R3v3rs3e's Blog

Posts Tagged ‘fake alert’

Scareware uses Fake Windows 7 Action Center

Posted by Steve Espino on December 8, 2009

Privacy Center, Privacy Components and Safety Center are some of the aliases used by this family of scareware, which hides under the guise of a fake Windows 7 Action Center.

The scareware installer uses the filename win_protection_update.exe, and once installed the scareware displays fake scan results in an attempt to convince unsuspecting users to buy the fake software.

A lifetime license for this fake app amounts to a hefty $79.95 plus $19.95 for “Premium Support”.

Here are some domains related to distributing this attack:

software-scaner-online.com
scaner-online-malware.biz

PC Tools Spyware Doctor with Antivirus detects this scareware as RogueAntiSpyware.PrivacyCenter.AJ.

Posted in Rogue Apps

Another Shameless SEO based on Atlanta Flooding

Posted by Steve Espino on September 22, 2009

Users Googling “Atlanta flood pictures” are served yet another SEO attack, this time via a possibly compromised legitimate Australian website for restaurants in the famous Bondi area.

Here’s a screenshot of a Google search result:
[Image: atlanta_flood_google]

A Fiddler capture shows us the redirections:
[Image: atlanta_fiddle]

So we go from
hxxp://idrb.com/pdf_files/atlanta-flood-pictures.html
>hxxp://06d.ru/t.php
>>hxxp://read-cnn2.com/?pid=207&sid=de9f8f
>>>hxxp://winfixscanner7.com/scan1/?pid=207&engine=pHTyzjTyMzEyOS44Mi4xOTAmdGltZT0xMjUuNgAMPAVN

An installer named Soft_207.exe will be presented for download, which PC Tools Spyware Doctor with Antivirus aptly detects as RogueAntiSpyware.TotalSecurity.

At the moment, the PC Tools Malware Research Centre has observed the following domains being used for the distribution:
winfixscanner7(dot)com
15scanner(dot)com

These domains resolve to the following IP addresses:
89.47.237.55
89.248.174.61
213.163.89.60

But knowing the trend in scareware, there could be heaps more domains being created as we speak.

PC Tools Spyware Doctor with Antivirus protects its users from RogueAntiSpyware.TotalSecurity.

Posted in Uncategorized

Porn site distributes scareware

Posted by Steve Espino on August 27, 2009

Another website has recently been spotted serving up malware in the guise of fake video codecs.

This one bills itself as “The Best Nude Celebrity Movie Site”:
hxxp://alyssafan.net/1.html

[Image: face_codec]

But in order to watch any video, we would need to download and install their “Certified ActiveX video codec (VAC codec) use to protect content Copyrights”.

The fake codec can be downloaded here:
hxxp://alyssafan.net/Mediacodec_v4.8.exe

One of the components used in this attack is an obfuscated JavaScript file that can be found in the %temp% folder.

[Image: obfuscated]

This script translates to:

[Image: deobfuscated]

This script downloads:
hxxp://ue4x08f5myqdl.cn/u3.exe

Which then gives us the scareware Safety Center:

[Image: safetycenter]

Beware of fake video codecs!

Posted in Uncategorized

Scareware asking for ransom: RogueAntiSpyware.System Security

Posted by Steve Espino on August 21, 2009

[Image: system_security_scan]

Scareware is BIG business. Its authors use heaps of scare tactics to convince unsuspecting users to buy rogue applications. But here’s one that does a bit more than just scaring.

RogueAntiSpyware.System Security terminates almost all running processes, which basically prevents us from using our computers. More importantly, it hinders execution of the tools necessary to investigate the infection and aid in removal of the rogue app.

Back in the day, in order to evade detection and removal, malware writers targeted security-related applications. They kept a blacklist of applications including (but not limited to) the following:

avast.exe
avp.exe
cmd.exe
icesword.exe
kav.exe
regedit.exe
taskmgr.exe

But now they block even the most harmless Windows applications such as calc.exe and notepad.exe. Not every application can be terminated, though, because that would basically mean no Windows, and no Windows means no profit: the bad guys still need basic Windows functionality. This tells us that they have probably stopped using blacklisting and shifted to whitelisting instead, keeping a list of the applications that are allowed to run on the system.

Here is part of the disassembly taken from a sample of RogueAntiSpyware.System Security, showing evidence of whitelisting:

The rogue app takes a snapshot of all the processes in the system:

.rsrc:140B4B4F push edi
.rsrc:140B4B50 push 2
.rsrc:140B4B52 call CreateToolhelp32Snapshot
.rsrc:140B4B57 mov [ebp+hObject], eax
...
.rsrc:140B4B79 push ecx
.rsrc:140B4B7A push eax
.rsrc:140B4B7B mov [ebp+var_64C], 22Ch
.rsrc:140B4B85 call Process32FirstW
...
.rsrc:140B4BAB push [ebp+dwProcessId] ; dwProcessId
.rsrc:140B4BB1 push 0 ; bInheritHandle
.rsrc:140B4BB3 push 1FFFFFh ; dwDesiredAccess
.rsrc:140B4BB8 call ds:OpenProcess

It then terminates the processes not found in the white list:
.rsrc:140B4C00 push 0FFFFFFFFh ; uExitCode
.rsrc:140B4C02 push edi ; hProcess
.rsrc:140B4C03 call ebx ; TerminateProcess

and displays this message as a notification in the system tray:
.rsrc:14039998 aApplicationCan: ; DATA XREF: sub_140B4ADD+16A
.rsrc:14039998 unicode 0,
.rsrc:14039998 unicode 0,
.rsrc:14039998 dw 0Ah
.rsrc:14039998 unicode 0, ,0
.rsrc:14039A5E align 10h
.rsrc:14039A60 aWarning: ; DATA XREF: .rsrc:140104BF
.rsrc:14039A60 ; sub_140B4ADD+1DB ...
.rsrc:14039A60 unicode 0, ,0
.rsrc:14039A72 align 4

[Image: systemsecurity]

It then resumes processing the snapshot created earlier and the cycle continues:
.rsrc:140B4CDF lea eax, [ebp+var_64C]
.rsrc:140B4CE5 push eax
.rsrc:140B4CE6 push [ebp+hObject]
.rsrc:140B4CEC call Process32NextW

Here’s the list of applications that the scareware allows to run:
.rsrc:14046A48 off_14046A48 dd offset aAlg_exe ; DATA XREF: sub_140B49CF+26
.rsrc:14046A48 ; "alg.exe"
.rsrc:14046A4C dd offset aCsrss_exe ; "csrss.exe"
.rsrc:14046A50 dd offset aCtfmon_exe ; "ctfmon.exe"
.rsrc:14046A54 dd offset aExplorer_exe ; "explorer.exe"
.rsrc:14046A58 dd offset aServices_exe ; "services.exe"
.rsrc:14046A5C dd offset aSlsvc_exe ; "slsvc.exe"
.rsrc:14046A60 dd offset aSmss_exe ; "smss.exe"
.rsrc:14046A64 dd offset aSpoolsv_exe ; "spoolsv.exe"
.rsrc:14046A68 dd offset aSvchost_exe ; "svchost.exe"
.rsrc:14046A6C dd offset aSystem ; "system"
.rsrc:14046A70 dd offset aIexplore_exe ; "iexplore.exe"
.rsrc:14046A74 dd offset aLsass_exe ; "lsass.exe"
.rsrc:14046A78 dd offset aLsm_exe ; "lsm.exe"
.rsrc:14046A7C dd offset aNvsvc_exe ; "nvsvc.exe"
.rsrc:14046A80 dd offset aWininit_exe ; "wininit.exe"
.rsrc:14046A84 dd offset aWinlogon_exe ; "winlogon.exe"
.rsrc:14046A88 dd offset aWscntfy_exe ; "wscntfy.exe"
.rsrc:14046A8C dd offset aWuauclt_exe ; "wuauclt.exe"

As we can see, RogueAntiSpyware.System Security is more than just scareware: you won’t be able to use your computer properly unless you buy the rogue app. Sounds more like ransomware to me.

But now that we know it uses whitelisting, we can work around and bypass this technique: rename a copy of each tool we need to run to the name of one of the whitelisted applications, and voilà! That is already one step towards regaining full use of our infected computer.
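To make the whitelist in the listing above usable for triage, here is an added example (my own code, not the author’s or PC Tools’): it parses the IDA-style string table exactly as quoted in this post to recover the allowed image names, then reports which entries of a constructed process listing would survive the rogue’s loop and which would be handed to TerminateProcess. The comparison is on the bare image name, case-insensitively, which is exactly why the rename workaround above works. The process listing is constructed; the whitelist text is the one from the post.

```python
import re
from typing import List, Tuple

# String table copied from the disassembly quoted in this post; it is the
# parser's input here.  The 'dd offset aName ; "name"' lines carry the names.
WHITELIST_LISTING = """\
.rsrc:14046A48 off_14046A48 dd offset aAlg_exe ; DATA XREF: sub_140B49CF+26
.rsrc:14046A48 ; "alg.exe"
.rsrc:14046A4C dd offset aCsrss_exe ; "csrss.exe"
.rsrc:14046A50 dd offset aCtfmon_exe ; "ctfmon.exe"
.rsrc:14046A54 dd offset aExplorer_exe ; "explorer.exe"
.rsrc:14046A58 dd offset aServices_exe ; "services.exe"
.rsrc:14046A5C dd offset aSlsvc_exe ; "slsvc.exe"
.rsrc:14046A60 dd offset aSmss_exe ; "smss.exe"
.rsrc:14046A64 dd offset aSpoolsv_exe ; "spoolsv.exe"
.rsrc:14046A68 dd offset aSvchost_exe ; "svchost.exe"
.rsrc:14046A6C dd offset aSystem ; "system"
.rsrc:14046A70 dd offset aIexplore_exe ; "iexplore.exe"
.rsrc:14046A74 dd offset aLsass_exe ; "lsass.exe"
.rsrc:14046A78 dd offset aLsm_exe ; "lsm.exe"
.rsrc:14046A7C dd offset aNvsvc_exe ; "nvsvc.exe"
.rsrc:14046A80 dd offset aWininit_exe ; "wininit.exe"
.rsrc:14046A84 dd offset aWinlogon_exe ; "winlogon.exe"
.rsrc:14046A88 dd offset aWscntfy_exe ; "wscntfy.exe"
.rsrc:14046A8C dd offset aWuauclt_exe ; "wuauclt.exe"
"""

# Constructed process listing standing in for a Toolhelp32 snapshot; the
# image names are what Process32First/Next would report in szExeFile.
SAMPLE_PROCESSES = [
    "System", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "explorer.exe", "taskmgr.exe",
    "notepad.exe", "procexp.exe", "wuauclt.exe",
]

# A trailing ; "quoted string" is how IDA annotates the offset entries.
QUOTED_NAME = re.compile(r';\s*"([^"]+)"\s*$')


def parse_whitelist(listing: str) -> List[str]:
    """Recover the allowed image names from the IDA-style table, lower-cased."""
    names = []
    for line in listing.splitlines():
        match = QUOTED_NAME.search(line)
        if match:
            names.append(match.group(1).lower())
    return names


def is_allowed(image_name: str, whitelist: List[str]) -> bool:
    """The rogue's decision as the listing shows it: a case-insensitive match
    on the bare image name, with no path, hash or signature check."""
    return image_name.lower() in set(whitelist)


def triage(process_names: List[str], whitelist: List[str]) -> Tuple[List[str], List[str]]:
    """Split a process list into what the rogue leaves alone and what it
    would pass to TerminateProcess."""
    survivors, terminated = [], []
    for name in process_names:
        (survivors if is_allowed(name, whitelist) else terminated).append(name)
    return survivors, terminated


if __name__ == "__main__":
    allowed = parse_whitelist(WHITELIST_LISTING)
    alive, killed = triage(SAMPLE_PROCESSES, allowed)
    print("whitelist entries:", len(allowed))
    print("would survive   :", alive)
    print("would be killed :", killed)
    # The rename workaround from the post: a copy of taskmgr.exe saved as
    # wuauclt.exe matches on name alone, so the rogue leaves it running.
    print("renamed tool survives:", is_allowed("wuauclt.exe", allowed))
```

Two things worth noting for detection rather than removal: the 1FFFFFh pushed as dwDesiredAccess in the OpenProcess call above is PROCESS_ALL_ACCESS, and the pattern of CreateToolhelp32Snapshot followed by OpenProcess with full access and TerminateProcess inside a Process32NextW loop is the behaviour to look for in a sandbox trace, regardless of which names happen to be on the whitelist.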

We have previously discussed RogueAntiSpyware.System Security being linked to Net-Worm.Koobface and a fake Facebook website in an earlier post.

PC Tools Spyware Doctor with Antivirus detects and removes RogueAntiSpyware.System Security.

Posted in Malicious Intent, Rogue Apps

Rogue AV Clone: Windows Protection Suite

Posted by Steve Espino on August 20, 2009

[Image: WindowsProtectionSuite-site]

Another scareware has been spotted and it calls itself Windows Protection Suite.

You can get Windows Protection Suite from one of these URLs:

hxxp://searchscanner.net/?p=WKmimHVlbXCHjsbIo22EfYCIt1POo22YXZmK0qR0qay9sYmbm5h2lpd9fXCHodjSbpRelWZsmGGZYWPMU9jSzKKsl3OWh9esb2VraWhpbWyWX5aMlJNq
hxxp://linewebsearch.com/?p=WKmimHVlbXCHjsbIo22EfYCIt1POo22YXZmK0qR0qay9sYmbm5h2lpd9fXCHodjSbpRelWZsmGGZYWPMU9jSzKKsl3OWh9esb2VraWhpbWyWX5aMlJNq
hxxp://linewebsearch.com/?p=WKmimHVlaGuHjsbIo22Eh4uLt1POo22eU9LXoKitiJ%2FY1cRflJ2dcZqTgX6YU9janW1eZWpslGGbZmGXkonZ0Zqop5uikomtpXFqZmxtbWmaYZyfV5OQcQ%3D%3D
hxxp://linewebsearch.com/build8_102.php?cmd=getFile&counter=1&p=WKmimHVlaGuHjsbIo22EfYCLt1POo22eU9LXoKitiJ/Y1cRflJ2dcZqTgX6ZU9janW1jZWJsmGGXZGSeXonZ0Zqop5uikomtpXFqZmxsa3CaXpmbV5OQcQ==
hxxp://guardinfo.net/?p=WKmimHVlbm2HjsbIo22EfYCIt1POo22cU9LXoKith6Swz9KwoFqbnZxxmpinc4rapZxql2OemI6WaWeZY5WK2J%2Bgo6vKnpRfpqd2ZWppaHCUXpeaaFaQl28%3D

It uses the same tactic as seen in earlier posts here and here, where the website claims to scan the unsuspecting user’s computer, detects heaps of infections, and offers a bogus solution.

[Image: scan]

Looking at the installed scareware we find out that Windows Protection Suite is nothing but a clone of Windows Security Suite.

[Image: WPS]

Even their websites are clones:

[Image: WPS_WEB]

hxxp://windowsprotectionsuite.com
hxxp://windowssecuritysuite.com

Posted in Rogue Apps

Social engineering trick leads to Rogue AV: MacroVirus

Posted by Steve Espino on August 13, 2009

I was reading a blog about a Rogue AV when I noticed a suspicious comment on it:

[Image: tiny_comment]

The user was recommending an antispyware program and gave the following URL:
www(dot)tinyurl(dot)com/qlft9c

Following the link, tinyurl does its magic and we are redirected to:

hxxp://macrovirus(dot)com/?hop=starbasi

[Image: macrovirus]

If we believe everything we see and hear, we’ll be downloading and installing a scareware:

[Image: macrovirus_run]

Here we can see that the bad guys are clearly taking advantage of the URL shortening service from tinyurl.com.

Also, you might notice a striking resemblance between the following:

bassey edet
and
hxxp://macrovirus(dot)com/?hop=starbasi

This is probably giving us a hint as to how the bad guys get paid.

If you got this scareware, remove it immediately.

Posted in Rogue Apps

Rogue AV: RogueAntiSpyware.Winifighter

Posted by Steve Espino on August 11, 2009

[Image: winfighter]

We’ve talked about digital clutter on a previous post.

But this one’s a real bugger. Winifighter creates heaps of junk binary files in the %systemroot% and %system% directories. The filenames, contents and file sizes are all random. The names, however, contain bits and pieces taken from malware names, such as the following:

backdoor
not a virus
spy
trojan
virus
worm
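Because the junk files combine a tell-tale name fragment with random content, a responder can look for exactly that combination rather than for fixed names. The following is an added example (my own, not the author’s or any PC Tools tool): it flags files in a directory whose name contains one of the fragments listed above and whose leading bytes have near-random Shannon entropy, so an analyst’s notes file with “spy” in its name is not flagged. The directory fixture, the 7.0 bits-per-byte threshold and the 4 KB sample size are my choices.

```python
import math
import os
import random
import re
import tempfile
from collections import Counter
from typing import List

# Fragments the post reports seeing inside Winifighter's junk file names.
MALWARE_WORDS = ["backdoor", "not a virus", "spy", "trojan", "virus", "worm"]
FRAGMENT_RE = re.compile("|".join(re.escape(w) for w in MALWARE_WORDS), re.IGNORECASE)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for random content, around 4 to 5 for text."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def suspicious_files(directory: str, entropy_threshold: float = 7.0, head: int = 4096) -> List[str]:
    """Flag files whose name carries a malware-word fragment AND whose leading
    bytes look random.  Only the first `head` bytes are read, since the post
    notes that the sizes are random too and the files can be numerous."""
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or not FRAGMENT_RE.search(name):
            continue
        with open(path, "rb") as fh:
            sample = fh.read(head)
        if shannon_entropy(sample) >= entropy_threshold:
            hits.append(name)
    return hits


def build_sample_dir() -> str:
    """Constructed fixture standing in for %systemroot%: two random-content
    files with malware-word names, an analyst's text notes with a matching
    name, and a random-content file with a neutral name."""
    rng = random.Random(1)  # fixed seed so the fixture is reproducible

    def junk(size: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(size))

    directory = tempfile.mkdtemp(prefix="winifighter_demo_")
    files = {
        "cxtrojan_9a1k.dll": junk(5000),
        "not a virus-backdoor3.tmp": junk(1200),
        "spy_notes.txt": b"Observed spy-named junk files appearing in the system directory.\n" * 40,
        "data.bin": junk(3000),
    }
    for name, content in files.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(content)
    return directory


if __name__ == "__main__":
    fixture = build_sample_dir()
    for hit in suspicious_files(fixture):
        print("suspicious:", hit)
```

The entropy test is there to cut false positives on naming alone; real dropped junk of this kind sits near 8 bits per byte, while the notes file scores well under the threshold. On a live system the directories to pass in are the %systemroot% and %system% paths named in the post.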

This one also spoofs the Windows Security Center to give itself an authentic feel, and advises unsuspecting users to register Winifighter.

[Image: winifighter_windowssecuritycentre]

And of course we also have those ever so genuinely adorable warning messages:

[Image: fakealert1]
[Image: fakealert2]

As always, I advise everyone to steer clear of these Rogue AVs.

Posted in Rogue Apps

Rogue AV: Antivirus Plus

Posted by Steve Espino on August 6, 2009

Here’s another Rogue AV out there, and it’s being served by more than one domain:

[Image: antivirusplus1]

Here’s a list of some of the domains used to host this Rogue AV:

addedantiviruslive(dot)com
addedantivirusonline(dot)com
addedantivirusstore(dot)com
easyaddedantivirus(dot)com
freeantivirusplus09(dot)com
goodantivirusplus(dot)com
i-antivirusplus(dot)com
internetantivirusplus(dot)com
mybestantivirusplus(dot)com
myplusantiviruspro(dot)com
nextantivirusplus(dot)com
realantivirusplus09(dot)com
realbestantivirusplus(dot)com
yesantivirusplus(dot)com

[Image: antivirusplus]

Stay away from these rogue domains and block them if you have any means of doing so.
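Following that advice to block the domains, here is an added example (mine, not from the original post or PC Tools) that turns defanged indicators in the notation this blog uses (hxxp for the scheme, “(dot)” for the dot) into hosts-file entries and a separate IP list for firewall rules, rejecting anything that is not a syntactically valid host name or address. It serves this post and the Atlanta flooding post above equally; the sample input is constructed from domains and IP addresses quoted in those two posts plus one deliberately malformed entry, and the hosts-file format with 0.0.0.0 as the sink address is my choice.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample input: indicators as they appear in this blog
# (hxxp scheme, "(dot)" for '.'), plus one deliberately malformed entry.
DEFANGED_INDICATORS = [
    "addedantiviruslive(dot)com",
    "freeantivirusplus09(dot)com",
    "winfixscanner7(dot)com",
    "hxxp://antivirusplus09.com",
    "89.47.237.55",
    "213.163.89.60",
    "not a domain!",
]

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def refang(indicator: str) -> str:
    """Undo the common defanging conventions and keep only the host part."""
    host = indicator.strip().lower()
    for token in ("(dot)", "[dot]", "[.]"):
        host = host.replace(token, ".")
    host = re.sub(r"^hxxps?://", "", host)  # defanged scheme
    host = re.sub(r"^https?://", "", host)  # plain scheme, if someone forgot to defang
    return host.split("/", 1)[0]


def classify(indicator: str) -> Tuple[str, str]:
    """Return ("ip", address), ("domain", name) or ("invalid", original)."""
    host = refang(indicator)
    try:
        return "ip", str(ipaddress.ip_address(host))
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels):
        return "domain", host
    return "invalid", indicator


def build_blocklist(indicators: List[str]) -> Tuple[List[str], List[str], List[str]]:
    """Produce hosts-file lines for domains, a numerically sorted IP list for
    firewall rules, and the rejected entries so they can be reviewed by hand."""
    domains, ips, rejected = set(), set(), []
    for indicator in indicators:
        kind, value = classify(indicator)
        if kind == "domain":
            domains.add(value)
        elif kind == "ip":
            ips.add(value)
        else:
            rejected.append(value)
    hosts_lines = [f"0.0.0.0 {name}" for name in sorted(domains)]
    return hosts_lines, sorted(ips, key=ipaddress.ip_address), rejected


if __name__ == "__main__":
    hosts, addresses, bad = build_blocklist(DEFANGED_INDICATORS)
    print("\n".join(hosts))
    print("block at the firewall:", addresses)
    print("review by hand:", bad)
```

Rejecting malformed entries instead of silently dropping them matters when the list is copied from a blog post or a mailing list: a typo in an indicator should surface for review rather than vanish from the block list.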

Posted in Rogue Apps

Rogue App: System Cleaner

Posted by Steve Espino on August 5, 2009

I visited this rogue domain:

hxxp://antivirussecurescannerv3.com

[Image: antivirussecurescannerv3.com]

The website proceeded to show me that it was scanning my machine for system errors and doing a very wonderful job, since it found heaps of problems on my machine and was very eager to fix them.

To give the website some kind of authentic feel, it also showed me which browser I am using, my operating system, and my IP address.

It was also offering a 60% discount on the product. Isn’t that a good deal?

Now, if the dubious scanning and the overall feel of the website did not give away its real intentions, and we were lulled into buying their software, well… hold on a minute!

If you look at my screenshot, the rogue website was reporting errors about the Windows TEMP folder and Internet Explorer temp files. But how can that be? As I mentioned in a previous post, I am not running Windows!

As usual, unsuspecting users get ripped off for crappy software. So be careful!

Posted in Rogue Apps

Rogue AV: Antivirus Plus

Posted by Steve Espino on July 30, 2009

Here’s another Rogue AV using the same animated system scan in the browser as the one in a previous post.

[Image: aplus_scan]

In some instances, Antivirus Plus uses this animated scan instead:

[Image: aplus_scan2]

It also uses one of those warnings that look oh so genuinely sincere:

[Image: aplus_warning]

Then of course downloading and installing the rogue app gives us the usual scan results:

[Image: antivirusplus]

Here’s a list of domains currently serving this rogue app:

hxxp://adoimi.cn
hxxp://yourguardpro.cn
hxxp://yourcheckpoisonpro.cn
hxxp://yourfriskviruspro.cn
hxxp://antivirusplus09.com
hxxp://antivirusplus-ok.com
hxxp://addedantiviruspro.com

[Image: aplus]

Because of the same animated system scan that they use, I reckon System Security and Antivirus Plus are two related rogue apps.

Posted in Rogue Apps

 