Please follow me on: http://malware-research-experts.blogspot.com
Archive for the ‘Uncategorized’ Category
Malware Research Experts
Posted by Steve Espino on March 27, 2012
Spyware Doctor with AntiVirus 2010 gets 4.5 out of 5 stars from How-to Geek
Posted by Steve Espino on November 6, 2009
PC Tools’ award-winning Spyware Doctor with AntiVirus 2010 has done it again, earning a rating of 4.5 out of 5 stars in a review by How-to Geek.
Spyware Doctor with Antivirus is a top-rated malware, spyware & virus removal utility that detects, removes and protects your PC from thousands of potential spyware, adware, trojans, viruses, keyloggers, spybots and tracking threats. Spyware Doctor’s advanced Intelliguard technology only alerts users on a true spyware and virus detection. Spyware Doctor with Antivirus has the most advanced update feature that continually improves its spyware and virus fighting capabilities on a daily basis. As spyware gets more complex in order to avoid detection, Spyware Doctor responds with new technology to stay one step ahead.
More details here.
Posted in Uncategorized | Tagged: How-to Geek, PC Tools, SDAV, Spyware Doctor, Spyware Doctor with AntiVirus 2010
MaCatte scareware fools users by masquerading as McAfee
Posted by Steve Espino on November 3, 2009

MaCatte Antivirus is a rogue AV that impersonates McAfee scanners in order to scam users. PC Tools Spyware Doctor with Antivirus detects it as RogueAntiSpyware.MaCatte.
This scareware uses a bogus “My Computer” online scan similar to the ones we’ve seen here, here and here.

The online scan can be seen on this url:
hxxp://proscan5.info/25/26-088wLzQzL1EzL==
The downloader served from this URL is time-sensitive and stops working after a period of time: a session ID of some sort is embedded in the executable itself, and once it has expired the downloader simply tells the user to contact MaCatte Antivirus support. This hampers reverse engineers trying to replicate the infection and collect samples for analysis.
The presence of these files and folders indicates infection by this scareware:
C:\Documents and Settings\All Users\Application Data\msca
C:\Documents and Settings\All Users\Application Data\msca\MaCatte.ico
C:\Documents and Settings\All Users\Application Data\msca\mcull.exe
C:\Documents and Settings\All Users\Application Data\msca\msc.exe
C:\Documents and Settings\All Users\Application Data\msca\Viruses.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Media\WPtect.dll
C:\Documents and Settings\All Users\Desktop\MaCatte.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\MaCatte
C:\Documents and Settings\All Users\Start Menu\Programs\MaCatte\MaCatte.lnk
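The list above can be turned into a quick host check. The script below is an added example, not PC Tools’ code: it looks for each indicator under the “All Users” profile (the root directory is a parameter, so it can also be pointed at a mounted evidence image or a test tree) and hashes any file it finds so the sample can be tied to a detection name later.

```python
"""Check a Windows "All Users" profile tree for the MaCatte indicators listed in the post.

Added example, not PC Tools' tooling. Paths are the ones from the post, expressed
relative to C:\\Documents and Settings\\All Users so the root can be overridden.
"""
import hashlib
import os
import sys

# Indicators from the post, relative to the "All Users" profile directory.
MACATTE_IOCS = [
    r"Application Data\msca",
    r"Application Data\msca\MaCatte.ico",
    r"Application Data\msca\mcull.exe",
    r"Application Data\msca\msc.exe",
    r"Application Data\msca\Viruses.dat",
    r"Application Data\Microsoft\Media\WPtect.dll",
    r"Desktop\MaCatte.lnk",
    r"Start Menu\Programs\MaCatte",
    r"Start Menu\Programs\MaCatte\MaCatte.lnk",
]

DEFAULT_ROOT = r"C:\Documents and Settings\All Users"


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large droppers do not land in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_macatte_iocs(root=DEFAULT_ROOT, iocs=MACATTE_IOCS):
    """Return [(relative_ioc, 'dir' | 'file', sha256_or_None)] for indicators present under root."""
    hits = []
    for rel in iocs:
        # Split on the backslash so the check also runs on a non-Windows analysis box
        # against a copied or mounted profile tree.
        full = os.path.join(root, *rel.split("\\"))
        if os.path.isdir(full):
            hits.append((rel, "dir", None))
        elif os.path.isfile(full):
            hits.append((rel, "file", sha256_of(full)))
    return hits


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_ROOT
    found = find_macatte_iocs(root)
    if not found:
        print("no MaCatte indicators under", root)
    for rel, kind, digest in found:
        print(f"{kind:4} {rel}" + (f"  sha256={digest}" if digest else ""))
    # Non-zero exit when anything was found, so the check can gate a scripted triage.
    sys.exit(1 if found else 0)
```

Run it as `python macatte_check.py` on the suspect machine, or pass the path of a mounted image’s “All Users” directory as the first argument. Absence of these paths does not prove a clean system, since the rogue’s file names can change between builds; the hashes of any hits are what to compare against a vendor detection.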
Unsuspecting users are parted from a hefty $99 of their hard-earned money.
Stay away from these rogue apps.
Posted in Uncategorized | Tagged: fake app, fake av, MaCatte, MaCatte Antivirus, macatte.com, McAfee, PC Tools, proscan5.info, rogue app, rogue av, RogueAntiSpyware.MaCatte, scareware, security, Spyware Doctor, Spyware Doctor with AntiVirus
Spyware Doctor with AntiVirus 2010 wins PC Mag Editor’s Choice
Posted by Steve Espino on October 16, 2009
This just in: on 15 October 2009, Spyware Doctor with AntiVirus 2010 won the PC Mag Editor’s Choice award!
The latest Spyware Doctor proved effective in every area of malware removal and blocking. It’s a great product.
The award-winning Spyware Doctor with AntiVirus 2010 can be downloaded here.
Posted in Uncategorized | Tagged: PC Mag Editor's Choice, pctools, Spyware Doctor, Spyware Doctor with AntiVirus 2010
Another Shameless SEO based on Atlanta Flooding
Posted by Steve Espino on September 22, 2009
Users Googling “Atlanta flood pictures” are served yet another SEO-poisoning attack, this time through a possibly compromised legitimate Australian website for restaurants in the famous Bondi area.
Here’s a screenshot of a google search result:

A Fiddler capture shows us the redirections:

So we go from
hxxp://idrb.com/pdf_files/atlanta-flood-pictures.html
>hxxp://06d.ru/t.php
>>hxxp://read-cnn2.com/?pid=207&sid=de9f8f
>>>hxxp://winfixscanner7.com/scan1/?pid=207&engine=pHTyzjTyMzEyOS44Mi4xOTAmdGltZT0xMjUuNgAMPAVN
An installer named Soft_207.exe is then offered for download, which PC Tools Spyware Doctor with Antivirus detects as RogueAntiSpyware.TotalSecurity.
At the moment the PC Tools Malware Research Centre has observed the following domains being used for distribution:
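The hop list above comes from a Fiddler capture whose screenshot is not reproduced here. As an added example (not the post’s or PC Tools’ tooling), the Python below replays such a chain offline: given the captured raw responses keyed by URL, it extracts the next hop from a 3xx Location header, an HTML meta refresh or a JavaScript location assignment, resolves relative targets, and stops on loops or unknown URLs. The sample capture is constructed for illustration: the post does not say which redirect mechanism each real hop used, the final URL’s engine= parameter is omitted, and the URLs are written with a real scheme where the post defangs them as hxxp.

```python
"""Replay a captured redirect chain without a browser.

Added example, not from the post. A chain like the Atlanta-flood one is usually a mix of
HTTP 3xx redirects, <meta http-equiv="refresh"> tags and JavaScript location assignments;
next_hop() pulls the target out of one raw response, follow_chain() walks a capture.
"""
import re
from urllib.parse import urljoin

LOCATION_RE = re.compile(r"^location:\s*(\S+)", re.I | re.M)
META_RE = re.compile(
    r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh[\"']?[^>]*content\s*=\s*[\"']\s*\d+\s*;\s*url\s*=\s*([^\"'>\s]+)",
    re.I,
)
JS_RE = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']",
    re.I,
)


def next_hop(current_url, raw_response):
    """Return the absolute URL this response sends the client to, or None if it is terminal."""
    head, _, body = raw_response.partition("\r\n\r\n")
    status = int(head.split(None, 2)[1]) if head.startswith("HTTP/") else 200
    if 300 <= status < 400:
        m = LOCATION_RE.search(head)
        if m:
            return urljoin(current_url, m.group(1))
    # A 200 can still redirect via markup or script; check the body for both forms.
    for rx in (META_RE, JS_RE):
        m = rx.search(body)
        if m:
            return urljoin(current_url, m.group(1))
    return None


def follow_chain(start_url, responses, max_hops=10):
    """Walk a {url: raw_response} capture from start_url; stops on loops, unknown URLs or max_hops."""
    chain = [start_url]
    url = start_url
    while len(chain) <= max_hops:
        raw = responses.get(url)
        if raw is None:
            break
        nxt = next_hop(url, raw)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
        url = nxt
    return chain


# Constructed sample capture modelled on the chain in the post. Which mechanism each real
# hop used is an assumption; the engine= parameter of the last URL is left out.
SAMPLE_CAPTURE = {
    "http://idrb.com/pdf_files/atlanta-flood-pictures.html":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        "<html><head><meta http-equiv=\"refresh\" content=\"0;url=http://06d.ru/t.php\"></head></html>",
    "http://06d.ru/t.php":
        "HTTP/1.1 302 Found\r\nLocation: http://read-cnn2.com/?pid=207&sid=de9f8f\r\n\r\n",
    "http://read-cnn2.com/?pid=207&sid=de9f8f":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        "<script>window.location='http://winfixscanner7.com/scan1/?pid=207';</script>",
    "http://winfixscanner7.com/scan1/?pid=207":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        "<html><body><a href=\"Soft_207.exe\">download</a></body></html>",
}

if __name__ == "__main__":
    for i, hop in enumerate(follow_chain(next(iter(SAMPLE_CAPTURE)), SAMPLE_CAPTURE)):
        print(">" * i + hop)
```

The loop check matters in practice: SEO kits often bounce a non-target visitor (wrong referer, wrong User-Agent, repeat IP) back to the landing page, and a naive follower would spin until its hop limit. Note also that JavaScript redirects built by string concatenation or obfuscation, like the %temp% script in the codec post below, will not match JS_RE and need a real JS engine or manual deobfuscation.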
winfixscanner7(dot)com
15scanner(dot)com
These domains resolve to the following IP addresses:
89.47.237.55
89.248.174.61
213.163.89.60
But knowing the trend in scareware, there could be heaps more domains being created as we speak.
PC Tools Spyware Doctor with Antivirus protects its users from RogueAntiSpyware.TotalSecurity.
Posted in Uncategorized | Tagged: 06d.ru, 15scanner.com, 213.163.89.60, 89.248.174.61, 89.47.237.55, Atlanta flood pictures, fake alert, fake av, idrb.com, PC Tools, read-cnn2.com, rogue, rogue app, rogue av, RogueAntiSpyware.TotalSecurity, scareware, SEO, Spyware Doctor, Total Security, winfixscanner7.com
Porn site distributes scareware
Posted by Steve Espino on August 27, 2009
Another website has recently been spotted serving malware disguised as a video codec.
This one bills itself as “The Best Nude Celebrity Movie Site”:
hxxp://alyssafan.net/1.html

But in order to watch any video, we would need to download and install their “Certified ActiveX video codec (VAC codec) use to protect content Copyrights”.
The fake codec can be downloaded here:
hxxp://alyssafan.net/Mediacodec_v4.8.exe
One of the components used in this attack is an obfuscated JavaScript file that can be found in the %temp% folder.

This script translates to:

This script downloads:
hxxp://ue4x08f5myqdl.cn/u3.exe
That executable then installs the “Safety Center” scareware:

Beware of fake video codecs!
Posted in Uncategorized | Tagged: alyssafan.net, fake alert, fake app, fake av, fake codec, fake video codec, Mediacodec, porn, rogue app, rogue av, Safety Center, scareware, security, The Best Nude Celebrity Movie Site, ue4x08f5myqdl.cn, video