Sunday, December 30, 2007

HAPPY NEW YEAR 2008




I wish you all a Prosperous and Happy New Year 2008.

Bharath M N

New Scam Strategy

[Edited]

Removed this blog

Wednesday, December 26, 2007

FILES-SECURE.COM




Files-Secure is a new rogue security application from the IE Defender family.

Files-Secure installs stealthily after the user runs a dubious codec installer named videomp3_setup*.


Snapshot of Files-Secure Application

The site details:
Registrar: ESTDOMAINS, INC.
IP Address: 85.255.119.92
Name Server: NS1.FILES-SECURE.COM
Name Server: NS2.FILES-SECURE.COM

Warning message from the app:

VirusTotal Scan Result: 2/32 (6.25%)

eSafe 7.0.15.0 2007.12.25 suspicious Trojan/Worm
Kaspersky 7.0.0.125 2007.12.26 not-a-virus:FraudTool.Win32.IeDefender.ag

Stay away from this Rogue security application.

Bharath M N

Saturday, December 22, 2007

Immunizr.com


Immunizr is another rogue security application, again from the SpywareNo family of rogue security applications.

The site uses the IP 69.50.166.50, and at the time of writing the Immunizr setup file is not detected as a rogue security application by any of the scanners on VirusTotal.
Stay away from Rogue security applications.
Bharath MN

WinSpykiller.com


WinSpykiller is a rogue security application, another one from the SpywareNo family of rogue security applications.

This is the ninth rogue security application from the SpywareNo family in December. If you look closely at all nine sites you will find the same information displayed on every page.

The site uses the IP 69.50.166.51 and, interestingly, none of the security applications on VirusTotal detects this rogue security application.


Stay away from Rogue security applications.

Bharath MN

Sunday, December 16, 2007

New Zlob Trojan Site



Site: Pmffprogram.com
IP: 85.255.113.234
Registrar: ESTDOMAINS, INC.

Virustotal Scan Result: 10/32 (31.25%)
AntiVir 7.6.0.45 2007.12.14 DR/Zlob.Gen
Avast 4.7.1098.0 2007.12.15 Win32:Zlob-AHS
AVG 7.5.0.503 2007.12.15 Downloader.Zlob.LI
BitDefender 7.2 2007.12.15 Trojan.Zlob.BZM
ClamAV 0.91.2 2007.12.15 Trojan.Dropper-2529
DrWeb 4.44.0.09170 2007.12.15 Trojan.Popuper.origin
Microsoft 1.3109 2007.12.15 TrojanDownloader:Win32/Zlob.gen!AL
Prevx1 V2 2007.12.15 Downloader.Zlob.LI
Sophos 4.24.0 2007.12.15 Troj/Zlobar-Fam
Webwasher-Gateway 6.6.2 2007.12.15 Trojan.Dropper.Zlob.Gen

Stay away from this site.

Bharath M N

Friday, December 14, 2007

wincodecdownload.com


Another malicious domain. The setup file offered on the site is malicious: it installs a malicious BHO (Browser Helper Object) which displays the image below under the browser address bar.


BHO Details:

Filename: IECodec.dll
Hijack this entry:
O2 - BHO: IECodecBHO - {4507C219-24AA-4813-9561-A2003F9920C3} - C:\Program Files\IECodec\IECodec.dll


Screenshot taken after installing the malicious setup file.

Clicking the link in that image takes you to the privacy-tower.com website. The site runs a fake "scan" to scare users into purchasing a rogue security application.

privacy-tower.com uses the IP address 206.161.200.43 and redirects users into downloading Anti-Virus-Pro (from anti-virus-pro.com), a well documented rogue security application.

Privacy-Scanner.com and PrivacyTower.com are clones of privacy-tower.com and also redirect users into downloading Anti-Virus-Pro.

Privacy-Scanner.com / PrivacyTower.com / Privacy-Tower.com fake scan page

A further site, vscodecsupport.com (203.121.111.143), acts as the data repository for wincodecdownload.com.

At present none of the security applications on VirusTotal flags the setup file as malicious, and only two scanners detect the BHO:

Virustotal scan Result: 2/32 (6.25%)

AntiVir 7.6.0.45 2007.12.13 HEUR/Malware
Webwasher-Gateway 6.6.2 2007.12.13 Heuristic.Malware


Stay away from these sites.

Bharath M N

Spyware-Sweeper.Net




Yet another SpySheriff clone. This site distributes a rogue security application whose name trades on Webroot's "Spy Sweeper" product.

Snapshot of Spyware-Sweeper Application


Virustotal Scan Result: 10/32 (31.25%)


AhnLab-V3 2007.12.14.10 2007.12.13 Win-Trojan/Bravesent.39424
CAT-QuickHeal 9.00 2007.12.13 FraudTool.SpySheriff.f (Not a Virus)
Ikarus T3.1.1.15 2007.12.13 Application.Win32.AdWare.SpySheriff
Kaspersky 7.0.0.125 2007.12.13 not-a-virus:FraudTool.Win32.SpySheriff.f
Microsoft 1.3007 2007.12.13 Program:Win32/SpySheriff
NOD32v2 2721 2007.12.13 a variant of Win32/Adware.SpySheriff
Panda 9.0.0.4 2007.12.13 Suspicious file
Prevx1 V2 2007.12.13 ADWARE.SPYSHERIFF.E
Sophos 4.24.0 2007.12.13 Troj/Spywad-Gen
VirusBuster 4.3.26:9 2007.12.13 Adware.SpySherif.Gen.2


Stay away from rogue security applications.


Bharath M N

Monday, December 10, 2007

Scanner Pages are Live now!!!



The fake malware scanner pages for the rogue security applications Dr-Protection, Guard-Center, Killspy, Liveantispy, LiveProtection, Online-Guard and Stopingspy are live. Each scanner page runs a fake scan to scare users into purchasing the rogue security application. Don't fall for this cheap trick and lose your money. All the scan pages share the same IP address, 58.65.238.131.


Dr-Protection Fake Scanner Page


Guard-Center Fake Scanner Page

Killspy Fake Scanner Page


Liveantispy Fake Scanner Page



Liveprotection Fake Scanner Page


Online-Guard Fake Scanner Page


Stopingspy Fake Scanner Page


Virustotal Scan Result: 7/32 (21.88%)

AVG 7.5.0.503 2007.12.10 Downloader.Small.BAP
DrWeb 4.44.0.09170 2007.12.10 Trojan.Fakealert
Kaspersky 7.0.0.125 2007.12.10 Heur.Trojan.Generic
Microsoft 1.3007 2007.12.10 TrojanDownloader:Win32/Renos.gen!Y
NOD32v2 2713 2007.12.10 probably unknown NewHeur_PE virus
Panda 9.0.0.4 2007.12.09 Suspicious file
Prevx1 V2 2007.12.10 Downloader.Drev.A

Stay away from Rogue security applications

Bharath M N
(Thanks to Patrick Jordan)

Saturday, December 8, 2007

freemoviepro.com

A malicious domain that is being spammed; the download available on the site installs a malicious BHO.
The image displayed on the site:

BHO Details:

Filename: wbspark.dll
Hijack this entry:
O2 - BHO: wbspark - {BC42164F-2C53-1B42-1563-1A7624A24C11} - C:\WINDOWS\system32\wbspark.dll

SunBelt SandBox Result


Virustotal Scan Result: 18/32 (56.25%)
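The HijackThis "O2" lines quoted in this post and in the wincodecdownload.com post above carry the three things worth triaging: the BHO name, its CLSID and the DLL path. The script below is an added example (my code, not HijackThis's and not the blog's) that parses O2 lines, normalises the CLSID (the freemoviepro entry was printed with parentheses and a stray space after the drive letter, and the parser accepts that form), and matches both the CLSID and the DLL filename against the indicators from the two posts, so a variant that re-registers the same DLL under a fresh CLSID is still flagged. The sample log, the illustrative Adobe entry and the placeholder CLSID on the last line are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A HijackThis "O2" line: O2 - BHO: <name> - {<CLSID>} - <DLL path>
# The CLSID is accepted in braces or (as the freemoviepro post printed it)
# in parentheses; hyphens inside the name are tolerated because the match
# anchors on the CLSID itself.
O2_RE = re.compile(
    r"^O2\s*-\s*BHO:\s*(?P<name>.*?)\s*-\s*"
    r"[{(](?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})[})]"
    r"\s*-\s*(?P<path>.+?)\s*$"
)

# Indicators taken from the two posts (wincodecdownload.com, freemoviepro.com).
BAD_CLSIDS = {
    "{4507C219-24AA-4813-9561-A2003F9920C3}": "IECodecBHO / wincodecdownload.com",
    "{BC42164F-2C53-1B42-1563-1A7624A24C11}": "wbspark / freemoviepro.com",
}
BAD_FILENAMES = {"iecodec.dll", "wbspark.dll"}


@dataclass
class Bho:
    name: str
    clsid: str     # normalised: upper-case, in braces
    path: str      # normalised: no whitespace after the drive letter
    verdict: str   # "clean", "known-bad-clsid" or "known-bad-file"


def parse_o2(line: str) -> Optional[Bho]:
    """Parse one log line; return None for anything that is not an O2 entry."""
    m = O2_RE.match(line.strip())
    if m is None:
        return None
    clsid = "{" + m["clsid"].upper() + "}"
    path = re.sub(r"^([A-Za-z]:)\s+", r"\1", m["path"])   # "C: \WINDOWS" -> "C:\WINDOWS"
    filename = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if clsid in BAD_CLSIDS:
        verdict = "known-bad-clsid"
    elif filename in BAD_FILENAMES:        # same DLL re-registered under a new CLSID
        verdict = "known-bad-file"
    else:
        verdict = "clean"
    return Bho(m["name"], clsid, path, verdict)


def scan_log(text: str) -> List[Bho]:
    """All BHO entries in a HijackThis log, in log order."""
    return [b for b in (parse_o2(line) for line in text.splitlines()) if b is not None]


def suspicious(text: str) -> List[Bho]:
    """Only the entries that hit a known-bad CLSID or DLL name."""
    return [b for b in scan_log(text) if b.verdict != "clean"]


# Constructed sample log: the two O2 lines quoted in the posts (the second in
# the exact form the freemoviepro post printed it), an illustrative benign
# Adobe entry, a non-O2 line, and a made-up CLSID re-registering wbspark.dll.
SAMPLE_LOG = r"""
Logfile of HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IECodecBHO - {4507C219-24AA-4813-9561-A2003F9920C3} - C:\Program Files\IECodec\IECodec.dll
O2-BHO: wbspark - (BC42164F-2C53-1B42-1563-1A7624A24C11) - C: \WINDOWS\system32\wbspark.dll
O4 - HKLM\..\Run: [SomeUpdater] C:\Program Files\Some\updater.exe
O2 - BHO: (no name) - {00000000-1111-2222-3333-444444444444} - C:\WINDOWS\system32\wbspark.dll
"""

if __name__ == "__main__":
    for b in suspicious(SAMPLE_LOG):
        print(f"{b.verdict:16} {b.clsid} {b.path}  ({BAD_CLSIDS.get(b.clsid, b.name)})")
```

Matching on the DLL filename as well as the CLSID is the point of the last sample line: the CLSID is a free choice for the malware author and changes between builds, while the dropped filename tends to stay the same across a campaign.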


Stay away from this site.
Bharath M N

Thursday, December 6, 2007

Three More Malicious Domains



Three more malicious domains on 58.65.238.130:

Killspy.org
Liveprotection.net
Stopingspy.com


A few days back I had written about four malicious sites on the server 58.65.238.130. Link

The server is now hosting seven malicious sites distributing rogue security applications. The full list:

1. Dr-protection.com
2. Guard-center.com
3. Killspy.org
4. Liveantispy.com
5. Liveprotection.net
6. Online-guard.net
7. Stopingspy.com

The downloads from the three new sites were submitted to virustotal.com; here are the results:

Virustotal Scan Result: 5/32 (15.63%)

AhnLab-V3 2007.12.6.2 2007.12.06 Win-Trojan/Spyshield.51200
Kaspersky 7.0.0.125 2007.12.06 not-a-virus:FraudTool.Win32.SpySheriff.f
Microsoft 1.3007 2007.12.06 Program:Win32/SpySheriff
Sophos 4.24.0 2007.12.06 Troj/DrProt-Gen
VirusBuster 4.3.26:9 2007.12.06 Adware.SpySherif.Gen.2

As you can see, detection is poor. Stay away from all these sites.

Bharath MN

AntiSpy-Pro.com



This is a new rogue security application, the successor of the IE Defender rogue security application. AntiSpy-Pro is an exact clone of IE Defender.



IE Defender has a history of installing stealthily on the user's system when they install a Zlob "codec", so AntiSpy-Pro is likely to be the next rogue security application advertised through Zlob Trojans.




Snapshot of AntiSpy-Pro Application


The site details:
IP Address: 85.255.121.149
created on 2007-11-15
Name Servers: ns1.antispy-pro.com
ns2.antispy-pro.com

Warning message from the app:

If AntiSpy-Pro installs stealthily on your system, it is a strong sign that the system is infected with a Zlob Trojan.

VirusTotal Scan Result: 3/32 (9.38%)

ClamAV - - Adware.Fakealert-21
Kaspersky - - not-a-virus:FraudTool.Win32.IeDefender.j
VBA32 - - suspected of Backdoor.Delf.180 (paranoid heuristics)
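The VirusTotal result lists quoted throughout these posts (Files-Secure, the Zlob site, wincodecdownload.com, Spyware-Sweeper, the scanner pages, the three SpywareNo domains and AntiSpy-Pro) all share the 2007 layout of vendor, engine version, signature date and result, with the ratio N/32 rounded to two decimals. The script below is an added example (my code, not VirusTotal's and not the blog's) that parses those lines, reproduces the ratio exactly as VirusTotal printed it (15.625% shown as 15.63%, so halves round up, which Python's default float formatting would not do), and separates plain malware signatures from heuristic-only verdicts ("Suspicious file", "probably unknown", "paranoid heuristics") and riskware-class names ("not-a-virus:", "Program:", Adware, FraudTool). That three-way split and its marker lists are my own simplifying assumption, not a VirusTotal classification; the point is that the already poor ratios on this page overstate real coverage, because heuristic and riskware verdicts were often not blocked by default. The sample lines are copied from the Scanner Pages and AntiSpy-Pro posts, the latter with "- -" in place of the missing version and date, and 32 engines is the count shown on the page.

```python
import re
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List, Optional

# One detection line as VirusTotal printed it in 2007:
#   <vendor> <engine version> <signature date> <result...>
# Version and date may each be absent and shown as "-" (AntiSpy-Pro post).
LINE_RE = re.compile(
    r"^(?P<vendor>\S+)\s+"
    r"(?P<version>-|\S+)\s+"
    r"(?P<date>-|\d{4}\.\d{2}\.\d{2})\s+"
    r"(?P<result>.+?)\s*$"
)

# Assumed, simplified verdict buckets (mine, not VirusTotal's taxonomy):
# heuristic-only hits and riskware/PUP-class names are counted separately
# from plain malware signatures.
HEURISTIC_MARKERS = ("heur", "suspicious", "probably", "paranoid", "generic")
RISKWARE_MARKERS = ("not-a-virus", "not a virus", "program:", "adware", "fraudtool")


@dataclass
class Detection:
    vendor: str
    version: Optional[str]
    date: Optional[str]
    result: str
    kind: str   # "malware", "riskware" or "heuristic"


def classify(result: str) -> str:
    r = result.lower()
    if any(m in r for m in HEURISTIC_MARKERS):
        return "heuristic"
    if any(m in r for m in RISKWARE_MARKERS):
        return "riskware"
    return "malware"


def parse_line(line: str) -> Detection:
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised VirusTotal line: {line!r}")
    version = None if m["version"] == "-" else m["version"]
    date = None if m["date"] == "-" else m["date"]
    return Detection(m["vendor"], version, date, m["result"], classify(m["result"]))


def ratio(detected: int, engines: int) -> str:
    """Format 'N/M (pct%)' the way VirusTotal did: two decimals, halves rounded up."""
    pct = (Decimal(detected) * 100 / Decimal(engines)).quantize(
        Decimal("0.01"), rounding=ROUND_HALF_UP)
    return f"{detected}/{engines} ({pct}%)"


def summarise(lines: List[str], engines: int = 32) -> Dict[str, object]:
    """Ratio, number of engines that missed the file, and hits per verdict bucket."""
    hits = [parse_line(line) for line in lines if line.strip()]
    by_kind = {"malware": 0, "riskware": 0, "heuristic": 0}
    for h in hits:
        by_kind[h.kind] += 1
    return {
        "ratio": ratio(len(hits), engines),
        "missed": engines - len(hits),
        "by_kind": by_kind,
        "detections": hits,
    }


# Sample input copied from the Scanner Pages post (7/32) and the AntiSpy-Pro
# post (3/32, with "- -" for version and date); 32 engines as on the page.
SCANNER_PAGES = [
    "AVG 7.5.0.503 2007.12.10 Downloader.Small.BAP",
    "DrWeb 4.44.0.09170 2007.12.10 Trojan.Fakealert",
    "Kaspersky 7.0.0.125 2007.12.10 Heur.Trojan.Generic",
    "Microsoft 1.3007 2007.12.10 TrojanDownloader:Win32/Renos.gen!Y",
    "NOD32v2 2713 2007.12.10 probably unknown NewHeur_PE virus",
    "Panda 9.0.0.4 2007.12.09 Suspicious file",
    "Prevx1 V2 2007.12.10 Downloader.Drev.A",
]
ANTISPY_PRO = [
    "ClamAV - - Adware.Fakealert-21",
    "Kaspersky - - not-a-virus:FraudTool.Win32.IeDefender.j",
    "VBA32 - - suspected of Backdoor.Delf.180 (paranoid heuristics)",
]

if __name__ == "__main__":
    for name, lines in (("Scanner pages", SCANNER_PAGES), ("AntiSpy-Pro", ANTISPY_PRO)):
        s = summarise(lines)
        print(f"{name}: {s['ratio']}, missed by {s['missed']} engines, {s['by_kind']}")
```

Run stand-alone it prints one summary line per sample; for the scanner-page downloader only four of the seven hits are plain malware signatures, and for AntiSpy-Pro none are, which is the practical reading of "3/32".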

Stay away from this Rogue security application.

Bharath M N

Saturday, December 1, 2007

List of Malicious Domains

ghktoolkit.com -> Zlob Trojan distributing site
zxcsolution.com -> Zlob Trojan distributing site
codectime.com -> DNS Changer distributing site
codecvids.com -> Zlob Trojan distributing site
217.20.122.32 -> a bunch of malicious files hosted on this host
Detection of the malicious files distributed by these sites is really poor.
Stay away from these sites...
Bharath M N