Posts Tagged ‘rogue app’
Posted by Steve Espino on December 8, 2009

Privacy Center, Privacy Components and Safety Center are some of the aliases used by this family of scareware, which hides under the guise of a fake Windows 7 Action Center.
The scareware installer uses the filename win_protection_update.exe and, once installed, the scareware displays fake scan results in an attempt to convince unsuspecting users to buy the fake software.
A lifetime license for this fake app amounts to a hefty $79.95 plus $19.95 for “Premium Support”.
Here are some of the domains used to distribute this attack:
software-scaner-online.com
scaner-online-malware.biz
PC Tools Spyware Doctor with Antivirus detects this scareware as RogueAntiSpyware.PrivacyCenter.AJ.
Posted in Rogue Apps | Tagged: fake, fake alert, fake app, fake av, Fake Windows 7 Action Center, fakealert, PC Tools, Privacy Center, Privacy Components, PrivacyCenter, rogue, rogue app, rogue av, rogue domain, RogueAntiSpyware.PrivacyCenter.AJ, Safety Center, scaner-online-malware.biz, scareware, SDAV, software-scaner-online.com, Spyware Doctor, Spyware Doctor with AntiVirus, Windows 7
Posted by Steve Espino on November 3, 2009

MaCatte Antivirus is a rogue AV that impersonates McAfee scanners in order to scam users; PC Tools Spyware Doctor with Antivirus aptly detects it as RogueAntiSpyware.MaCatte.
This scareware has been seen using a bogus My Computer online scan similar to the ones we’ve seen here, here and here.

The online scan can be seen at this URL:
hxxp://proscan5.info/25/26-088wLzQzL1EzL==
The downloader served from this URL is time-sensitive and stops working after a period of time: a session ID of some sort is embedded in the binary executable itself. Once that time has elapsed, the downloader tells the user to contact MaCatte Antivirus support. This hinders reverse engineers trying to replicate the infection and gather samples for analysis.
The presence of these files / folders would signal infection by this scareware:
C:\Documents and Settings\All Users\Application Data\msca
C:\Documents and Settings\All Users\Application Data\msca\MaCatte.ico
C:\Documents and Settings\All Users\Application Data\msca\mcull.exe
C:\Documents and Settings\All Users\Application Data\msca\msc.exe
C:\Documents and Settings\All Users\Application Data\msca\Viruses.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Media\WPtect.dll
C:\Documents and Settings\All Users\Desktop\MaCatte.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\MaCatte
C:\Documents and Settings\All Users\Start Menu\Programs\MaCatte\MaCatte.lnk
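The file list above is usable as-is for a host check. The script below is an added example (not from the original post or from PC Tools) that tests for those artifacts under the All Users profile and returns a verdict. The relative paths are the post's; the assumptions are mine: that %ALLUSERSPROFILE% is the right root (on Vista and later it is C:\ProgramData, where "Application Data", "Desktop" and "Start Menu" survive as compatibility junctions), and that a present .exe/.dll is stronger evidence than a lone shortcut or folder. The demo() tree is constructed, not a real infection.

```python
import os
from pathlib import Path

# Indicators listed in the post, relative to the XP-era "All Users" profile
# (C:\Documents and Settings\All Users). On Vista and later %ALLUSERSPROFILE%
# is C:\ProgramData, and the XP names (Application Data, Desktop, Start Menu)
# are compatibility junctions under it, so the same relative paths are tried.
MACATTE_ARTIFACTS = [
    r"Application Data\msca",
    r"Application Data\msca\MaCatte.ico",
    r"Application Data\msca\mcull.exe",
    r"Application Data\msca\msc.exe",
    r"Application Data\msca\Viruses.dat",
    r"Application Data\Microsoft\Media\WPtect.dll",
    r"Desktop\MaCatte.lnk",
    r"Start Menu\Programs\MaCatte",
    r"Start Menu\Programs\MaCatte\MaCatte.lnk",
]

# Binaries are treated as stronger evidence than a stray shortcut or an empty
# folder; this weighting is a judgement call, not something the post states.
STRONG_SUFFIXES = (".exe", ".dll")


def find_macatte_artifacts(all_users_root):
    """Return the artifacts (relative Windows paths) present under the given
    All Users root. Paths are split on backslashes so the same check runs on
    a mounted image from a POSIX analysis box."""
    root = Path(all_users_root)
    return [rel for rel in MACATTE_ARTIFACTS
            if root.joinpath(*rel.split("\\")).exists()]


def classify(hits):
    """'infected' if any executable/DLL artifact is present, 'suspicious' if
    only folders or shortcuts were found, otherwise 'clean'."""
    if any(h.lower().endswith(STRONG_SUFFIXES) for h in hits):
        return "infected"
    return "suspicious" if hits else "clean"


def scan_live_host():
    """Check the running host, falling back to the XP path if the variable
    is missing (for example under a restricted service account)."""
    root = os.environ.get("ALLUSERSPROFILE", r"C:\Documents and Settings\All Users")
    hits = find_macatte_artifacts(root)
    return hits, classify(hits)


def demo():
    """Build a constructed sample tree (not a real infection) containing two
    of the artifacts, scan it, and return (hits, verdict)."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Application Data" / "msca").mkdir(parents=True)
        (root / "Application Data" / "msca" / "msc.exe").write_bytes(b"MZ")
        (root / "Desktop").mkdir()
        (root / "Desktop" / "MaCatte.lnk").write_bytes(b"")
        hits = find_macatte_artifacts(root)
        return hits, classify(hits)


if __name__ == "__main__":
    found, verdict = demo()
    print(verdict, found)
```

Run scan_live_host() on the machine under investigation; the msca folder on its own only rates "suspicious" because a removal tool may leave the empty directory behind after deleting the binaries.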
The fake licence sets unsuspecting users back a hefty $99 of their hard-earned money.
Stay away from these rogue apps.
Posted in Uncategorized | Tagged: fake app, fake av, MaCatte, MaCatte Antivirus, macatte.com, McAfee, PC Tools, proscan5.info, rogue app, rogue av, RogueAntiSpyware.MaCatte, scareware, security, Spyware Doctor, Spyware Doctor with AntiVirus
Posted by Steve Espino on October 15, 2009
Here are some screenshots of the members of this scareware family:
![[gickr.com]_6c803672-8a5f-25e4-5109-31b55ebdf362 [gickr.com]_6c803672-8a5f-25e4-5109-31b55ebdf362](http://r3v3rs3e.files.wordpress.com/2009/10/gickr-com_6c803672-8a5f-25e4-5109-31b55ebdf362.gif)
Beware of these rogue apps.
Posted in Rogue Apps | Tagged: rogue app, rogue av, security, Sysguard, TrustCop, TrustNinja, Winifighter, WiniShield
Posted by Steve Espino on October 13, 2009

Another scareware has been spotted in the wild, and it calls itself TrustFighter. It is a recent addition to the Winifighter family of scareware.
Like the other members of this family, described in a previous post, TrustFighter creates heaps of junk binary files in the %systemroot% and %system% directories.
Sample junk files are the following:
%systemroot%\51c0vzr24975.dll
%systemroot%\51cbthreatz1991.ocx
%systemroot%\524699py69fz.bin
%systemroot%\525z1vi9us4e4.cpl
%systemroot%\5294viz115.exe
%systemroot%\5eddaddwar9167z.dll
%systemroot%\5ezast95l495.dll
%systemroot%\5ezdaddware2359.cpl
%systemroot%\5z09s9yware545.cpl
%systemroot%\5z56th5eat19149.bin
%systemroot%\5z85thief22759.cpl
%systemroot%\5z99addware2835.ocx
%systemroot%\5z9bba5kdoor525.dll
%systemroot%\5z9cth5ef13559.cpl
%systemroot%\5zfdaddware950.bin
%systemroot%\5zfesparse709.exe
%systemroot%\6169th5zf99.ocx
%systemroot%\6210spywa5e192z.ocx
%system%\1905szea51146.cpl
%system%\190979iru57z7.ocx
%system%\190cszywa591879.exe
%system%\19105vizus1c.bin
%system%\19179virusz65.ocx
%system%\1930thief97z5.cpl
%system%\19559spamboz6bb.ocx
%system%\1958stezl2595.cpl
%system%\195b5hreat39894z.exe
%system%\19645worm7zd.exe
%system%\1969spz715.bin
%system%\1977zhacktool54d.cpl
%system%\19792troz5aa.bin
%system%\1987th5z92904.cpl
Here are some domains participating in this campaign:
securityannounce(dot)com
securityadjust(dot)com
bestmalwaredetect(dot)com
pcprotectzone(dot)com
trustfighter(dot)com
Unsuspecting users get set back $49.95 of their hard-earned money.
PC Tools Spyware Doctor protects your computers from the scum of the universe (the digital universe) and aptly detects TrustFighter as RogueAntiSpyware.Winifighter.
Posted in Rogue Apps | Tagged: bestmalwaredetect.com, Malware Research Centre, MRC, pcprotectzone.com, rogue app, rogue av, RogueAntiSpyware.Winifighter, scareware, security, securityadjust.com, securityannounce.com, theatypxdd.net, TrustFighter, trustfighter.com, Winifighter
Posted by Steve Espino on September 22, 2009
Users Googling “Atlanta flood pictures” are served yet another SEO-poisoning attack, this time through a possibly compromised legitimate Australian website for restaurants in the famous Bondi area.
Here’s a screenshot of a Google search result:

A Fiddler capture shows us the redirections:

So we go from
hxxp://idrb.com/pdf_files/atlanta-flood-pictures.html
>hxxp://06d.ru/t.php
>>hxxp://read-cnn2.com/?pid=207&sid=de9f8f
>>>hxxp://winfixscanner7.com/scan1/?pid=207&engine=pHTyzjTyMzEyOS44Mi4xOTAmdGltZT0xMjUuNgAMPAVN
An installer named Soft_207.exe is then offered for download; PC Tools Spyware Doctor with Antivirus aptly detects it as RogueAntiSpyware.TotalSecurity.
At the moment, the PC Tools Malware Research Centre has observed the following domains being used for distribution:
winfixscanner7(dot)com
15scanner(dot)com
These domains resolve to the following IP addresses:
89.47.237.55
89.248.174.61
213.163.89.60
But knowing the trend in scareware, there could be heaps more domains being created as we speak.
PC Tools Spyware Doctor with Antivirus protects its users from RogueAntiSpyware.TotalSecurity.
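Two things in the chain above are worth pulling out mechanically when you work through a capture like this: the pid=207 campaign id that survives every hop and reappears in the installer name Soft_207.exe, and the opaque engine= token, which contains a base64 run that decodes to printable text resembling the tail of an IP address and a time value. The script below is an added example (not from the original post or from PC Tools) that rebuilds the hop chain from a constructed Fiddler-style session list, extracts the per-hop query parameters, and tries the token at each base64 alignment. Assumptions of mine: that each hop was an HTTP 302 with a Location header (the post shows only the hop order), the URL of the final download request (only the filename is from the post), and the reading of the decoded text as visitor IP/time state.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

ENGINE = "pHTyzjTyMzEyOS44Mi4xOTAmdGltZT0xMjUuNgAMPAVN"
LANDING = "http://winfixscanner7.com/scan1/?pid=207&engine=" + ENGINE

# Constructed capture modelled on the hops in the post (hxxp restored to http
# so the URLs parse). That each hop is a 302 with a Location header, and the
# final download request, are assumptions: the post gives only the hop order
# and the installer name Soft_207.exe.
SESSIONS = [
    ("http://idrb.com/pdf_files/atlanta-flood-pictures.html", 302,
     {"Location": "http://06d.ru/t.php"}),
    ("http://06d.ru/t.php", 302,
     {"Location": "http://read-cnn2.com/?pid=207&sid=de9f8f"}),
    ("http://read-cnn2.com/?pid=207&sid=de9f8f", 302,
     {"Location": LANDING}),
    (LANDING, 200, {"Content-Type": "text/html"}),
    ("http://winfixscanner7.com/scan1/Soft_207.exe", 200,   # assumed path
     {"Content-Disposition": "attachment; filename=Soft_207.exe"}),
]


def walk_chain(sessions, start):
    """Follow 3xx Location headers from `start`; returns the ordered hop URLs
    and stops on a non-redirect, an unknown URL, or a loop."""
    by_url = {url: (status, headers) for url, status, headers in sessions}
    chain, url = [], start
    while url and url not in chain:
        chain.append(url)
        status, headers = by_url.get(url, (None, {}))
        url = headers.get("Location") if status and 300 <= status < 400 else None
    return chain


def params_by_hop(chain):
    """Query parameters per hop, keyed by host, so the campaign id that is
    carried across hops (pid here) stands out."""
    out = {}
    for url in chain:
        parts = urlsplit(url)
        out[parts.hostname] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return out


def printable_runs(value, min_len=8):
    """Base64-decode an opaque token at each 4-character alignment and return
    the longest printable ASCII run found (empty string if nothing decodes)."""
    best = b""
    for start in range(4):
        chunk = value[start:]
        chunk = chunk[:len(chunk) - len(chunk) % 4]
        try:
            raw = base64.b64decode(chunk, validate=True)
        except (binascii.Error, ValueError):
            continue
        for run in re.findall(rb"[ -~]{%d,}" % min_len, raw):
            if len(run) > len(best):
                best = run
    return best.decode("ascii")


def served_installer(sessions):
    """Filename from the first Content-Disposition header in the capture."""
    for _, _, headers in sessions:
        m = re.search(r'filename="?([^";]+)', headers.get("Content-Disposition", ""))
        if m:
            return m.group(1)
    return None


def defang(url):
    """Write URLs the way the post does so they are not clickable."""
    return url.replace("http", "hxxp", 1)


def analyze(sessions):
    chain = walk_chain(sessions, sessions[0][0])
    params = params_by_hop(chain)
    pids = {p["pid"] for p in params.values() if "pid" in p}
    pid = next(iter(pids)) if len(pids) == 1 else None
    installer = served_installer(sessions)
    engine = params.get("winfixscanner7.com", {}).get("engine", "")
    return {
        "chain": [defang(u) for u in chain],
        "pid": pid,
        "installer": installer,
        "pid_in_installer": bool(pid and installer and pid in installer),
        "engine_ascii": printable_runs(engine),
    }


if __name__ == "__main__":
    for key, value in analyze(SESSIONS).items():
        print(f"{key}: {value}")
```

Feeding a real Fiddler export into SESSIONS is a matter of mapping each session to (request URL, status, response headers); the alignment loop in printable_runs matters because affiliate tokens are often prefixed with a salt, which shifts the readable part off the natural 4-byte boundary, as the leading characters of this token do.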
Posted in Uncategorized | Tagged: 06d.ru, 15scanner.com, 213.163.89.60, 89.248.174.61, 89.47.237.55, Atlanta flood pictures, fake alert, fake av, idrb.com, PC Tools, read-cnn2.com, rogue, rogue app, rogue av, RogueAntiSpyware.TotalSecurity, scareware, SEO, Spyware Doctor, Total Security, winfixscanner7.com
Posted by Steve Espino on September 18, 2009
The PC Tools Malware Research Centre has been seeing new movement on the koobface front lately.

As koobface-serving domains are taken down as soon as the good guys discover them, the bad guys respond by registering new ones. At the moment their C&C server is hosted in China at IP address 61.235.117.83.
The bad guys are still using a fake Facebook website, as well as posing as a fake codec, in order to distribute koobface.

Clicking anywhere on the page presents us with a file named setup.exe. Here are some of the IPs being used to distribute koobface:

115.130.27.204
123.202.200.84
151.204.31.67
196.206.65.53
221.126.0.105
24.215.207.229
41.238.76.198
61.93.34.23
67.206.253.52
68.47.48.240
69.18.107.115
69.254.215.173
70.122.242.250
70.212.232.126
71.116.37.213
71.130.216.179
71.194.236.32
71.80.105.40
72.13.138.210
72.190.87.208
75.181.171.110
75.251.94.44
76.119.98.22
76.22.160.28
76.23.203.64
81.192.192.160
98.140.58.163
98.244.224.140
98.26.40.38
99.22.74.229
The JavaScript component used by koobface remains basically the same as before.
And as before, koobface is still serving up scareware. From time to time, users are presented with a My Computer online scan, going through these domains:

gotrioscan(dot)com
plazec(dot)info
In some instances we also get these warnings:


At the moment, these warnings are serving Internet Antivirus Pro.
In order to be protected against these attacks, users of PC Tools Spyware Doctor are advised to install the latest PC Tools update.
An earlier post about koobface can be found here.
Update:
Koobface has been going at it, and here’s another one that spoofs YouTube and serves koobface malware as a fake codec:
hxxp://71.197.170.226/d=www.marcellaburnard.com/0x3E8/view/console=yes/?go

Posted in Malicious Intent, Rogue Apps | Tagged: 61.235.117.83, 71.197.170.226, C&C, fake codec, fake video codec, Internet Antivirus Pro, koobface, KROTEG, Malware Research Centre, My Computer online scan, Net-Worm.Koobface, PC Tools, rogue, rogue app, rogue av, rogue domain, RogueAntiSpyware.InternetAntiVirus, scareware, security, setup.exe
Posted by Steve Espino on August 27, 2009
Another website has recently been spotted serving up malware in the guise of fake video codecs.
This one bills itself as “The Best Nude Celebrity Movie Site”:
hxxp://alyssafan.net/1.html

But in order to watch any video, we would need to download and install their “Certified ActiveX video codec (VAC codec) use to protect content Copyrights”.
The fake codec can be downloaded here:
hxxp://alyssafan.net/Mediacodec_v4.8.exe
One of the components used in this attack is an obfuscated JavaScript file that can be found in the %temp% folder.

This script translates to:

This script downloads:
hxxp://ue4x08f5myqdl.cn/u3.exe
which in turn installs the Safety Center scareware:

Beware of fake video codecs!
Posted in Uncategorized | Tagged: alyssafan.net, fake alert, fake app, fake av, fake codec, fake video codec, Mediacodec, porn, rogue app, rogue av, Safety Center, scareware, security, The Best Nude Celebrity Movie Site, ue4x08f5myqdl.cn, video
Posted by Steve Espino on August 20, 2009

Another scareware has been spotted, and it calls itself Windows Protection Suite.
You can get Windows Protection Suite from one of these URLs:
hxxp://searchscanner.net/?p=WKmimHVlbXCHjsbIo22EfYCIt1POo22YXZmK0qR0qay9sYmbm5h2lpd9fXCHodjSbpRelWZsmGGZYWPMU9jSzKKsl3OWh9esb2VraWhpbWyWX5aMlJNq
hxxp://linewebsearch.com/?p=WKmimHVlbXCHjsbIo22EfYCIt1POo22YXZmK0qR0qay9sYmbm5h2lpd9fXCHodjSbpRelWZsmGGZYWPMU9jSzKKsl3OWh9esb2VraWhpbWyWX5aMlJNq
hxxp://linewebsearch.com/?p=WKmimHVlaGuHjsbIo22Eh4uLt1POo22eU9LXoKitiJ%2FY1cRflJ2dcZqTgX6YU9janW1eZWpslGGbZmGXkonZ0Zqop5uikomtpXFqZmxtbWmaYZyfV5OQcQ%3D%3D
hxxp://linewebsearch.com/build8_102.php?cmd=getFile&counter=1&p=WKmimHVlaGuHjsbIo22EfYCLt1POo22eU9LXoKitiJ/Y1cRflJ2dcZqTgX6ZU9janW1jZWJsmGGXZGSeXonZ0Zqop5uikomtpXFqZmxsa3CaXpmbV5OQcQ==
hxxp://guardinfo.net/?p=WKmimHVlbm2HjsbIo22EfYCIt1POo22cU9LXoKith6Swz9KwoFqbnZxxmpinc4rapZxql2OemI6WaWeZY5WK2J%2Bgo6vKnpRfpqd2ZWppaHCUXpeaaFaQl28%3D
It uses the same tactic as seen in earlier posts here and here, where the website claims to scan the unsuspecting user’s computer, detects heaps of infections, and offers a bogus solution.

Looking at the installed scareware, we find that Windows Protection Suite is nothing but a clone of Windows Security Suite.

Even their websites are clones:

hxxp://windowsprotectionsuite.com
hxxp://windowssecuritysuite.com
Posted in Rogue Apps | Tagged: clone, fake alert, fake av, guardinfo.net, linewebsearch.com, rogue app, rogue av, scareware, searchscanner.net, security, Windows Protection Suite, Windows Security Suite, windowsprotectionsuite.com, windowssecuritysuite.com
Posted by Steve Espino on August 13, 2009
I was reading a blog about a rogue AV when I noticed a suspicious comment on it:

The user was recommending an antispyware program and gave the following URL:
www(dot)tinyurl(dot)com/qlft9c
Following the link, TinyURL does its magic and we are directed to:
hxxp://macrovirus(dot)com/?hop=starbasi

If we believed everything we see and hear, we would be downloading and installing scareware:

Here we can see that the bad guys are clearly taking advantage of the URL-shortening service from tinyurl.com.
Also, you might notice a striking resemblance between the following:
bassey edet
and
hxxp://macrovirus(dot)com/?hop=starbasi
This is probably a hint as to how the bad guys get paid: a hop parameter is the affiliate identifier in a ClickBank-style hoplink, so the commenter is most likely an affiliate earning a commission on every copy sold through that link.
If you got this scareware, remove it immediately.
Posted in Rogue Apps | Tagged: fake alert, fake av, macrovirus, qlft9c, rogue app, rogue av, scareware, security, starbasi, tinyurl
Posted by Steve Espino on August 11, 2009

We’ve talked about digital clutter in a previous post.
But this one’s a real bugger. Winifighter creates heaps of junk binary files in the %systemroot% and %system% directories. The filenames, contents and file sizes are all random. The names, however, contain bits and pieces taken from malware names such as the following:
backdoor
not a virus
spy
trojan
virus
worm
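Because the names are random but built from recognisable fragments, a plain hash or filename blocklist is useless against this family while a pattern check works. The script below is an added example (not from the original post or from PC Tools) that flags Winifighter-style clutter in a directory listing; it serves both this post and the TrustFighter post above, whose sample filenames it uses as constructed input. Two rules, both inferred by me from those samples rather than stated in the posts: a keyword may have one character replaced by a digit or "z" (th5eat, vi9us, vizus, ba5kdoor), and a name with no keyword is still flagged when it is digit-salted (leading digit, several digits and letters mixed). The keyword list adds the fragments visible in the TrustFighter names (threat, thief, addware, spyware, hacktool, spambot) to the six the post lists, and the legitimate control names are constructed.

```python
from pathlib import PureWindowsPath

# Malware-name fragments spliced into the junk filenames. The post names
# backdoor, not a virus, spy, trojan, virus and worm; the rest are fragments
# visible in the TrustFighter sample names. Longer keywords come first so the
# most specific fragment is the one reported.
KEYWORDS = ("backdoor", "notavirus", "hacktool", "spambot", "addware",
            "adware", "spyware", "trojan", "threat", "thief", "virus",
            "worm", "spy")

# In the samples one letter is swapped for a digit or 'z' (th5eat, vi9us,
# vizus, ba5kdoor), so a one-character mismatch is accepted only when the
# filename's character comes from that alphabet. Keywords shorter than five
# characters must match exactly, which keeps 'word' from matching 'worm'.
SUBST_CHARS = set("0123456789z")
JUNK_EXT = {".dll", ".ocx", ".cpl", ".bin", ".exe"}


def keyword_hit(stem):
    """(keyword, matched fragment) for the first keyword found in `stem`
    with at most one substituted character, else None."""
    stem = stem.lower()
    for kw in KEYWORDS:
        n = len(kw)
        for i in range(len(stem) - n + 1):
            window = stem[i:i + n]
            diff = [j for j in range(n) if window[j] != kw[j]]
            if not diff or (len(diff) == 1 and n >= 5
                            and window[diff[0]] in SUBST_CHARS):
                return kw, window
    return None


def looks_generated(stem):
    """Heuristic (thresholds are mine) for digit-salted names that carry no
    keyword, such as 51c0vzr24975 or 5ezast95l495: a leading digit, at least
    four digits and three letters, ten or more characters in total."""
    s = stem.lower()
    digits = sum(c.isdigit() for c in s)
    letters = sum(c.isalpha() for c in s)
    return len(s) >= 10 and s[0].isdigit() and digits >= 4 and letters >= 3


def classify_name(path):
    """Reason string if the file name looks like Winifighter clutter, else
    None. Only the name is inspected, so a directory listing taken from a
    mounted image works as well as a live host."""
    p = PureWindowsPath(path)
    if p.suffix.lower() not in JUNK_EXT:
        return None
    hit = keyword_hit(p.stem)
    if hit:
        return f"malware-name fragment '{hit[1]}' (~{hit[0]})"
    if looks_generated(p.stem):
        return "digit-salted random name"
    return None


def scan_listing(paths):
    """Map each flagged path to the reason it was flagged."""
    flagged = {}
    for path in paths:
        reason = classify_name(path)
        if reason:
            flagged[path] = reason
    return flagged


# Sample listing: the junk names quoted in the TrustFighter post, plus a few
# constructed legitimate names as controls.
_ROOT = ("51c0vzr24975.dll 51cbthreatz1991.ocx 524699py69fz.bin 525z1vi9us4e4.cpl "
         "5294viz115.exe 5eddaddwar9167z.dll 5ezast95l495.dll 5ezdaddware2359.cpl "
         "5z09s9yware545.cpl 5z56th5eat19149.bin 5z85thief22759.cpl 5z99addware2835.ocx "
         "5z9bba5kdoor525.dll 5z9cth5ef13559.cpl 5zfdaddware950.bin 5zfesparse709.exe "
         "6169th5zf99.ocx 6210spywa5e192z.ocx")
_SYS = ("1905szea51146.cpl 190979iru57z7.ocx 190cszywa591879.exe 19105vizus1c.bin "
        "19179virusz65.ocx 1930thief97z5.cpl 19559spamboz6bb.ocx 1958stezl2595.cpl "
        "195b5hreat39894z.exe 19645worm7zd.exe 1969spz715.bin 1977zhacktool54d.cpl "
        "19792troz5aa.bin 1987th5z92904.cpl")
SAMPLE_JUNK = (["%systemroot%\\" + n for n in _ROOT.split()]
               + ["%system%\\" + n for n in _SYS.split()])
SAMPLE_LEGIT = ["%system%\\kernel32.dll", "%system%\\msvcr100.dll",
                "%systemroot%\\explorer.exe", "%system%\\msword.dll",
                "%systemroot%\\7z.dll"]

if __name__ == "__main__":
    for path, reason in scan_listing(SAMPLE_JUNK + SAMPLE_LEGIT).items():
        print(f"{path}: {reason}")
```

On a real host, feed it the listing of %systemroot% and %system% only; the digit-salted rule is deliberately narrow (a leading digit alone, as in 7z.dll, is not enough) because outside those two directories names with embedded version numbers are common and would otherwise drown the result.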
This one also spoofs the Windows Security Center to give itself that authentic feel, and advises unsuspecting users to register Winifighter.

And of course we also have those ever so genuinely adorable warning messages:


As always, I advise everyone to steer clear of these rogue AVs.
Posted in Rogue Apps | Tagged: fake alert, fake av, rogue app, rogue av, RogueAntiSpyware.Winifighter, scareware, Winifighter