Blog entry here
Posts Tagged ‘fake video codec’
Porntube Anyone? Bonus Scareware!
Posted by Steve Espino on February 23, 2010
Posted in Malicious Intent, Rogue Apps | Tagged: fake av, fake codec, fake video codec, PORNTUBE2000, rogue, rogue av, scareware, SECURITY TOOL, VIDEO ACTIVEX OBJECT, VIDEO ACTIVEX OBJECT ERROR | Leave a Comment »
Koobface on the Move, Serving Scareware
Posted by Steve Espino on September 18, 2009
The PC Tools Malware Research Centre has been seeing new movement on the koobface front Lately.
As koobface-serving domains are being taken down as early as the good guys discover them, the bad guys are at it and they respond by registering new ones. At the moment, their, C&C server is hosted in China with IP Address 61.235.117.83.
The bad guys are still using a fake facebook website, as well as posing as a fake codec, in order to distribute koobface.
Clicking anywhere on the page, presents us with a file named setup.exe. Here are some of the IPs being used to distribute koobface:
115.130.27.204
123.202.200.84
151.204.31.67
196.206.65.53
221.126.0.105
24.215.207.229
41.238.76.198
61.93.34.23
67.206.253.52
68.47.48.240
69.18.107.115
69.254.215.173
70.122.242.250
70.212.232.126
71.116.37.213
71.130.216.179
71.194.236.32
71.80.105.40
72.13.138.210
72.190.87.208
75.181.171.110
75.251.94.44
76.119.98.22
76.22.160.28
76.23.203.64
81.192.192.160
98.140.58.163
98.244.224.140
98.26.40.38
99.22.74.229
The javascript component being by used by koobface, remains bascically the same as before
And as before, koobface is still serving up scareware. From time to time, users are presented with a My Computer online scan, going through these domains:
gotrioscan(dot)com
plazec(dot)info
At some instances, we also get these warnings:
At the moment, these warnings are serving Internet Antivirus Pro.
In order to be protected against these attacks, users of PC Tools Spyware Doctor are advised to use the latest PC Tools update.
An earlier post about koobface can be found here.
Update:
Koobface has been going at it and here’s another one that spoofs youtube and serves koobface malware as a fake codec:
hxxp://71.197.170.226/d=www.marcellaburnard.com/0x3E8/view/console=yes/?go
Posted in Malicious Intent, Rogue Apps | Tagged: 61.235.117.83, 71.197.170.226, C&C, fake codec, fake video codec, Internet Antivirus Pro, koobface, KROTEG, Malware Research Centre, My Computer online scan, Net-Worm.Koobface, PC Tools, rogue, rogue app, rogue av, rogue domain, RogueAntiSpyware.InternetAntiVirus, scareware, security, setup.exe | 4 Comments »
Porn site distributes scareware
Posted by Steve Espino on August 27, 2009
Another website has recently been spotted to be serving up malware in the guise of fake video codecs.
This one praises itself as “The Best Nude Celebrity Movie Site”
hxxp://alyssafan.net/1.html
But in order to watch the any video, we would need to download and install their “Certified ActiveX video codec (VAC codec) use to protect content Copyrights”
The fake fake codec can be downloaded here:
hxxp://alyssafan.net/Mediacodec_v4.8.exe
One of the components used in this attack is an onfuscated javascript file that can be found in the %temp% folder.
This script translates to:
This script downloads:
hxxp://ue4x08f5myqdl.cn/u3.exe
Which then gives us scareware Safety Center:
Beware of fake video codecs!
Posted in Uncategorized | Tagged: alyssafan.net, fake alert, fake app, fake av, fake codec, fake video codec, Mediacodec, porn, rogue app, rogue av, Safety Center, scareware, security, The Best Nude Celebrity Movie Site, ue4x08f5myqdl.cn, video | 2 Comments »
