Blog entry here
Posts Tagged ‘scareware’
Porntube Anyone? Bonus Scareware!
Posted by Steve Espino on February 23, 2010
Posted in Malicious Intent, Rogue Apps | Tagged: fake av, fake codec, fake video codec, PORNTUBE2000, rogue, rogue av, scareware, SECURITY TOOL, VIDEO ACTIVEX OBJECT, VIDEO ACTIVEX OBJECT ERROR | Leave a Comment »
Scareware uses Fake Windows 7 Action Center
Posted by Steve Espino on December 8, 2009
Privacy Center, Privacy Components and Safety Center are some of the aliases used by this family of scareware that hide under the guise of a fake Windows 7 Action Center.
The scareware installer uses the filename win_protection_update.exe and once installed, this scareware displays fake scan results in an attempt to convince unsuspecting users into buying the fake software.
A lifetime license for this fake app amounts to a hefty $79.95 plus $19.95 for “Premium Support”.
Here are some domains related to distributing this attack:
software-scaner-online.com
scaner-online-malware.biz
PC Tools Spyware Doctor with Antivirus detects this scareware as RogueAntiSpyware.PrivacyCenter.AJ.
Posted in Rogue Apps | Tagged: fake, fake alert, fake app, fake av, Fake Windows 7 Action Center, fakealert, PC Tools, Privacy Center, Privacy Components, PrivacyCenter, rogue, rogue app, rogue av, rogue domain, RogueAntiSpyware.PrivacyCenter.AJ, Safety Center, scaner-online-malware.biz, scareware, SDAV, software-scaner-online.com, Spyware Doctor, Spyware Doctor with AntiVirus, Windows 7 | Leave a Comment »
MaCatte scareware fools users by masquerading as McAfee
Posted by Steve Espino on November 3, 2009
MaCatte Antivirus is a rogue av that attempts to impersonate McAfee scanners in order to scam users, which PC Tools Spyware Doctor with Antivirus aptly detects as RogueAntiSpyware.MaCatte
This scareware has been seen to be using a bogus My Computer online scan similar to ones we’ve seen here, here and here.
The online scan can be seen on this url:
hxxp://proscan5.info/25/26-088wLzQzL1EzL==
The downloader being served from this url is time-sensitive and will not work after a period of time. A session ID of some sort is embedded on the binary executable itself. After such time has elapsed, the downloader tells the user to contact MaCatte Antivirus support people. This prevents reverse-engineers from replicating the infection and gathering samples for analysis.
Presence of these files / folders would signal infection from this scareware:
C:\Documents and Settings\All Users\Application Data\msca
C:\Documents and Settings\All Users\Application Data\msca\MaCatte.ico
C:\Documents and Settings\All Users\Application Data\msca\mcull.exe
C:\Documents and Settings\All Users\Application Data\msca\msc.exe
C:\Documents and Settings\All Users\Application Data\msca\Viruses.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Media\WPtect.dll
C:\Documents and Settings\All Users\Desktop\MaCatte.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\MaCatte
C:\Documents and Settings\All Users\Start Menu\Programs\MaCatte\MaCatte.lnk
Unsuspecting users are set back from their hard-earned money by a hefty $99.
Stay away from these rogue apps.
Posted in Uncategorized | Tagged: fake app, fake av, MaCatte, MaCatte Antivirus, macatte.com, McAfee, PC Tools, proscan5.info, rogue app, rogue av, RogueAntiSpyware.MaCatte, scareware, security, Spyware Doctor, Spyware Doctor with AntiVirus | 2 Comments »
Winifighter Clone: TrustFighter
Posted by Steve Espino on October 13, 2009
Another scareware has been spotted in the wild and it calls itself TrustFighter. This is a recent addition to the Winifighter family of scareware.
Same as other members of this family of scareware, as in a previous post, TrustFighter creates heaps of junk binary files in the %systemroot% and %system% directories.
Sample junk files are the following:
%systemroot%\51c0vzr24975.dll
%systemroot%\51cbthreatz1991.ocx
%systemroot%\524699py69fz.bin
%systemroot%\525z1vi9us4e4.cpl
%systemroot%\5294viz115.exe
%systemroot%\5eddaddwar9167z.dll
%systemroot%\5ezast95l495.dll
%systemroot%\5ezdaddware2359.cpl
%systemroot%\5z09s9yware545.cpl
%systemroot%\5z56th5eat19149.bin
%systemroot%\5z85thief22759.cpl
%systemroot%\5z99addware2835.ocx
%systemroot%\5z9bba5kdoor525.dll
%systemroot%\5z9cth5ef13559.cpl
%systemroot%\5zfdaddware950.bin
%systemroot%\5zfesparse709.exe
%systemroot%\6169th5zf99.ocx
%systemroot%\6210spywa5e192z.ocx
%system%\1905szea51146.cpl
%system%\190979iru57z7.ocx
%system%\190cszywa591879.exe
%system%\19105vizus1c.bin
%system%\19179virusz65.ocx
%system%\1930thief97z5.cpl
%system%\19559spamboz6bb.ocx
%system%\1958stezl2595.cpl
%system%\195b5hreat39894z.exe
%system%\19645worm7zd.exe
%system%\1969spz715.bin
%system%\1977zhacktool54d.cpl
%system%\19792troz5aa.bin
%system%\1987th5z92904.cpl
Here are some domains participating in this campain:
securityannounce(dot)com
securityadjust(dot)com
bestmalwaredetect(dot)com
pcprotectzone(dot)com
trustfighter(dot)com
Unsuspecting users get set back by $49.95 from their hard-earned money.
PC Tools Spyware Doctor protects your computers from the scum of the universe (the digital universe) and aptly detects TrustFighter as RogueAntiSpyware.Winifighter.
Posted in Rogue Apps | Tagged: bestmalwaredetect.com, Malware Research Centre, MRC, pcprotectzone.com, rogue app, rogue av, RogueAntiSpyware.Winifighter, scareware, security, securityadjust.com, securityannounce.com, theatypxdd.net, TrustFighter, trustfighter.com, Winifighter | Leave a Comment »
Another Shameless SEO based on Atlanta Flooding
Posted by Steve Espino on September 22, 2009
Users Googling “Atlanta flood pictures” receive a yet another SEO attack, using a possibly compromised legitimate Australian website hosting restaurants in the famous Bondi area.
Here’s a screenshot of a google search result:
A Fiddler capture shows us the redirections:
So we go from
hxxp://idrb.com/pdf_files/atlanta-flood-pictures.html
>hxxp://06d.ru/t.php
>>hxxp://read-cnn2.com/?pid=207&sid=de9f8f
>>>hxxp://winfixscanner7.com/scan1/?pid=207&engine=pHTyzjTyMzEyOS44Mi4xOTAmdGltZT0xMjUuNgAMPAVN
An installer named Soft_207.exe will be presented for download, which PC Tools Spyware Doctor with Antivirus aptly detects as RogueAntiSpyware.TotalSecurity.
At the moment, the PC Tools Malware Research Centre has observed the following domains being used for the distribution:
winfixscanner7(dot)com
15scanner(dot)com
These domains resolve to the following IP addresses:
89.47.237.55
89.248.174.61
213.163.89.60
But knowing the trend in scareware, there could be heaps more domains being created as we speak.
PC Tools Spyware Doctor with Antivirus protects its users from RogueAntiSpyware.TotalSecurity.
Posted in Uncategorized | Tagged: 06d.ru, 15scanner.com, 213.163.89.60, 89.248.174.61, 89.47.237.55, Atlanta flood pictures, fake alert, fake av, idrb.com, PC Tools, read-cnn2.com, rogue, rogue app, rogue av, RogueAntiSpyware.TotalSecurity, scareware, SEO, Spyware Doctor, Total Security, winfixscanner7.com | Leave a Comment »
Koobface on the Move, Serving Scareware
Posted by Steve Espino on September 18, 2009
The PC Tools Malware Research Centre has been seeing new movement on the koobface front Lately.
As koobface-serving domains are being taken down as early as the good guys discover them, the bad guys are at it and they respond by registering new ones. At the moment, their, C&C server is hosted in China with IP Address 61.235.117.83.
The bad guys are still using a fake facebook website, as well as posing as a fake codec, in order to distribute koobface.
Clicking anywhere on the page, presents us with a file named setup.exe. Here are some of the IPs being used to distribute koobface:
115.130.27.204
123.202.200.84
151.204.31.67
196.206.65.53
221.126.0.105
24.215.207.229
41.238.76.198
61.93.34.23
67.206.253.52
68.47.48.240
69.18.107.115
69.254.215.173
70.122.242.250
70.212.232.126
71.116.37.213
71.130.216.179
71.194.236.32
71.80.105.40
72.13.138.210
72.190.87.208
75.181.171.110
75.251.94.44
76.119.98.22
76.22.160.28
76.23.203.64
81.192.192.160
98.140.58.163
98.244.224.140
98.26.40.38
99.22.74.229
The javascript component being by used by koobface, remains bascically the same as before
And as before, koobface is still serving up scareware. From time to time, users are presented with a My Computer online scan, going through these domains:
gotrioscan(dot)com
plazec(dot)info
At some instances, we also get these warnings:
At the moment, these warnings are serving Internet Antivirus Pro.
In order to be protected against these attacks, users of PC Tools Spyware Doctor are advised to use the latest PC Tools update.
An earlier post about koobface can be found here.
Update:
Koobface has been going at it and here’s another one that spoofs youtube and serves koobface malware as a fake codec:
hxxp://71.197.170.226/d=www.marcellaburnard.com/0x3E8/view/console=yes/?go
Posted in Malicious Intent, Rogue Apps | Tagged: 61.235.117.83, 71.197.170.226, C&C, fake codec, fake video codec, Internet Antivirus Pro, koobface, KROTEG, Malware Research Centre, My Computer online scan, Net-Worm.Koobface, PC Tools, rogue, rogue app, rogue av, rogue domain, RogueAntiSpyware.InternetAntiVirus, scareware, security, setup.exe | 4 Comments »
Porn site distributes scareware
Posted by Steve Espino on August 27, 2009
Another website has recently been spotted to be serving up malware in the guise of fake video codecs.
This one praises itself as “The Best Nude Celebrity Movie Site”
hxxp://alyssafan.net/1.html
But in order to watch the any video, we would need to download and install their “Certified ActiveX video codec (VAC codec) use to protect content Copyrights”
The fake fake codec can be downloaded here:
hxxp://alyssafan.net/Mediacodec_v4.8.exe
One of the components used in this attack is an onfuscated javascript file that can be found in the %temp% folder.
This script translates to:
This script downloads:
hxxp://ue4x08f5myqdl.cn/u3.exe
Which then gives us scareware Safety Center:
Beware of fake video codecs!
Posted in Uncategorized | Tagged: alyssafan.net, fake alert, fake app, fake av, fake codec, fake video codec, Mediacodec, porn, rogue app, rogue av, Safety Center, scareware, security, The Best Nude Celebrity Movie Site, ue4x08f5myqdl.cn, video | 2 Comments »
Scareware asking for ransome: RogueAntiSpyware.System Security
Posted by Steve Espino on August 21, 2009
Scareware is BIG business. They use heaps of scare tactics in order to convince unsuspecting users into buying rogue applications. But here’s one that does a bit more than just scaring.
RogueAntiSpyware.System Security terminates almost all running processes. This basically prevents us from using our computers. More importantly, this hinders execution of tools necessary to investigate the infection and aid in removal of this rogue app.
Back in the day, in order to evade detection and removal, malware writers have targeted security-related applications. They have a black list of applications including (but not limited to) the following:
avast.exe
avp.exe
cmd.exe
icesword.exe
kav.exe
regedit.exe
taskmgr.exe
But now they block even the most harmless Windows applications such as calc.exe and notepad.exe. But not all applications should be terminated, because that basically means no Windows. No Windows means no profit so the bad guys need basic Windows functionality. Which tells us that they have probably stopped using blacklisting and shifted to whitelisting instead. They now have a list of applications that they would allow to be executed in the system.
Here’s part of some disassembly taken from a sample of RogueAntiSpyware.System Security, showing us evidence of whitelisting:
Rogue app takes a snapshot of all the processes in the system:
.rsrc:140B4B4F push edi
.rsrc:140B4B50 push 2
.rsrc:140B4B52 call CreateToolhelp32Snapshot
.rsrc:140B4B57 mov [ebp+hObject], eax
...
.rsrc:140B4B79 push ecx
.rsrc:140B4B7A push eax
.rsrc:140B4B7B mov [ebp+var_64C], 22Ch
.rsrc:140B4B85 call Process32FirstW
...
.rsrc:140B4BAB push [ebp+dwProcessId] ; dwProcessId
.rsrc:140B4BB1 push 0 ; bInheritHandle
.rsrc:140B4BB3 push 1FFFFFh ; dwDesiredAccess
.rsrc:140B4BB8 call ds:OpenProcess
It then terminates the processes not found in the white list:
.rsrc:140B4C00 push 0FFFFFFFFh ; uExitCode
.rsrc:140B4C02 push edi ; hProcess
.rsrc:140B4C03 call ebx ; TerminateProcess
and displays this message as a notification in the system tray:
.rsrc:14039998 aApplicationCan: ; DATA XREF: sub_140B4ADD+16A
.rsrc:14039998 unicode 0,
.rsrc:14039998 unicode 0,
.rsrc:14039998 dw 0Ah
.rsrc:14039998 unicode 0, ,0
.rsrc:14039A5E align 10h
.rsrc:14039A60 aWarning: ; DATA XREF: .rsrc:140104BF
.rsrc:14039A60 ; sub_140B4ADD+1DB ...
.rsrc:14039A60 unicode 0, ,0
.rsrc:14039A72 align 4
It then resumes processing the snapshot created earlier and the cycle continues:
.rsrc:140B4CDF lea eax, [ebp+var_64C]
.rsrc:140B4CE5 push eax
.rsrc:140B4CE6 push [ebp+hObject]
.rsrc:140B4CEC call Process32NextW
Here’s the list of applications that the scareware allows:
.rsrc:14046A48 off_14046A48 dd offset aAlg_exe ; DATA XREF: sub_140B49CF+26
.rsrc:14046A48 ; "alg.exe"
.rsrc:14046A4C dd offset aCsrss_exe ; "csrss.exe"
.rsrc:14046A50 dd offset aCtfmon_exe ; "ctfmon.exe"
.rsrc:14046A54 dd offset aExplorer_exe ; "explorer.exe"
.rsrc:14046A58 dd offset aServices_exe ; "services.exe"
.rsrc:14046A5C dd offset aSlsvc_exe ; "slsvc.exe"
.rsrc:14046A60 dd offset aSmss_exe ; "smss.exe"
.rsrc:14046A64 dd offset aSpoolsv_exe ; "spoolsv.exe"
.rsrc:14046A68 dd offset aSvchost_exe ; "svchost.exe"
.rsrc:14046A6C dd offset aSystem ; "system"
.rsrc:14046A70 dd offset aIexplore_exe ; "iexplore.exe"
.rsrc:14046A74 dd offset aLsass_exe ; "lsass.exe"
.rsrc:14046A78 dd offset aLsm_exe ; "lsm.exe"
.rsrc:14046A7C dd offset aNvsvc_exe ; "nvsvc.exe"
.rsrc:14046A80 dd offset aWininit_exe ; "wininit.exe"
.rsrc:14046A84 dd offset aWinlogon_exe ; "winlogon.exe"
.rsrc:14046A88 dd offset aWscntfy_exe ; "wscntfy.exe"
.rsrc:14046A8C dd offset aWuauclt_exe ; "wuauclt.exe"
As we can see, RogueAntiSpyware.System Security is more than just scareware. You won’t be able to properly use your computer unless you buy the rogue app. Sounds more like ransomeware to me.
But, now that we know that it uses whitelisting, we can do a little work around and bypass this technique. We can rename a copy of the tools that we need to run as one of the whitelisted applications and voila! We’ve already taken one step into regaining full use of our infected computer.
We have previously discussed RogueAntiSpyware.System Security being linked to Net-Worm.Koobface and a fake Facebook website at an earlier post.
PC Tools Spyware Doctor with Antivirus detects and removes RogueAntiSpyware.System Security.
Posted in Malicious Intent, Rogue Apps | Tagged: app, blacklist, Facebook, fake, fake alert, fake av, Net-Worm.Koobface, PC Tools, ransomware, rogue, rogue av, RogueAntiSpyware.System Security, scareware, security, Spyware Doctor, terminateprocess, whitelist | Leave a Comment »
Rogue AV Clone: Windows Protection Suite
Posted by Steve Espino on August 20, 2009
Another scareware has been spotted and it calls itself Windows Protection Suite.
You can get Windows Protection Suite from one of these urls:
hxxp://searchscanner.net/?p=WKmimHVlbXCHjsbIo22EfYCIt1POo22YXZmK0qR0qay9sYmbm5h2lpd9fXCHodjSbpRelWZsmGGZYWPMU9jSzKKsl3OWh9esb2VraWhpbWyWX5aMlJNq
hxxp://linewebsearch.com/?p=WKmimHVlbXCHjsbIo22EfYCIt1POo22YXZmK0qR0qay9sYmbm5h2lpd9fXCHodjSbpRelWZsmGGZYWPMU9jSzKKsl3OWh9esb2VraWhpbWyWX5aMlJNq
hxxp://linewebsearch.com/?p=WKmimHVlaGuHjsbIo22Eh4uLt1POo22eU9LXoKitiJ%2FY1cRflJ2dcZqTgX6YU9janW1eZWpslGGbZmGXkonZ0Zqop5uikomtpXFqZmxtbWmaYZyfV5OQcQ%3D%3D
hxxp://linewebsearch.com/build8_102.php?cmd=getFile&counter=1&p=WKmimHVlaGuHjsbIo22EfYCLt1POo22eU9LXoKitiJ/Y1cRflJ2dcZqTgX6ZU9janW1jZWJsmGGXZGSeXonZ0Zqop5uikomtpXFqZmxsa3CaXpmbV5OQcQ==
hxxp://guardinfo.net/?p=WKmimHVlbm2HjsbIo22EfYCIt1POo22cU9LXoKith6Swz9KwoFqbnZxxmpinc4rapZxql2OemI6WaWeZY5WK2J%2Bgo6vKnpRfpqd2ZWppaHCUXpeaaFaQl28%3D
It uses the same tactic as seen on earlier posts here and here where the website claims to scan the unsuspecting user’s computer, detects heaps of infections, and offers a bogus solution.
Looking at the installed scareware we find out that Windows Protection Suite is nothing but a clone of Windows Security Suite.
Even their websites are clones:
hxxp://windowsprotectionsuite.com
hxxp://windowssecuritysuite.com
Posted in Rogue Apps | Tagged: clone, fake alert, fake av, guardinfo.net, linewebsearch.com, rogue app, rogue av, scareware, searchscanner.net, security, Windows Protection Suite, Windows Security Suite, windowsprotectionsuite.com, windowssecuritysuite.com | Leave a Comment »
Social engineering trick leads to Rogue AV: MacroVirus
Posted by Steve Espino on August 13, 2009
I was reading a blog about a Rogue AV then I noticed a suspicious comment on it:
It the user was recommending an antispyware program and gave us the following url:
www(dot)tinyurl(dot)com/qlft9c
Following the link, tinyurl does its magic and we are directed to:
hxxp://macrovirus(dot)com/?hop=starbasi
If we believe everything we see and hear, we’ll be downloading and installing a scareware:
Here we can see that the bad guys are clearly taking advantage of the url shortening service from tinyurl.com.
Also, you might notice, there’s a striking resemblance between the following:
bassey edet
and
hxxp://macrovirus(dot)com/?hop=starbasi
This is probably giving us a hint as to how the bad guys get paid.
If you got this scareware, remove it immediately.
Posted in Rogue Apps | Tagged: fake alert, fake av, macrovirus, qlft9c, rogue app, rogue av, scareware, security, starbasi, tinyurl | Leave a Comment »
