Archive for the ‘Rogueware’ Category

Malware Attacks on Windows 7

Thursday, October 22nd, 2009

Yesterday’s release of Windows 7 brings with it a different playground for malware.


If reviewer predictions are realized, the platform will overtake Windows XP as the Windows OS of choice and ship in high volume, which makes it a whole new platform of interest to money-making malware writers. It is inevitable that they will shift their attention to the newest defenses implemented in the most widely deployed platform.


The most common single piece of malware run on Windows 7 RTM systems, as observed in the ThreatFire community to date, has been the Protection System FakeAv variants and their droppers. The dropper is usually part of a crack or keygen distributed at crack sites and over P2P. It drops multiple other unwanted components, including the FakeAv. This is a common thing to have seen in the past on other platforms. What is different here is that User Account Control, a feature introduced in Windows Vista, has been reviewed and modified, and is newly delivered with 7.

At runtime, the Windows 7 related scareware files are dropped to disk and the dropper creates some porn-related shortcuts on the desktop. The dropper creates registry keys to ensure persistence across reboots without a peep from UAC at its default settings, even when logged in as a Standard User. That is worth understanding rather than being surprised by: a Standard User cannot write to machine-wide locations without elevating, so the persistence here necessarily lives in per-user locations (the user's profile and the user's own registry hive), and UAC is not designed to prompt for those. Another executable responsible for many of the popups is copied to the profile directory. A phony scan is kicked off (thousands of real malware samples were stored on the test system, and none of them were detected), and two hard-coded detections are displayed. And no, there isn't a legitimate vendor that maintains malware family names as variants of “GayCodec”:


Multiple pop-ups appear for phony malware detections and payment/activation. All without a peep from Windows 7 UAC. At reboot, the malware persists, restarts, and performs its worthless rescan again, this time spoofing messages from the Windows firewall with a randomized list of malware that are not running on the system:


It is reported to attempt to uninstall other security products, but this was not observed on our lab machines.

All in all, the release seems to be a hit. As volume picks up, most likely so will Windows 7-targeting malware. Users should be aware of scams like this one, always purchase software from legitimate vendors, and install a behavioral layer of protection over and above UAC, such as ThreatFire, which runs well on Windows 7 and keeps your system protected.

Rogueware Distribution Changes for Cyber Security

Wednesday, October 21st, 2009

The relentless rogueware distribution groups that we’ve been monitoring have changed their gig yet again, in their efforts to evade the typical AV solutions. And by the numbers this month, it seems that they are having a successful go at it.


The installer drops cs.exe to c:\program files\cs\cs.exe on your system and runs it, which then nags the user with popups. If you are seeing “Cyber Protection Center reports that ‘Cyber Security’ is inactive” on your system, do not activate it:

The standard set of phony detections to scare the victim into paying for the software:

The “Cyber Protection Center” GUI has become the usual Microsoft Security Center spoof:

The naming has changed a bit. The typical download URL looks like a variant of this scheme:
91.212.107. 5/download/Soft_40s5.exe
91.212.107. 5/download/Soft_257.exe (starting 10/13)
91.212.107. 5/download/scanner-323_2007.exe
91.212.107. 5/download/scanner-323_2007.exe (starting 9/8)
91.212.107. 5/download/antivirus-8D5D21_2015-5.exe
91.212.107. 5/download/antivirus-32CED34_2007.exe (starting 8/12)

This month’s moves include IP and domain changes:
91.212.107.5
best-antispyware-09 .com
best-antispyware-11 .com
computer-protection-7 .com
computer-protection-9 .com
quick-antimalware-2 .com
top-antispyware-scan9 .com
topantimalwarescan5 .com
wwwantispyware-01 .com
your-pc-protection0 .com
your-pc-protection2 .com
yourantispyware-2 .com
yourspywarescan1 .com
yourspywarescan6 .com
yourspywarescan8 .com

83.133.119.154
computer-protection-7 .com
computer-protection-9 .com
ftp.dot5productions .com
your-pc-protection0 .com
your-pc-protection2 .com
yourspywarescan0 .com
yourspywarescan1 .com
yourspywarescan6 .com
yourspywarescan8 .com

85.12.24.12
computer-protection-7 .com
computer-protection-9 .com
your-pc-protection0 .com
yourspywarescan0 .com
yourspywarescan1 .com
yourspywarescan6 .com
yourspywarescan8 .com

Do not activate the product:

What will the group have in store in November? We’ll wait and see. In the meantime, PC Tools ThreatFire users, and users of the recently award-winning Spyware Doctor with AntiVirus 2010 (with Behaviorguard), are well protected from this round of scareware.

NY Times FakeAv Banner Ads Certainly not New

Monday, September 14th, 2009

The banner ads allegedly rotating through the NY Times website over the weekend delivered FakeAv/Rogueware from servers that have been delivering the same stuff since around July 19th. The current URL over the weekend was protection-check07. com, but it changes frequently.

Since these servers began delivering the FakeAv, the ThreatFire community has seen it effectively prevented on desktops under a variety of names; it is also detected as Downloader.MisleadApp, Trojan.Fakeavalert, XPAntivirus and Trojan:Win32/FakeXPA. Here are just a few of the resource variations that ThreatFire has identified over the past few months:

88.198.107.25 /DOWNLOAD/ANTIVIRUS-5920E_2007.EXE
88.198.107.25 /DOWNLOAD/ANTIVIRUS-E92EFB7_2024-2.EXE
88.198.107.25 /DOWNLOAD/ANTIVIRUS-8023A_2024-2.EXE

94.102.51.26 /DOWNLOAD/INSTALL-C8D161_2006-31.EXE
94.102.51.26 /DOWNLOAD/SETUP-A3B7FBB_2024-3.EXE
94.102.51.26 /DOWNLOAD/SETUP-3985EC_2009-2152.EXE

91.212.107.5 /DOWNLOAD/ANTIVIRUS-9F83_2024-5.EXE
91.212.107.5 /DOWNLOAD/INSTALL-9EC30A_2006-71.EXE
91.212.107.5 /DOWNLOAD/INSTALL-C22753_2004.EXE

These servers are hosted in Germany, the Netherlands, and Cyprus, but their victims are located throughout the world, in this case potentially wherever NY Times readers may be. Be sure to add a behavior-based security solution to your system. The banner ads seem to have been acted on quickly, as there have been no additional reports and no further identifiable malicious banners.
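The October and September posts above list the same download-path scheme (`/download/<stem>-<tag>_<digits>.exe` on a small set of IPs) and a family of throwaway security-sounding `.com` domains ending in a digit. As an added example, not ThreatFire or PC Tools code, the following Python turns those observations into a check that can be run over proxy or web-server logs. The hosts, paths and domain names are the ones listed on this page with the defanging spaces removed; the log excerpt, the log line format and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Distribution hosts listed in the posts above (defanging spaces removed).
KNOWN_HOSTS = {
    "91.212.107.5", "83.133.119.154", "85.12.24.12",   # October post
    "88.198.107.25", "94.102.51.26",                   # September post
}

# Installer path scheme seen on those hosts:
#   /download/<stem>[-_]<alphanumeric tag>[_<digits>[-<digits>]].exe
# e.g. /download/Soft_40s5.exe, /download/antivirus-8D5D21_2015-5.exe,
#      /DOWNLOAD/SETUP-3985EC_2009-2152.EXE (case varies, hence IGNORECASE).
PATH_RE = re.compile(
    r"^/download/(?P<stem>soft|scanner|antivirus|install|setup)"
    r"[-_](?P<tag>[0-9a-z]+)(?:_(?P<ver>\d+(?:-\d+)?))?\.exe$",
    re.IGNORECASE,
)

# Word roots that recur in the throwaway .com domains listed on the page.
DOMAIN_KEYWORDS = ("antispyware", "antimalware", "antivirus",
                   "protection", "spywarescan")


def looks_like_rogue_domain(host):
    """Heuristic for the campaign's naming: a security-sounding root plus a
    numeric suffix under .com (best-antispyware-09.com, topantimalwarescan5.com,
    protection-check07.com). Hyphens are ignored so the hyphenated and
    run-together spellings match alike. Triage hint only: legitimate names can
    look similar, so pivot on the IP before acting on a match."""
    label, dot, tld = host.lower().rpartition(".")
    if not dot or tld != "com":
        return False
    flat = label.replace("-", "")
    return bool(flat) and flat[-1].isdigit() and any(k in flat for k in DOMAIN_KEYWORDS)


def classify_url(url):
    """Return the list of reasons a URL matches the campaign (empty = clean)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    reasons = []
    if host in KNOWN_HOSTS:
        reasons.append("known-host")
    if looks_like_rogue_domain(host):
        reasons.append("rogue-domain-pattern")
    if PATH_RE.match(parsed.path):
        reasons.append("download-path-scheme")
    return reasons


# Constructed proxy log excerpt (timestamp, client, method, URL); not real traffic.
SAMPLE_LOG = """\
2009-10-13T14:02:11 10.1.4.22 GET http://91.212.107.5/download/Soft_257.exe
2009-10-13T14:02:15 10.1.4.22 GET http://best-antispyware-09.com/landing/
2009-10-13T14:03:40 10.1.4.31 GET http://www.example.com/download/setup-1.2.3.exe
2009-09-12T09:17:02 10.1.4.40 GET http://protection-check07.com/
2009-09-12T09:17:08 10.1.4.40 GET http://94.102.51.26/DOWNLOAD/SETUP-A3B7FBB_2024-3.EXE
"""


def scan_log(text):
    """Return a list of (client, url, reasons) for every log line that matches."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        client, url = fields[1], fields[3]
        reasons = classify_url(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url}  [{', '.join(reasons)}]")
```

Run against the constructed excerpt, the two IP-hosted installer fetches match on both host and path scheme, the two domain-only hits match on naming alone, and the legitimate-looking `www.example.com/download/setup-1.2.3.exe` is left alone because its version string does not fit the `<tag>_<digits>` shape. The domain heuristic is deliberately loose; the host set and path regex are the higher-confidence signals.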