Scan Result: 7/32 (21.88%)

AVG 7.5.0.503 2007.12.10 Downloader.Small.BAP
DrWeb 4.44.0.09170 2007.12.10 Trojan.Fakealert
Kaspersky 7.0.0.125 2007.12.10 Heur.Trojan.Generic
Microsoft 1.3007 2007.12.10 TrojanDownloader:Win32/Renos.gen!Y
NOD32v2 2713 2007.12.10 probably unknown NewHeur_PE virus
Panda 9.0.0.4 2007.12.09 Suspicious file
Prevx1 V2 2007.12.10 Downloader.Drev.A

Stay away from Rogue security applications

Bharath M N
(Thanks to Patrick Jordan)

Saturday, December 8, 2007

freemoviepro.com

A malicious domain that spams; the download available on the site installs a malicious BHO.
The image displayed on the site:

BHO Details:

Filename: wbspark.dll
HijackThis entry: O2 - BHO: wbspark - {BC42164F-2C53-1B42-1563-1A7624A24C11} - C:\WINDOWS\system32\wbspark.dll
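The two BHO entries on this page (IECodecBHO from the wincodecdownload.com post and wbspark here) are HijackThis "O2 - BHO" lines: name, CLSID and DLL path separated by " - ". The parser below is an added example written for this page, not code from the blog or from HijackThis; it extracts the three fields, tolerates the mangled formatting seen in copy-pasted logs (parentheses instead of braces, a stray space after the drive letter), matches the CLSID against the two known-bad values documented here, and flags BHOs living under the Windows directory. The third log line and its all-zero CLSID are constructed for the example.

```python
"""Parse HijackThis 'O2 - BHO' lines and match them against known-bad CLSIDs.

The two real sample entries are copied from the wincodecdownload.com and
freemoviepro.com posts on this page, the second one in the mangled form it
was pasted in (parentheses instead of braces, a stray space after 'C:').
"""
import re
from dataclasses import dataclass
from typing import List, Optional

O2_RE = re.compile(
    r"^O2\s*-\s*BHO:\s*(?P<name>.*?)\s*-\s*"
    r"[{(]\s*(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\s*[})]"
    r"\s*-\s*(?P<path>.+?)\s*$"
)

# CLSIDs of the two malicious BHOs documented on this page.
KNOWN_BAD_CLSIDS = {
    "{4507C219-24AA-4813-9561-A2003F9920C3}": "IECodecBHO (wincodecdownload.com)",
    "{BC42164F-2C53-1B42-1563-1A7624A24C11}": "wbspark (freemoviepro.com)",
}


@dataclass
class BhoEntry:
    name: str
    clsid: str   # normalised to uppercase and wrapped in braces
    path: str
    known_bad: Optional[str]

    @property
    def in_system_dir(self) -> bool:
        """True when the DLL sits under the Windows directory, unusual for a BHO."""
        return "\\windows\\" in self.path.lower()


def parse_o2(line: str) -> Optional[BhoEntry]:
    """Return a BhoEntry for an O2 line, or None if the line is not an O2 entry."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    clsid = "{" + m.group("clsid").upper() + "}"
    # Collapse the 'C: \WINDOWS' copy-paste artefact into a valid drive path.
    path = re.sub(r"^([A-Za-z]:)\s+", r"\1", m.group("path"))
    return BhoEntry(
        name=m.group("name"),
        clsid=clsid,
        path=path,
        known_bad=KNOWN_BAD_CLSIDS.get(clsid),
    )


def triage(log_text: str) -> List[BhoEntry]:
    """Return the O2 entries in a HijackThis log that deserve a closer look."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o2(line)
        if entry and (entry.known_bad or entry.in_system_dir):
            hits.append(entry)
    return hits


# Constructed log excerpt: the two entries from this page plus a benign-looking
# third line whose all-zero CLSID is a placeholder, not a real component.
SAMPLE_LOG = r"""
O2 - BHO: IECodecBHO - {4507C219-24AA-4813-9561-A2003F9920C3} - C:\Program Files\IECodec\IECodec.dll
O2-BHO: wbspark - (BC42164F-2C53-1B42-1563-1A7624A24C11) - C: \WINDOWS\system32\wbspark.dll
O2 - BHO: Example Toolbar - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\toolbar.dll
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit.clsid, hit.name, hit.path, hit.known_bad or "unknown CLSID in system dir")
```

The CLSID match is the reliable signal; the system-directory check is only a prompt to look closer, since legitimate BHOs normally install under Program Files while Zlob-era droppers liked to hide a DLL in system32 next to the real ones.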

SunBelt SandBox Result


Virustotal Scan Result: 18/32 (56.25%)


Stay away from this site.
Bharath M N

Thursday, December 6, 2007

Three More Malicious Domains



Three More Malicious Domains on 58.65.238.130:

Killspy.org
Liveprotection.net
Stopingspy.com


A few days back I wrote about the four malicious sites on the server 58.65.238.130. Link

Now the server is hosting seven malicious sites distributing Rogue Security applications. The entire list:

1. Dr-protection.com
2. Guard-center.com
3. Killspy.org
4. Liveantispy.com
5. Liveprotection.net
6. Online-guard.net
7. Stopingspy.com

The download from the three new sites was submitted to virustotal.com and here are the results:

Virustotal Scan Result: 5/32 (15.63%)

AhnLab-V3 2007.12.6.2 2007.12.06 Win-Trojan/Spyshield.51200
Kaspersky 7.0.0.125 2007.12.06 not-a-virus:FraudTool.Win32.SpySheriff.f
Microsoft 1.3007 2007.12.06 Program:Win32/SpySheriff
Sophos 4.24.0 2007.12.06 Troj/DrProt-Gen
VirusBuster 4.3.26:9 2007.12.06 Adware.SpySherif.Gen.2

As you can see the detections are poor; stay away from all these sites.

Bharath MN

AntiSpy-Pro.com



This is a new rogue security application, the successor of the IE Defender rogue security application. AntiSpy-Pro is an exact clone of IE Defender.



IE Defender has a history of installing stealthily on users' systems when they install a Zlob codec, so AntiSpy-Pro will be the next rogue security application advertised through Zlob Trojans.




Snapshot of AntiSpy-Pro Application


The site details:
IP Address: 85.255.121.149
created on 2007-11-15
Name Servers: ns1.antispy-pro.com
ns2.antispy-pro.com

Warning message from the app:

If AntiSpy-Pro installs stealthily on your system, it is certain that your system is infected by a Zlob Trojan.

VirusTotal Scan Result: 3/32 (9.38%)

ClamAV - - Adware.Fakealert-21
Kaspersky - - not-a-virus:FraudTool.Win32.IeDefender.j
VBA32 - - suspected of Backdoor.Delf.180 (paranoid heuristics)

Stay away from this Rogue security application.

Bharath M N

Saturday, December 1, 2007

List of Malicious Domains

ghktoolkit.com -> Zlob trojan distributing site
zxcsolution.com -> Zlob trojan distributing site
codectime.com -> DNS Changer distributing site
codecvids.com -> Zlob trojan distributing site
217.20.122.32 -> a bunch of malicious files hosted on the site
Detection of the malicious files distributed by these sites is really poor.
Stay away from these sites...
Bharath M N

Tuesday, November 27, 2007

Yet another bunch of Rogue Security applications



Currently there are four websites distributing clones of the SpySheriff rogue security application. All the domains share the same IP address 58.65.238.130.

Dr-protection.com



Application Screen Shot of Dr-protection


Guard-center.com

Application Screen Shot of Guard-center


Liveantispy.com



Application Screen Shot of Liveantispy



Online-guard.net

Application Screen Shot of Online-guard



Virus total Scan Results:

AhnLab-V3 2007.11.27.1 2007.11.27 Win-Trojan/Spyshield.51200
Kaspersky 7.0.0.125 2007.11.27 not-a-virus:FraudTool.Win32.SpySheriff.f
VirusBuster 4.3.26:9 2007.11.26 Adware.SpySherif.Gen.2

Detection of these rogue security applications is poor. Stay away from these sites.

Bharath M N

Tuesday, November 20, 2007

Deuscleaneronline.com



Another rogue security application which looks similar to the DriveCleaner application. The site uses scare-scan tactics to frighten users into purchasing the rogue application. The site registrar is ESTDOMAINS and it uses the IP 24.244.171.69, which is also used by other malicious sites.

Detection of the Rogue is really poor. Avoid it at all cost...

Bharath M N

Monday, November 19, 2007

Another List of Zlob Trojan distributing Sites

Stvfirm.com (85.255.118.179)
Ictmanufacture.com (85.255.113.234)
Ocnservice.com (85.255.115.178)
Xvsenterprise.com (85.255.115.179)
Bsplaycodec.com (64.28.184.180)

Detection of the installer from these sites is poor. Stay away from these sites.

Bharath M N

Saturday, November 17, 2007

ElseIf.biz




Yet another site used to distribute the Zlob Trojan. The site's main page states that the domain is suspended, but it is surely working as an active repository of Trojan files.


Usually the porn sites use the following fake alert to goad the user into downloading the fake video decoder.

Screenshot of the fake Error Message Box

ElseIf.biz uses the IP address 85.255.121.148. Detection of the download from this site is really poor. Stay away from malicious porn sites.


Avoid the site and all its downloads…

The website's name reminds me of the college days wherein we coded in the C language :-)

Code:

CODE:
if(You are sensible enough not to download and install a codec promoted by a porn site)
{
Your system is safe and you need not worry about the Zlob Trojan infection;
Exit from the porn trap;
}

else if(you install the codec)
{
Welcome to the world of Zlob infected PC's;
The Trojan will make sure you have a terrible experience;
Use a tool to remove the infection;
Make a promise never to install a codec pushed from a porn site;
Finally exit from the porn trap;
}

else
{
Wait until the bad guys come up with a new trick to trap you;
goto CODE;
}

Isn't it funny code :-)


Bharath MN

Wednesday, November 14, 2007

VirProtect.com







Yet another rogue security application from the SpyLocked group of rogue security applications.

VirProtect is the latest entry to the list; this rogue is currently advertised by the latest Zlob Trojan. The site uses the IP 85.255.119.126, which is also used by virusray.com (the previous rogue security application released by this group).



Screenshot of the application.


Detection of the rogue is poor.


VirusTotal Scan Result: 7/31 (22.59%)

Avast 4.7.1074.0 2007.11.13 Win32:Spycrush-B
BitDefender 7.2 2007.11.13 Adware.SpyLocked.C
Ikarus T3.1.1.12 2007.11.13 Virus.Win32.Spycrush.B
Kaspersky 7.0.0.125 2007.11.13 not-a-virus:FraudTool.Win32.VirusProtectPro.h
Microsoft 1.3007 2007.11.12 Program:Win32/VirusLocker
Rising 20.18.11.00 2007.11.13 Hack.Win32.VirusProtectPro.a
VBA32 3.12.2.4 2007.11.11 Application.Win32.Adware.VirusProtectPro

Avoid it at all cost…

Bharath M N

Sunday, November 11, 2007

ErrorInspector.com



A hoax site distributing a rogue security application; the webpage doesn't provide any link to download the application. This rogue security application is also advertised through Mediaplex (owned by ValueClick).

Screenshot of ads displayed for ErrorInspector by Mediaplex.


This site also uses the IP 84.243.253.220, which is used by many other Sellmosoft Inc rogue security applications. Some of the other rogue security applications that used/use this IP are:


1. Performanceoptimizer.com
2. Antivirussecuritypro.com
3. Cryptdrive.com
4. Windefender.com
5. ErrorDigger.Com


and many more. Detection on VirusTotal is really poor. The application is related to the winantivirus(dot)com family of rogue security applications.

Sunbelt CWSandbox Analysis


Avoid it at all cost...


Bharath M N

Another bunch of Zlob Trojan distributing sites

Fresh list of sites distributing Zlob Trojans:

1. Gneprogram.com (85.255.118.181)
2. Ndcperformance.com (85.255.113.238)
3. Mzdsoftware.com (85.255.113.235)
4. Pkbsolution.com (85.255.118.179)

Avoid downloads from these sites to keep your system safe.
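Several posts on this page make the same observation: a new rogue or Zlob domain turns up on an IP, or in a small range, that already hosts others (the 85.255.x.x addresses in the Zlob lists, the 58.65.238.130/131 pair, the 69.50.166.50/51 pair). The script below is an added example, not the blog's own tooling, that takes the domain/IP pairs reported on this page and clusters them by exact IP and by network prefix, so that a new indicator can be checked against already-crowded hosting before any signature exists for the installer. The `is_suspicious` helper and the 3-domains-per-/24 threshold are my own assumptions for the example; the pairs are copied from the posts and no DNS lookups are performed.

```python
"""Cluster the domain/IP pairs reported on this page by shared hosting.

Grouping indicators by exact IP and by network prefix is a standard way to
spot a campaign's infrastructure: a fresh domain is suspicious when it lands
on a host or /24 already crowded with known-bad names. The pairs below are
copied from the posts on this page; nothing is resolved at run time.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# (domain, IP) pairs as reported in the Zlob and rogue-AV posts on this page.
REPORTED: List[Tuple[str, str]] = [
    ("stvfirm.com", "85.255.118.179"),
    ("ictmanufacture.com", "85.255.113.234"),
    ("ocnservice.com", "85.255.115.178"),
    ("xvsenterprise.com", "85.255.115.179"),
    ("bsplaycodec.com", "64.28.184.180"),
    ("gneprogram.com", "85.255.118.181"),
    ("ndcperformance.com", "85.255.113.238"),
    ("mzdsoftware.com", "85.255.113.235"),
    ("pkbsolution.com", "85.255.118.179"),
    ("pmffprogram.com", "85.255.113.234"),
    ("files-secure.com", "85.255.119.92"),
    ("antispy-pro.com", "85.255.121.149"),
    ("elseif.biz", "85.255.121.148"),
    ("virprotect.com", "85.255.119.126"),
    ("immunizr.com", "69.50.166.50"),
    ("winspykiller.com", "69.50.166.51"),
]


def cluster_by_prefix(pairs: Iterable[Tuple[str, str]], prefix: int) -> Dict[str, List[str]]:
    """Group domains by the /prefix network their IP falls in."""
    groups: Dict[str, Set[str]] = defaultdict(set)
    for domain, ip in pairs:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        groups[str(net)].add(domain.lower())
    return {net: sorted(domains) for net, domains in groups.items()}


def shared_hosts(pairs: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """IPs that host more than one reported domain (exact-IP overlap)."""
    by_ip: Dict[str, Set[str]] = defaultdict(set)
    for domain, ip in pairs:
        by_ip[ip].add(domain.lower())
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) > 1}


def dense_networks(pairs, prefix: int = 24, min_domains: int = 3) -> Dict[str, List[str]]:
    """Networks holding at least min_domains reported domains: likely campaign hosting."""
    return {net: ds for net, ds in cluster_by_prefix(pairs, prefix).items() if len(ds) >= min_domains}


def is_suspicious(ip: str, pairs=REPORTED, prefix: int = 24, min_domains: int = 3) -> bool:
    """Hypothetical triage helper: does this IP sit in a network already dense with bad domains?"""
    net = str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
    return net in dense_networks(pairs, prefix, min_domains)


def hosts_blocklist(pairs: Iterable[Tuple[str, str]]) -> str:
    """Render the reported domains as hosts-file lines sinkholed to 0.0.0.0."""
    return "\n".join(f"0.0.0.0 {d}" for d in sorted({d.lower() for d, _ in pairs}))


if __name__ == "__main__":
    print("shared IPs:", shared_hosts(REPORTED))
    print("dense /24s:", dense_networks(REPORTED))
    print("dense /16s:", dense_networks(REPORTED, prefix=16, min_domains=5))
    print(hosts_blocklist(REPORTED))
```

Run on the page's own data, the exact-IP view already shows two reuse cases (Stvfirm.com with Pkbsolution.com, Ictmanufacture.com with Pmffprogram.com), and the /24 view shows 85.255.113.0/24 and 85.255.118.0/24 carrying three or more of the Zlob codec domains. Clustering like this is how a defender builds a blocklist that covers the next domain in the series before it is reported.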
Bharath M N

Friday, November 9, 2007

ErrorDigger.Com






This rogue security application will definitely dig a hole in your pocket. The webpage doesn't provide any link to download the application. The rogue security application is advertised through Mediaplex (owned by ValueClick).
Screenshot of ads displayed for ErrorDigger by Mediaplex.


The site uses the IP 84.243.253.220, which is also used by many other Sellmosoft Inc rogue security applications.

Some of the other Rogue security applications that used/uses this IP are:

1. Performanceoptimizer.com
2. Antivirussecuritypro.com
3. Cryptdrive.com
4. Windefender.com

and many more. Detection on VirusTotal is really poor.

Sunbelt CWSandbox Analysis


Avoid it at all cost...

Bharath M N

Sunday, November 4, 2007

AVSystemCare crazily spreading on Internet








AVSystemCare, a well-known rogue security application, is spreading wildly on the internet. The application was first sighted around May 2007.


Screenshot of AVSystemCare application



The application is aggressively advertised by Zlob Trojans. When a system gets infected by a Zlob Trojan you might receive the following warning message, or a similar one, luring/confusing/goading users into purchasing any one of the many AVSystemCare clone applications.


Fake security alert displayed by the Zlob Trojan



AVSystemCare scammers are busy cloning their website. Currently they have more than 300 cloned websites that share the same IP address.


Below is the complete list of sites:



[EDIT]

New Scam page of AVSystemCare



Avoid all the sites...



Bharath M N

Saturday, November 3, 2007

Fresh Pack of Zlob Trojan distributing sites

A few new codec sites distributing Zlob Trojans:
zsvcompany(dot)com
bcnproduction(dot)com
mojtechnology(dot)com
vaulimited(dot)com

Typically the download from these sites pretends to be a video codec/image codec for viewing porn online but instead installs a Zlob Trojan/DNS changer Trojan on the system.

Usually some porn sites display a message stating that you need to download a special codec to view the porn online. Once the user agrees to install the codec, the Trojan starts its dirty task of downloading adware and nagging the user with fake security warning messages.

The fake security warning message informs the user that the system is infected and is vulnerable to Trojan attacks, luring the user into running a scan or downloading a security application to remove the infection. The application that the Trojan suggests will definitely be a rogue security application.

The main purpose of the Zlob Trojan is to goad users into purchasing rogue security applications. Rogue security application and Zlob developers deploy new installers and jump domains constantly in order to prevent anti-spyware/malware/virus applications from detecting them.

So far the scammers have been winning the battle against the protection provided by anti-malware/spyware/virus products.

Be a bit cautious about what you download on a porn site. Prevention is always better than cure.

Bharath MN

Tuesday, October 30, 2007

MessengerBlocker

Messenger-blocker.com

This is a new scam that uses the Windows Messenger Service to trick users into purchasing a rogue security application.

"The scam popup indicates that your computer is vulnerable to pop-ups, viruses, hackers, crackers, unwanted advertisement, spam, etc."

This scam is designed to scare users into purchasing an unwanted application to solve the problem.

CA and Symantec have detailed descriptions of the rogue security application.

Avoid the sites and the application they promote.

Bharath M N

End-Ads

End-Ads.com

Funnily, the website is named End-Ads yet advertises a well-documented rogue security application, so the website does the reverse of its name: after installing the application advertised on this webpage you will definitely start receiving ads stating that your system is infected, blah blah...

Currently it is advertising SystemDoctor, a well-known rogue security application.


Site registration details:

Registrar: GODADDY.COM, INC.
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com

Expiration Date: 2008-07-13
Creation Date: 2005-07-13
Last Update Date: 2007-03-18


Different domains that share the same IP are listed below:

Blockmessengerspam.com “clone of end-ads.com”
Blockthesepopups.com
Endmessenger.com
Error-safe.org
Escapeads.com
Fightpopups.net “clone of end-ads.com”
Messenger-blocker.com
Messengerservice.info
Messengersoft.com
Messengerstopper.net “clone of end-ads.com”
Phoenixcitylights.com
Stopmessengerads.com
Stoppornads.com
Systemdoctor2008.com
Winantispyware.org
Winantivirus2007pro.com

Looking at the domain names one can easily make out that all the websites are malicious. Most of the websites actively advertise or redirect to SystemDoctor.

Avoid all these sites and the applications they promote.

Bharath M N

Friday, October 5, 2007

Protecthips.com! Does this Protect your System?

Protecthips.com

This is a malicious website which promotes rogue security applications.

Not every user can reach this website directly: systems infected by the Zlob Trojan are typically presented with a website mimicking the online/Windows Security Center, luring/confusing/goading users into purchasing any one of the rogue security applications advertised on this website.

The website has a test page that looks like a Windows troubleshooting/Windows help page; it mimics the troubleshooting steps and finally asks users to use one of the rogue security applications displayed on the page to fix the issue they are facing.

This website promotes the following Rogue Security applications:

WinAntiVirus
AntiSpyGolden
VirusHeal
Menace Rescue
Trojans Filter
Antispyware Suite
Drive Cleaner
System Doctor
AntiWorm 2008
GoldenAntiSpy

The Domain shares its IP with the following websites:

asafetyguide.com
ddgate.com
rhgate.com
safeinformations.com
securitysteps.com

All the above listed sites are phony and distribute rogue security applications.

Avoid all these sites and the applications they promote.

Bharath M N