Wednesday, April 30, 2008

A Symphony of Fake Scanner Pages

Here is a list of recently seen fake scanner pages distributing rogue security applications.

SpywareIsolator

Sites used by this rogue:

Site Name: SpywareIsolator.com
IP Address: 72.233.50.150

Site Name: SpywareIso.com
IP Address: 72.233.63.89

Site Name: SpywareIsolator2008.com
IP Address: 72.233.63.94

Screen shot of SpywareIsolator Fake/Scare scan pages

Screen shot of SpywareIsolator application


The installer is also pushed from the following site:

Site Name: si-download.net
IP Address: 72.233.63.95
Sample: si-download(dot)net/landing/distrib/installer_abr.exe

VirusIsolator

Sites used by this rogue:

Site Name: VirusIsolator.com
Site Name: Virus-Isolator.org
Site Name: Virus-Isolator.us
Site Name: VirusIsolator.us
IP Address: 217.170.77.150

Screen shot of VirusIsolator Fake/Scare scan pages

Screen shot of VirusIsolator application


XP antivirus

Site Name: SecurityScannerSite.com
IP Address: 217.170.77.150

Site Name: Xpprotectionsoftware.com
IP Address: 72.233.81.234

Screen shot of SecurityScannerSite.com Fake/Scare scan pages

Screen shot of XP antivirus application


The installer is pushed from the following site:

Site Name: XPdownloadcenter.com
IP Address: 72.233.81.234
Sample: XPdownloadcenter(dot)com/download/xpa_eng.exe

Fileshreddersoftware.com also shares the IP 72.233.81.234; it pushes yet another piece of crapware that trades on the name of Lavasoft's legitimate "File Shredder" application.

AntiVirus 2008

Site Name: AntiVirus-Scanner.com
IP Address: 190.15.73.254

Screen shot of AntiVirus 2008 Fake/Scare scan pages

Screen shot of AntiVirus 2008 application

The rogue also uses the following site:

Site Name: AntiVirus2008x.com
IP Address: 64.28.177.250

AntiSpywareDeluxe

Site Name: AntiSpywareDeluxe.com
IP Address: 67.205.75.9

Screen shot of AntiSpywareDeluxe Fake/Scare scan pages

Screen shot of AntiSpywareDeluxe application


SpywareDestructor

This is a clone of AntiSpywareDeluxe rogue application.

Site Name: SpywareDestructor.com
IP Address: 67.205.75.9

Screen shot of SpywareDestructor Fake/Scare scan pages

Screen shot of SpywareDestructor application


PcSweeperPro

This is a clone of the Cleanator rogue security application. The home page of this rogue currently comes up blank.

Site Name: PcSweeperPro.com
IP Address: 72.55.156.207

Screen shot of PcSweeperPro Fake/Scare scan pages

The installer that I downloaded was corrupt, so I wasn't able to install the application.

Imunizator

Site Name: Imunizator.com
IP Address: 67.205.75.10

Imunizator is a clone of the MacSweeper rogue security application; Mac users should be aware of this rogue.

Screen shot of Imunizator Fake/ Scare scanner page


All the above-mentioned sites are active and distributing rogues. Stay away from all of them.
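The post keeps pointing at addresses that several brands share: SecurityScannerSite.com sits on 217.170.77.150 next to the VirusIsolator domains, and the XP antivirus download site and Fileshreddersoftware.com sit on 72.233.81.234. The Python script below is an added example, not part of the original post or its author's tooling. It parses "Site Name:" / "IP Address:" records of the kind listed above, pivots them on IP and on netblock to expose that shared hosting, and emits a hosts-file blocklist. The record text embedded in it is a constructed subset of the entries above; the rule that several "Site Name:" lines may precede one "IP Address:" line is taken from the VirusIsolator entry.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: a subset of the "Site Name:" / "IP Address:" records from the post
# above, pasted into a string so the script runs offline. The headings between the records
# are the rogue names the post uses as section titles.
SAMPLE_RECORDS = """
SpywareIsolator
Site Name: SpywareIsolator.com
IP Address: 72.233.50.150
Site Name: SpywareIso.com
IP Address: 72.233.63.89
Site Name: si-download.net
IP Address: 72.233.63.95
VirusIsolator
Site Name: VirusIsolator.com
Site Name: Virus-Isolator.org
IP Address: 217.170.77.150
XP antivirus
Site Name: SecurityScannerSite.com
IP Address: 217.170.77.150
Site Name: Xpprotectionsoftware.com
IP Address: 72.233.81.234
Site Name: XPdownloadcenter.com
IP Address: 72.233.81.234
"""

SITE_RE = re.compile(r"^Site Name:\s*(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"^IP Address:\s*(\d{1,3}(?:\.\d{1,3}){3})", re.IGNORECASE)


def parse_records(text):
    """Return a list of (rogue, domain, ip) triples.

    Several "Site Name:" lines may precede one "IP Address:" line (see the VirusIsolator
    entry), so domains are queued until the next IP line and all receive that address.
    Any other line without a colon is taken as the heading for the records that follow.
    """
    records, pending, rogue = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SITE_RE.match(line):
            pending.append(m.group(1).lower().rstrip("."))
        elif m := IP_RE.match(line):
            ip = str(ip_address(m.group(1)))  # validates the dotted quad
            records.extend((rogue, d, ip) for d in pending)
            pending = []
        elif ":" not in line:
            rogue = line
    return records


def pivot_by_ip(records):
    """Map each IP to the set of (rogue, domain) pairs hosted on it."""
    by_ip = defaultdict(set)
    for rogue, domain, ip in records:
        by_ip[ip].add((rogue, domain))
    return by_ip


def shared_infrastructure(records):
    """IPs that host domains belonging to more than one rogue: the cross-brand link."""
    return {ip: sorted(d for _, d in hosted)
            for ip, hosted in pivot_by_ip(records).items()
            if len({r for r, _ in hosted}) > 1}


def domains_per_netblock(records, prefix_len=24):
    """Count distinct domains per /prefix_len network, to spot clustered hosting."""
    nets = defaultdict(set)
    for _, domain, ip in records:
        nets[str(ip_network(f"{ip}/{prefix_len}", strict=False))].add(domain)
    return Counter({net: len(doms) for net, doms in nets.items()})


def hosts_blocklist(records):
    """hosts-file lines sinkholing every listed domain (one per unique name, sorted)."""
    return [f"0.0.0.0 {d}" for d in sorted({d for _, d, _ in records})]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for ip, doms in shared_infrastructure(recs).items():
        print(f"{ip} hosts more than one rogue: {', '.join(doms)}")
    for net, n in domains_per_netblock(recs, 16).most_common():
        print(f"{net}: {n} domains")
    print("\n".join(hosts_blocklist(recs)))
```

The hosts-file output only covers names already seen; the IP and netblock pivots are what carry over to the next rename, since the hosting tends to stay put while the domain changes.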

Bharath M N

Saturday, April 26, 2008

Saga of IE Defender Family

This group started off with the IE Defender rogue security application and then released AntiSpy-Pro, followed by Files-Secure.

Currently the group is active again, releasing two new rogues: MalwareBell and IE AntiVirus.

Site Name: MalwareBell.com
IP Address: 89.149.227.195

Screenshot of MalwareBell.com site

Screenshot of MalwareBell Application

The MalwareBell installer was scanned and here are the results:

VirusTotal Scan Result: 10/32 (31.25%)

AntiVir 7.8.0.10 2008.04.25 DR/FraudTool.MalwareBell.F
DrWeb 4.44.0.09170 2008.04.26 Trojan.Fakealert.525
Fortinet 3.14.0.0 2008.04.26 Misc/MalwareBell
Ikarus T3.1.1.26 2008.04.26 Downloader.FraudTool.MalwareBell.F
Kaspersky 7.0.0.125 2008.04.26 not-a-virus:FraudTool.Win32.MalwareBell.f
NOD32v2 3057 2008.04.26 Win32/Adware.IeDefender.NDG
Prevx1 V2 2008.04.26 Generic.Malware
Sophos 4.28.0 2008.04.26 Troj/FakeVir-AY
Symantec 10 2008.04.26 MalwareBell
Webwasher-Gateway 6.6.2 2008.04.26 Trojan.Dropper.FraudTool.MalwareBell.F


Site Name: IEAntiVirus.com
IP address: 89.149.227.195


Screenshot of IEAntiVirus.com site

Screenshot of IE AntiVirus Application

The IE AntiVirus installer was scanned and here are the results:

VirusTotal Scan Result: 6/30 (20%)

AntiVir 7.8.0.10 2008.04.25 DR/FraudTool.IeDefender.CJ
Fortinet 3.14.0.0 2008.04.26 Misc/IeDefender
Ikarus T3.1.1.26 2008.04.26 Downloader.FraudTool.IeDefender.CJ
Kaspersky 7.0.0.125 2008.04.26 not-a-virus:FraudTool.Win32.IeDefender.cj
Symantec 10 2008.04.26 MalwareBell
Webwasher-Gateway 6.6.2 2008.04.26 Trojan.Dropper.FraudTool.IeDefender.CJ

The following two sites serve as the download repository for these rogue applications.

Site Name: MalwareBellAgreement.com
Site Name: IEAntiAVDownload.com
IP Address: 89.149.227.195

Sample URLs:

malwarebellagreement(dot)com/mb.exe
malwarebellagreement(dot)com/ieav.exe
ieantiavdownload(dot)com/ieav.exe
ieantiavdownload(dot)com/mb.exe

The following site also belongs to this group:

Site Name: Verifiedpaymentsolutionsonline.com
IP Address: 89.149.227.195

Screenshot of verifiedpaymentsolutionsonline.com site



Stay away from all these sites.

Bharath M N

Wednesday, April 23, 2008

New sites distributing Zlob, DNS Changer and Trojan-Downloader

Zlob Trojan Distributing sites:

Site Name: Wmvassistant.com
IP Address: 85.255.120.107

Site Name: Asfadaptation.com
IP Address: 85.255.118.179

DNS Changer Trojan Distributing sites:

Site Name: Ultraticket.net
IP Address: 64.28.184.167

Trojan-Downloader Distributing sites:

Site Name: Onlinesoftwarexchange.net
IP Address: 78.129.158.225

All the above-mentioned sites are registered through ESTDOMAINS, INC. Stay away from these malicious sites.

Bharath M N

Monday, April 21, 2008

SpyGuard

SpyGuard is a new rogue from Pandora-software, a near clone of the AntiSpyStorm rogue security application.

Site Name: SpyGuard-scanner.com
IP address: 206.51.226.31
Registrar: ESTDOMAINS, INC.


Screenshot of SpyGuard-scanner.com site

Screenshot of SpyGuard application


The installer from the site was scanned and here are the scan results:

VirusTotal Scan Result: 7/32 (21.88%)

Avast 4.8.1169.0 2008.04.20 Win32:VB-EIJ
DrWeb 4.44.0.09170 2008.04.20 BACKDOOR.Trojan
eSafe 7.0.15.0 2008.04.17 suspicious Trojan/Worm
Fortinet 3.14.0.0 2008.04.20 Adware/AntiSpyStorm
Ikarus T3.1.1.26.0 2008.04.20 Virus.Win32.VB.EIJ
McAfee 5277 2008.04.18 potentially unwanted program Adware-AntiSpyStorm
Symantec 10 2008.04.20 AntiSpyStorm

Detection of the installer is poor; stay away from this site.

Bharath M N

WinSpywareProtect

WinSpywareProtect is a rogue security application.

Site Name: WinSpywareProtect.com
IP Address: 85.255.119.26

Screenshot of WinSpywareProtect.com site

The scammers also use Fake/Scare scan tactics to lure/scare users into downloading/purchasing this application.

Screenshot of Fake/Scare scan pages:


The application runs a fake scan on the system and reports fake threats. It also doesn't show the exact path of the malicious files it claims to have detected, and it asks users to purchase the full version to remove them.

Screenshot of WinSpywareProtect application


The application keeps popping up the fake alert message even after it has been closed.

Screenshot of Fake alerts displayed by WinSpywareProtect



The site also uses Billingserviceonline.com for payment processing, which is used by many rogue applications.

The installer from the site was scanned and here are the scan results:

VirusTotal Scan Result: 12/31 (38.71%)

AntiVir 7.8.0.8 2008.04.20 TR/Dldr.Delphi.Gen
AVG 7.5.0.516 2008.04.20 Generic10.IVQ
BitDefender 7.2 2008.04.20 Adware.WinSpywareProtect.A
eSafe 7.0.15.0 2008.04.17 suspicious Trojan/Worm
Ikarus T3.1.1.26 2008.04.20 not-a-virus:.FraudTool.Win32.MalWarrior.g
Kaspersky 7.0.0.125 2008.04.20 Heur.Downloader
NOD32v2 3041 2008.04.19 probably unknown NewHeur_PE virus
Norman 5.80.02 2008.04.18 W32/DLoader.GNDH
Panda 9.0.0.4 2008.04.20 Adware/WinSpywareProtect
Prevx1 V2 2008.04.20 Heuristic: Suspicious File With Persistence
Sophos 4.28.0 2008.04.20 Mal/Behav-053
Webwasher-Gateway 6.6.2 2008.04.20 Trojan.Dldr.Delphi.Gen

Stay away from this site.

Bharath M N

Privacy-Watcher

Privacy-Watcher is bogus/rogue privacy protection software lately seen on the internet.



Site Name: Privacy-Watcher.com
IP Address: 77.91.229.99
Registrar: ESTDOMAINS, INC.
As usual, the registrant is hidden behind privacyprotect.org. Another site, Winsafer.com, shares the same IP address.

Privacy-Watcher uses the same standard homepage template that is also used by many other scam/rogue/crapware applications.



The scammers also use a Fake/Scare privacy scan page that tries to lure users into downloading/purchasing the application.

Screenshot of the different Fake/Scare scan pages used by the scammers




Screenshot of Privacy-Watcher application


The application just runs a fake scan on the system and asks the user to purchase the full version to remove the privacy threats it claims to have detected. The site has been very active since the start of April; here is the traffic analysis.

The site also uses Billingserviceonline.com for payment processing, which is used by many rogue applications.

The installer from the site was scanned and here are the scan results:

VirusTotal Scan Result: 4/32 (12.5%)

AntiVir 7.8.0.8 2008.04.20 SPR/Fake.WinXDe.A.1
DrWeb 4.44.0.09170 2008.04.20 BackDoor.Pcik.origin
F-Secure 6.70.13260.0 2008.04.20 Suspicious:W32/Malware!Gemini
Prevx1 V2 2008.04.20 Heuristic: Suspicious File With Mass Email Capabilities

Detection of the installer is really poor; stay away from this site.

Bharath M N

Friday, April 18, 2008

Yet another set of SSH Zlob Trojan Family’s Component sites

Patrick Jordan at Sunbelt Malware Research posted the new scam sites used by the SSH Zlob Trojan. Thanks to our CWS Encyclopedia, Patrick Jordan, for posting this information on the Sunbelt Blog.

Scam Internet Security Page:
Site Name: Softhomepage.com
IP Address: 85.255.116.210

Screenshot of Softhomepage.com site:

404 Error Page Scam:
Site Name: Managedns404.com
IP Address: 85.255.118.244

Screenshot of managedns404.com site:

Security Guide Scam Page:
Site Name: Secureinstruct.com
IP Address: 85.255.118.213

Screenshot of Secureinstruct.com/soft site:

Screenshot of Secureinstruct.com/Test site:

Ad-Server-Gate Pages:
Site Name: Gateds.com
IP Address: 85.255.118.34

Site Name: Gatece.com
IP Address: 85.255.118.210

The Ad-Server-Gate pages redirect to the fake Security Center site Safetyalertings.com, which promotes rogue security applications.

Site Name: Safetyalertings.com
IP Address: 85.255.118.214

Screenshot of Safetyalertings.com site:


All the above-mentioned sites advertise well-documented rogue security applications. Stay away from them.

Bharath M N

Thursday, April 17, 2008

New Set Of Malicious Sites

Zlob Trojan Distributing Sites

Site Name: Swfutility.com
IP Address: 85.255.118.179

Site Name: Flwcoupler.com
IP Address: 85.255.120.107

The installers from these sites were scanned and here are the results:

VirusTotal Scan Result: 10/32 (31.25%)

AntiVir 7.6.0.85 2008.04.16 TR/Crypt.CFI.Gen
AVG 7.5.0.516 2008.04.16 Downloader.Zlob
ClamAV 0.92.1 2008.04.16 Trojan.Zlob-3762
eSafe 7.0.15.0 2008.04.16 suspicious Trojan/Worm
Ikarus T3.1.1.26 2008.04.16 Trojan-Downloader.Win32.Zlob.abw
Microsoft 1.3408 2008.04.14 TrojanDownloader:Win32/Zlob.gen!AW
Prevx1 V2 2008.04.16 Trojan.Zlob
Symantec 10 2008.04.16 Trojan.Zlob
VBA32 3.12.6.4 2008.04.16 suspected of Downloader.Zlob.3
Webwasher-Gateway 6.6.2 2008.04.16 Trojan.Crypt.CFI.Gen

DNS Changer Trojan Distributing Site

Site Name: Blackticket.net
IP Address: 64.28.184.166

More than 80% of the scanners on VirusTotal flag the installer from this site as malicious.

XPAntiVirus Rogue pushing site

Site Name: WinAntiVirusPro.net
IP Address: 77.91.225.234

All the above-mentioned sites are registered through ESTDOMAINS, INC. Stay away from these malicious sites.

Bharath M N

Sunday, April 13, 2008

Week End Updates

New Member of the SpywareNo/SpySheriff Family

AntiVirProtect is a new rogue security application from the SpywareNo/SpySheriff family. It is installed on the user's system through various Trojan horse programs and other dubious means.

Site Name: AntiVirProtect.com
IP Address: 69.50.190.14
Registrar: ESTDOMAINS, INC.

Screenshot of site AntiVirProtect.com

Once the AntiVirProtect trial version is installed on the system, the application mimics a system scan and reports a large number of imaginary spyware infections. It then offers the user the full version, for purchase, to remove the reported risks.

The scammers just keep changing the file, application and site names to push this rogue security application; they follow this method to evade detection by security applications.

Screenshot of AntiVirProtect application

The installer from the site was scanned and here are the results:

VirusTotal Scan Result: 7/32 (21.88%)

Avast 4.8.1169.0 2008.04.13 Win32:FraudLoad-P
AVG 7.5.0.516 2008.04.12 Downloader.Webinstall.B
DrWeb 4.44.0.09170 2008.04.13 Adware.Spysheriff
Ikarus T3.1.1.26.0 2008.04.13 Virus.Win32.FraudLoad.P
Kaspersky 7.0.0.125 2008.04.13 not-a-virus:FraudTool.Win32.SpySheriff.ad
NOD32v2 3021 2008.04.12 a variant of Win32/Adware.SpySheriff
Prevx1 V2 2008.04.13 AntiSpywareShield:Spyware-a

VipAntiSpyware

VipAntiSpyware is a new rogue security application installed on the user's system through dubious means.

Site Name: Vipantispyware.com
IP Address: 217.150.254.4
Registrar: ESTDOMAINS, INC.

Screenshot of site Vipantispyware.com

Once the VipAntiSpyware trial version is installed on the system, the application mimics a system scan and reports a large number of imaginary spyware infections. It then offers the user the full version, for purchase, to remove the reported risks.

The rogue also uses the following scam site to trick users into downloading/purchasing it.

Site Name: Vipantiscanner.com
IP Address: 217.150.254.4
Registrar: ESTDOMAINS, INC.

Screenshot of Fake/Scare Scan Page Vipantiscanner.com


Screenshot of VipAntiSpyware Application

The installer from the site was scanned and here are the results:

VirusTotal Scan Result: 5/32 (15.63%)

CAT-QuickHeal 9.50 2008.04.12 FraudTool.SpywareIsolator.a (Not a Virus)
Ewido 4.0 2008.04.13 Not-A-Virus.PUP.SpywareIsolator
Ikarus T3.1.1.26.0 2008.04.13 not-a-virus:.FraudTool.Win32.SpywareIsolator.a
Kaspersky 7.0.0.125 2008.04.13 not-a-virus:FraudTool.Win32.SpywareIsolator.a
Prevx1 V2 2008.04.13 SpywareIsolator:Spyware-a

As you can see, detection of these rogues is poor. Stay away from these rogue-distributing sites.
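The point above, that the scammers rename the file and site while the engines keep naming the underlying family (the VipAntiSpyware installer is flagged as SpywareIsolator by every engine that catches it, and AntiVirProtect as SpySheriff by most), can be turned into a small check. The Python below is an added example, not the post's own tooling: it parses VirusTotal result lines in the "Vendor Version Date Detection" layout used on this page, strips generic words such as Trojan, Win32 and FraudTool from each detection name, and counts which family token the engines agree on. The two result lists embedded in it are copied from this post; the generic-word list is an assumption for the example.

```python
import re
from collections import Counter

# Constructed samples: the two VirusTotal result lists from the post above, pasted in as
# text in the "Vendor Version Date Detection" layout the post uses.
ANTIVIRPROTECT_RESULTS = """\
Avast 4.8.1169.0 2008.04.13 Win32:FraudLoad-P
AVG 7.5.0.516 2008.04.12 Downloader.Webinstall.B
DrWeb 4.44.0.09170 2008.04.13 Adware.Spysheriff
Ikarus T3.1.1.26.0 2008.04.13 Virus.Win32.FraudLoad.P
Kaspersky 7.0.0.125 2008.04.13 not-a-virus:FraudTool.Win32.SpySheriff.ad
NOD32v2 3021 2008.04.12 a variant of Win32/Adware.SpySheriff
Prevx1 V2 2008.04.13 AntiSpywareShield:Spyware-a
"""

VIPANTISPYWARE_RESULTS = """\
CAT-QuickHeal 9.50 2008.04.12 FraudTool.SpywareIsolator.a (Not a Virus)
Ewido 4.0 2008.04.13 Not-A-Virus.PUP.SpywareIsolator
Ikarus T3.1.1.26.0 2008.04.13 not-a-virus:.FraudTool.Win32.SpywareIsolator.a
Kaspersky 7.0.0.125 2008.04.13 not-a-virus:FraudTool.Win32.SpywareIsolator.a
Prevx1 V2 2008.04.13 SpywareIsolator:Spyware-a
"""

_RESULT_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")

# Generic words that appear in detection names from many vendors and say nothing about the
# family. This list is an assumption for the example; extend it for other vendor vocabularies.
GENERIC = {
    "trojan", "troj", "win32", "w32", "adware", "spyware", "downloader", "dldr", "dloader",
    "dropper", "fraudtool", "virus", "generic", "malware", "suspicious", "heuristic", "heur",
    "variant", "probably", "unknown", "potentially", "unwanted", "program", "backdoor",
    "worm", "misc", "application", "riskware", "fraud", "rogue",
}


def parse_results(text):
    """Return (vendor, date, detection) for each result line; skip anything else."""
    rows = []
    for line in text.splitlines():
        if m := _RESULT_RE.match(line.strip()):
            vendor, _version, date, detection = m.groups()
            rows.append((vendor, date, detection))
    return rows


def family_tokens(detection):
    """Candidate family names in one detection string, lower-cased, generic words removed.
    Tokens shorter than four characters are variant suffixes ('.F', '-a', 'NDG') or noise."""
    return {t.lower() for t in re.findall(r"[A-Za-z0-9]+", detection)
            if len(t) >= 4 and not t.isdigit() and t.lower() not in GENERIC}


def family_consensus(rows):
    """Count, per family token, how many engines used it (a set per engine, so at most once)."""
    votes = Counter()
    for _vendor, _date, detection in rows:
        votes.update(family_tokens(detection))
    return votes.most_common()


def summarize(text, engines_total):
    """Detection ratio plus the family most engines agree on."""
    rows = parse_results(text)
    consensus = family_consensus(rows)
    family, hits = consensus[0] if consensus else (None, 0)
    return {
        "detected": len(rows),
        "engines": engines_total,
        "ratio": round(100 * len(rows) / engines_total, 2),
        "family": family,
        "family_votes": hits,
    }


if __name__ == "__main__":
    for name, text in (("AntiVirProtect", ANTIVIRPROTECT_RESULTS),
                       ("VipAntiSpyware", VIPANTISPYWARE_RESULTS)):
        s = summarize(text, 32)
        print(f"{name}: {s['detected']}/{s['engines']} ({s['ratio']}%), "
              f"engines agree on family '{s['family']}' ({s['family_votes']} votes)")
        print("   ", family_consensus(parse_results(text)))
```

Token voting is deliberately crude: it will not merge spellings such as "SpySheriff" and "SpywareNo" that vendors use for the same family, but it is enough to see through a renamed installer when several engines still carry the old family name.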

Bharath MN

Wednesday, April 9, 2008

Zlob Trojan Distributing sites

Site Name: Swfinstrument.com
IP Address: 85.255.120.109

Site Name: Flwsolution.com
IP Address: 85.255.118.180

As usual, the registrar for both sites is ESTDOMAINS, INC. The installers from these sites were scanned and here are the results:

VirusTotal Scan Result: 9/32 (28.13%)

AntiVir 7.6.0.81 2008.04.08 TR/Zlob.iyh
Authentium 4.93.8 2008.04.09 W32/Downldr2.BMKO
eSafe 7.0.15.0 2008.04.01 suspicious Trojan/Worm
F-Prot 4.4.2.54 2008.04.08 W32/Downldr2.BMKO
Microsoft 1.3408 2008.04.06 TrojanDownloader:Win32/Zlob.gen!AW
Prevx1 V2 2008.04.09 Generic.Malware
VBA32 3.12.6.4 2008.04.06 suspected of Downloader.Zlob.3
VirusBuster 4.3.26:9 2008.04.08 Trojan.DL.Zlob.Gen.47
Webwasher-Gateway 6.6.2 2008.04.08 Trojan.Zlob.iyh

Stay away from these sites.

Bharath M N

Sunday, April 6, 2008

Week End Updates

Zlob Trojan Distributing site

Site Name: Mpegaddons.com
IP Address: 85.255.118.181
Registrar: ESTDOMAINS, INC.

The installer from the site was scanned and detection is fairly poor.

VirusTotal Scan Result: 6/31 (19.36%)

AntiVir 7.6.0.81 2008.04.05 TR/Dldr.Zlob.12800
Authentium 4.93.8 2008.04.05 W32/Downldr2.BMKO
eSafe 7.0.15.0 2008.04.01 suspicious Trojan/Worm
F-Prot 4.4.2.54 2008.04.05 W32/Downldr2.BMKO
Microsoft 1.3408 2008.04.05 TrojanDownloader:Win32/Zlob.AMP
Webwasher-Gateway 6.6.2 2008.04.05 Trojan.Dldr.Zlob.12800

Update on XP AntiSpyware /XP AntiVirus Scam

The scam group has started two new sites for distributing the rogue security application.

Site Name: XPEnprotect.com
IP Address: 67.228.137.29

Site Name: Onlinexpscanner.com
IP Address: 67.228.137.29

XPEnprotect.com redirects the user to Onlinexpscanner.com, a new Fake/Scare scan scam page trying to push the XPAntiVirus rogue security application.

[Edited on 13th April]

A new Fake/Scare site pushing the XPAntiVirus rogue security application:

Site Name: WindowZScanner.com
IP Address: 58.65.238.122
Registrar: ESTDOMAINS, INC.

Stay away from these sites.

Bharath M N

Thursday, April 3, 2008

DNS Changer Trojan distributing Site

Site Name: Nitroticket.com
IP Address: 64.28.184.164
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.nitroticket.com [64.28.184.163]
ns2.nitroticket.com [64.28.184.178]

The scammers keep changing their domain names to avoid being blocked. Stay away from this site.
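A DNS Changer Trojan's payoff is a resolver setting on the victim that points at the attacker's servers, and name servers like the two listed above are where such a setting ends up pointing. The Python below is an added example, not part of the original post: it audits the resolvers configured on a host against a watchlist of netblocks, reading either a Unix resolv.conf or the output of Windows "ipconfig /all". The watchlist is an assumption built only from addresses on this page, 64.28.184.0/24 for the *ticket sites and their name servers and 85.255.112.0/20 to cover the 85.255.116-120 hosts in the Zlob posts; the resolv.conf and ipconfig excerpts are constructed samples.

```python
import re
from ipaddress import ip_address, ip_network

# Watchlist derived from the address blocks that recur on this page: the *ticket.net/.com
# DNS Changer sites and their name servers sit in 64.28.184.0/24, and the Zlob sites sit in
# 85.255.116-120.x, covered here by 85.255.112.0/20. It is an illustration built from the
# page's own IPs, not a vetted feed.
WATCHLIST = [ip_network("64.28.184.0/24"), ip_network("85.255.112.0/20")]

# Constructed samples: a resolv.conf and an "ipconfig /all" excerpt in which the configured
# resolvers have been replaced with name-server addresses taken from this page.
SAMPLE_RESOLV_CONF = """\
search example.internal
nameserver 192.168.1.1
nameserver 85.255.118.244
nameserver 64.28.184.163
"""

SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 192.168.1.20
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 64.28.184.163
                                       85.255.118.244

Ethernet adapter Wireless Network Connection:

   DNS Servers . . . . . . . . . . . : 4.2.2.2
"""

_NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)
_IPCONFIG_DNS_RE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)")
_IPV4_ONLY_RE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def resolvers_from_resolv_conf(text):
    """Every 'nameserver' entry, in order."""
    return [ip_address(ip) for ip in _NAMESERVER_RE.findall(text)]


def resolvers_from_ipconfig(text):
    """ipconfig lists additional DNS servers on continuation lines holding only an address."""
    found, in_dns_list = [], False
    for line in text.splitlines():
        if m := _IPCONFIG_DNS_RE.match(line):
            found.append(m.group(1))
            in_dns_list = True
        elif in_dns_list and (m := _IPV4_ONLY_RE.match(line)):
            found.append(m.group(1))
        else:
            in_dns_list = False
    return [ip_address(ip) for ip in found]


def classify_resolver(ip, watchlist=WATCHLIST, local_nets=()):
    """'rogue' if inside a watchlisted block; 'local' if private, loopback or inside an
    explicitly allowed network (given as strings); otherwise 'foreign', which on a LAN that
    normally points at its own router or domain controller deserves a second look."""
    if any(ip in net for net in watchlist):
        return "rogue"
    allowed = [ip_network(n) for n in local_nets]
    if ip.is_private or ip.is_loopback or any(ip in net for net in allowed):
        return "local"
    return "foreign"


def audit(resolvers, **kwargs):
    """(address, verdict) for each configured resolver."""
    return [(str(ip), classify_resolver(ip, **kwargs)) for ip in resolvers]


if __name__ == "__main__":
    for source, ips in (("resolv.conf", resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)),
                        ("ipconfig", resolvers_from_ipconfig(SAMPLE_IPCONFIG))):
        for ip, verdict in audit(ips):
            print(f"{source}: {ip} -> {verdict}")
```

Because the domains rotate while the netblocks persist, a resolver check keyed on address ranges keeps working after the next domain change; the "foreign" verdict is a prompt to verify, not a conviction, since a host may legitimately use a public resolver.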

Bharath M N

Tuesday, April 1, 2008

Zlob Trojan Distributing sites

Site Name: Avidirection.com
IP Address: 85.255.120.106

Site Name: Movhelper.com
IP Address: 85.255.118.180

As usual, the registrar for both sites is ESTDOMAINS, INC. The installers from these sites were scanned and here are the results:

VirusTotal Scan Result: 4/31 (12.91%)

eSafe 7.0.15.0 2008.03.31 suspicious Trojan/Worm
F-Secure 6.70.13260.0 2008.04.01 Suspicious:W32/Malware!Gemini
Prevx1 V2 2008.04.01 Trojan.Zlob
VBA32 3.12.6.3 2008.03.25 suspected of Downloader.Zlob.3

As you can see, detection of these Trojans is really poor. Stay away from these sites.

Bharath M N

SpyWatchE Promo site

The site mentioned below is a promo site advertising the SpyWatchE rogue security application from the SpywareNo/SpySheriff family.

Site Name: Spywatchepromo.com
IP Address: 58.22.101.110
Registrar: ESTDOMAINS, INC.

Screenshot of Spywatchepromo.com site's Fake/Scare scan page

Screenshot of Spywatchepromo.com site's Fake/Scare scan page

The site pushes the file "install_3914_MHw0OXx8fHx8fHw_.exe" onto the system, which in turn downloads the SpyWatchE rogue security application. VirusTotal scan results:

VirusTotal Scan Result: 5/32 (15.62%)

AVG 7.5.0.516 2008.03.31 Downloader.Zlob.VQV
NOD32v2 2987 2008.03.31 probably a variant of Win32/Genetik
Panda 9.0.0.4 2008.03.31 Adware/SpyShredder
Prevx1 V2 2008.03.31 Trojan.Vundo
Sophos 4.28.0 2008.03.31 Troj/SpWadA-Gen

The site Winxprotector.com shares the same IP; it also belongs to the SpywareNo/SpySheriff family and distributes a rogue security application.

Screenshot of Winxprotector.com site

Stay away from these sites.

Bharath M N