Live Security Professional

Live Security Professional

Couple of days  ago our Friends @ ThreatTrack Security mentioned that Reveton Malware Family replaced Desktop Hijacking with classic Fake AV.

As we continue to see malware hijacking Desktop this particular malware campaign brings back the memory of classic Scareware/Fake AV.

Today we stumbled upon the ExploitKit that is pushing Live Security Professional rogue application.

Screenshot of Live Security Professional application

ExploitKit Details:

Landing page:  

MD5 : 2eeeaa69b70944cac8a30545b3f49b77  VT 2 / 45

URL: hxxp://beg.rocklandgrad.com/forum/wm/keys/board.php?connect=17

JAR Files:
MD5: e3675273325b7f7df3b13fe93cd30fac  VT  1 / 45
MD5: 8a6e45d16c82c4c79cbd7730207183ca VT  4 / 45
URL:  hxxp://beg.rocklandgrad.com/forum/wm/keys/WFolw
URL:  hxxp://beg.rocklandgrad.com/forum/wm/keys/7T8INre2

Payload:
MD5: e5a2409ad36943053135ba9bd3e08ba6 VT  3 / 45
URL:  Encrypted Binary
hxxp://down.jjconway.com/backend.php?nomic=638&main=7&watch=112&energy=1121&beta=400&bugs=134&linux=168&rates=371&apply=677&outdoors=1569755419

Bharath M N

Microsoft Essentials Security Pro 2013

Microsoft Essentials Security Pro 2013

New rogue from Braviax/FakeRean rogue family just arrives ahead of the holiday season. It uses the old trick of hijacking file association for executable files.

Screenshot of Microsoft Essentials Security Pro 2013 application 

Bharath M N

The Return of Chameleon Rogue

The Return of Chameleon Rogue

2013 Version of Braviax/FakeRean rogue family has surfaced. Thanks to guys @MBAM for heads up.

Screenshot of XP Defender 2013 application

Screenshot of Win 7 Defender 2013 application

IP's associated with the rogue campaign:

31.184.244.59  
31.184.244.62  
31.184.244.63  

Stay away from these IP's.

Bharath M N

Win 8 Security System

Win 8 Security System

Today we saw a new rogue security application called Win 8 Security System being distributed.

This rogue belongs to Braviax/FakeRean rogue family, which is well known for their series of Chameleon Rogue

Screenshot of Fake/scare scanner page

When tested the fake/scare scanner page was pushing legitimate Windows 7 Calc.exe 

Screenshot of Win 8 Security System application

The latest rogue comes with a filter driver which protects the rogue security application's main file being knocked off from the memory.

Screenshot of Win 8 Security System webpage

The web page of Win 8 Security System web is a complete rip of SUPERAntiSpyware web site. They even have the same management team. 

Following is a small list of other Rogue security applications connected with the same IP as Win 8 Security System. You might also notice that these rogues comes with the brand name Windows Innovation Inc

Screenshot of Great Antispy 2012 application

Screenshot of Windows Security System application

Screenshot of Windows Security System application

Screenshot of Galileo System Cleaner application

Sites associated with the rogue campaign:

31.184.244.59  great-antispy2012.com
31.184.244.59  allwinsecuritysys.com
31.184.244.59  st777st.com
31.184.244.59  win8sec.com 
31.184.244.59  gersmsfn.com

Stay away from these sites.

Bharath M N

From Porn to Fake AV

From Porn to Fake AV

Recently read a post on Kaspersky blog

While looking at this rogue campaign, we noticed the following. A usual fake porn site asking the user to download the fake codec to view the video

 Fake porn site

On their website we saw template background images of AV's such as Avira, Kaspersky and Norton which are used in this campaign.

Unlike old rogue's what we have seen this campaign is a bit different. The malware file (fake codec) doesn't contain any GUI component in it.

You might ask how does it perform a fake/scare scan which is a crucial part of the rogue application. Well, to achieve this the campaign has used a very simple solution. Open Internet explorer and display a webpage, carry on the fake scanning stuff online through this web page.

 The web page opened by the malware uses one of the above mentioned template background image and mimics a scan.

Avira image scan template

Kaspersky image scan template

Norton image scan template

Once the fake scan is complete they use results.php to display the fake infections found on your system.

 Bare scan result without any AV background image

The final step in any rogue campaign is to make the user pay for the junk. Interestingly this campaign doesn't push the user to buy their product. (so far)

 Interesting???

Bharath M N

Facebook

Facebook

The best page I saw for quite sometime! now ppl get back to work :))

And this happens only with my account! Now that's cool.. :))

Cheers

Security Shield

Security Shield

Security Shield is the latest rogue that replaces the long running Security Tool rogue campaign.

Screenshot of Security Shield rogue application

Security Shield removal instructions here

Bharath M N

Three new rogues

Three new rogues

PC optimizer 2010, Privacy Corrector, Privacy Guard 2010 are the latest rogue security applications that has replaced ThinkPoint rogue security application.

Screenshot of Privacy Guard 2010 application

Screenshot of PC optimizer 2010 application

Screenshot of Privacy Corrector application

You can find the removal instructions here

Bharath M N

Internet Security Suite

Internet Security Suite

Internet Security Suite is the latest rogue security application from Virusdoctor rogue family.



More info here

Bharath M N

Security Inspector 2010

Security Inspector 2010

Security Inspector 2010 is a new rogue security application from Unvirex rogue family.

Screenshot of Security Inspector 2010 application

oops! some one forgot to change something here!!

Security Inspector 2010 removal instructions here

Bharath M N