Archive for the ‘Rogueware’ Category
Tuesday, February 16th, 2010
The group behind “live-windowsantivirus. com” is having a very busy morning distributing Rogueware XP Internet Security 2010. We grabbed some snapshots for you of the current incarnation of the malware, since users appear to be falling for it in large numbers. The full window and the balloon popup stating “System Danger! Your system security is in danger” must be convincing…

Fake scan results are presented immediately…

As we have been presenting for the past several years, the user is tipped off that something is amiss when their software claims it is “unregistred”, see the window’s title bar.

Following the “Attention: DANGER!” message, the Windows user may attempt to open Internet Explorer. The FakeAv has modified the browser and instead pops up a window, claiming the system is infected with Trojan-BNK.Win32.Keylogger.gen, recommending activation of XP Internet Security 2010…

When the user attempts to activate the phony product, a purchase window for “Windows Defender 2010” appears…

Running down the side of the page, they make fraudulent claims to have won awards from West Coast Labs and Virus Bulletin:

Entering personal information into the form POSTs the information to “live-windowsantivirus. com” (the domain is registered in Turkey, while the site is hosted in the US at 206.217.211 .243). We recommend you avoid entering any personal information and clean up the infection instead:

ThreatFire prevents it from running on users’ systems as “Trojan.FakeAv”.
Posted in Dropper, FakeAlert, Rogueware, Social Engineering, Trojan, Uncategorized, Undetected malware | 10 Comments »
Wednesday, February 3rd, 2010
Rogueware Internet Security 2010 (not to be confused with PC Tools Internet Security 2010) is moving its way to the top of ThreatFire’s community stats to be one of the highest hitting FakeAv/scareware/rogueware packages for January 2010 and the beginning of Feb. Not only is its prevalence glaring, but the infection itself visually and functionally stands out:

Victims of this scam will have a hard time ignoring the screaming new message on their desktop, “YOUR SYSTEM IS INFECTED”. The familiar red X appears in the system tray in the lower right corner of the screen, and multiple phony scan images subsequently pop up.

Next up is a phony but thorough listing of all the detected malware that doesn’t really exist on the user’s system, described with a “Critical vulnerabilities found!” header and a mishmash of security industry buzzwords thrown together in the nonsensical phrase “Proactive system found several active vulnerabilities on your computer”…

And, after shocking the user with this series of blatantly false warnings, comes the money maker: a suggestion that the user get a license or pay for Internet Security 2010:

If the user ignores the above warnings and tries to continue their work, they are instead assailed with scare-tactic messaging from the bottom right corner of the screen…“Click here to protect your computer from spyware!”…

And “System Warning! Continue working in unprotected mode is very dangerous”, another phony taunt…

Good thing that ThreatFire can keep this stuff off of your system in the first place, and Spyware Doctor+AV is known to effectively clean up previously infected systems.
Posted in FakeAlert, Rogueware, Social Engineering | 1 Comment »
Thursday, December 31st, 2009
Just before we pop corks at the arrival of 2010 and the passing of 2009, let’s take a quick look at the second half of 2009.
Across the U.S. the ThreatFire community saw huge numbers of FakeAv variants disappointingly being run on systems, the Vundo ad-popping trojan appearing all over desktops, and Koobface worming its way across social networks. In India, the Sality virus/downloader and varieties of bots attempted to infect systems; when ThreatFire’s community statistics are extrapolated out to the 40 million likely computers in that country, we can estimate that millions of Indian systems were attacked by this virus. In China, we saw gaming password stealing worms continue to spread across the country, most likely distributed through USB sticks and other removable drives. Hot topics consistently led to blackhat SEO and phony codecs. Socially engineered bulk email schemes delivered attachments that dropped the password stealing Zbot and Bredolab downloaders; users were easily convinced that they had received invoices from delivery services or that social networks were updating their systems. The Conficker hype grew exponentially and is all too slowly whimpering away, while the Waledac threat mutated and began to dry up altogether.
Our PC Tools ThreatFire team finished the year with a bang. The award winning PC Tools’ Internet Security Suite and its ThreatFire Behavioral Intelligence component topped all other suites as champion in the lengthiest, most comprehensive, real-world dynamic-testing malware blocking competition to date. It’s exciting to see AMTSO dynamic testing best practices being adopted and used to better drive testing and scenarios that best evaluate malware attacks that most computer users really can encounter on a daily basis. Nice testing effort and results indeed.
As 2010 arrives, we hope that existing and new ThreatFire/Behavior Guard users around the world look forward to fewer of these threats being realized on their own systems and another year of confidence in their information driven world.
Posted in AMTSO, Bot, Bredolab, Crimeware, FakeAlert, Koobface, Malware Estimates, Password stealing, Rogueware, Sality, Social Engineering, Vundo, Waledac, ZBot | No Comments »