Bharath's Security Blog: 2008

Monday, December 15, 2008

New rogue Security Applications

Antivirus 360

Antivirus 360 is a new rogue security application replacing Antivirus 2009. More info here.

MS Antispyware 2009

MS Antispyware 2009 is a new rogue security application from WinSpywareProtect family. More info here.

Bharath M N

Wednesday, December 3, 2008

Nano Antivirus

Nano Antivirus is a new rogue security application.

More info here

Bharath M N

Wednesday, November 12, 2008

Virus Trigger

Virus Trigger is a new rogue security application.

More info here

Bharath M N

Friday, October 31, 2008

Win Defender 2009

Win Defender 2009 is a new member of IEDefender family of rogue security applications.

More info here

Bharath M N

Thursday, October 23, 2008

AntiSpyware XP 2009

AntiSpyware XP 2009 is a new rogue from WinReanimator family.

More info here.

Bharath M N

Wednesday, October 22, 2008

Pro Antispyware 2009

Pro Antispyware 2009 is a new member of WinSpywareProtect family of rogue security applications.

More info here

Bharath M N

Monday, October 20, 2008

New Rogues from Innovagest 2000 group

Spy Protector and Security 2009 are the new rogue securoty application from Innovagest 2000 group. More info here.

Stay away from this group.

Bharath M N

Sunday, October 19, 2008

PC Defender 2008

PC Defender 2008 is a new rogue clone from Winifixer family.

More info here.

Bharath M N

Friday, October 10, 2008

Rogue Security application update

A few rogue security application seen in the wild:

Rogues from Innovagest 2000 family:

eAntivirusPro

AntiMalware 2009

ekerberos

More information here.

XP AntiSpyware 2009 advertised through Trojan-Downloader.braviax more information here.

Antivirus 2010 from the makers of IEdefender more information here.

Rapid Antivirus from SpywareNo family more information here.

Stay away from all these rogues.

Bharath M N

Monday, September 15, 2008

AntiVirus Lab 2009

AntiVirus Lab 2009 is a new rogue security application from SSH Zlob trojan family.

More info here

Bharath M N

Friday, September 12, 2008

New Rogue Security applications

A list of the recent rogue security applications can be found here, here and here

Bharath M N

Zlob Site Updates

A update on recent Zlob trojan Distributing sites and its component sites can be found here, here and here

Bharath M N

Friday, September 5, 2008

Smart Antivirus 2009

Smart Antivirus 2009 is a new rogue security Application.

More info here

Bharath M N

Friday, August 29, 2008

Total Secure 2009

Total Secure 2009 is a new rogue security product from IEDefender family.

More info here

Bharath M N

Tuesday, August 26, 2008

SpywarePreventer

SpywarePreventer is yet another rogue security application from SpywareNo\ SpySheriff Family of rogue security application.

Site Name: SpywarePreventer.com
IP Address: 216.255.186.253

Screenshot of SpywarePreventer site

Screenshot of SpywarePreventer application

Stay away from this site.

Bharath M N

Friday, August 22, 2008

Power Antivirus

Power Antivirus is yet another rogue security application from SpywareNo\ SpySheriff Family of rogue security application.

Site Name: Pwrantivirus.com
IP Address: 91.208.0.231

Screenshot of Power Antivirus site

Site Name: Scanner-Pwrantivirus.com
IP address: 91.208.0.246

Screenshot of Scare/fake scanner pages used by Power Antivirus

Screenshot of Power Antivirus application

One Rogue up and a few more clones follows it up. This group seems to be really busy cloning their application. Stay away from these sites.

Bharath M N

XPert Antivirus Enterprise

XPert Antivirus Enterprise is yet another rogue security application from SpywareNo\ SpySheriff Family of rogue security application.

Site Name: Xpertantivirus.com
IP Address: 91.208.0.230

Screenshot of XPert Antivirus Enterprise site

Site Name: Scanner-xpertantivirus.com
IP address: 91.208.0.246

Screenshot of Scare/fake scanner pages used by XPert Antivirus Enterprise

Screenshot of XPert Antivirus Enterprise application

Stay away from these sites.

Bharath M N

Thursday, August 21, 2008

MS Antivirus is a new rogue security application from SpywareNo\ SpySheriff Family of rogue security application. The application is a clone of Vista Antivirus 2008 rogue security application.

Site Name: Msantivirusxp.com
IP Address: 91.208.0.229

Screenshot of MS Antivirus site

Site Name: Msscanner.com
IP address: 91.208.0.228

Screenshot of Scare/fake scanner pages used by MS Antivirus

Screenshot of MS Antivirus application

Stay away from these sites.

Bharath M N

Sunday, August 17, 2008

XP-Guard

XP-Guard is a new rogue security application from SpywareNo\ SpySheriff Family of rogue security application. The application is a near clone of XP-Shield rogue security application.

This group calls themselves as "Pandora Software" any Security related application from this group should be avoided.

Site Name: XP-Guard.com
IP Address: 92.62.101.35

Screenshot of XP-Guard site

Screenshot of XP-Guard application

Stay away from this sites.

Bharath M N

Antivir64

Antivir64 is new rogue security application. The application is a near clone of Win Antivir 2008/ Win Antivirus 2008 rogue security application.

Site Name: Antivir64.com
IP Address: 78.157.142.7

Screenshot of Antivir64 site

Screenshot of Scare/Fake scanner page used by Antivir64

Screenshot of Antivir64 application

This group is very busy releasing new clones every week and constantly use new websites to scam users.

Following sites belongs to the same group

Xpertantivirus.com
Pwrantivirus.com
Powerantivirus2009.com
Powerantivirus-2009.com
Defender-scan.com
Watcher-scan.com

Stay away from these sites.

Bharath M N

Saturday, August 16, 2008

Friday, August 15, 2008

Happy Independence Day

Happy Independence Day

Vande Mataram

Wishing you a very Happy Independence Day

BHARATH

Monday, August 11, 2008

Internet Antivirus

Internet Antivirus is a new rogue security application.

Site Name: Internet-Antivirus.com
IP Address: 216.32.69.165

Screenshot of Internet Antivirus site

Site Name: IA-Scanner.com
IP Address: 216.32.69.162

Screenshot of Scare/Fake scanner pages used by Internet Antivirus

Screenshot of Internet Antivirus application

The rogue also uses Software-Payment.com for payment processing. Software-Payment.com is used by many rogue security applciations for payment processing.

Following sites also belongs to the same family

Site Name: IA-Payment.com
Site Name: IA-License.com
Site Name: IA-Support.com
IP Address: 216.32.69.165

The rogue is pretty new detections of this rogue is really poor. Stay away from all these sites.

Bharath M N

Saturday, August 9, 2008

Antispyware 2008 XP

Antispyware 2008 XP is a rogue security application. Antispyware 2008 XP is a clone of WinSpywareProtect/ Antivirus 2008 XP rogue security application

Site Name: Antispyware2008scanner.com
IP Address: 85.255.119.149

Screenshot of Scare/Fake scanner pages used by Antispyware 2008 XP

Screenshot of Antispyware 2008 XP application

The scanner pages uses the following site to push Antispyware 2008 XP installers:

Site Name: AS2008dl.com
IP Address: 85.255.118.69

Reference links: dwl.as2008dl. com/load/setup_100542_4_.exe

Which furthers downloads the application from the following site

Site Name: Getas2008xp.com
IP Address: 85.255.119.132

Reference links: dl.getas2008xp. com/get/?type=scanner&pin=100542&lnd=4

Further there are many other sites that is used by this family of rogue security application. Below is a list of sites that belongs to this family.


IP Address   Site Name

85.255.118.226    Wspldrept.com
85.255.118.226    Wspexrept.com
85.255.119.154    Wspreprt.com
85.255.119.26     Winspywareprotection.com
64.28.185.138     Winspywareprotect2008.com

85.255.119.30     Av2008sales.com
85.255.119.158    Avcntxp.com
85.255.119.158    Avcntxp.com
85.255.119.150    Av2008check.com

85.255.119.156    As2008rep.com
85.255.119.29     Antispywaresales.com
85.255.118.228    Woeiruweoriu.com
85.255.118.227    Idreptavxp.com

Stay away from all these sites.

Bharath M N

Wednesday, August 6, 2008

Sunday, August 3, 2008

More Rogue Security applications

PyroAntiSpy

PyroAntiSpy is new rogue security application from SpyLocked family of Rogue security applications.

Thanks to Donna for the information

Site Name: Pyroantispy.com
IP Address: 207.226.174.20

Screenshot of PyroAntiSpy site

Site Name: Fastpyroscan.com
IP Address: 207.226.174.20

Screenshot of Scare/Fake scanner page used by PyroAntiSpy

Screenshot of PyroAntiSpy application

Antivirus 2008 XP

Antivirus 2008 XP is a rogue security application. Antivirus 2008 XP is a clone of WinSpywareProtect rogue security application

Site Name: Antivirus2008xp.com
IP Address: 216.195.50.93

Secreenshot of Antivirus 2008 XP site

Site Name: Antivirus2008scanner.com
IP Address: 85.255.119.150

Screenshot of Scare/Fake scanner pages used by Antivirus 2008 XP

The scammer are not only mimicking Google's Malware warning page to advertise Antivirus 2008 XP but also falsely claims that their scanner is powered by BitDefender scanning engine. Dont fall for these false claims.

Screenshot of Antivirus 2008 XP application

The scanner pages uses the following site to push Antivirus 2008 XP installers:

Site Name: Av2008dl.com
IP Address: 85.255.118.70

Reference links: dwl.av2008dl. com/load/setup_1_2_.exe

Which furthers downloads the application from the following site

Site Name: Av2008store.com
IP Address: 85.255.119.134

Reference links: dl.av2008store. com/get/?type=scanner&pin=1&lnd=2

Stay away from all these sites.

Bharath M N

Friday, August 1, 2008

Thursday, July 31, 2008

Power Antivirus 2009

Power Antivirus 2009 is new rogue security application. The application is a near clone of Win Antivir 2008/ Win Antivirus 2008 rogue security application.

Heads up to Jason for the information.

Site Name: Power-antivirus-2009.com
IP Address: 91.208.0.233

Secrrenshot of Power Antivirus 2009 site

Screenshot of Scare/Fake scanner page used by Power Antivirus 2009

Screenshot of Power Antivirus 2009 application

Stay away from all this site.

Bharath M N

Wednesday, July 30, 2008

WinSpywareProtect rogue distributing sites:

Scare/Fake scanner page:
Site Name: Scan.Wsp2008scanner.com
IP Address: 85.255.119.146

The installer is downloaded from the following site:
Site Name: Dwl.getwsp.com
IP Address: 85.255.118.66

SpyShedder rogue distributing site
Site Name: Shredder-scan.com
IP Address: 91.208.0.243

WinXDefender rogue distributing site
Site Name: Win-x-defenders.com
IP Address: 91.208.0.243

The site Win-x-defender.com also shares the same IP Address.

Win Antivir 2008

Win Antivir 2008 is the latest rogue security application from SpywareNo/SpySheriff family. Its a near clone of WinXSecurityCenter rogue security application.

Site Name: Win-antivir-2008.com
IP Address: 91.208.0.234

Screenshot of Win Antivir 2008 site

Screenshot of Scare/Fake scanner page used by Win Antivir 2008

Screenshot of Win Antivir 2008 application

Win Antivirus 2008

Win Antivirus 2008 is a near clone of Win Antivir 2008 rogue security application.

Site Name: Win-antivirus-2008.com
IP Address: 91.208.0.253

Screenshot of Win Antivirus 2008 application

WinDefender 2008

WinDefender 2008 is a rogue security application.

Site Name: Win-defender.com
IP Address: 207.226.179.162

Screenshot of Scare/Fake scanner page used by WinDefender 2008

Screenshot of WinDefender 2008 application

Following are the sites involved in this scam

Site Name: Trafficrotator.net
IP Address: 207.226.179.165

Reference: Trafficrotator. net/MTAwNg== which further redirects to one of the following Scare/Fake scanner sites

Site Name: Internetscannerlive.com
Site Name: Netscannerlive.com
Site Name: Webscanneronline.com
IP Address: 207.226.179.163

The following sites are also involved in distributing WinDefender 2008 rogue security application

Site Name: Dns-problem.com
IP Address: 207.226.179.147

Dns-problem. com site is a fake DNS error page which redirects to WinDefender 2008 registration page. Heads up to Malekal for posting it

Site Name:Registerwindefender.com
IP Address: 207.226.179.148

Stay away from all these sites.

Bharath M N

Sunday, July 27, 2008

TheSpyBot Promo site

The site mentioned below is a promo site advertising TheSpyBot Rogue security application from SpywareNo/SpySheriff family.

Site Name: TheSpyBotpromo.com
IP Address: 207.176.7.6
Registrar: ESTDOMAINS, INC.

Screenshot of Fake/Scare scan pages used by TheSpyBot application

You may have noticed "TheSpyBot ActiveScan with TruPrevent" in one of the scare/fake scanner pages screenshot, The scammers are exploiting the name TruPrevent which is developed by Panda Security. You may also notice that SpyWatchE and TheSpyBot names mentioned in the same scanner page.

ScreenShot of TheSpyBot Application

Stay away from this site.

Bharath M N

Wednesday, July 23, 2008

Malware distributing sites

Trojan-Downloader Distributing sites

Site Name: Iwillseethatvideo.com
IP Address: 91.203.92.53

The Trojan installs the following Malicious BHO

O2 - BHO: BHO.ext2 - {401F4B6B-3C36-4E8D-BC07-F46FC6D67D9A} - C:\WINDOWS\system32\ieflt.dll

Site Name: Comeforvidsoft.com
IP Address: 91.203.92.53

The Trojan installs the following Malicious BHO

O2 - BHO: search toolbar - {7D76D0EB-AE56-4DF4-AFFC-20AFF4344AC6} - C:\WINDOWS\system32\tbsrch.dll

These sites belongs to IE-defender family and the BHO is used to push IE-Antivirus which is a well documented rogue security application.

MediaTubeCodec Trojan Distributing site:

Site Name: Best-soft-maxi.com
Site Name: Best-freeware2008.com
Site Name: Soft2008freeware.com
IP Address: 91.203.70.18

Stay away from these sites.

Bharath M N

Ad-Server-Gate Pages:
Site Name: Asgates.com
IP Address: 85.255.118.214

Site Name: Qwgates.com
IP Address: 85.255.118.212

The Ad-Server-Gate pages redirects to fake Security center site Allsecurenews.com which promotes Rogue security applications.

Site Name: Allsecurenews.com
IP Address: 85.255.118.213

Other component sites

Site Name: Browseroption.com
IP Address: 216.255.179.244

http://www.Browseroption(dot)com/redirect.php -> redirects to scan.wspscanner.com, which is a fake/scare scan page used to push WinSpywareProtect rogue security application.

All the above mentioned sites advertise/push well documented Rogue security applications. Stay away from these sites.

Bharath M N

Antivirus Master

Antivirus Master is new rogue security application. The application is a clone of Vista Antivirus 2008 rogue security application.

Site Name: Anvimaster.com
IP address: 91.208.0.240

Screenshot of Antivirus Master website

The scammers even forgot to replace the Vista Antivirus 2008 logo

Site Name: Anvi-scanner.com
IP address: 91.208.0.252

Screenshot of Scare/fake scanner pages used by Antivirus Master

Screenshot of the Antivirus Master appplication

The scammers had used the same Scare/fake pages for promoting Vista Antivirus 2008

Here is the list of such sites:

Site Name: Vav-scan.com
Site Name: Vav-scanner.com
Site Name: Vavscan.com
Site Name: Vav-xscanner.com
Site Name: Vav-x-scanner.com

Vitae Antivirus 2008 is also clone of the above said rogue

Site Name: Vit-scanner.com
Site Name: Vit-xscanner.com
Site Name: Vit-x-scanner.com

Screenshot of Scare/fake scanner pages used by Vitae Antivirus 2008

Screenshot of the Vitae Antivirus 2008 appplication

Stay away from all these sites.

Bharath M N

Monday, December 15, 2008

Wednesday, December 3, 2008

Wednesday, November 12, 2008

Friday, October 31, 2008

Thursday, October 23, 2008

Wednesday, October 22, 2008

Monday, October 20, 2008

Sunday, October 19, 2008

Friday, October 10, 2008

Monday, September 15, 2008

Friday, September 12, 2008

Friday, September 5, 2008

Friday, August 29, 2008

Tuesday, August 26, 2008

Friday, August 22, 2008

Thursday, August 21, 2008

Sunday, August 17, 2008

Saturday, August 16, 2008

Friday, August 15, 2008

Monday, August 11, 2008

Saturday, August 9, 2008

Wednesday, August 6, 2008

Sunday, August 3, 2008

Friday, August 1, 2008

Thursday, July 31, 2008

Wednesday, July 30, 2008

Sunday, July 27, 2008

Wednesday, July 23, 2008

About Me

Blog Archive