Thursday, July 31, 2008

Power Antivirus 2009

Power Antivirus 2009 is a new rogue security application. It is a near clone of the Win Antivir 2008 / Win Antivirus 2008 rogue security applications.

Heads up to Jason for the information.

Site Name: Power-antivirus-2009.com
IP Address: 91.208.0.233

Screenshot of Power Antivirus 2009 site

Screenshot of Scare/Fake scanner page used by Power Antivirus 2009

Screenshot of Power Antivirus 2009 application


Stay away from this site.

Bharath M N

Wednesday, July 30, 2008

A list of Malicious sites

Zlob Trojan Distributing site:

Site Name: Releasedvideo.com
IP Address: 77.91.231.201

Site Name: Videoexternal.com
IP Address: 85.255.120.110

Zlob Component sites:
Site Name: Ihatemondayand.com
IP Address: 85.255.117.204

www.Ihatemondayand. com/get.php?partner= -> downloads the Antispycheck rogue security application


WinSpywareProtect rogue distributing sites:

Scare/Fake scanner page:
Site Name: Scan.Wsp2008scanner.com
IP Address: 85.255.119.146

The installer is downloaded from the following site:
Site Name: Dwl.getwsp.com
IP Address: 85.255.118.66

SpyShedder rogue distributing site
Site Name: Shredder-scan.com
IP Address: 91.208.0.243

WinXDefender rogue distributing site
Site Name: Win-x-defenders.com
IP Address: 91.208.0.243

The site Win-x-defender.com also shares the same IP Address.


Win Antivir 2008

Win Antivir 2008 is the latest rogue security application from the SpywareNo/SpySheriff family. It is a near clone of the WinXSecurityCenter rogue security application.

Site Name: Win-antivir-2008.com
IP Address: 91.208.0.234

Screenshot of Win Antivir 2008 site

Screenshot of Scare/Fake scanner page used by Win Antivir 2008

Screenshot of Win Antivir 2008 application


Win Antivirus 2008

Win Antivirus 2008 is a near clone of the Win Antivir 2008 rogue security application.

Site Name: Win-antivirus-2008.com
IP Address: 91.208.0.253

Screenshot of Win Antivirus 2008 application

WinDefender 2008

WinDefender 2008 is a rogue security application.

Site Name: Win-defender.com
IP Address: 207.226.179.162

Screenshot of Scare/Fake scanner page used by WinDefender 2008

Screenshot of WinDefender 2008 application


The following sites are involved in this scam:

Site Name: Trafficrotator.net
IP Address: 207.226.179.165

Reference: Trafficrotator. net/MTAwNg== (the path is base64 for "1006"), which then redirects to one of the following scare/fake scanner sites:

Site Name: Internetscannerlive.com
Site Name: Netscannerlive.com
Site Name: Webscanneronline.com
IP Address: 207.226.179.163

The following sites are also involved in distributing the WinDefender 2008 rogue security application:

Site Name: Dns-problem.com
IP Address: 207.226.179.147

The Dns-problem. com site is a fake DNS error page which redirects to the WinDefender 2008 registration page. Thanks to Malekal for posting it.

Site Name: Registerwindefender.com
IP Address: 207.226.179.148

Stay away from all these sites.

Bharath M N
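The entries in these posts are all "Site Name: / IP Address:" pairs, and the observation above that Win-x-defender.com shares an address with Win-x-defenders.com is the useful pivot: the same handful of /24 blocks (91.208.0.x, 85.255.x, 207.226.179.x) keep reappearing. The following script is an added example, not code from the original blog; it parses a listing in the post's own format (the sample is a constructed excerpt of the entries above, not the full set), groups the domains by /24 so shared hosting stands out, and emits sinkhole-style hosts entries for a block list. Note that several "Site Name:" lines can precede a single "IP Address:" line, as in the scanner-site group above, and the parser handles that.

```python
"""Parse the post's Site Name / IP Address listing, pivot on shared /24s,
and emit a hosts-file block list.  Added example; the sample data is a
constructed excerpt of the entries in the post."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the post's own listing format (not the full set).
SAMPLE_LISTING = """\
Site Name: Power-antivirus-2009.com
IP Address: 91.208.0.233
Site Name: Shredder-scan.com
IP Address: 91.208.0.243
Site Name: Win-x-defenders.com
IP Address: 91.208.0.243
Site Name: Win-antivir-2008.com
IP Address: 91.208.0.234
Site Name: Internetscannerlive.com
Site Name: Netscannerlive.com
Site Name: Webscanneronline.com
IP Address: 207.226.179.163
Site Name: Win-defender.com
IP Address: 207.226.179.162
"""

SITE_RE = re.compile(r"^\s*Site Name:\s*(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"^\s*IP Address:\s*(\d{1,3}(?:\.\d{1,3}){3})", re.IGNORECASE)


def parse_listing(text):
    """Return (domain, ip) pairs.  Several 'Site Name:' lines may share one
    following 'IP Address:' line, so domains are queued until an address
    arrives; domains with no address are dropped."""
    pairs = []
    pending = []
    for line in text.splitlines():
        m = SITE_RE.match(line)
        if m:
            pending.append(m.group(1).lower().rstrip("."))
            continue
        m = IP_RE.match(line)
        if m:
            ip = str(ipaddress.ip_address(m.group(1)))  # rejects bad octets
            pairs.extend((domain, ip) for domain in pending)
            pending = []
    return pairs


def group_by_network(pairs, prefix=24):
    """Pivot: which listed domains sit in the same /prefix block."""
    nets = defaultdict(set)
    for domain, ip in pairs:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        nets[str(net)].add(domain)
    return dict(nets)


def hosts_blocklist(pairs):
    """Sinkhole-style hosts entries, bare and www. forms, sorted and deduped."""
    lines = set()
    for domain, _ in pairs:
        lines.add(f"0.0.0.0 {domain}")
        if not domain.startswith("www."):
            lines.add(f"0.0.0.0 www.{domain}")
    return "\n".join(sorted(lines)) + "\n"


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    for net, domains in sorted(group_by_network(entries).items()):
        print(net, sorted(domains))
    print(hosts_blocklist(entries), end="")
```

Feeding the whole page through `parse_listing` gives a block list; the /24 grouping is the part worth looking at before deploying it, since a new domain landing in one of these blocks is a reasonable early signal even before its content has been reviewed.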

Sunday, July 27, 2008

TheSpyBot Promo site

The site mentioned below is a promo site advertising the TheSpyBot rogue security application from the SpywareNo/SpySheriff family.

Site Name: TheSpyBotpromo.com
IP Address: 207.176.7.6
Registrar: ESTDOMAINS, INC.

Screenshot of Fake/Scare scan pages used by TheSpyBot application




You may have noticed "TheSpyBot ActiveScan with TruPrevent" in one of the scare/fake scanner page screenshots. The scammers are trading on the TruPrevent name, which is developed by Panda Security. Note also that both the SpyWatchE and TheSpyBot names appear on the same scanner page.

ScreenShot of TheSpyBot Application


Stay away from this site.

Bharath M N

Wednesday, July 23, 2008

Malware distributing sites


Trojan-Downloader Distributing sites

Site Name: Iwillseethatvideo.com
IP Address: 91.203.92.53

The Trojan installs the following malicious BHO (HijackThis O2 entry):

O2 - BHO: BHO.ext2 - {401F4B6B-3C36-4E8D-BC07-F46FC6D67D9A} - C:\WINDOWS\system32\ieflt.dll

Site Name: Comeforvidsoft.com
IP Address: 91.203.92.53

The Trojan installs the following malicious BHO (HijackThis O2 entry):

O2 - BHO: search toolbar - {7D76D0EB-AE56-4DF4-AFFC-20AFF4344AC6} - C:\WINDOWS\system32\tbsrch.dll

These sites belong to the IE-defender family, and the BHO is used to push IE-Antivirus, a well-documented rogue security application.

MediaTubeCodec Trojan Distributing site:

Site Name: Best-soft-maxi.com
Site Name: Best-freeware2008.com
Site Name: Soft2008freeware.com
IP Address: 91.203.70.18

Stay away from these sites.

Bharath M N

Zlob sites update

Zlob Trojan Distributing site:
Site Name: Formatmpeg.com
IP Address: 77.91.231.183

Site Name: Mpegstandard.com
IP Address: 85.255.120.108

Scam Internet Security Page:
Site Name: Otherhomepage.com
IP Address: 85.255.116.212

404Errorpage Scam:
Site Name: Adnsline.com
IP Address: 85.255.118.242

Security Guide Scam Page:
Site Name: Secureshortcuts.com
IP Address: 85.255.118.37

This page uses the following scare/fake scanner pages to promote rogue security applications:

Windows-virus-scanner.com -> a fake scanner promoting the Antivirus 2009 rogue security application
Online-xpcleaner.com -> a fake scanner promoting XP Cleaner, a bogus/rogue cleaner

Ad-Server-Gate Pages:
Site Name: Asgates.com
IP Address: 85.255.118.214

Site Name: Qwgates.com
IP Address: 85.255.118.212

The Ad-Server-Gate pages redirect to the fake security center site Allsecurenews.com, which promotes rogue security applications.

Site Name: Allsecurenews.com
IP Address: 85.255.118.213

Other component sites

Site Name: Browseroption.com
IP Address: 216.255.179.244

http://www.Browseroption(dot)com/redirect.php -> redirects to scan.wspscanner.com, a fake/scare scan page used to push the WinSpywareProtect rogue security application.

All the above mentioned sites advertise/push well documented Rogue security applications. Stay away from these sites.

Bharath M N

Antivirus Master

Antivirus Master is a new rogue security application. It is a clone of the Vista Antivirus 2008 rogue security application.

Site Name: Anvimaster.com
IP address: 91.208.0.240

Screenshot of Antivirus Master website

The scammers even forgot to replace the Vista Antivirus 2008 logo.

Site Name: Anvi-scanner.com
IP address: 91.208.0.252

Screenshot of Scare/fake scanner pages used by Antivirus Master

Screenshot of the Antivirus Master application

The scammers used the same scare/fake pages to promote Vista Antivirus 2008.

Here is the list of such sites:

Site Name: Vav-scan.com
Site Name: Vav-scanner.com
Site Name: Vavscan.com
Site Name: Vav-xscanner.com
Site Name: Vav-x-scanner.com

Vitae Antivirus 2008 is also a clone of the same rogue.

Site Name: Vit-scanner.com
Site Name: Vit-xscanner.com
Site Name: Vit-x-scanner.com

Screenshot of Scare/fake scanner pages used by Vitae Antivirus 2008

Screenshot of the Vitae Antivirus 2008 application


Stay away from all these sites.

Bharath M N

Thursday, July 17, 2008

Malware distributing sites

Zlob Trojan Distributing site:

Site Name: Movieexternal.com
IP Address: 77.91.231.201

Site Name: Licensingvideo.com
IP Address: 85.255.120.107

DNS Changer Trojan Distributing site:

Site Name: Uinticket.com
IP Address: 64.28.184.181

Site Name: Uinticket.net
IP Address: 64.28.184.182

Trojan-Downloader Distributing sites

Site Name: Veryhodownload.com
IP Address: 58.65.238.34

The Trojan installs the following malicious BHO (HijackThis O2 entry):

O2 - BHO: BHO.Filter - {4AD3A71E-8ED4-40F5-9A81-69245BDCBB75} - C:\WINDOWS\system32\inte_f.dll

These sites belong to the IE-defender family, and the BHO is used to push IE-Antivirus, a well-documented rogue security application. The Trojan is currently distributing IE-Antivirus 3.3.

These are the new sites the rogue security application is using for its dirty work:

Site Name: Ie-antivirus-order.com
IP Address: 89.149.208.179

Site Name: Getieantivirus.com
IP Address: 58.65.238.34
Ref: Getieantivirus. com/ie-av.exe

MediaTubeCodec Trojan Distributing site:

Site Name: Maxibestsoft.com
IP Address: 91.203.70.18

Stay away from all these sites.

Bharath M N

WinSpywareProtect

WinSpywareProtect is currently the most aggressively advertised rogue security application. It is Zlob-vertised, spamvertised, malvertised: name a distribution channel and you will find an example of it.


Edgar recently posted a screenshot of the scare/fake scanner page used by WinSpywareProtect.


The scammers are mimicking Google's malware warning page to advertise WinSpywareProtect.

Reference links:
Site Name: Winspywareprotectscan.com
Ref: Scan .winspywareprotectscan .com/267/507/?q=

Download links:
Site name: Dwl.Wspdownload.com
Ref: Dwl. wspdownload. com/load/setup_267_507_.exe


Be aware of this scam and stay away from these sites.

Bharath M N

Saturday, July 12, 2008

Zlob sites update

Scam Internet Security Page:
Site Name: Safepageplace.com
IP Address: 85.255.116.210

404Errorpage Scam:
Site Name: Serverserror.com
IP Address: 85.255.118.246

Security Guide Scam Page:
Site Name: Websecurelinks.com
IP Address: 85.255.118.210

Reference pages:
www.Websecurelinks(dot)com/soft/?c=05333
www.Websecurelinks(dot)com/test/?c=05434

These links redirect users to various scare/fake scanner pages. The new scare scan site in the list is:

Scare/Fake scanner page:
Site Name: Winspywareprotectscan.com

Ad-Server-Gate Pages:
Site Name: Gatelp.com
IP Address: 85.255.118.212

Site Name: Gatecd.com
IP Address: 85.255.118.213

Reference links:
Gatelp(dot)com/gatevc.php?pn=srch0p1total7s2&c=441041
Gatecd(dot)com/gatevc.php?id=dw01


The Ad-Server-Gate pages redirect to the fake security center site Securewarn.com, which promotes rogue security applications.

Site Name: Securewarn.com
IP Address: 85.255.118.35
Reference links:
Securewarn(dot)com/v6/01-sad42k/

Other component sites:

Site Name: Ietoolsite.com
IP Address: 216.255.179.244

Ietoolsite(dot)com/redirect.php -> redirects to scan.wspscanner.com, a fake/scare scan page used to push the WinSpywareProtect rogue security application.

The following site is used by the Zlob toolbar to redirect users to malicious domains distributing rogue security applications.

Site Name: Caretoolbar.com
IP Address: 85.255.118.38

All the above mentioned sites advertise/push well documented Rogue security applications. Stay away from these sites.

Bharath M N

Wednesday, July 9, 2008

Update on Trojan-Downloader-CodecPack Distributing sites

A while ago I wrote about a Trojan-Downloader-CodecPack distributing site; here are some facts about this Trojan and the sites involved in the campaign.

The following porn site lures users into downloading and installing a supposedly missing "Video ActiveX object" to view porn online.

Site Name: Just-tube.com
IP Address: 74.50.117.84

The Trojan is then downloaded from the following site:

Site Name: Codecupgrade.com
IP Address: 74.50.117.84

The following crack site, sharing the same IP, also delivers a similar Trojan:

Site Name: Best-cracks.com
IP Address: 74.50.117.84

The following sites also share the same IP:

Updatehost.com -> malware call-home site

Once the Trojan is installed it displays the following balloon message:

When the balloon message is clicked, the Trojan uses the following site to advertise rogue security applications:

Site Name: Stopbadware2008.com
IP Address: 74.50.117.84

Screenshot of the Stopbadware2008.com home page


Some of the links used in this campaign:
Stopbadware2008(dot)com/0/baloon.php
Stopbadware2008(dot)com/0/c1.php
Stopbadware2008(dot)com/0/c2.php

The Trojan redirects users to "Antivirus 2008", "WinSpywareProtect" or "Antivirus 2009" scare/fake scanner pages.

Antivirus 2008 rogue distributing sites:

Antivirus-scanner.com
Antivirus-scanonline.com
Infectionscanner.com
Topvirusscan.com
Topantivirus-scan.com
Virus-scanonline.com
Virusbestscan.com
Virusbestscanner.com

WinSpywareProtect rogue distributing sites:

Wspscanner.com
Winspywareprotectdl.com
Winantivirus2008.org
Surf-scanner.com
Scanner-tool.com

Antivirus 2009 rogue distributing sites:

Antivirus2009-freescan.com
Virus-webscanner.com
Virus9-webscanner.com
Windows-scanner.com

All these sites should go on your block list; stay away from them.

Bharath M N

Trojan distributing sites

Zlob Trojan Distributing site:

Site Name: Flwtool.com
IP Address: 77.91.231.183

Site Name: Flwapplication.com
IP Address: 85.255.120.107

DNS Changer Trojan Distributing site:

Site Name: Gigaticket.net
IP Address: 64.28.184.180

Trojan-Downloader Distributing sites

Site Name: Tmptmpservvv.com
IP Address: 58.65.238.34

The Trojan installs the following malicious BHO (HijackThis O2 entry):

O2 - BHO: EpsonToolBandKicker Class - {87FD33C2-7891-45D5-ACD1-7935F9AEA26B} - C:\WINDOWS\system32\epsondrv.dll

Site Name: Opaadownload.com
IP Address: 193.164.132.208

The Trojan installs the following malicious BHO (HijackThis O2 entry):

O2 - BHO: IESiteBlocker.NavFilter - {1AB6932F-92FE-42E6-870C-544AE458EA78} - C:\WINDOWS\system32\nvfilter.dll

Site Name: Getvcodenow.com
IP Address: 193.164.132.208

The Trojan installs the following malicious BHO (HijackThis O2 entry):

O2 - BHO: IE.Filter - {8B2AE9C0-1555-4C92-905A-531532F15698} - C:\WINDOWS\system32\iefltr.dll

These sites belong to the IE-defender family, and the BHO is used to push IE-Antivirus, a well-documented rogue security application. For more information on malicious BHOs visit CastleCops.

MediaTubeCodec Trojan Distributing site:

Site Name: Bestsoftware.cc
Site Name: Best-soft08.com
IP Address: 91.203.70.18

Trojan-Downloader-CodecPack Distributing site:

Site Name: Codecupgrade.com
IP Address: 74.50.117.84

All these sites are actively distributing Trojans. Stay away from them.

Bharath M N

Sunday, July 6, 2008

List of new Rogue security applications

Last week was a busy week for the scammers: a lot of malicious sites were discovered distributing new rogue security applications. After numerous flavours of rogue antivirus applications, it is now the turn of rogue antispyware to loot money from users.

WinAntiSpyware 2008

WinAntiSpyware 2008 is a rogue antispyware application and a near clone of the Winreanimator rogue antispyware application. Malwarebytes has reported this rogue here. The group calls itself "WinTechProtection LTD".

Site Name: WinAntiSpyware2008.com
IP Address: 206.161.126.40

Screenshot of WinAntiSpyware 2008 application

Additionally, the following malicious sites share the same IP address [206.161.126.40]:

Site Name: Antispywarexp2008.com
Site Name: Winantimalware.com
Site Name: Winreanimator.com
Site Name: Xpantispyware.com
Site Name: Xpcleaner2008.com
Site Name: Xpdefender2008.com
Site Name: Xpguard2008.com
Site Name: Xpsecuritycenter.com

Antispyware 2008

Antispyware 2008 is a rogue antispyware application. It was already reported by Flash and Edgar a couple of days earlier.

Screenshot of Antispyware 2008 application

The following sites are used by the rogue to do its dirty work:

Site Name: Antispyware2008.org
Site Name: Antispyware2008a.com
Site Name: Anti-spy-ware-2008.com
Site Name: Antispyware2008y.com
Site Name: Antispyware2008.name
Site Name: Antispyware-2008-download.com
Site Name: Antispyware-2008-download.info
Site Name: Antispyware-2008-download.net
Site Name: Antispyware-2008-download.org
Site Name: Antispyware-2008-download.name
Site Name: Antispyware-2008.info
Site Name: Antispyware-2008.org
Site Name: Antispyware-2008.name
Site Name: Antispyware2008-download.com
Site Name: Antispyware2008-download.info
Site Name: Antispyware2008-download.net
Site Name: Antispyware2008-download.org
Site Name: Antispyware2008-download.name


PC Antispy and PC Clean Pro


PC Antispy is a rogue antispyware application and a clone of the PC-Antispyware rogue antispyware application. Malwarebytes has reported this rogue here.

Site Name: Pc-antispy.com
IP Address: 74.52.32.66

Screenshot of PC Antispy application

PC Clean Pro is a rogue security application and a near clone of Pc-Cleaner. Malwarebytes has reported this rogue here.

Site Name: Pc-cleanpro.com
IP Address: 74.52.32.67

Screenshot of PC Clean Pro application


Detection of these rogues is still poor. Stay away from all these sites.

Bharath M N

Saturday, July 5, 2008

Wista Antivirus

Wista Antivirus is the latest rogue security application seen in the wild.

Site Name: Wista-Antivirus.com
IP Address: 85.255.118.107

Screenshot of Wista Antivirus web site

Site Name: WistaScanner.com
IP Address: 85.255.118.109

Screenshot of scare/fake scan page used by Wista Antivirus

Screenshot of Wista Antivirus application


Detection of this rogue is poor; stay away from this rogue security application.

Bharath M N

Friday, July 4, 2008

Malicious sites

Trojan distributing sites:

Zlob Trojan Distributing site:
Site Name: Aviutility.com
IP Address: 85.255.117.245

DNS Changer Trojan Distributing site:
Site Name: Megazticket.net
IP Address: 64.28.184.179

Trojan-Downloader Distributing sites
Site Name: Getvideoc.com
IP Address: 77.92.88.22

The Trojan installs the following malicious BHO (HijackThis O2 entry):

O2 - BHO: AVG Safe Search - {1C1B8A44-61FE-411E-8F33-813A4E2E2984} - C:\WINDOWS\system32\avgsafe.dll


The BHO nags the user into downloading IE-Antivirus, a well-documented rogue security application. The Trojan uses a random name for the dll file, usually in the format a%safe.dll (where % stands for a varying string).
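The O2 lines quoted in this post and in the July 23, July 17 and July 9 entries are HijackThis output: "O2 - BHO: <name> - {CLSID} - <dll path>". Two things in them are worth automating when triaging a log: the CLSIDs already tied to the IE-defender family, and the randomised a%safe.dll naming noted above, which a fixed CLSID list will miss. The following script is an added example, not code from the original blog. The CLSID set is copied from the entries in these posts; the sample log is constructed, and the three zero-filled CLSIDs in it are placeholders, not real registrations. The `reg query` commands it prints target the standard BHO registration key and the CLSID's InprocServer32 value, which is where the dll path is recorded on the host.

```python
"""Triage HijackThis O2 (BHO) lines against the CLSIDs and the a%safe.dll
naming pattern quoted in these posts.  Added example; sample log constructed."""
import re

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)

# CLSIDs quoted in the IE-defender / IE-Antivirus entries of these posts.
KNOWN_BAD_CLSIDS = frozenset(c.upper() for c in [
    "{401F4B6B-3C36-4E8D-BC07-F46FC6D67D9A}",  # ieflt.dll
    "{7D76D0EB-AE56-4DF4-AFFC-20AFF4344AC6}",  # tbsrch.dll
    "{4AD3A71E-8ED4-40F5-9A81-69245BDCBB75}",  # inte_f.dll
    "{87FD33C2-7891-45D5-ACD1-7935F9AEA26B}",  # epsondrv.dll
    "{1AB6932F-92FE-42E6-870C-544AE458EA78}",  # nvfilter.dll
    "{8B2AE9C0-1555-4C92-905A-531532F15698}",  # iefltr.dll
    "{1C1B8A44-61FE-411E-8F33-813A4E2E2984}",  # avgsafe.dll
])

# The post notes the dll name is randomised "in the format a%safe.dll".
RANDOM_SAFE_DLL = re.compile(r"^a\w*safe\.dll$", re.IGNORECASE)

# Constructed sample log.  The zero-filled CLSIDs are placeholders.
SAMPLE_LOG = r"""
O2 - BHO: AVG Safe Search - {1C1B8A44-61FE-411E-8F33-813A4E2E2984} - C:\WINDOWS\system32\avgsafe.dll
O2 - BHO: IE.Filter - {8B2AE9C0-1555-4C92-905A-531532F15698} - C:\WINDOWS\system32\iefltr.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O2 - BHO: Safe Browse - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\system32\a7safe.dll
O3 - Toolbar: Example Bar - {00000000-0000-0000-0000-000000000003} - C:\Program Files\Example\bar.dll
"""


def parse_o2(line):
    """Split a HijackThis O2 line into name, CLSID, path and dll; None if not O2."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["clsid"] = entry["clsid"].upper()
    entry["dll"] = entry["path"].rsplit("\\", 1)[-1].lower()
    return entry


def triage(log_text):
    """Return (clsid, dll, reason) for every O2 entry worth pulling for analysis."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o2(line)
        if entry is None:
            continue
        if entry["clsid"] in KNOWN_BAD_CLSIDS:
            hits.append((entry["clsid"], entry["dll"], "CLSID listed in these posts"))
        elif RANDOM_SAFE_DLL.match(entry["dll"]) and "system32" in entry["path"].lower():
            hits.append((entry["clsid"], entry["dll"], "a%safe.dll naming pattern in system32"))
    return hits


def registry_checks(clsid):
    """Commands to run on the infected host to confirm the BHO registration
    and the dll it maps to (standard BHO and COM registration points)."""
    bho_key = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    return [
        f'reg query "{bho_key}\\{clsid}"',
        f'reg query "HKCR\\CLSID\\{clsid}\\InprocServer32" /ve',
    ]


if __name__ == "__main__":
    for clsid, dll, reason in triage(SAMPLE_LOG):
        print(f"{clsid}  {dll}  <- {reason}")
        for cmd in registry_checks(clsid):
            print("   ", cmd)
```

The CLSID match is the cheap, exact check; the name-pattern branch is the one that catches a fresh build of the same family after the scammers rotate identifiers, at the cost of needing a human look at each hit before the dll is deleted.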

MediaTubeCodec Trojan Distributing site:
Site Name: Bestsoft-ware08.com
IP Address: 91.203.70.18

The Trojan further changes the desktop background to the following fake warning message and also silently installs the "Antivirus2008PRO" rogue security application.

Reference links:
77.91.227.179/bingo/Antivirus2008PRO.exe


Rogue/Fake scanner pages:

Totalantivirus

Totalantivirus is yet another clone of the current rogue Antivirus series.

Site Name: Totalantivirusonline.com
IP Address: 72.233.81.107

Screenshot of Totalantivirus application

Some new sites associated with this rogue series:
Site Name: XP-Registration.com
IP Address: 209.67.214.194

Site Name: XPonlinescanner9.com
Reference links:
xponlinescanner9(dot)com/2009/3/_freescan.php?aid=77011813

Stay away from all these sites.

Bharath M N