Archive for July, 2009
Friday, July 17th, 2009
John Bambenek over at the Handler’s diary posted on this morning’s shameless SEO attempts to redirect news seekers to exploit pages. The end result on a successfully compromised system is a download of FakeAv (or “scareware”). Currently, its name is presented as “Personal Antivirus”:

The ThreatFire community is safe from pav.exe, and there have been a number of triggers on various versions of the file early this morning. Detection by the major AV vendors is very low to non-existent for the current variants.
Surprisingly, the Waledac and Zbot groups have been quiet on this news story so far. We’ll monitor the situation closely.
Posted in Exploit, FakeAlert, Rogueware, Social Engineering
Thursday, July 16th, 2009
The gang distributing FakeAv downloaders and more have moved their goods and scheme to yet another server and adult theme. In addition to downloader filenames like streamviewer.45043.exe, tubeviewer.ver.6.21586.exe, onlinemovies.45023.exe, the group is finding success in their new addition, freepornmovies.40067.exe. The ThreatFire community is protected from these downloaders, and the newest is showing up in higher volumes.
For the most part, this downloader is being served from 64.20.38.172. The following domains currently resolve to that address:
exe-direct. com
exe-get. com
exe-online-world. com
exe-paste. com
exe-porto. com
exe-site. com
exefileformat. com
exenetsfiles. com
freeexefiles. com
hotexefiles. com
my-exe-load. com
newexefile. com
red-exe. com
robo-exe. com
soft-exe. net
the-exefiles. com
tiaexe. com
The downloader itself is currently pulling down embedded, encrypted malicious files, described in a previous post, from:
myart-gallery. com
robert-art. com
superarthome. com
Be wary of codecs that may be tempting to download and run.
Posted in Blackhat, Embedded trojan, FakeAlert, Rogueware
Thursday, July 16th, 2009
Users continue to get slammed by a Rogue Antivirus distributor. We’ve posted before about the prevalent Virut family redirecting compromised hosts to download FakeAv or scareware product. You can see a screenshot of the previous scareware scam “Secure Antivirus Pro” from “Guardog Computing” at the previous post. Compare to the current version “Advanced Virus Remover PRO”:

Along with the component that modifies the TCP driver, another fairly prevalent and currently active malicious component edits the hosts file, adding the following entries on victim systems:
92.241.176.188 advanced-virus-remover2009. com
92.241.176.188 www.advanced-virus-remover2009. com
Check out the image in the TE report: the lvllord component, which patches the maximum number of concurrent half-open TCP connections, reports on its own functionality there with “VALUES HIGHER THAN 100 ARE NOT RECOMMEND! Worms will be able to spread very fast!” It is obvious what tool these distributors are bundling and reusing in an attempt to increase the networking throughput of the infected system.
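Hosts-file tampering like the entries above is easy to check for, because a clean hosts file almost never maps a name to anything other than a loopback or unspecified address. The following is an added example for defenders, not code from the original post or from ThreatFire: it parses hosts-file text and flags every entry that points at a routable address. The sample hosts content is constructed here (Windows-style defaults plus the two rogue entries quoted in the post); the function and type names are our own.

```python
import ipaddress
from typing import List, NamedTuple


class HostsEntry(NamedTuple):
    line_no: int   # 1-based line in the hosts file
    ip: str        # address as written on the line
    hostname: str  # lower-cased name mapped to that address


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file text into (line, ip, hostname) entries.

    Comments (anything after '#') and blank lines are skipped; a line whose
    first token is not a valid IP address is ignored rather than raising.
    """
    entries: List[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, *names = parts
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; not our concern here
        for name in names:
            entries.append(HostsEntry(line_no, ip, name.lower()))
    return entries


def suspicious_entries(text: str) -> List[HostsEntry]:
    """Return entries that map a hostname to a routable (non-local) address.

    Loopback (127.0.0.0/8, ::1) and unspecified (0.0.0.0, ::) targets are the
    normal content of a hosts file, including ad-blocking style entries; any
    other target is a redirection worth a human look.
    """
    flagged = []
    for entry in parse_hosts(text):
        addr = ipaddress.ip_address(entry.ip)
        if addr.is_loopback or addr.is_unspecified:
            continue
        flagged.append(entry)
    return flagged


# Constructed sample: typical defaults plus the two entries the post reports.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example   # blocklist-style entry, legitimate
92.241.176.188 advanced-virus-remover2009.com
92.241.176.188 www.advanced-virus-remover2009.com
"""

if __name__ == "__main__":
    for entry in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {entry.line_no}: {entry.hostname} -> {entry.ip}")
```

On a live Windows system the same function can be pointed at `%SystemRoot%\System32\drivers\etc\hosts`; entries that all share one routable address, as both rogue lines do here, are the pattern to look for.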
When there is money to be made on scareware, the same behaviors will be displayed again and again in malware, including the stuff by sloppy authors.
Posted in Rogueware