Author Archive for admin

07 Nov

Spyware Protector

Note: The sites we talk about in this post distribute Rogue “Fake” Anti-Malware product.  Do not visit, pay, or download the software discussed below.

Here is a newer rogue threat we found to be active today.  The files are not available yet.

Spyware Protector

Whois:

ICANN Registrar:  ONLINENIC, INC.
Created:  2008-09-29
Expires:  2009-09-29
Updated:  2008-11-05
Registrar Status:  ok
Name Server:  NS1.FREEFASTDNS.COM (has 135 domains)
Name Server:  NS2.FREEFASTDNS.COM
Whois Server:  whois.onlinenic.com

Server Data
IP Address:  89.149.255.190
IP Location   - Germany - Netdirekt E.k
Response Code:  200
Domain Status:  Registered And No Website

DomainTools Exclusive
Registrant Search: “Shestakov Yuriy” owns about 4,332 other domains

Terse Summary:

GET hxxp://adserver.eosads.com/redirect3/traf.php?id=454 200 OK
GET hxxp://adserver.eosads.com/redirect3/scr.php?a=754739&lang=en-us&id=454&ref=http://spyware-protector.com/  200 OK
GET hxxp://spyware-protector.com/in.php  404 Not Found
GET hxxp://spyware-protector.com/install.php 200 OK
GET hxxp://spyware-protector.com/favicon.ico 404 Not Found

06 Nov

Antispyware 2008 Rogue Served Through Download.com Ads

A few months ago we warned of Google sponsored results pointing to rogue anti-malware applications  (read: Sponsored Result != Safe) and more recently we talked about malicious ad content being displayed through pop-up ads hosted by Motigo’s free analytic services (read: Antivirus 2009…brought to you by Motigo).  Today we received word from a fellow security researcher, mwdisector, that a rogue anti-malware application was being served via ads in the bottom right corner of the Download.com website.

In our previous post regarding a related incident, where Motigo served Antivirus 2009 rogue pop-up ads, we told website owners to make sure they fully understand all of the risks involved in implementing third-party tools, ads, or services.

It’s obvious that the ad companies are not doing a good enough job of making sure their links are safe. For this very reason, you do not see Google AdSense or similar types of advertisements on Malware Database: it would result in our viewers being infected, and that is something we cannot have. MalwareBytes and Panda Security are two companies that we stand by, and those are the only type of ads you will see here, ads that we can guarantee will not lead to infections.

Download.com does have an initiative for malware-free downloads, but they state nothing about making sure their text-based and image advertisements are malware-free. We are hoping the people at Download.com read this and take a stand against current and future threats promoted through their sponsored ads!

Rogue sponsored link served via Download.com (Antispyware 2008 ad)

Points to the Antispyware 2008 Rogue

*Do not attempt to visit this site or download the software*

What Antispyware 2008 looks like

File: setupxv.exe
VirusTotal:
Result: 12/36 (33.33%)
File size: 5620057 bytes
MD5...: 15134735aff21a9162bef607684b9ca4
SHA1..: 72eff32a2187c339115e6842f80f6aa2273c48be
SHA256: f438f8c9b9f04fb4ee4fbbd2b215abbffb863c99e4a7f28012b0b45c8fe628ed
SHA512: f1e6b742c32c2931697d3ac9c06010d91bb4014d87d5d3a7ac8b6f667e5a08d0f52ab7bb7864d87ad1ee7d9e1f664713b2c59f529869719294f0b380d27f4e44
PEiD..: Armadillo v1.71
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (75.0%)
Win32 Executable Generic (16.9%)
Generic Win/DOS Executable (3.9%)
DOS Executable Generic (3.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x412c8f
timedatestamp.....: 0x4466b13c (Sun May 14 04:25:32 2006)
machinetype.......: 0x14c (I386)

Removal Information: Need assistance removing this malware?
Click here for more information about malware removal.

Don’t forget to ask for help in our user forums!

03 Nov

Antivirus Pro 2009 - Exploiting Human Weakness for Money

Note: The sites we talk about in this post distribute Rogue “Fake” Anti-Malware product.  Do not visit, pay, or download the software discussed below.

Almost every day our viewers ask us about Rogue anti-malware software.  Out of all of the questions we receive, the most common is “When will these attacks stop?”  The sad truth is that we cannot see an end to this problem in sight.  As long as malicious individuals are able to trick or force users into downloading, installing, and eventually paying for their fake “Rogue” anti-malware products, they will continue to develop and push the envelope.

Antivirus Pro 2009

The user will be prompted with the following message in the event that the browser blocks the download.  When the user clicks on “Click here to get full advanced real-time protection and continue browsing”, it will automatically forward them to the payment gateway page.

“Insecure Internet Activity. Threat of Virus Attack!  Due to the insecure Internet browsing your PC can easily get infected with viruses, worms and trojans without your knowledge, and that can lead to system slowdown, freezes and crashes”

Antivirus Pro 2009 Browser Warning

Installer:

There are three possible options to the Antivirus Pro 2009 Installer. Continue, Terms of Service and Cancel.

Antivirus Pro 2009

Canceling the Installation:

When attempting to exit the installer via the cancel button, the setting defaults to “Continue with installing and running free scanner.”

Antivirus Pro 2009 Cancel Install

Terms of Service:

Antivirus Pro 2009 Terms of Service

Interface:

The interface may look convincing to unsuspecting victims.

Antivirus Pro 2009 Interface

Scare Messages:

Victims are presented with various scare messages to entice a purchase.

“WARNING! Antivirus Pro 2009 has found 27 useless and UNWANTED files on your computer!”

Personal data at the reach of anyone’s hand

Internet history records available

Compromising and adult material stored on your system

Chat sessions’ logs and personal Emails easily reachable

Antivirus Pro 2009 Scare Tactics

Payment Gateway:

hxxps://secure.soft-payments.com via AS20495 (WEDARE We Dare BV Autonomous System)

secure.soft-payments.com

Antivirus Pro 2009 Payment Gateway

SharedNS:

Antivirus Pro 2009 Shared NS

VirusTotal:

7/36 (19.44%) –> hxxp://www.av-pro-2009.com

7/36 (19.44%) –> hxxp://xp-as-2009.com

11/36 (30.56%) –> hxxp://xpas-2009.com

16/36 (44.44%) –> hxxp://av-pro2009.com

16/36 (44.44%) –> hxxp://avpro-2009.com

16/36 (44.44%) –> hxxp://avpro2009.com/

Removal Information: Need help removing this malware?
Click here for more information on the removal process.

Don’t forget to ask for help in our user forums!

03 Nov

Prodigy Antivirus - 5 files added - 1 domain added [Low Detection]

Please do not visit the sites below.  The data discussed here is for informational purposes only!

I was doing my normal malware searching rounds tonight and came across a file called ProdigyAntivirus.exe.  The installer (ProdigyAntivirus.exe) drops 4 files inside of %windir% and is currently being hosted on a RapidShare account.

Session Summary:

#   Result    Protocol    Host    URL    Body    Caching
0   302  HTTP   prodigy-antivirus.com /179
1   302  HTTP   rapidshare.com /files/160002556/ProdigyAntivirus.ex[e]
2   200  HTTP   rs317tl2.rapidshare.com/files/160002556/ProdigyAntivirus.ex[e]

Installing:

Prodigy Antivirus

Files Dropped:

c:\windows\csrss.exe –> 6b4ec82b2ca24014a14a955d7f957eeb
c:\windows\alg.exe –> 8822188d4c681fc23804bbccb457136d
c:\windows\lsass.exe –> ee26d966411103783e6371543b843719
c:\windows\msinet.ocx –> 40d81470a19269d88bf44e766be7f84a

VirusTotal: 6/36 (16.67%)

ThreatExpert: 5fd5bb1f-1df6-4a26-a992-96b167c5a40d

31 Oct

Antivirus 2009 - 0 files - 2 new sites

Note: This site is distributing Rogue “Fake” Anti-Malware product.  Do not visit, pay, or download the software discussed below.

Antivirus 2009

Site:
http://antivirus-premiumscan.com
http://antivirus-scan-online.com/

Files: None yet

Shared NS (ns1.freefastdns.com and ns2.freefastdns.com):

29 Oct

Real Antivirus | Many Files Added - 1 Domain Added (2/36)

Note: This site is distributing Rogue “Fake” Anti-Malware product.  Do not visit, pay, or download the software discussed below.

We found a new site pushing RealAV today.  The download link pushes more than one binary. This is NOT  a real Antivirus product!  Do not download or install it!

Real Antivirus

Site: http://real-antivirus.com  - http://real-antivirus.org
Download: hxxp://real-antivirus.com/cgi-bin/download.pl?code=00000000
File: RealAV.exe
VirusTotal: Result: 2/36 (5.56%)
Additional information
File size: 1954304 bytes
MD5...: aaa18c5564891bad2636e98c60c11842
SHA1..: 61ba85670781d513cd5166e50fc9b642295592db
SHA256: 642594b433ec6421764e58d8b556d9d3ead16254bacad50f49b3a9da239d89f3
SHA512: 9e131ef300832706bc823b8fdd3466f5bbd795a6a08c7611a1420bd309af4ce93d5cfb1b28a583a84a19914d17c342c0b0a05723cbef6f4c656b69c0f3a4532e
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (80.9%)
Win32 Executable Generic (8.0%)
Win32 Dynamic Link Library (generic) (7.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x5dc6b4
timedatestamp.....: 0x47d00775 (Thu Mar 06 15:02:13 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1dbfaa 0x1dc000 8.00 0149aea4dcfc5237618a57aec6faa4f8
.data 0x1dd000 0xaa3 0xa00 4.98 9a9e7d8c4e76cbfbef3957499f3edab3
.rsrc 0x1de000 0x398 0x400 3.07 abfcff94d64f4e80fd119ac67c89283a

ThreatExpert:

File System Modifications
  • The following files were created in the system:
    # Filename(s) File Size File MD5
    1 %DesktopDir%\RealAV.lnk 620 bytes 0xE9A1298101E75059D6B2B2DAF50FD6D5
    2 %Temp%\stylrit0.tmp 567,416 bytes 0xC8F83A8327B280A6E33CF667904C9607
    3 %Programs%\RealAV\RealAV.lnk 632 bytes 0xC93690825D178EB769AD4473A5230818
    4 %ProgramFiles%\RealAV\RealAV.exe [file and pathname of the sample #1] 1,954,304 bytes 0xAAA18C5564891BAD2636E98C60C11842
    5 %ProgramFiles%\RealAV\vscan.tsi 10,073 bytes 0x5BC533CD757B5BC635EB6E7FAB5E1C8E
    6 %ProgramFiles%\RealAV\zlib.dll 196,608 bytes 0x4D60C419FB5BB06D30B6F6AD5607E480
  • The following directories were created:
    • %Programs%\RealAV
    • %ProgramFiles%\RealAV
    • %ProgramFiles%\RealAV\Infected
    • %ProgramFiles%\RealAV\Suspicious

Registry Modifications
  • The following Registry Key was created:
    • HKEY_CURRENT_USER\Software\RealAV
  • The newly created Registry Values are:
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      • RealAV.exe = “%ProgramFiles%\RealAV\RealAV.exe”
      so that RealAV.exe runs every time Windows starts
    • [HKEY_CURRENT_USER\Software\RealAV]
      • Autorun = 0x00000001
      • RegisterShellExtension = 0x00000001
      • CheckForUpdates = 0x00000000
      • QuickScanAtStartup = 0x00000001
      • StartMinimized = 0x00000001
      • ID = 0x00000001
      • ScanArchives = 0x00000001
      • ScanFiles = 0x00000001
      • ScanMail = 0x00000001
      • ScanProcesses = 0x00000001
      • ScanRegistry = 0x00000001
      • BasesVersion = 0x00000001
      • CoreVersion = 0x00000001
      • TotalScans = 0x00000001
      • lastScanDate = 0x130A07D8
      • lastScanTime = 0x122D003B
      • lastUpdateDate = 0x00000000
      • lastUpdateTime = 0x00000001

24 Oct

Antivirus XP 2008 morphs to MS Antivirus to Antivirus VIP

It’s no surprise that rogue security software authors have to get creative when trying to infect as many people as possible, especially when we work very hard to keep them exposed.  Among many techniques, they use mutilated domain naming schemes, affiliate system abuse and redirection, and almost always the last-ditch attempt at improving their infection ratio is morphing.  Remember when we talked about XP Antivirus 2008 morphing to MS Antivirus? Today we detected a new morph in the XP Antivirus series.  Antivirus XP 2008 morphed to MS Antivirus on August 21st and today it morphed to Antivirus VIP.

Antivirus VIP

Site: http://antivirus-vip.com
File: Not Available Yet

Server Data

IP Address: 216.32.76.87
IP Location United States - Texas - Plano - Layered Technologies Inc
Response Code: 200
SSL Cert: www.antimalware-pro.com expires in 332 days.
Domain Status: Registered And Active Website

23 Oct

Antivirus 2009 - 2 files added - 5 domains added (Low Detection) 1/36

Today I came across a new Antivirus 2009 binary with a 1 out of 36 detection ratio on VirusTotal.  The session starts at antivirus-best.com, where the page is reduced to a pop-up message, as usual.  Then we are briefly taken to voodoorevenue.com, where the affiliate information for the malware creators is sent, and then redirected to the point of download, protection-overview.com.

Screenshot:

Antivirus 2009

Removal Information:

We successfully tested MalwareBytes to remove this threat.
Click here for more information on the removal process.

Malware Bytes

Session Summary

#    Result    Protocol    Host    URL    Body
538    200    HTTP    antivirus-best.com    /
539    200    HTTP    antivirus-best.com    /window.js
540    200    HTTP    CONNECT    urs.microsoft.com:443
541    200    HTTP    antivirus-best.com    /_freescan.php?id=
542    200    HTTP    antivirus-best.com    /fileslist.js
543    200    HTTP    antivirus-best.com    /progressbar2.js
544    200    HTTP    antivirus-best.com    /common.js
545    200    HTTP    antivirus-best.com    /hat1.jpg
546    200    HTTP    antivirus-best.com    /pixel_trans.gif
547    200    HTTP    antivirus-best.com    /bgleft.gif
548    200    HTTP    antivirus-best.com    /disks.gif
549    200    HTTP    antivirus-best.com    /bgtop1.gif
550    200    HTTP    antivirus-best.com    /warning.jpg
551    200    HTTP    antivirus-best.com    /pbbg2.gif
552    200    HTTP    antivirus-best.com    /table1.gif
553    200    HTTP    antivirus-best.com    /footer.gif
554    200    HTTP    antivirus-best.com    /bgright.gif
555    200    HTTP    antivirus-best.com    /popup4.gif
556    200    HTTP    antivirus-best.com    /pbbg.gif
557    200    HTTP    antivirus-best.com    /closebutton.gif
558    404    HTTP    antivirus-best.com    /favicon.ico
559    200    HTTP    antivirus-best.com    /warning2.jpg
560    200    HTTP    antivirus-best.com    /table2.gif
561    302    HTTP    voodoorevenue.com    /soft.php?aid=0777&d=100&product=XPA&refer=c79bfd2d5
562    302    HTTP    protection-overview.com    /2009/100/freescan.php?id=880777
563    200    HTTP    protection-overview.com    /2009/download/trial/A9installer_880777.exe

After Install

780    200    HTTP    secureupdateserver.com/download/av_2009.exe  > called by: a9installer_880777:1580
781    206    HTTP    secureupdateserver.com/download/av_2009.exe  > called by: a9installer_880777:1580
782    200    HTTP    secureupdateserver.com/download/av_2009.exe  > called by: a9installer_880777:1580
783    200    HTTP    secureupdateservice.com/firstrun.php?product=AV9&aff=880777&update=2409av9nv&time=00:00:00  > called by: av2009:732

Files:

DownloadPath\$$$$$$$$$.bat (deletes the installer)
%ProgramFiles%\Antivirus 2009\av2009.exe
%SystemRoot%\System32\scui.cpl

Registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: 66878074513444726827872864318771
Value: C:\Program Files\Antivirus 2009\av2009.exe
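The infection chain above (landing page, affiliate redirect, download host) and the Run-key persistence are the two things a defender can match on. The following is an added example, not code from the post or the Malware Database site: it parses session lines in the same column layout as the post's Session Summary, flags a run of 302 redirects that ends in a 200 for an .exe, and applies an assumed heuristic (a Run value name made only of digits, 20 or more of them, pointing at an .exe) to the registry entry shown above. The input lines are copied from the post; the heuristic thresholds are assumptions.

```python
import re
from dataclasses import dataclass

# Session lines in the post's "Session Summary" layout:
# number, result, protocol, host, path (taken from the post, not a live capture).
SESSION = """\
538    200    HTTP    antivirus-best.com    /
541    200    HTTP    antivirus-best.com    /_freescan.php?id=
561    302    HTTP    voodoorevenue.com    /soft.php?aid=0777&d=100&product=XPA&refer=c79bfd2d5
562    302    HTTP    protection-overview.com    /2009/100/freescan.php?id=880777
563    200    HTTP    protection-overview.com    /2009/download/trial/A9installer_880777.exe
"""

LINE_RE = re.compile(r"^(\d+)\s+(\d{3})\s+(\w+)\s+(\S+)\s+(\S+)$")


@dataclass
class Entry:
    num: int
    status: int
    host: str
    path: str


def parse_session(text):
    """Parse the whitespace-separated session table; lines that do not fit are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(int(m[1]), int(m[2]), m[4], m[5]))
    return entries


def find_redirect_to_exe(entries):
    """Return (hosts in chain, final path) for every run of 302s that ends in a 200 for an .exe."""
    findings = []
    chain = []
    for e in entries:
        if e.status == 302:
            chain.append(e.host)
        elif e.status == 200 and chain and e.path.lower().endswith(".exe"):
            findings.append((chain + [e.host], e.path))
            chain = []
        else:
            chain = []  # any other response breaks the redirect run
    return findings


# Assumed heuristic: legitimate Run values usually carry a product name,
# not a long digit string like the 32-digit name in the post.
RUN_NAME_RE = re.compile(r"^\d{20,}$")


def suspicious_run_value(name, value):
    """True when a Run value has an all-digit name of 20+ chars and launches an .exe."""
    return bool(RUN_NAME_RE.match(name)) and value.lower().endswith(".exe")
```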

File: A9installer_880777.exe
VirusTotal: 1/36 (2.78%)

Additional information
File size: 139776 bytes
MD5...: b0674e8e6c99de286a62b2fde5358110
SHA1..: ee50b8901e011e56ff9b0ddaa045e8e54500426f
SHA256: cef3a6aae1291b1e2335cd034953ff1936bb38c1e2406256700266ee7269adc9
SHA512: 06fd1e8ad4b39f04f0862a7b8eadd4a00eaa7c99cd7e3c3e547326728cae8b35023030034e4c3809d61976c63ce6ab337e480d59076b6a942cff8303b8550c41

File: av2009.exe
VirusTotal: 3/36 (8.33%)

Additional information
File size: 1265152 bytes
MD5...: dd624cacbcf3b1a0e39f2724fc7eca54
SHA1..: 99e1a1219ef624dafb3faa3e02d7addf8fc4203f
SHA256: a1c7724a05a37d7a842be34acf0c42fc37f019c6f5b49cd2e00d48baa14d7a91
SHA512: 9623e0d41c42a69621e601eb893ab4bf2d0e0f8660a52698c4e6d3035f609baf8546279aa40eca1c2f9cde767c0e17dacbc9f26ef6dfb54bbb7c496441b6f50a

Removal:

Remove this threat with MalwareBytes!

21 Oct

XP AntiSpyware 2009 - 1 site added - 1 file added

Note: This site is distributing Rogue “Fake” Anti-Malware product.  Do not visit, pay, or download the software discussed below.  See how to remove XP AntiSpyware 2009 below.

We came across yet another XP AntiSpyware 2009 page today.  The layouts have been getting even more professional looking and of course they are still stealing design elements from the Microsoft web site and product lines.

Related: http://malwaredatabase.net/blog/index.php/2008/10/09/e-cardexe-threat-braviax-xp-antispyware-2009/

XP AntiSpyware 2009

Site: http://xpas-2009.com
File: Install.exe
VirusTotal: Result: 22/36 (61.12%)
File size: 83892 bytes
MD5...: 0d21323b462dc15ddab0bc7012421ed6
SHA1..: bf9f58afb9bc96e95e0295d4b21ca945bf2ebe8f
SHA256: 8c7c575730f0c5a77f0cf1756876fd4956a0b3b3a9d23f9e7462c19868fb6600
SHA512: 74d5122447f84a819c14dbb2948713f0eb2d4ef1332665d5341287cdfa5ba4d053faa4cc00544218ce6ae6176668e1828ee61ffde825bf95da3aaa820c564fdf

Removal:

Remove this threat with MalwareBytes!

20 Oct

Smart Antivirus 2009 - 1 Site Added - 1 File Added (0/36)

Note: This site is distributing Rogue “Fake” Anti-Malware product.  Do not visit, pay, or download the software discussed below.  See how to remove AntiMalware 2009 below.

Today we found an older Smart Antivirus domain distributing a newly undetected (0/36 on VirusTotal) rogue installer.

Smart Antivirus 2009

Site: http://s-avirus2009.com
File: setup.ver1_1000.0_.exe
VirusTotal: Result: 0/36 (0.00%)

File Size: 114688 bytes
MD5...: b55bc958eb37ae1e2c325d45857c22eb
SHA1..: 4dd883998504bd856b5fe343b2242e1f5eb49b97
SHA256: cbb56264d1abc9c77502f93b0ad7a4d1749f60dd3bf916e9fad41f7332b0b622
SHA512: b09ddceb8fe45b5e8e6053cb6f7223093b41f8a91cbb1bdaff7fb5270e22391d58e49240924f4e8939fd35e34f372c96a6391b97438e76e9c5b99fa8db5f100a

Removal:

Remove this threat with MalwareBytes!
