Friday, May 30, 2008

MalwarePatrolPro

MalwarePatrolPro is a new rogue security application from the WinIFixer family of rogue security applications. As usual, this rogue is pushed by fake codecs.

Site Name: Malwarepatrolpro.com
IP Address: 216.240.139.169
Screenshot of MalwarePatrolPro.com site
Screenshot of Fake/Scare Scan used by MalwarePatrolPro


Screenshot of MalwarePatrolPro application



Stay away from this site.

Bharath M N

Wednesday, May 28, 2008

Malicious sites pushing Malwares

Zlob Trojan Distributing sites:

Site Name: Swfplugin.com
IP Address: 85.255.120.107

Site Name: Flwupdate.com
IP Address: 77.91.231.183

DNS Changer Trojan Distributing sites:

Site Name: Endticket.net
IP Address: 64.28.184.173

Stay away from these malicious sites.

Bharath M N

Monday, May 26, 2008

Recent Rogue Applications advertised by MediaTubeCodec Trojans

Here is a list of new rogue security applications that were advertised by MediaTubeCodec Trojans on infected systems.


Site Name: Antispywareexpert.com
IP Address: 92.62.100.64

Site Name: Antimalwareguard.com
Site Name: Antispywareexpertpro.com
IP Address: 195.5.117.248

The above-mentioned sites distribute similar rogue security applications. These applications come from the AntiSpywareSolutionPro Inc. group (aka Winfixer).

Screenshot of Scare/fake scan pages used by this group.


Screenshot of the Application

Site Name: Pcprivacycleaner.com
IP Address: 92.62.100.64

Pcprivacycleaner is a bogus/rogue privacy-protection application pushed by MediaTubeCodec Trojans.

Screenshot of Scare/fake scan pages used by this group.

Screenshot of the Application


Antivirus-2008-pro is a new rogue security application. It's a clone of the Kvmsecure rogue application.

Site Name: Antivirus-2008-pro.com
Site Name: Antivirus-2008-pro.info
Site Name: Antivirus-2008-pro.net
Site Name: Antivirus-2008-pro.org
Site Name: Antivirus-2008pro.com
Site Name: Antivirus-2008pro.info
Site Name: Antivirus-2008pro.net
Site Name: Antivirus-2008pro.org
Site Name: Antivirus2008pro.com
Site Name: Antivirus2008pro.info
Site Name: Antivirus2008pro.net
Site Name: Antivirus2008pro.org
IP Address: 62.176.16.161

Screenshot of Scare/fake scan pages used by this group.

Screenshot of the Application

Windows Antivirus 2008 is yet another rogue security application. It's a near clone of the AntiVirus 2008 rogue security application.

Site Name: Wav2008.com
IP Address: 216.255.186.250

Screenshot of Windows Antivirus 2008 site

Screenshot of Windows Antivirus 2008 application

Stay safe while surfing and don't visit any of the above-mentioned sites.

Bharath M N

Sunday, May 25, 2008

Pest-Patrol

Pest-Patrol is a new rogue security application. It is not to be confused with the legitimate PestPatrol from CA (currently CA Anti-Spyware). Dancho Danchev reported on this rogue a week ago here.

Site Name: Pest-Patrol.com
IP Address: 85.255.121.181

Screenshot of Pest-Patrol.com site


Screenshot of Pest-Patrol application


The rogue also installs a malicious BHO along with the application.

BHO Details:

Filename: IEWarning.dll
Object Name: WarningBHO
HijackThis entry:
O2 - BHO: WarningBHO Class - {56FA7933-DC3E-403b-8D47-BB5E3F345A21} - C:\Program Files\Pest-Patrol\IEWarning.dll

The BHO blocks navigation in IE and displays the following screen (Reported Insecure Browsing Navigation blocked), nagging users into purchasing the Pest-Patrol rogue application.
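
A defender's way to catch this persistence mechanism in a HijackThis log, as an added example that is not code from the original post: it parses the O2 (BHO) lines, matches the CLSID quoted above against a known-bad list, and flags BHOs loaded from unusual directories. The directory heuristic and the second, placeholder log entry are assumptions of this example.

```python
import re

# One HijackThis "O2" (Browser Helper Object) line, e.g. the entry quoted above:
# O2 - BHO: WarningBHO Class - {56FA7933-...} - C:\Program Files\Pest-Patrol\IEWarning.dll
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)

# Known-bad BHO CLSID, taken from the Pest-Patrol entry in this post.
KNOWN_BAD_CLSIDS = {
    "{56FA7933-DC3E-403B-8D47-BB5E3F345A21}": "Pest-Patrol WarningBHO (IEWarning.dll)",
}

# Triage heuristic (an assumption of this example, not from the post): a BHO loaded from
# outside the Windows directory or Common Files is flagged for manual review.
EXPECTED_DIRS = ("c:\\windows\\", "c:\\program files\\common files\\")


def parse_o2(line):
    """Return {name, clsid, path} for an O2 line, or None for any other log line."""
    m = O2_LINE.match(line.strip())
    if not m:
        return None
    return {"name": m["name"], "clsid": m["clsid"].upper(), "path": m["path"]}


def assess(entry):
    """List the reasons an O2 entry deserves attention (empty list = nothing found)."""
    reasons = []
    hit = KNOWN_BAD_CLSIDS.get(entry["clsid"])
    if hit:
        reasons.append(f"known-bad CLSID: {hit}")
    if not entry["path"].lower().startswith(EXPECTED_DIRS):
        reasons.append("BHO loaded from an unusual directory, review manually")
    return reasons


def scan_log(text):
    """Parse a whole HijackThis log; return {clsid: reasons} for flagged O2 entries."""
    findings = {}
    for line in text.splitlines():
        entry = parse_o2(line)
        if entry and (reasons := assess(entry)):
            findings[entry["clsid"]] = reasons
    return findings


# Constructed sample log: the post's Pest-Patrol entry plus a benign-looking filler
# entry that uses a placeholder CLSID.
SAMPLE_LOG = r"""
O2 - BHO: WarningBHO Class - {56FA7933-DC3E-403b-8D47-BB5E3F345A21} - C:\Program Files\Pest-Patrol\IEWarning.dll
O2 - BHO: Example Helper - {00000000-1111-2222-3333-444444444444} - C:\WINDOWS\system32\example.dll
"""
```

Calling `scan_log(SAMPLE_LOG)` returns only the Pest-Patrol CLSID, with both the known-bad match and the unusual-directory reason attached.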

Currently none of the AV/AS vendors detects this Pest. Stay away from this site.

Bharath M N

Malicious sites pushing Malwares

Zlob Trojan Distributing sites:

Site Name: Vpcompressor.com
IP Address: 85.255.120.106

Trojan-Downloader Distributing sites:

Site Name: Wetsoftwares.com
IP Address: 78.129.208.105

Stay away from these malicious sites.

Bharath M N

Thursday, May 22, 2008

SpyGuarder

SpyGuarder is a new rogue security application currently advertised/pushed by a Trojan horse.

Site Name: SpyGuarder.com
IP Address: 208.85.178.132

Screen shot of SpyGuarder site

Screen shot of SpyGuarder Fake/Scare scan pages


Screen shot of SpyGuarder application


SpyGuarder uses Software-payment.com site for payment processing. Beware that this site is also used by many other rogue security applications for payment processing.

The installer was scanned at VirusTotal and here are the scan results:

spyguarder_install.exe:

VirusTotal Scan Result: 3/32 (9.38%)

AntiVir 7.8.0.19 2008.05.22 TR/Dldr.FraudLoa.MC
Rising 20.45.32.00 2008.05.22 Suspicious.Trojan.Win32.VBDownLoader.a
Webwasher-Gateway 6.6.2 2008.05.22 Trojan.Dldr.FraudLoa.MC

spyguarder.exe:

VirusTotal Scan Result: 6/32 (18.75%)

AntiVir 7.8.0.19 2008.05.22 SPR/Fake.WinXDe.A.1
Fortinet 3.14.0.0 2008.05.22 Misc/Defender
Kaspersky 7.0.0.125 2008.05.22 not-a-virus:FraudTool.Win32.Defender.q
Panda 9.0.0.4 2008.05.22 Suspicious file
Prevx1 V2 2008.05.22 Malicious Software
Webwasher-Gateway 6.6.2 2008.05.22 Riskware.Fake.WinXDe.A.1

As you can see, detection of the rogue is poor. Stay away from this site.

Bharath M N

Advanced XP Fixer

Advanced XP Fixer is yet another Rogue from Bakasoftware (Bakasoftware.com) aka Pandora-Software. The application is a clone of WinIFixer application.

Site Name: Advancedxpfixer.com
IP Address: 216.240.139.169

Screen shot of Advanced XP Fixer Fake/Scare scan pages




Screen shot of Advanced XP Fixer application

We can see the traces of WinIFixer in Advanced XP Fixer too.


Stay away from this group.

Bharath M N

Wednesday, May 21, 2008

Zlob sites update

Zlob Trojan Distributing site:
Site Name: Wovview.com
IP Address: 77.91.231.201

Scam Internet Security Page:
Site Name: Protectstartpage.com
IP Address: 85.255.116.212

404Errorpage Scam:
Site Name: Pagednserror.com
IP Address: 85.255.118.244

Security Guide Scam Page:
Site Name: warninglinks.com
IP Address: 85.255.118.214

Reference pages:
www.warninglinks(dot)com/soft/?c=12345
www.warninglinks(dot)com/test/?c=12345

Ad-Server-Gate Pages:
Site Name: Gatewx.com
IP Address: 85.255.118.35

Site Name: Gatevz.com
IP Address: 85.255.118.214

The Ad-Server-Gate pages redirect to the fake Security Center site Asafetynote.com, which promotes rogue security applications.

Site Name: Asafetynote.com
IP Address: 85.255.118.37

All the above mentioned sites advertise well documented Rogue security applications. Stay away from these sites.

Bharath M N

A fleet of Fake codec distributing sites

Here is a list of sites recently created to push/host fake codecs. Some sites are already live and pushing Trojans; others are potential sites that will be used to push fake codecs in the future.


Stay away from all these sites.

Bharath M N

Monday, May 19, 2008

New scam sites

Here is the list of a few new sites used by the scammers to advertise and push well documented rogue applications.

Sites pushing VirusIsolator Rogue:

Site Name: Virus-isolator.com
Site Name: Virus-isolator.net
IP Address: 217.170.77.150

The following address is also used to stealthily install the VirusIsolator rogue:
hxxp://62.176.16.161/bingo/Installer.exe

Sites pushing SpywareIsolator Rogue

Site Name: Spywareiso2008.com
IP Address: 72.233.62.16

Site Name: Si-install.net
IP Address: 72.233.62.20

Sample:
hxxp://si-install.net/distrib/installer_abr.exe

Sites pushing VipAntiSpyware Rogue

Site Name: Vipantispy.com
Site Name: Vipantisetup.net
IP Address: 217.150.254.4

Sample:
hxxp://vipantisetup.net/distrib/installer.exe

Stay away from all these Rogue distributing sites.

Bharath M N

Sunday, May 18, 2008

KvmSecure

KvmSecure is a new rogue Anti-Virus application. KvmSecure is a near clone of “XP antivirus” rogue application.

Site Name: KvmSecure.com
Site Name: Kvm-Secure.com
IP Address: 62.176.16.161

Screenshot of KvmSecure.com site

Screenshot of KvmSecure Fake/Scare scanner page


Screenshot of KvmSecure application




The rogue uses Software-payment.com site for payment processing. Beware that this site is also used by many other rogue security applications for payment processing.

Furthermore, the following two sites share the same IP address as the KvmSecure sites:

Site Name: Sextubecodec93.com
Site Name: Sexycodecadult.com

Both of these sites push the MediaTubeCodec Trojan.
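
The shared-hosting pivot this post does by hand, as an added example that is not code from the original blog: it parses the "Site Name:" / "IP Address:" listing format these posts use (several site lines may precede one IP line) and groups domains by IP, so overlaps like the one noted above fall out automatically. The sample listing is constructed from entries that appear in the posts on this page.

```python
import re
from collections import defaultdict

# The listing format used throughout these posts: one or more "Site Name:" lines
# followed by the "IP Address:" line they resolve to (case of "Address" varies).
SITE_RE = re.compile(r"^Site Name:\s*(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"^IP Address:\s*(\d{1,3}(?:\.\d{1,3}){3})", re.IGNORECASE)


def parse_listing(text):
    """Return (domain, ip) pairs; every pending Site Name gets the next IP Address."""
    pairs, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SITE_RE.match(line):
            pending.append(m.group(1).lower().rstrip("."))
        elif m := IP_RE.match(line):
            pairs.extend((site, m.group(1)) for site in pending)
            pending = []
    return pairs


def shared_hosting(pairs):
    """Return {ip: sorted domains} for every IP that hosts more than one listed domain."""
    by_ip = defaultdict(set)
    for site, ip in pairs:
        by_ip[ip].add(site)
    return {ip: sorted(sites) for ip, sites in by_ip.items() if len(sites) > 1}


# Constructed sample, assembled from entries that appear in the posts on this page.
SAMPLE = """
Site Name: Malwarepatrolpro.com
IP address: 216.240.139.169

Site Name: Advancedxpfixer.com
IP Address: 216.240.139.169

Site Name: KvmSecure.com
Site Name: Kvm-Secure.com
IP Address: 62.176.16.161

Site Name: Antivirus-2008-pro.com
IP Address: 62.176.16.161

Site Name: Wav2008.com
IP Address: 216.255.186.250
"""

if __name__ == "__main__":
    for ip, sites in sorted(shared_hosting(parse_listing(SAMPLE)).items()):
        print(f"{ip} hosts {', '.join(sites)}")
```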

Stay away from all these sites.

Bharath M N

Malicious sites pushing Malwares

Zlob Trojan Distributing sites:

Site Name: Movappliance.com
IP Address: 85.255.118.180

Trojan-Downloader Distributing sites:

Site Name: Soft-reviews21.com
IP Address: 217.170.77.150

Stay away from these malicious sites.

Bharath M N

Thursday, May 15, 2008

Bakasoftware’s saga continues

Bakasoftware (Bakasoftware.com) aka Pandora-Software is again busy releasing new rogue applications.

Advanced XP Defender is the new rogue from this group.

Site Name: Advancedxpdefender.com
IP Address: 216.240.138.207

Screen shot of Advanced XP Defender Fake/Scare scan pages


Screen shot of Advanced XP Defender application


Advanced XP Defender is a clone of the WinIFixer application; the scammers are so lazy that they have even left traces of the WinIFixer name in the Advanced XP Defender application.


The group also uses many sites to push WinIFixer, another rogue from the same group. The following sites are used to advertise WinIFixer.

Site Name: Winifixer.net
Site Name: Winifixer.org
Site Name: Winqfixer.com
IP Address: 216.240.138.207

Screen shot of WinIFixer Fake/Scare scan pages



The following is the affiliate program site:

Site Name: Bakasoftware.net
IP Address: 216.240.138.206

Stay away from these sites.

Bharath M N

Tuesday, May 13, 2008

XP-Shield

XP-Shield is a bogus/rogue antispyware application recently released by the scammers.

Site Name: XP-Shield.com
IP Address: 88.214.200.140

XP-Shield uses the same standard homepage which is also used by many other scam/rogue/crapware applications.



The site XPshield.com also shares the same IP address and currently just redirects to the XP-Shield.com site.

Screenshot of XP-Shield application



The application just does a fake scan on the system and asks the user to purchase the full version to remove the fake threats "detected" on the system. None of the scanners on VirusTotal flags this file as malicious.

Stay away from this site.

Bharath M N

New set of sites distributing Zlob, DNS Changer and Trojan-Downloader


Zlob Trojan Distributing sites:

Site Name: Mpeghelper.com
IP Address: 85.255.120.109

Site Name: Avihelper.com
IP Address: 85.255.113.219

DNS Changer Trojan Distributing sites:

Site Name: Hqticket.net
IP Address: 64.28.184.170

Trojan-Downloader Distributing sites:

Site Name: Getavideonow.com
IP Address: 78.129.158.225

The registrant of all the above-mentioned sites is ESTDOMAINS, INC. Stay away from these malicious sites.

Bharath M N

Wednesday, May 7, 2008

New Component sites from SSH Zlob Trojan

What's new? Well, they have designed a pair of new icons that are usually placed on the desktop of the infected machine; the rest of the story is below.




Zlob Trojan Distributing sites

Site Name: Wmvtool.com
IP Address: 85.255.120.110

Site Name: Avitool.com
IP Address: 85.255.118.178


Scam Internet Security Page:
Site Name: Instantsafepage.com
IP Address: 85.255.116.212

Screenshot of Instantsafepage.com site


404Errorpage Scam:
Site Name: Iednsallerror.com
IP Address: 85.255.118.242

Screenshot of Iednsallerror.com site

The sites Dnspoles.com and 404dnspage.com also share the same IP and are also 404Errorpage Scam component sites.

Security Guide Scam Page:
Site Name: Safeshortcuts.com
IP Address: 85.255.118.210

Screenshot of Safeshortcuts.com/soft page

Screenshot of Safeshortcuts.com/test/ page


Ad-Server-Gate Pages:
Site Name: Gategq.com
IP Address: 85.255.118.37

Site Name: Gatebm.com
IP Address: 85.255.118.38

The Ad-Server-Gate pages redirect to the fake Security Center site Secureinfotool.com, which promotes rogue security applications.

Site Name: Secureinfotool.com
IP Address: 85.255.118.34

Screenshot of Secureinfotool.com site


The following site is also used by the Zlob toolbar to redirect users to malicious domains.

Site Name: Toolbarset.com
IP Address: 85.255.118.36


All the above mentioned sites advertise well documented Rogue security applications. Stay away from these sites.

Bharath M N