A Symphony of Fake Scanner Pages
Here is a list of recently seen fake scanner pages distributing rogue security applications.
SpywareIsolator
Sites used by this rogue:
Site Name: SpywareIsolator.com
IP Address: 72.233.50.150
Site Name: SpywareIso.com
IP Address: 72.233.63.89
Site Name: SpywareIsolator2008.com
IP Address: 72.233.63.94
Screen shot of SpywareIsolator Fake/Scare scan pages
Screen shot of SpywareIsolator application
The installer is also pushed from the following site:
Site Name: si-download.net
IP Address: 72.233.63.95
Sample: si-download(dot)net/ landing / distrib / installer_abr.exe
VirusIsolator
Sites used by this rogue:
Site Name: VirusIsolator.com
Site Name: Virus-Isolator.org
Site Name: Virus-Isolator.us
Site Name: VirusIsolator.us
IP Address: 217.170.77.150
Screen shot of VirusIsolator Fake/Scare scan pages
Screen shot of VirusIsolator application
XP antivirus
Site Name: SecurityScannerSite.com
IP Address: 217.170.77.150
Site Name: Xpprotectionsoftware.com
IP Address: 72.233.81.234
Screen shot of SecurityScannerSite.com Fake/Scare scan pages
Screen shot of XP antivirus application
The installer is pushed from the following site:
Site Name: XPdownloadcenter.com
IP Address: 72.233.81.234
Sample: XPdownloadcenter(dot)com/download/xpa_eng.exe
Fileshreddersoftware.com also shares the IP 72.233.81.234; it is again crapware, and it exploits Lavasoft’s application name “File Shredder”.
AntiVirus 2008
Site Name: AntiVirus-Scanner.com
IP Address: 190.15.73.254
Screen shot of AntiVirus 2008 Fake/Scare scan pages
Screen shot of AntiVirus 2008 application
The rogue also uses the following site:
Site Name: AntiVirus2008x.com
IP Address: 64.28.177.250
AntiSpywareDeluxe
Site Name: AntiSpywareDeluxe.com
IP Address: 67.205.75.9
Screen shot of AntiSpywareDeluxe Fake/Scare scan pages
Screen shot of AntiSpywareDeluxe application
SpywareDestructor
This is a clone of the AntiSpywareDeluxe rogue application.
Site Name: SpywareDestructor.com
IP Address: 67.205.75.9
Screen shot of SpywareDestructor Fake/Scare scan pages
Screen shot of SpywareDestructor application
PcSweeperPro
This is a clone of the Cleanator rogue security application. The home page of this rogue currently comes up blank.
Site Name: PcSweeperPro.com
IP Address: 72.55.156.207
Screen shot of PcSweeperPro Fake/Scare scan pages
The installer that I downloaded was corrupt, and I wasn’t able to install the application.
Imunizator
Site Name: Imunizator.com
IP Address: 67.205.75.10
Imunizator is a clone of the MacSweeper rogue security application. All Mac users should be aware of this rogue.
Screen shot of Imunizator Fake/Scare scanner page
All the above-mentioned sites are active and distributing rogues. Stay away from all of these sites.
Bharath M N