Author Archive for mwdisector

20 May

FOX serving up malvertisement leading to scareware products

An advertisement for car insurance served up by the “FOX Audience Network” (domain fimserve.com) is redirecting visitors to a couple of different scareware/rogue security software websites. These scareware websites perform a fake virus scan and then tell the victim they are infected (when in reality they aren’t) and to download their “security” application to clean up the infection. Their security application does not perform as advertised. Typical method of operation for the scareware purveyors.

[Screenshot: the malvertisement] leads to ==> [Screenshot: uniqviruscleaner.com]

WARNING: Stay away from this badness!

Malvert link:
hxxp://cache.fimservecdn.com/contents/377/311/311377/CR_autopolicyweb_728x90_V6.swf?clickTag=http%3A//delb.opt.fimserve.com/lnk/%3Fk%3DMzY5N

Scareware/rogue website links:
hxxp://windows-helpcenter.com/?id=198760222
hxxp://uniqviruscleaner.com/index.php?affid=08043

windows-helpcenter.com – 83.229.250.27
uniqviruscleaner.com – 209.44.126.241 (Registered today 5/20/2009)

VirusTotal scan of rogue application file shows 6/40 detections:
http://www.virustotal.com/analisis/c4bd7049e54a00b21e978c6227849bd7

–mwdisector
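The malvert above is a Flash creative whose clickTag parameter (the standard click-through parameter for Flash ads) carries the redirect target in URL-encoded form, so the real destination is only visible after decoding. The following is an added example, not code from the post, that unwraps such nested redirect parameters and reports any hop that leaves the ad network's own domains, which is the check an ad-ops reviewer would run on a creative before serving it. `REDIRECT_PARAMS`, the allowed-suffix lists and `CONSTRUCTED_URL` are assumptions for the example; `MALVERT_URL` is the link quoted in the post with its defanged `hxxp` restored.

```python
from urllib.parse import urlsplit, parse_qsl

# Query parameters that ad creatives and click redirectors commonly use to
# carry a destination URL. Assumed list: extend it for your own ad stack.
REDIRECT_PARAMS = {"clicktag", "url", "u", "redirect", "redir", "link",
                   "lnk", "dest", "destination", "target", "r"}

# The malvert URL quoted in the post (defanged hxxp restored to http so it parses).
MALVERT_URL = ("http://cache.fimservecdn.com/contents/377/311/311377/"
               "CR_autopolicyweb_728x90_V6.swf?clickTag=http%3A//delb.opt."
               "fimserve.com/lnk/%3Fk%3DMzY5N")

# Constructed example (not from the post): a creative whose clickTag goes through
# a redirector (doubly encoded) and lands on the scareware site named in the post.
CONSTRUCTED_URL = ("http://cache.example-cdn.test/ad.swf?clickTag=http%3A//"
                   "delb.opt.example-ad.test/lnk/%3Furl%3Dhttp%253A//"
                   "windows-helpcenter.com/%253Fid%253D198760222")


def embedded_urls(url):
    """Return (param, decoded_value) for query parameters whose value is a URL.

    parse_qsl percent-decodes one layer, so a doubly encoded inner URL comes
    back still encoded once and is unwrapped on the next call.
    """
    found = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.lower() in REDIRECT_PARAMS and value.lower().startswith(("http://", "https://")):
            found.append((name, value))
    return found


def redirect_chain(url, max_depth=5):
    """Hosts visited, in order, if every embedded redirect parameter is followed."""
    hosts = [urlsplit(url).hostname]
    current = url
    for _ in range(max_depth):
        nested = embedded_urls(current)
        if not nested:
            break
        current = nested[0][1]          # follow the first redirect parameter found
        hosts.append(urlsplit(current).hostname)
    return hosts


def unexpected_hosts(url, allowed_suffixes):
    """Hosts in the chain that are not under the ad network's own domains.

    A creative whose click-through leaves the network's redirector for an
    unknown host is what a reviewer should reject or investigate.
    """
    def allowed(host):
        return any(host == s or host.endswith("." + s) for s in allowed_suffixes)
    return [h for h in redirect_chain(url) if h and not allowed(h)]


if __name__ == "__main__":
    print(redirect_chain(MALVERT_URL))
    print(unexpected_hosts(CONSTRUCTED_URL, ("example-cdn.test", "example-ad.test")))
```

For the post's own link the chain stays inside fimserve.com / fimservecdn.com, which is why the static check alone would pass it: the hop to the scareware sites happened server-side at the redirector, so a review process also has to fetch the redirector's final destination (with a real client or a sandboxed browser), not just decode the creative.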

01 May

No magic with this rogue

I was taking another stroll around the seedy side of the Internet the other day hunting for rogues and it didn’t take long to find one. It’s called Spyware Protect 2009, original name there ha ha. It’s another fraud/scareware product that requires you to hand over $49.95 before you can try out what I’m *sure* is a great fully functional anti-spyware product (*cough* *cough*). ;)

[Screenshot: antiwareprotect.com website]

As I poked around their website I noticed information about the company behind the software and I decided to do some Googling.

The company they claim to be is Magic Software, Inc. I find a company with that name in my search, except they are actually called Magic Software Enterprises. They appear to be legitimate with a legit NASDAQ stock listing and everything (MGIC). Their website is http://www.magicsoftware.com/. And then I found what I thought I’d find: a fraud alert notice linked off their home page.

[Screenshot: antiwareprotect.com company info page]

[Screenshot: the real Magic Software company website]

“We are aware that there is an entity pretending to be Magic Software Inc., distributing notices promoting Spy-protec.com, a corrupt website soliciting visitors to purchase its anti-spyware called Spyware Protect 2009.  Please be advised that both Spy-protec.com and Spyware Protect 2009 are fraudulent browser programs that hijack your computer and modify your browser configuration.  Please be aware that this fraudulent entity has nothing to do with either Magic Software Enterprises Ltd., or Magic Software Enterprises Inc. We are not a part of, and we have no relations with this aforementioned entity.”

So, there IS a real Magic Software but they don’t sell anti-spyware software.  Big surprise – the criminals behind the fraudware are using yet another deceptive tactic.

WARNING: Stay away from these domains, nothing but badness!

spy-protec.com (n/a)
REG DATE: January 1, 2009
REGISTRAR: REGTIME LTD.
STATUS: Placed on hold, no registrant info

antiwareprotect.com (91.212.65.122)
REG DATE: April 13, 2009
REGISTRAR: BLUE GRAVITY COMMUNICATIONS, INC. (I’ve seen a lot of registrars but have never seen this one before)
REGISTRANT: Protected by PrivacyProtect.org (No surprise there)

91.212.65.122 has a couple of bad domains on it:
antiwareprotect.com
spyware-protector-2009.com
secure.spyware-protector-2009.com

The whole 91.21.65.0/24 block has a bunch of rogue suspects like:
free-webscaners.com
free-web-scaners.net
free-web-scaners.org
globalsecurityscan.com
securedonlinecomputerscan.com
antivirusxppro-2009.com
spywareprotector-2009.com
spyware-protector-2009.com
internetsafetyexamine.com
malwarefront.info
antivirus-xp-pro-2009.com

–mwdisector

25 Apr

Rogue security app quality = fail

I was going around the Internet hunting down rogue security applications the other day and I found a couple of websites serving up what seems to be a commonly used rogue that performs a fake security scan when you visit the website.

[Screenshot: pcguardscan.com fake scan in progress]

No big deal. However, when it attempted to download and run the rogue app onto my test system, the rogue application gave an error saying it wasn’t an executable file. I was unable to install it.

[Screenshot: yourpcshield.com post-scan infection warning]

[Screenshot: yourpcshield.com broken installer]

So much for their plan to collect revenue from this scareware rogue security application. I think they had better invest in some better quality assurance people and practices. LOL. Details…

WARNING: Stay away from these domains, badness!

209.44.126.14
Country: Canada
OrgName: Netelligent Hosting Services Inc.

pcguardscan.com
yourpcshield.com
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. DBA PUBLICDOMAINREGISTRY.COM

–mwdisector

16 Apr

Auto websites used to spread malicious PDF and Flash files

Websites with names that sound like legitimate auto businesses are spreading malicious PDF and SWF/Flash files. When you visit one of these sites it brings up an iframe containing the malicious PDF and Flash files.

[Screenshot: liteautorepair.cn]

One interesting thing about these sites is that if the visiting machine doesn’t have a PDF or Flash web browser plugin then the malicious code isn’t dropped onto the system. While this isn’t a new technique, I’m seeing it used more and more. In the past the files would be dropped onto the victim’s machine and an attempt made to run them, only to either fail silently or prompt the user asking how to handle the file.

The other thing is that the malware kind of tips its hat, because the iframe it brings up is visible, as opposed to the typical hidden iframe, yet is too small for the PDF it’s displaying inside. What’s the point of this? Not sure why they didn’t just bring up the iframe full screen, or at least large enough to display more of the PDF and thus not raise any suspicion. Maybe future revs will improve this. You reading this, CQA/MQA department? [Criminal/Malicious Quality Assurance] ;)

Their SW department did its job (Stealth Ware) because the malicious files served up are currently not being detected well:

readme_1_.pdf
VT scan 4/40 detected as malicious PDF/Gen:
http://www.virustotal.com/analisis/39320af4f3fceb3eae2ed6d89e0c914a

flash_1_.swf
VT scan 4/38 detected as exploit SWF/Gen
http://www.virustotal.com/analisis/df84f0a440e97b3b1c7fd583a091be4c

Stay away from these sites – nothing but BADNESS exists there!

liteautorepair.cn
liteautofinestsite.cn
liteautogreatest.cn
litehitscar.cn
hyperliteautoservices.cn

–mwdisector
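The tell described above (an iframe that loads a PDF or SWF and is either hidden or too small to be a real document viewer) is something a web proxy or crawler can flag from the page source alone, before any plugin runs. The following is an added example, not the post's code, that parses a page with the standard library, collects every iframe and reports those that load plugin content, are tiny, or are hidden by inline style. `SAMPLE_HTML` is constructed for the example (it reuses the file names from the post but is not the real landing page) and the `TINY_PX` threshold is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

PLUGIN_EXTENSIONS = (".pdf", ".swf")   # content that needs a browser plugin to render
TINY_PX = 30                            # assumed threshold for "too small to be a real frame"


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _pixels(value):
    """'1', '1px', ' 728 ' -> 1, 1, 728; None when the attribute is absent or not numeric."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def _style_pixels(style, prop):
    """Numeric value of a width/height property inside an inline style, or None."""
    m = re.search(prop + r"\s*:\s*(\d+)", style or "", re.I)
    return int(m.group(1)) if m else None


def _is_hidden(style):
    s = (style or "").replace(" ", "").lower()
    return "display:none" in s or "visibility:hidden" in s


def suspicious_iframes(html):
    """Return [(src, [reasons])] for iframes worth a second look.

    A frame is reported when it loads plugin content (.pdf/.swf), when either
    dimension is tiny, or when it is hidden by inline style. The small-but-
    visible frame described in the post is caught by the plugin-content rule
    even though it passes the size test.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for frame in collector.iframes:
        src = frame.get("src", "")
        path = urlsplit(src).path.lower()
        style = frame.get("style", "")
        reasons = []
        if path.endswith(PLUGIN_EXTENSIONS):
            reasons.append("plugin content: " + path.rsplit(".", 1)[-1])
        width = _pixels(frame.get("width")) or _style_pixels(style, "width")
        height = _pixels(frame.get("height")) or _style_pixels(style, "height")
        if any(d is not None and d <= TINY_PX for d in (width, height)):
            reasons.append("tiny")
        if _is_hidden(style):
            reasons.append("hidden")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed page (not from any site named in the post): a small visible frame
# for the PDF, a hidden 1x1 frame for the SWF, and an ordinary frame that
# should not be flagged.
SAMPLE_HTML = """
<html><body>
<iframe src="readme_1_.pdf" width="100" height="50"></iframe>
<iframe src="/flash_1_.swf" style="width:1px;height:1px;visibility:hidden"></iframe>
<iframe src="http://example.test/widget.html" width="600" height="400"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML):
        print(src, "->", ", ".join(reasons))
```

Because the real pages only emit the iframe when a plugin is detected, a crawler that fetches them with a plain HTTP client may never see it; the parser is most useful on HTML captured from an instrumented browser that advertises the plugins.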

23 Mar

Fake Reuters news story featuring Waledac malware

The fake video player tactic continues, with fake news websites popping up from the underworld ready to *play* on your Windows computer. The story does not end well for the computer owner, as their system will be totally compromised and ready for the criminals to do what they want. The malware hosted on these websites consists of Waledac trojans.

[Screenshot: fake Reuters story malware site]

hxxp://ynh.bestbreakingfree.com/main.php
leads to –> hxxp://ynh.bestbreakingfree.com/contact.exe

contact.exe
VirusTotal.com scan (8/39) detected as Waledac trojan:
http://www.virustotal.com/analisis/69c00e90f104010ecaea376ffa124a7a

WARNING: Malicious code on sites identified below, visit at your own risk!
Domains & IPs:
ynh.bestbreakingfree.com (67.180.35.24)
ns6.goodnewsdigital.com
ns1.urbanfear.com
ns4.spacemynews.com
ns6.wapcitynews.com
ns1.worldnewsdot.com
ns4.urbanfear.com
ns1.antiterrornetwork.com
ns6.bestusablog.com
ns3.bestlifeblog.com
ns2.urbanfear.com
ns3.blogsitedirect.com
ns6.antiterroralliance.com
ns2.tntbreakingnews.com
ns3.blogginhell.com
ns3.breakingkingnews.com
ns6.breakingnewsltd.com
ns1.breakingnewsltd.com

–mwdisector

11 Mar

Google serving up NASCAR news story leading to evil links

WARNING: Some domains and websites listed are full of EVIL!

[Screenshot: Google result link, highlighted]

I’m not a NASCAR fan but a buddy of mine is. So when he told me about a virus scan starting on his PC after visiting a NASCAR link I became interested. After looking into this deeper I discovered rogue security software being served up drive-by fashion when you clicked on a link served up by Google.

It’s found when you enter “NASCAR Atlanta Jimmy Watts” into Google.  I guess this NASCAR driver had some crew issues resulting in some suspensions – obviously a popular enough news story for the criminals to use it to push their fake warez.

The evil links served up are:
hxxp://5.hotnews.xorg.pl/19.php
hxxp://3.cnnnews.xorg.pl/91.php

Clicking on one of these (DON’T ADVISE IT) will redirect to another website which will then present you with a prompt saying your machine contains signs of viruses and malware and then wants you to run a scan, using their fake scan of course. At the end of the scan it will show you all the malware it found on your machine, incidentally none of which is actually on your computer, and then installs some evil software on your system.

Let’s follow the bouncing rogue software links…

Google search URI:
http://www.google.com/search?hl=en&q=NASCAR+Atlanta+Jimmy+Watts&btnG=Search

Serves up the following bad links (visiting with IE):
hxxp://5.hotnews.xorg.pl/19.php
hxxp://3.cnnnews.xorg.pl/91.php

[Screenshot: rogue security software fake scan]

These links redirect users to fake security software using drive-by install tactics:

hxxp://xp-police-09.com/lands/promo3


Digging a little deeper into the “xorg.pl” domain we find more evilness (with plenty of redirects):
hxxp://clubs.epxbbx.xorg.pl/map.html
–> hxxp://advertisechoice.cn/soft.php?aid=025304&d=1&refer=729adbe66

—–> hxxp://bestantimalwarescanner.com/promo/1/freescan.php?nu=77025304&back=%3DTQx4jj3NQMMMI%3DM


[Screenshot: evil Google link]

Domains/IPs:
xp-police-09.com (206.125.44.28)
3.hotnews.xorg.pl (213.155.2.37)
5.hotnews.xorg.pl (213.155.2.37)
clubs.epxbbx.xorg.pl (89.149.207.139)
advertisechoice.cn (83.133.126.201)
bestantimalwarescanner.com (194.165.4.7, 209.160.20.117)

09 Jan

Fake news and CNN.com websites featuring malware

A new attack involving fake news and CNN websites is spreading malware. The attack is very similar to the Classmates.com attack, where an email is sent to the victim with a link to a fake CNN.COM website that features a fake video which is really a trojan and rootkit.

Interestingly, the content looks like it was ripped off of CNN’s website because the links referenced CNN.com content.

WARNING: Websites hosting malicious content!

[Screenshot: fake CNN site with fake video]

Domains involved:
createnewsforccn.com
downloadplayersnews.com
enemyisraelattack.com
exlporernews.com
israelgazaconflict.com
newsforusacnn.com
startinstalladobe.com

Fake video malware file:
Adobe_Player10.exe

–mwdisector

30 Dec

Phishing emails pointing to fake Classmates.com website featuring malware

In the past couple of months there have been phishing campaigns against Classmates.com. On a regular basis, emails talking about class reunions and containing links pointing to fake Classmates.com websites have spewed onto the Internet. These fake websites have fake videos which are actually malware (EXE files) designed to take control of your computer using trojans and keyloggers. Oh, and by the way, these EXE files will automatically try to download onto your PC without you clicking them.

WARNING: Websites hosting malicious content!

[Screenshot: Classmates reunion phish email]

FROM ADDRESSES:
Classmates Alert Center
Classmates Community
Classmates Help Center
Classmates Management
Classmates Meeteng Center
Classmates Member Center
Classmates Messagebox#
Classmates Online Center
Classmates Reunion Center
Classmates Shedule Center
Classmates Support Center
Classmates Technical Support
Classmates Video Center

SUBJECTS:
Classmates Important Meeting Information
Classmates Organisation.Class Reunion Information
Classmates Organisation.Class Reunion Planner
Classmates Organiser Warning – Meeting high school and junior college classmates
Classmates Organiser Warning – This is a forum where you can make any suggestions for the Reunion.
Classmates Party invitation…
Classmates Party invitation…
Classmates Preview, public invitation
Classmates Reunion -  Invitation
Classmates Reunion – Classmates Reunion – Special Preview Invitation
Classmates Reunion – Congratulations Today !
Classmates Reunion – Invitation: Ready
Classmates Reunion – Your Classmates Invitation – He’s Ready, Are You?
Classmates Reunion – unique invitation.
Classmates Reunion Soon – Classmates Organisation.What Have You Been Up To
Classmates Reunion Soon – Important Dates for Classmates Meeting
Classmates Video your personal invitation by John
Currently planning the 2009 Year Reunion
Do Not Miss Tonight’s Classmates Reunion !
Please Do Not Miss the Classmates Meeting!
Revised reunion date announced
Webster meetings among former classmates
Welcome to Classmates Personal Invitation
You have one new message. Classmates
Your Classmates Are Waiting – AN URGENT MESSAGE
Your classmates Day New Date..How can someone miss a Classmates meeting?
Your classmates Day New Date.A Meeting with my HighSchool Classmates
Your own unique invitations from classmates.
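The From display names and subjects listed above share a simple pattern: the display name claims the Classmates brand while the sending domain is one of the look-alike domains, the subject combines the brand with reunion/invitation wording, and the body links straight to a fake-video executable. The following is an added example, not the post's code, of a mail-gateway rule that scores a message on those traits. It is written against the standard library `email` package; `LEGIT_DOMAINS`, `SUBJECT_TERMS` (drawn from the subjects above) and both sample messages are constructed assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

BRAND = "classmates"
LEGIT_DOMAINS = {"classmates.com"}          # assumed: the brand's real sending domain
# Words that recur across the phishing subjects listed in the post.
SUBJECT_TERMS = ("reunion", "invitation", "meeting", "organisation", "organiser")
LINK_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def _domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _under(host, domains):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def _body_text(msg):
    """Concatenate the text parts of a message (walk() yields the message itself when not multipart)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phish_indicators(raw_message):
    """Return the list of reasons a message looks like a Classmates reunion phish."""
    msg = message_from_string(raw_message)
    reasons = []

    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = _domain_of(addr)
    if BRAND in display_name.lower() and not _under(sender_domain, LEGIT_DOMAINS):
        reasons.append(f"brand in display name but sender domain is {sender_domain or 'missing'}")

    subject = (msg.get("Subject") or "").lower()
    if BRAND in subject and any(term in subject for term in SUBJECT_TERMS):
        reasons.append("reunion/invitation subject")

    for link in LINK_RE.findall(_body_text(msg)):
        parts = urlsplit(link)
        host = parts.hostname or ""
        if not _under(host, LEGIT_DOMAINS):
            reasons.append(f"link to {host}")
        if parts.path.lower().endswith(".exe"):
            reasons.append("link directly to an .exe")
    return reasons


def is_phish(raw_message, threshold=2):
    """Two independent indicators are enough to quarantine for review (assumed policy)."""
    return len(phish_indicators(raw_message)) >= threshold


# Constructed messages (not real captures): one built from the patterns in the
# post, one ordinary message that must not trigger.
PHISH_SAMPLE = """\
From: Classmates Reunion Center <reunion@classmatersunion.com>
To: victim@example.test
Subject: Classmates Reunion - Invitation
Content-Type: text/plain; charset=utf-8

Your classmates are waiting. Watch the reunion video:
http://classmatersunion.com/video/Adobe_Player10.exe
"""

BENIGN_SAMPLE = """\
From: Alice <alice@example.test>
To: bob@example.test
Subject: Lunch on Friday?
Content-Type: text/plain; charset=utf-8

Same place as last time?
"""

if __name__ == "__main__":
    print(phish_indicators(PHISH_SAMPLE))
    print(is_phish(PHISH_SAMPLE), is_phish(BENIGN_SAMPLE))
```

The display-name check is the most durable of the four: the look-alike domains rotate (see the root domain list below), but every sample in the post keeps "Classmates" in the visible sender name, and a real Classmates.com mail would come from its own domain.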

ROOT DOMAINS:
adobeflasplayer10.com
classmateqs.com
classmatersunion.com
(24.136.176.91, 68.51.164.175, 75.63.170.53, 76.27.148.240, 98.217.125.105)
[Screenshot: fake Classmates.com phish website]
classmatesupdates.com
dnuemjsi.com
downloadservers7.com
downloadupdateadobe10.com
flashadobeplayer9.com

getinstallations.com
happynewyearclassmates.com
indexguideclassmates.com
(68.40.193.72, 75.58.247.185, 75.63.170.53, 76.27.148.240, 67.172.60.164)
installationsadobeflash10.com
keiortue.com
kertuierp.com
meetingclassmaterss.com
meetwithyourfriends.com

merrychristmassclass.com (208.78.242.184)
newflashadobe.com
newklassmates.com (208.73.210.121)
newyearclassmates.com
reinstallflash.com
(67.172.60.164, 68.40.193.72, 75.58.247.185, 75.63.170.53, 76.27.148.240)
reunionclassmates.com
sdunsosdu.com
serveronlines.com
serversupdates.com
user-X1aR1qC1newclasshost.com
user-j1oz1zj1newklassmates.com

user-m1qa1nk1updatedclassmates.com
user-p1pc1iu1getinstallations.com
user-x1ar1qc1newclasshost.com
vreied.com
vreixs.com

FAKE VIDEO MALWARE FILE:
Adobe_Player10.exe
VT coverage 27/38:
https://www.virustotal.com/analisis/4d17de3d6ba580900af852ed5ad9a52f

–mwdisector
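Each post above ends with a block of indicators in loosely mixed formats: "domain – IP", "domain (IP, IP)", bare domains, bare IPs and defanged hxxp:// links, with VirusTotal report links and file names mixed in. The following is an added example, not code from the blog, that normalises such text into domain, IP and URL sets and renders the domains as a DNS response-policy-zone fragment so they can be sinkholed. `REFERENCE_HOSTS` and `FILE_EXTENSIONS` are assumed filters, and `SAMPLE` is constructed from a handful of the lines in the posts above.

```python
import re
from urllib.parse import urlsplit

DOMAIN_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Dotted tokens that look like domains but are file names in these posts.
FILE_EXTENSIONS = {"exe", "pdf", "swf", "php", "html", "htm", "txt"}
# Hosts the posts link to as references (scan reports, search engines), not
# as indicators. Assumed list.
REFERENCE_HOSTS = {"www.virustotal.com", "www.google.com"}


def refang(url):
    """hxxp:// -> http:// so the URL can be parsed; the stored copy stays defanged."""
    return re.sub(r"(?i)^hxxp", "http", url)


def parse_indicators(text):
    """Split free-form post text into (domains, ips, urls)."""
    domains, ips, urls = set(), set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if re.match(r"(?i)h(xx|tt)ps?://", line):
            original = line.split()[0]
            host = (urlsplit(refang(original)).hostname or "").lower()
            if host and host not in REFERENCE_HOSTS:
                urls.append(original)
                domains.add(host)
            continue
        ips.update(IPV4_RE.findall(line))
        for candidate in DOMAIN_RE.findall(line):
            if candidate.rsplit(".", 1)[-1].lower() not in FILE_EXTENSIONS:
                domains.add(candidate.lower())
    return domains, ips, urls


def to_rpz(domains):
    """RPZ fragment: each domain and all of its subdomains return NXDOMAIN (CNAME .)."""
    lines = []
    for domain in sorted(domains):
        lines.append(f"{domain} CNAME .")
        lines.append(f"*.{domain} CNAME .")
    return "\n".join(lines)


# Constructed sample: a few indicator lines copied from the posts above, plus a
# file name and a VirusTotal link that must not become indicators.
SAMPLE = """\
windows-helpcenter.com – 83.229.250.27
uniqviruscleaner.com – 209.44.126.241 (Registered today 5/20/2009)
hxxp://uniqviruscleaner.com/index.php?affid=08043
antiwareprotect.com (91.212.65.122)
hxxp://ynh.bestbreakingfree.com/contact.exe
ns1.urbanfear.com
Adobe_Player10.exe
209.44.126.14
http://www.virustotal.com/analisis/c4bd7049e54a00b21e978c6227849bd7
"""

if __name__ == "__main__":
    domains, ips, urls = parse_indicators(SAMPLE)
    print(sorted(domains), sorted(ips), urls, sep="\n")
    print(to_rpz(domains))
```

The IPs are kept separately on purpose: several of the hosting ranges in these posts are shared (the 209.44.126.x addresses belong to a hosting provider), so a domain sinkhole is safe to deploy broadly while an IP block deserves a manual look first.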



