Monday, June 30, 2008

Zlob sites update

Zlob Trojan Distributing site:
Site Name: Wmvcompressor.com
IP Address: 77.91.231.201

Site Name: Mpegsystem.com
IP Address: 85.255.120.108

Scam Internet Security Page:
Site Name: Safebrowsenow.com
IP Address: 85.255.116.214

404Errorpage Scam:
Site Name: Dnsfails.com
IP Address: 85.255.118.242

Security Guide Scam Page:
Site Name: Securefreelinks.com
IP Address: 85.255.118.36

Reference pages:
www.Securefreelinks(dot)com/soft/?c=05333
www.Securefreelinks(dot)com/test/?c=05434

These links redirect users to various scare/fake scanner pages. The new scare scan site in the list is:

Scare/Fake scanner page:
Site Name: Virus-webscanner.com
IP Address: 89.149.197.240

Ad-Server-Gate Pages:
Site Name: Gatefb.com
IP Address: 85.255.118.35

Site Name: Gatedv.com
IP Address: 85.255.118.38

Site Name: Gatefr.com
IP Address: 85.255.118.212

Site Name: Gateht.com
IP Address: 85.255.118.211

Reference links:
Gatefb(dot)com/gatevc.php?pn=srch0p1total7s2&c=841041
Gateht(dot)com/gatevc.php?pn=srch0p1total7s2&c=841041
Gatedv(dot)com/gatevc.php?id=icn02
Gatefr(dot)com/gatevc.php?id=icn02

The Ad-Server-Gate pages redirect to the fake Security Center site Howtoprotectpc.com, which promotes rogue security applications.

Site Name: Howtoprotectpc.com
IP Address: 85.255.118.211

howtoprotectpc(dot)com/v6/01-sad42k/

Other component sites

Site Name: Gateforietool.com
IP Address: 16.255.179.243

www.gateforietool(dot)com/redirect.php -> redirects to scan.wspscanner.com, which is a fake/scare scan page used to push the WinSpywareProtect rogue security application.

All the above-mentioned sites advertise or push well-documented rogue security applications. Stay away from these sites.

Bharath M N

Centod

Centod Anti-Spyware 2008 is a new rogue security application. The website used by the rogue is an exact copy of the Zinaps rogue security application's website.

Screenshot of Centod website

Site Name: Centod.com
IP Address: 216.150.79.76

Two more rogue security applications line up in the same IP range:

Site Name: Zinaps.com
IP Address: 216.150.79.75

Site Name: Awola.com
IP Address: 216.150.79.74

At the time I checked, the download available on the site installed the Awola rogue security application. Below is the screenshot of the application available on the Centod website.

The site has not yet been reported for active malware distribution, but it is better to stay away from it.

Bharath M N

Sunday, June 29, 2008

Antivirus XP 2008

Antivirus XP 2008 is a new rogue security application from Pandora Software group. The application is a clone of WinIFixer rogue security application.

Antivirus XP 2008 claims to be a powerful mix of Anti-Malware, Anti-Virus, Anti-Trojan, Anti-Backdoor, Anti-Worm and Anti-PornoDial in one program; it is surely a powerful mix of tricks aimed at your money.

Sites involved:

Site Name: AntivirusXP08.com
IP Address: 85.255.120.115

Site Name: Antivirusxp2008.com
IP Address: 69.50.160.212

Screenshot of Antivirus XP 2008 website

Screenshot of Scare/fake scanner page used by Antivirus XP 2008

Screenshot of Antivirus XP 2008 Application

As usual, Sunbelt detects this application as rogue, but overall detection of the application is still poor.

[Update]

The following sites are also involved in this scam.

Site Name: Avxp08.com
Site Name: Avxp2008.com
Site Name: Antivirxp08.com
Stay away from these sites.

Bharath M N

Saturday, June 28, 2008

Antivirus 2009

Thanks to TeMerc for the heads up.

"Antivirus 2009" / "Antivirus 2009 Professional" is yet another rogue security application. The application is a near clone of the "Antivirus 2008" series of Rogue security applications.

Sites involved in this scam:

Site Name: Antivirus-2009.com
IP Address: 72.233.81.106

Site Name: Antivirus2009-Scanner.com
IP Address: 89.149.202.115

Site Name: Antivirus-Database.com
IP Address: 72.233.81.106

Site Name: Antivirus2009Professional.com
IP Address: 72.233.81.106

Screenshot of Antivirus 2009 website

Screenshot of Scare/fake scan page used by Antivirus 2009

Screenshot of Antivirus 2009 application


Stay away from all these sites.

Bharath M N

Spyware Scanner 2008

Spyware Scanner 2008 is a clone of the SpywareIsolator rogue security application.

Sites involved in promoting this scam are:

Site Name: Waytoprotect.com
IP Address: 72.233.62.21

Site Name: Spywareisoscanner.com
IP Address: 72.233.62.18

Site Name: Spywareisodownload.com
IP Address: 72.233.62.19

Screenshot of Spyware Scanner 2008 website

Screenshot of Scare/Fake scan pages used by Spyware Scanner 2008

Screenshot of Spyware Scanner 2008 application

Here is the flow of the scam:

Waytoprotect.com redirects users to a scare/fake scanner page on the Spywareisoscanner.com site, which in turn lures users into downloading the rogue installer from the Spywareisodownload.com website.

Reference Links:

Waytoprotect.com/spywarescanner/
Spywareisoscanner.com/landing/newscan.php?wmid=
Spywareisodownload.com/download.php?wmid=

Stay away from these sites.

Bharath M N

Friday, June 27, 2008

Doctor Antivirus 2008

Doctor Antivirus 2008 is yet another clone of Antivirus 2008 series rogue security application.

Site Name: DoctorAntivirus2008a.com
Site Name: Doctor-Antivirus.com
IP Address: 88.214.198.120

Screenshot of Doctor Antivirus 2008 website

Screenshot of Scare/Fake scan page used by Doctor Antivirus 2008

Screenshot of Doctor Antivirus 2008 application


The installer file was scanned at VirusTotal and only one scanner picked up the file as suspicious:

eSafe 7.0.17.0 2008.06.26 Suspicious File

Stay away from these sites.

Bharath M N

WinXSecurityCenter

WinXSecurityCenter is the latest rogue security application from the SpywareNo/SpySheriff family. It is a successor of the Winxprotector rogue security application.

Site Name: WinXSecurityCenter.com
IP Address: 92.241.171.27

Screenshot of WinXSecurityCenter.com site

Screenshot of WinXSecurityCenter application

Only a handful of scanners detect this rogue, and it is better to keep away from this site.

Bharath M N

List of Malicious Sites

Zlob Trojan Distributing site:

Site Name: Flwview.com
IP Address: 85.255.120.106

Site Name: Mpegapparatus.com
IP Address: 77.91.231.183

Site associated with Zlob trojan:

Site Name: Dwnldietool.com
IP Address: 216.255.179.242

The site is used to redirect users to the latest fake/scare scan pages to trick them into purchasing rogue security applications.

Reference links:
www.dwnldietool(dot)com/redirect.php

DNS Changer Trojan Distributing sites:

Site Name: Stormticket.com
IP Address: 64.28.184.177

Site Name: Megazticket.com
IP Address: 64.28.184.178

Trojan.FakeAlert Distributing sites:

Site Name: Softwareinfodl.com
IP Address: 77.92.88.15

All these sites are serving Trojans; stay away from them.

Bharath M N

Thursday, June 26, 2008

PestSweeper

PestSweeper is yet another rogue security application from Innovagest2000 SL / Pandora Software.

Site Name: PestSweeper.com
IP Address: 66.232.126.159

Screenshot of the PestSweeper website

Screenshot of PestSweeper application

Sunbelt detects this application as rogue, but overall detection of the application is poor. Stay away from the site.

Bharath M N

Monday, June 23, 2008

More Scam Sites

The following is a list of malicious sites that host Trojans:

Site Name: Downloaditrightnow.com
Site Name: Ilovethatdownload.com
Site Name: Gogodownnn.com
IP Address: 77.92.88.15

The Trojan downloaded from these sites installs a malicious BHO (Browser Helper Object) which displays the following scam error messages:

These error messages then take the user to the following fake/scare scan pages:


Site Name: Free-viruscan.com
IP Address: 58.65.238.34

Site Name: Fast-viruscanner.com
IP Address: 89.149.226.22

Finally, it downloads IE-Antivirus, a rogue application from the IE-Defender family.

Site Name: IE-Antivirus.com
Site Name: IEAvdownloadstart.com
IP Address: 77.92.88.80


Site Name: IEAvfreedownload.com
IP Address: 78.129.202.15


Stay safe and don't visit any of these sites.

Bharath M N

Thursday, June 19, 2008

Zlob sites update

Zlob Trojan Distributing site:
Site Name: Movupdate.com
IP Address: 77.91.231.201

Site Name: Flwdirection.com
IP Address: 85.255.120.106

Scam Internet Security Page:
Site Name: Homesecurepage.com
IP Address: 85.255.116.210

404Errorpage Scam:
Site Name: Nopagedns.com
IP Address: 85.255.118.245

Security Guide Scam Page:
Site Name: Warningurls.com
IP Address: 85.255.118.37

Reference pages:
www.Warningurls(dot)com/soft/?c=05333
www.Warningurls(dot)com/test/?c=05434

Ad-Server-Gate Pages:
Site Name: Gatebs.com
IP Address: 85.255.118.37

Site Name: Gatefc.com
IP Address: 85.255.118.214

Reference links:
gatebs(dot)com/gatevc.php?pn=srch0p1total7s2&c=55832
gatefc(dot)com/gatevc.php?id=icn02

The Ad-Server-Gate pages redirect to the fake Security Center site Anysafereviews.com, which promotes rogue security applications.

Site Name: Anysafereviews.com
IP Address: 85.255.118.212

anysafereviews(dot)com/pp/01-byu8kl/

Other component sites

Site Name: Sysmergerer.com
IP Address: 85.255.117.204

http://www.sysmergerer(dot)com/get.php?partner=192 -> downloads the Antispycheck rogue security application

Site Name: Iexplorergate.com
IP Address: 216.255.179.245

Site Name: Wspscanner.com

http://www.iexplorergate(dot)com/redirect.php -> redirects to scan.wspscanner.com, which is a fake/scare scan page used to push the WinSpywareProtect rogue security application.

All the above-mentioned sites advertise or push well-documented rogue security applications. Stay away from these sites.

Bharath M N

Advanced Antivirus

Advanced Antivirus is the latest rogue from the SSH Zlob Trojan family. The application is a clone of the AntiVirus 2008 rogue security application.

Site Name: AAV2008.com
IP address: 216.255.186.252

Screenshot of Advanced Antivirus site

Screenshot of Advanced Antivirus application


Stay away from this site.

Bharath M N

Saturday, June 14, 2008

An Absolute Scam

While I was surfing, suddenly this screen popped up. A NOD32 Antivirus alert?



Well, I was wondering when I had installed NOD32 on my system. Then I remembered that I had seen that screenshot on S!Ri's blog here and recently on Paperghost's blog here.

Further digging revealed that my system was free from infection and the popup that was displayed was actually a webpage.


Screenshot of the popups used by the scammers

Well, here are the website details:

Site Name: Entiremedianet.com
IP Address: 63.219.178.162

The site is involved in distributing well-documented rogue security applications like Pc-Antispyware and Pc-Cleaner.

Here is the list of other sites used in this scam:

Site Name: Antispyware-review.biz
Site Name: Antispyware-reviews.biz
IP Address: 67.19.120.130

Site Name: Pc-Antispyware.com
IP Address: 209.8.45.26

Site Name: Pc-Cleaner.com
IP Address: 209.8.45.18

Reference links:
http://entiremedianet(dot)com/P/s1/
http://entiremedianet(dot)com/P/s2/
http://entiremedianet(dot)com/P/s3/
http://entiremedianet(dot)com/P/s5/

Stay away from all these sites.

Bharath M N

Thursday, June 12, 2008

List of Malicious Sites

Zlob sites update:

Zlob Trojan Distributing site:
Site Name: Aviexecution.com
IP Address: 77.91.231.183

Site Name: Mpegupdate.com
IP Address: 85.255.120.108

Site Name: Flwassistant.com
IP Address: 77.91.231.201

Site Name: Aviinstrument.com
IP Address: 85.255.120.106

Scam Internet Security Page:
Site Name: Dobrowsesecure.com
IP Address: 85.255.116.214

404Errorpage Scam:
Site Name: Errorallhere.com
IP Address: 85.255.118.244

Security Guide Scam Page:
Site Name: Truesafetyrules.com
IP Address: 85.255.118.213

Reference pages:
www.truesafetyrules(dot)com/soft/?c=05333
www.truesafetyrules(dot)com/test/?c=05434

Ad-Server-Gate Pages:
Site Name: Gatezx.com
IP Address: 85.255.118.37

Site Name: Gateiu.com
IP Address: 85.255.118.37

The Ad-Server-Gate pages redirect to the fake Security Center site Securitycenteralerts.com, which promotes rogue security applications.

Site Name: Securitycenteralerts.com
IP Address: 85.255.118.38

Also, the following site is used by the Zlob toolbar to redirect users to malicious domains.

Site Name: Toolbargate.com
IP Address: 85.255.118.35

The Zlob trojan is now pushing Antispycheck, Pest-Patrol and other well documented rogue security applications.

DNS Changer Trojan Distributing sites:

Site Name: Vivaticket.net
IP Address: 64.28.184.175

Site Name: Wotticket.net
IP Address: 64.28.184.176

A list of new scam sites used by old Rogues:

WinSpywareProtect uses the following new sites:

Site Name: Winspywarescanner.com
IP Address: 71.6.202.216

Site Name: Winspywareprotects.com
Site Name: Wspsale.com
IP Address: 85.255.119.26

Reference links:
scan(dot)winspywarescanner.com/227/503
scan(dot)winspywareprotects.com/227/501

MalWarrior uses the following new sites:

Site Name: Malwarrior2008.com
Site Name: Wspdl.com
IP Address: 85.255.119.26

Stay away from all these sites.

Bharath MN

Monday, June 9, 2008

Ultimate Antivirus 2008

Ultimate Antivirus 2008 is yet another rogue from the SSH Zlob Trojan family. The application is a clone of the Windows Antivirus 2008 rogue security application.

Site Name: Uav2008.com
IP address: 77.91.229.98

Screenshot of Ultimate Antivirus 2008 site


Stay away from this site.

Bharath M N

Thursday, June 5, 2008

MalwareProtector2008

MalwareProtector2008 is a new rogue security application from the WinIFixer family of rogue security applications. As usual, this rogue is pushed by fake codecs.

Site Name: MalwareProtector2008.com
IP address: 216.240.139.169

Screenshot of Fake/Scare Scan used by MalwareProtector2008




Stay away from this site.

Bharath M N

Tuesday, June 3, 2008

Vista Antivirus 2008

Vista Antivirus 2008 is yet another rogue from the SSH Zlob Trojan family. The application is a clone of the Windows Antivirus 2008 rogue security application.

Site Name: Vav2008.com
IP address: 77.91.229.98

Screenshot of Vista Antivirus 2008 site


Screenshot of Vista Antivirus 2008 application


Stay away from this site.

Bharath M N

System Antivirus 2008

System Antivirus 2008 is a new rogue from the SSH Zlob Trojan family. The application is a clone of the Windows Antivirus 2008 rogue security application.

Site Name: Sav2008.com
IP address: 77.91.225.234


Screenshot of System Antivirus 2008 site



Screenshot of System Antivirus 2008 application


The following is a list of sites that distribute rogue security applications and share the same IP, 77.91.225.234.


Stay away from all these sites.

Bharath M N

Monday, June 2, 2008

Malicious Domains


DNS Changer Trojan Distributing sites

Site Name: Cleanticket.net
IP Address: 64.28.184.174

Trojan-Downloader Distributing sites

Site Name: Sexysoftwaredom.com
Site Name: Csoftddl.com
IP Address: 78.129.208.105

Stay away from these malicious sites.

Bharath M N