Friday, August 29, 2008

Total Secure 2009

Total Secure 2009 is a new rogue security product from the IEDefender family.

More info here

Bharath M N

Tuesday, August 26, 2008

SpywarePreventer

SpywarePreventer is yet another rogue security application from the SpywareNo/SpySheriff family of rogue security applications.

Site Name: SpywarePreventer.com
IP Address: 216.255.186.253

Screenshot of SpywarePreventer site

Screenshot of SpywarePreventer application

Stay away from this site.

Bharath M N

Friday, August 22, 2008

Power Antivirus

Power Antivirus is yet another rogue security application from the SpywareNo/SpySheriff family of rogue security applications.

Site Name: Pwrantivirus.com
IP Address: 91.208.0.231

Screenshot of Power Antivirus site

Site Name: Scanner-Pwrantivirus.com
IP address: 91.208.0.246

Screenshot of Scare/fake scanner pages used by Power Antivirus

Screenshot of Power Antivirus application


One rogue goes up and a few more clones follow it. This group seems to be really busy cloning their application. Stay away from these sites.

Bharath M N

XPert Antivirus Enterprise

XPert Antivirus Enterprise is yet another rogue security application from the SpywareNo/SpySheriff family of rogue security applications.

Site Name: Xpertantivirus.com
IP Address: 91.208.0.230

Screenshot of XPert Antivirus Enterprise site

Site Name: Scanner-xpertantivirus.com
IP address: 91.208.0.246

Screenshot of Scare/fake scanner pages used by XPert Antivirus Enterprise

Screenshot of XPert Antivirus Enterprise application

Stay away from these sites.

Bharath M N

Thursday, August 21, 2008

MS Antivirus

MS Antivirus is a new rogue security application from the SpywareNo/SpySheriff family of rogue security applications. The application is a clone of the Vista Antivirus 2008 rogue security application.

Site Name: Msantivirusxp.com
IP Address: 91.208.0.229

Screenshot of MS Antivirus site

Site Name: Msscanner.com
IP address: 91.208.0.228

Screenshot of Scare/fake scanner pages used by MS Antivirus

Screenshot of MS Antivirus application

Stay away from these sites.

Bharath M N

Sunday, August 17, 2008

XP-Guard

XP-Guard is a new rogue security application from the SpywareNo/SpySheriff family of rogue security applications. The application is a near clone of the XP-Shield rogue security application.

This group calls itself "Pandora Software"; any security-related application from this group should be avoided.

Site Name: XP-Guard.com
IP Address: 92.62.101.35

Screenshot of XP-Guard site
Screenshot of XP-Guard application


Stay away from this site.

Bharath M N

Antivir64

Antivir64 is a new rogue security application. The application is a near clone of the Win Antivir 2008/Win Antivirus 2008 rogue security application.

Site Name: Antivir64.com
IP Address: 78.157.142.7

Screenshot of Antivir64 site

Screenshot of Scare/Fake scanner page used by Antivir64

Screenshot of Antivir64 application

This group is very busy releasing new clones every week and constantly uses new websites to scam users.

The following sites belong to the same group:

Xpertantivirus.com
Pwrantivirus.com
Powerantivirus2009.com
Powerantivirus-2009.com
Defender-scan.com
Watcher-scan.com

Stay away from these sites.

Bharath M N

Saturday, August 16, 2008

Zlob sites update

Zlob Trojan Distributing site:
Site Name: Mpegdirection.com
IP Address: 85.255.113.235

Site Name: Flwprocedure.com
IP Address: 77.91.231.201

Scam Internet Security Page:
Site Name: Homepagefile.com
IP Address: 85.255.116.212

404Errorpage Scam:
Site Name: Dnserrorgoal.com
IP Address: 85.255.118.244

Security Guide Scam Page:
Site Name: Shortcutclicks.com
IP Address: 85.255.118.210

Ad-Server-Gate Pages:
Site Name: Opqgrin.com
IP Address: 85.255.118.211

Site Name: Trefuel.com
IP Address: 85.255.118.214

The Ad-Server-Gate pages redirect to the fake security center site Secureonlinetags.com, which promotes rogue security applications.

Site Name: Secureonlinetags.com
IP Address: 85.255.118.211

Other component sites:

Site used in the Internet Explorer tools menu to redirect to fake/scare scanner pages

Site Name: Iexplorerfiles.com
IP Address: 216.255.179.244

The following site is used in the Zlob toolbar to redirect users to malicious domains distributing rogue security applications.

Site Name: Clickstoolbar.com
IP Address: 85.255.118.214

All the above-mentioned sites advertise/push well-documented rogue security applications. Stay away from these sites.

Bharath M N

Friday, August 15, 2008

Happy Independence Day

Vande Mataram


Wishing you a very Happy Independence Day




BHARATH

Monday, August 11, 2008

Internet Antivirus

Internet Antivirus is a new rogue security application.

Site Name: Internet-Antivirus.com
IP Address: 216.32.69.165

Screenshot of Internet Antivirus site

Site Name: IA-Scanner.com
IP Address: 216.32.69.162

Screenshot of Scare/Fake scanner pages used by Internet Antivirus

Screenshot of Internet Antivirus application


The rogue also uses Software-Payment.com for payment processing. Software-Payment.com is used by many rogue security applications for payment processing.

The following sites also belong to the same family:

Site Name: IA-Payment.com
Site Name: IA-License.com
Site Name: IA-Support.com
IP Address: 216.32.69.165

The rogue is pretty new, and detection of it is really poor. Stay away from all these sites.

Bharath M N

Saturday, August 9, 2008

Antispyware 2008 XP

Antispyware 2008 XP is a rogue security application. It is a clone of the WinSpywareProtect/Antivirus 2008 XP rogue security application.

Site Name: Antispyware2008scanner.com
IP Address: 85.255.119.149

Screenshot of Scare/Fake scanner pages used by Antispyware 2008 XP


Screenshot of Antispyware 2008 XP application


The scanner pages use the following site to push Antispyware 2008 XP installers:

Site Name: AS2008dl.com
IP Address: 85.255.118.69

Reference links: dwl.as2008dl. com/load/setup_100542_4_.exe

The installer then downloads the application from the following site:

Site Name: Getas2008xp.com
IP Address: 85.255.119.132

Reference links: dl.getas2008xp. com/get/?type=scanner&pin=100542&lnd=4

Further, there are many other sites that are used by this family of rogue security applications. Below is a list of sites that belong to this family.


Stay away from all these sites.

Bharath M N

Wednesday, August 6, 2008

Malware distributing sites

Zlob Trojan Distributing site:
Site Name: Flwinstrument.com
IP Address: 77.91.231.183

Site Name: Mpegutility.com
IP Address: 85.255.113.236

Trojan-Downloader Distributing sites
Site Name: Pressdownloadtostart.com
IP Address: 91.203.92.53

The Trojan installs the following malicious BHO:

O2 - BHO: Gold Manager - {D26AAB3B-B0DD-456C-A7E5-4DA9565FD6EE} - C:\WINDOWS\system32\goldman.dll

Site Name: Clickruntostartshow.com
IP Address: 91.203.92.53

The Trojan installs the following malicious BHO:

O2 - BHO: IE Optimizer - {BACA5B3B-DD57-4E62-B986-9A5677FBF001} - C:\WINDOWS\system32\iea32.dll

This site belongs to the IE-defender family, and the BHO is used to push IE-Antivirus, which is a well-documented rogue security application.
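
One way to check a HijackThis log for the two BHO entries listed above (an added example, not code from the original post): it parses O2 lines and flags entries whose CLSID or DLL file name matches the post. The function names `parse_o2` and `flag_bhos` and the sample log are constructed for illustration.

```python
import ntpath
import re

# Indicators copied from the two O2 lines in the post above.
BAD_CLSIDS = {
    "{D26AAB3B-B0DD-456C-A7E5-4DA9565FD6EE}",  # Gold Manager
    "{BACA5B3B-DD57-4E62-B986-9A5677FBF001}",  # IE Optimizer
}
BAD_DLLS = {"goldman.dll", "iea32.dll"}

# "O2 - BHO: <name> - {CLSID} - <path>"; anchor on the braced CLSID, not on " - ".
O2_RE = re.compile(
    r"^O2 - BHO:\s*(?P<name>.*?)\s*-\s*"
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s*-\s*(?P<path>.+?)\s*$"
)

def parse_o2(line):  # one O2 line -> dict, or None for any other line
    m = O2_RE.match(line.strip())
    if m is None:
        return None
    # HijackThis appends "(file missing)" when the DLL is gone from disk.
    path = re.sub(r"\s*\(file missing\)$", "", m["path"])
    return {"name": m["name"], "clsid": m["clsid"].upper(), "path": path}

def flag_bhos(log_text):  # -> list of (entry, reasons) for matching O2 entries
    hits = []
    for line in log_text.splitlines():
        entry = parse_o2(line)
        if entry is None:
            continue
        reasons = []
        if entry["clsid"] in BAD_CLSIDS:
            reasons.append("clsid")
        if ntpath.basename(entry["path"]).lower() in BAD_DLLS:
            reasons.append("filename")
        if reasons:
            hits.append((entry, reasons))
    return hits

# Constructed sample log (not from the page); CLSIDs on lines 1 and 3 are made up.
SAMPLE_LOG = r"""
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O2 - BHO: Gold Manager - {d26aab3b-b0dd-456c-a7e5-4da9565fd6ee} - C:\WINDOWS\system32\goldman.dll
O2 - BHO: (no name) - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\WINDOWS\system32\iea32.dll (file missing)
O4 - HKLM\..\Run: [Example] C:\Example\example.exe
"""

if __name__ == "__main__":
    for entry, reasons in flag_bhos(SAMPLE_LOG):
        print(entry["clsid"], entry["path"], "matched on", "+".join(reasons))
```

A filename-only match is weaker evidence than a CLSID match and needs manual review before any cleanup.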

MediaTubeCodec Trojan Distributing site:
Site Name: Megabestsoftnah08.com
IP Address: 78.157.143.250

DNS Changer Trojan Distributing site:

Site Name: Ticketmoon.net
Site Name: Ticketlight.com
Site Name: Red-codec.net
Site Name: Nitrocodec.net

Stay away from all these sites.

Bharath M N

Sunday, August 3, 2008

More Rogue Security applications


PyroAntiSpy

PyroAntiSpy is a new rogue security application from the SpyLocked family of rogue security applications.

Thanks to Donna for the information

Site Name: Pyroantispy.com
IP Address: 207.226.174.20

Screenshot of PyroAntiSpy site

Site Name: Fastpyroscan.com
IP Address: 207.226.174.20

Screenshot of Scare/Fake scanner page used by PyroAntiSpy

Screenshot of PyroAntiSpy application



Antivirus 2008 XP

Antivirus 2008 XP is a rogue security application. It is a clone of the WinSpywareProtect rogue security application.

Site Name: Antivirus2008xp.com
IP Address: 216.195.50.93

Screenshot of Antivirus 2008 XP site


Site Name: Antivirus2008scanner.com
IP Address: 85.255.119.150

Screenshot of Scare/Fake scanner pages used by Antivirus 2008 XP


The scammers are not only mimicking Google's malware warning page to advertise Antivirus 2008 XP but also falsely claim that their scanner is powered by the BitDefender scanning engine. Don't fall for these false claims.

Screenshot of Antivirus 2008 XP application


The scanner pages use the following site to push Antivirus 2008 XP installers:

Site Name: Av2008dl.com
IP Address: 85.255.118.70

Reference links: dwl.av2008dl. com/load/setup_1_2_.exe

The installer then downloads the application from the following site:

Site Name: Av2008store.com
IP Address: 85.255.119.134

Reference links: dl.av2008store. com/get/?type=scanner&pin=1&lnd=2

Stay away from all these sites.

Bharath M N

Friday, August 1, 2008

Zlob sites update

Zlob Trojan Distributing site:
Site Name: Mpegversion.com
IP Address: 85.255.113.237

Scam Internet Security Page:
Site Name: Dryhomepage.com
IP Address: 85.255.116.214

404Errorpage Scam:
Site Name: Dnswebpage.com
IP Address: 85.255.118.246

Security Guide Scam Page:
Site Name: Topsafetysoft.com
IP Address: 85.255.118.214

Ad-Server-Gate Pages:
Site Name: Abcways.com
IP Address: 85.255.118.35

Site Name: Xyztogo.com
IP Address: 85.255.118.34

The Ad-Server-Gate pages redirect to the fake security center site Webbestlink.com, which promotes rogue security applications.

Site Name: Webbestlink.com
IP Address: 85.255.118.214

Other component sites:

The following site is used in the Internet Explorer tools menu to redirect users to fake/scare scanner pages.

Site Name: Iexplorerclue.com
IP Address: 216.255.179.244

The following site is used in the Zlob toolbar to redirect users to malicious domains distributing rogue security applications.

Site Name: Websecurebar.com
IP Address: 85.255.118.213

All the above-mentioned sites advertise/push well-documented rogue security applications. Stay away from these sites.

Bharath M N