Tuesday, November 27, 2007

Yet another bunch of Rogue Security applications



Currently there are four websites distributing clones of the SpySheriff rogue security application. All four domains share the same IP address, 58.65.238.130.

Dr-protection.com



Application Screen Shot of Dr-protection


Guard-center.com

Application Screen Shot of Guard-center


Liveantispy.com



Application Screen Shot of Liveantispy



Online-guard.net

Application Screen Shot of Online-guard



VirusTotal scan results (only the engines that detected the sample are listed):

AhnLab-V3 2007.11.27.1 2007.11.27 Win-Trojan/Spyshield.51200
Kaspersky 7.0.0.125 2007.11.27 not-a-virus:FraudTool.Win32.SpySheriff.f
VirusBuster 4.3.26:9 2007.11.26 Adware.SpySherif.Gen.2

Detection of these rogue security applications is poor. Stay away from these sites.

Bharath M N

Tuesday, November 20, 2007

Deuscleaneronline.com



Another rogue security application, which looks similar to the DriveCleaner application. The site uses a fake "scare scan" to frighten the user into purchasing the rogue application. The domain registrar is ESTDOMAINS and the site resolves to 24.244.171.69, an IP address that is also used by other malicious sites.

Detection of this rogue is really poor. Avoid it at all cost...

Bharath M N

Monday, November 19, 2007

Another List of Zlob Trojan distributing Sites

Stvfirm.com (85.255.118.179)
Ictmanufacture.com (85.255.113.234)
Ocnservice.com (85.255.115.178)
Xvsenterprise.com (85.255.115.179)
Bsplaycodec.com (64.28.184.180)
Detection of the installers served from these sites is poor. Stay away from these sites.

Bharath M N

Saturday, November 17, 2007

ElseIf.biz




Yet another site used to distribute the Zlob Trojan. The site's main page states that the domain is suspended, but it is still working as an active repository of Trojan files.


Porn sites usually display a fake alert like the following to goad the user into downloading the fake video decoder.

Screenshot of the fake Error Message Box

ElseIf.biz uses the IP address 85.255.121.148. Detection of the download from this site is really poor. Stay away from malicious porn sites.


Avoid the site and all its downloads…

The website's name reminds me of the college days when we coded in the C language :-)

Code (the original was pseudocode; this version compiles, with the choice as a variable and the "statements" as messages):

#include <stdio.h>

enum choice { SENSIBLE, INSTALLS_CODEC, UNDECIDED };

int main(void)
{
    enum choice user = UNDECIDED;   /* change this to see the other branches */

CODE:
    if (user == SENSIBLE)
    {
        puts("Your system is safe and you need not worry about the Zlob Trojan infection");
        puts("Exit from the porn trap");
    }
    else if (user == INSTALLS_CODEC)
    {
        puts("Welcome to the world of Zlob infected PC's");
        puts("The Trojan will make sure to make you have a terrible experience");
        puts("Use a tool to remove the infection");
        puts("Make a promise never to install a codec pushed from a porn site");
        puts("Finally exit from the porn trap");
    }
    else
    {
        puts("Wait until the bad guys come up with a new trick to trap you");
        user = INSTALLS_CODEC;      /* the new trick works */
        goto CODE;                  /* label added; the original jumped to one that did not exist */
    }
    return 0;
}

Isn't it funny code :-)


Bharath MN

Wednesday, November 14, 2007

VirProtect.com







Yet another rogue security application from the SpyLocked group of rogue security applications.

VirProtect is the latest entry on the list. This rogue is currently advertised by the latest Zlob Trojan. The site uses the IP 85.255.119.126, which is also used by virusray.com (a previous rogue security application released by this group).



Screenshot of the application.


Detection of the rogue is poor.


VirusTotal Scan Result: 7/31 (22.59%)

Avast 4.7.1074.0 2007.11.13 Win32:Spycrush-B
BitDefender 7.2 2007.11.13 Adware.SpyLocked.C
Ikarus T3.1.1.12 2007.11.13 Virus.Win32.Spycrush.B
Kaspersky 7.0.0.125 2007.11.13 not-a-virus:FraudTool.Win32.VirusProtectPro.h
Microsoft 1.3007 2007.11.12 Program:Win32/VirusLocker
Rising 20.18.11.00 2007.11.13 Hack.Win32.VirusProtectPro.a
VBA32 3.12.2.4 2007.11.11 Application.Win32.Adware.VirusProtectPro
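The vendor labels above (and the SpySheriff results in the newer post) all describe one family under different names. The script below is an added example, not part of the original post: it parses VirusTotal result lines in the format quoted here, computes the detection ratio from the engine total the post gives (31), and reduces the differing vendor labels to a consensus family name. The sample lines are constructed from the VirProtect results above; the GENERIC token list is my own assumption about which name parts carry type or platform information rather than the family.

```python
"""Summarise VirusTotal result lines: detection ratio and family-name consensus.

Added example, not from the original post. Sample data is constructed from the
VirProtect.com results quoted above; GENERIC is an assumption.
"""
import re
from collections import Counter

# Constructed from the VirProtect.com scan results quoted above.
SAMPLE_RESULTS = """
Avast 4.7.1074.0 2007.11.13 Win32:Spycrush-B
BitDefender 7.2 2007.11.13 Adware.SpyLocked.C
Ikarus T3.1.1.12 2007.11.13 Virus.Win32.Spycrush.B
Kaspersky 7.0.0.125 2007.11.13 not-a-virus:FraudTool.Win32.VirusProtectPro.h
Microsoft 1.3007 2007.11.12 Program:Win32/VirusLocker
Rising 20.18.11.00 2007.11.13 Hack.Win32.VirusProtectPro.a
VBA32 3.12.2.4 2007.11.11 Application.Win32.Adware.VirusProtectPro
"""

# engine  version  update-date (YYYY.MM.DD)  detection-name
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+?)\s*$")

# Name parts that describe type or platform rather than the family (assumption).
GENERIC = {
    "win32", "win", "trojan", "adware", "application", "program", "virus",
    "hack", "not", "a", "fraudtool", "gen", "generic", "rogue", "spyware",
}


def parse_results(text):
    """Return a list of dicts with engine, version, date and detection name."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(dict(zip(("engine", "version", "date", "detection"), m.groups())))
    return rows


def detection_ratio(rows, total_engines):
    """(hits, total, percentage) given how many engines scanned the file."""
    hits = len(rows)
    return hits, total_engines, round(100.0 * hits / total_engines, 2)


def family_tokens(detection):
    """Split a vendor label on the usual separators and keep the parts that
    look like a family name: not generic, not a bare number, and longer than
    a one-letter variant suffix."""
    parts = re.split(r"[.:/\-_ ]", detection)
    return [
        p.lower() for p in parts
        if len(p) >= 4 and not p.isdigit() and p.lower() not in GENERIC
    ]


def family_consensus(rows):
    """Count family tokens across all engines, most common first."""
    counts = Counter()
    for row in rows:
        counts.update(set(family_tokens(row["detection"])))
    return counts.most_common()


if __name__ == "__main__":
    rows = parse_results(SAMPLE_RESULTS)
    hits, total, pct = detection_ratio(rows, 31)
    print(f"{hits}/{total} engines ({pct}%)")
    for name, n in family_consensus(rows):
        print(f"{n:2}  {name}")
```

Run on the sample, the consensus comes out as VirusProtectPro (3 engines), then Spycrush (2), with SpyLocked and VirusLocker as singletons, which is the same grouping the post makes by hand. Fed the three SpySheriff lines from the newer post, it yields three spellings of the same name (Spyshield, SpySheriff, SpySherif), a reminder that vendor labels are hints, not identifiers.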

Avoid it at all cost…

Bharath M N

Sunday, November 11, 2007

ErrorInspector.com



A hoax site distributing a rogue security application; the webpage doesn't provide any link to download the application. This rogue security application is also advertised through Mediaplex (owned by ValueClick).

Screenshot of ads displayed for ErrorInspector by Mediaplex.


This site also uses the IP 84.243.253.220, which is used by many other Sellmosoft Inc rogue security applications. Some of the other rogue security applications that have used or still use this IP are:


1. Performanceoptimizer.com
2. Antivirussecuritypro.com
3. Cryptdrive.com
4. Windefender.com
5. ErrorDigger.Com


and many more. Detection on VirusTotal is really poor. The application is related to the winantivirus(dot)com family of rogue security applications.

Sunbelt CWSandbox Analysis


Avoid it at all cost...


Bharath M N

Another bunch of Zlob Trojan distributing sites

Fresh list of sites distributing Zlob Trojans:
1. Gneprogram.com (85.255.118.181)
2. Ndcperformance.com (85.255.113.238)
3. Mzdsoftware.com (85.255.113.235)
4. Pkbsolution.com (85.255.118.179)
Avoid downloads from these sites to keep your system safe.
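The lists in this post and in the November 19 post, together with the shared-IP observations elsewhere on this page (VirProtect and virusray, ErrorInspector and ErrorDigger), all rest on one triage step: pivoting on the hosting address. The script below is an added example, not part of the original posts. It parses domain/IP pairs in the format used here, groups them by exact IP and by /24 network, and reports the addresses that host more than one listed domain. The pairs are copied from this page and are 2007-era data, not live indicators.

```python
"""Pivot on shared hosting: group the domains listed on this page by the IP
address they resolved to at the time, then by /24 network.

Added example, not part of the original posts. The domain/IP pairs are copied
from the lists on this page; treat them as historical data.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed from the lists in the posts on this page.
RAW_ENTRIES = """
Stvfirm.com (85.255.118.179)
Ictmanufacture.com (85.255.113.234)
Ocnservice.com (85.255.115.178)
Xvsenterprise.com (85.255.115.179)
Bsplaycodec.com (64.28.184.180)
ElseIf.biz (85.255.121.148)
VirProtect.com (85.255.119.126)
virusray.com (85.255.119.126)
Gneprogram.com (85.255.118.181)
Ndcperformance.com (85.255.113.238)
Mzdsoftware.com (85.255.113.235)
Pkbsolution.com (85.255.118.179)
ErrorInspector.com (84.243.253.220)
ErrorDigger.com (84.243.253.220)
"""

ENTRY_RE = re.compile(r"^\s*([A-Za-z0-9.-]+)\s*\(\s*([0-9.]+)\s*\)\s*$")


def parse_entries(text):
    """Return a list of (domain, ip) tuples. Domains are lower-cased and the
    '(dot)' defanging used on this page is undone so names compare equal."""
    pairs = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.replace("(dot)", "."))
        if not m:
            continue
        domain, ip = m.group(1).lower(), m.group(2)
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        pairs.append((domain, ip))
    return pairs


def cluster_by_ip(pairs):
    """Map each IP address to the sorted list of domains hosted on it."""
    by_ip = defaultdict(set)
    for domain, ip in pairs:
        by_ip[ip].add(domain)
    return {ip: sorted(doms) for ip, doms in by_ip.items()}


def cluster_by_prefix(pairs, prefixlen=24):
    """Map each /prefixlen network to the sorted list of domains inside it.
    A tight cluster in one network is a hosting-provider pivot even when the
    exact addresses differ."""
    by_net = defaultdict(set)
    for domain, ip in pairs:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        by_net[str(net)].add(domain)
    return {net: sorted(doms) for net, doms in by_net.items()}


def shared_hosts(pairs):
    """IPs that host more than one listed domain: the strongest pivot."""
    return {ip: doms for ip, doms in cluster_by_ip(pairs).items() if len(doms) > 1}


if __name__ == "__main__":
    entries = parse_entries(RAW_ENTRIES)
    for ip, doms in sorted(shared_hosts(entries).items()):
        print(f"{ip:16} {', '.join(doms)}")
    print()
    for net, doms in sorted(cluster_by_prefix(entries).items()):
        print(f"{net:18} {len(doms)} domain(s)")
```

On this data the /24 view shows 85.255.113.0/24, 85.255.115.0/24 and 85.255.118.0/24 each holding several of the Zlob codec sites, and a /16 view puts eleven of the fourteen domains in 85.255.0.0/16. That is the shape of the pattern the posts describe in prose: a small number of networks rotating many throwaway domains.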
Bharath M N

Friday, November 9, 2007

ErrorDigger.Com






This rogue security application will definitely dig a hole in your pocket. The webpage doesn't provide any link to download the application. The rogue security application is advertised through Mediaplex (owned by ValueClick).
Screenshot of ads displayed for ErrorDigger by Mediaplex.


The site uses the IP 84.243.253.220, which is also used by many other Sellmosoft Inc rogue security applications.

Some of the other rogue security applications that have used or still use this IP are:

1. Performanceoptimizer.com
2. Antivirussecuritypro.com
3. Cryptdrive.com
4. Windefender.com

and many more. Detection on VirusTotal is really poor.

Sunbelt CWSandbox Analysis


Avoid it at all cost...

Bharath M N

Sunday, November 4, 2007

AVSystemCare crazily spreading on Internet








AVSystemCare, a well-known rogue security application, is spreading wildly on the internet. The application was first sighted around May 2007.


Screenshot of AVSystemCare application



The application is aggressively advertised by Zlob Trojans. When a system gets infected by a Zlob Trojan you might receive the following warning message, or a similar one, luring, confusing or goading the user into purchasing one of the many AVSystemCare clone applications.


Fake security alert displayed by the Zlob Trojan



The AVSystemCare scammers are busy cloning their website. Currently they have more than 300 cloned websites that share the same IP address.


Below is the complete list of sites:



[EDIT]

New Scam page of AVSystemCare



Avoid all of these sites...



Bharath M N

Saturday, November 3, 2007

Fresh Pack of Zlob Trojan distributing sites

A few new codec sites distributing Zlob Trojans:
zsvcompany(dot)com
bcnproduction(dot)com
mojtechnology(dot)com
vaulimited(dot)com

Typically the download from these sites pretends to be a video or image codec for viewing porn online, but instead installs the Zlob Trojan or a DNS changer Trojan on the system.

Usually these porn sites display a message stating that you need to download a special codec to view the porn online. Once the user agrees to install the codec, the Trojan starts its dirty work: downloading adware and nagging the user with fake security warning messages.

The fake security warning informs the user that the system is infected and vulnerable to Trojan attacks, luring the user into running a scan or downloading a security application to remove the infection. The application that the Trojan suggests will definitely be a rogue security application.

The main purpose of the Zlob Trojan is to goad users into purchasing rogue security applications. The rogue security application and Zlob developers deploy new installers and jump domains constantly in order to stop anti-spyware, anti-malware and anti-virus products from detecting them.

So far the scammers are winning the battle against the protection provided by anti-malware, anti-spyware and anti-virus products.
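Signature detection lags, as the post says, but the DNS changer variant leaves a configuration footprint that does not depend on signatures: the victim's resolvers now point at attacker-run servers. The check below is an added example, not from the original post. It reads resolver configuration in two formats (the output of `ipconfig /all` on Windows, or a Unix resolv.conf) and flags any server inside a suspect network or outside the resolvers the analyst expects. SUSPECT_NETWORKS is an assumption for illustration: the single /20 that covers the 85.255.x.x addresses quoted in these posts. The two configuration samples are constructed. Replace the network list with current intelligence before relying on it.

```python
"""Flag configured DNS resolvers that fall inside suspect networks.

Added example, not from the original post. SUSPECT_NETWORKS and both
configuration samples are assumptions constructed for illustration.
"""
import ipaddress
import re

# Assumption: the /20 covering the 85.255.113-121.x addresses listed on this page.
SUSPECT_NETWORKS = [ipaddress.ip_network("85.255.112.0/20")]

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample of 'ipconfig /all' output from an infected Windows host.
IPCONFIG_SAMPLE = """
Windows IP Configuration
        Host Name . . . . . . . . . . . . : victim-pc
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 85.255.115.178
                                            85.255.113.234
"""

# Constructed sample of a Unix resolv.conf with one tampered entry.
RESOLV_SAMPLE = """
search example.lan
nameserver 192.168.1.1
nameserver 85.255.121.148
"""


def extract_dns_servers(config_text):
    """Pull IPv4 resolver addresses out of either 'ipconfig /all' output or a
    resolv.conf file, in configured order, without duplicates. IPv6 resolvers
    are ignored."""
    servers = []
    in_dns_block = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("nameserver"):
            m = IPV4_RE.search(stripped)
            if m:
                servers.append(m.group(1))
            continue
        if "DNS Servers" in line:
            in_dns_block = True
            servers.extend(IPV4_RE.findall(line))
            continue
        # ipconfig lists further resolvers on continuation lines holding only an address
        if in_dns_block and IPV4_RE.fullmatch(stripped):
            servers.append(stripped)
        else:
            in_dns_block = False
    return list(dict.fromkeys(servers))


def classify(servers, suspect_networks=None, expected=()):
    """Verdict per resolver: 'suspect' if inside a suspect network,
    'unexpected' if an allowlist was given and the server is not on it,
    otherwise 'ok'."""
    nets = SUSPECT_NETWORKS if suspect_networks is None else suspect_networks
    verdicts = {}
    for server in servers:
        addr = ipaddress.ip_address(server)
        if any(addr in net for net in nets):
            verdicts[server] = "suspect"
        elif expected and server not in expected:
            verdicts[server] = "unexpected"
        else:
            verdicts[server] = "ok"
    return verdicts


def check_config(config_text, expected=()):
    """Parse a configuration dump and classify every resolver found in it."""
    return classify(extract_dns_servers(config_text), expected=expected)


if __name__ == "__main__":
    for name, sample in (("ipconfig", IPCONFIG_SAMPLE), ("resolv.conf", RESOLV_SAMPLE)):
        print(name)
        for server, verdict in check_config(sample, expected=("192.168.1.1",)).items():
            print(f"  {server:16} {verdict}")
```

The allowlist matters as much as the blocklist: a changer that moves resolvers to an address not yet on any list still shows up as "unexpected" when the only legitimate resolver on a home network is the router at 192.168.1.1.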

Be a bit cautious about what you download from a porn site. Prevention is always better than cure.

Bharath MN