Rogue uses ‘update manager’
It’s been a while since I last wrote about rogues. Some basic computing principles should be repeated over and over again though.
The screen below is very familiar. A ‘scan’ that says you are infected. Can you trust it? NO!!!!
But here’s a new thing, an ‘update manager’ a la Adobe
The program gets installed whether or not you click the button.
Your PC then becomes sluggish and your favourite browser no longer works:
‘make a full scan’: is that good English? If you’re gonna do it, do it right, no?
Fortunately, the app itself will let you ‘browse’ the payment page (how nice of them)
Those interested in the file can get its ID below.
Jerome Segura
Malware ID: 22d4a32d169c40c265a99207cfb7bced.zip
|
Porn Fraud Tool
Our Honeypot caught this piece of malware that presents itself as some sort of poorly written app.
A few buttons here and there… My guess is that this app should be hidden, and that it would simulate user clicks, hence generating money for the scammers… Well, my PC froze on it, so I was able to capture it.
It strongly reminds me of the old Porn Trojan.
After a hard reboot, I noticed that my Desktop’s wallpaper had been changed:
It creates several files set to run at startup:
Very soon after, it was porn galore on my machine. Better stay away from this!
The file is somewhat detected on Virus Total:
Jerome Segura
Malware ID: d75eca38884f44926ff51f84b0033be6.zip
|
Malware repo gets updated
This is an update from my previous post. I noticed an update to one of the pages on the malicious site
oymoma-tube.freehostia.com
Check the screen below and see the July 3rd time stamp:
The page hot-tube.htm is now pushing a rogue, namely XP Deluxe Protector, disguised as a free codec:
Upon execution, fake alert messages such as this one:
Eventually the scareware will run:
This sample is poorly detected, especially for being a variant of an already known rogue:
Paretologic detects this file as:
Jerome Segura
Malware ID: dcfe992aa25bb1849c1e9f8c2c5d3c5b.zip
|
Fake Celebrities site drops malware
This site popped up on my radar… The fake Flash Player is malware, of course.
I was very surprised to see that only 3 AV vendors detect this threat!
Jerome Segura
Malware ID: 260f8513934016b9eafb6e9edf650c01.zip
|
Large cluster of fake AV
This is a pretty large number of domains on the same IP address delivering scareware programs.
The IP is 209.44.126.241
I downloaded one of the files and detection on VirusTotal is fairly low (8/41)
Just out of curiosity, I checked it against our Zheng heuristic system and we proactively detect it already
Jerome Segura
Malware ID: bb2de997ea9d38c1895b6e115e16407b.zip
|
Fake Porntube Malware
I came across yet another fake PornTube site.
The Whois for that domain is somewhat obscure!
The malicious file comes from another domain (eshymkent.cn), yet on the same IP
The malware file turns out to be a rogue app called Fast Antivirus 2009
Although this rogue is already known, I am surprised to see the low detection rate on VirusTotal:
Jerome Segura
Malware ID: d33e766d7fc6a984fe797816cc4af245.zip
|
Antonella Barba used to deliver malware
American Idol singer Antonella Barba’s name (and more!) is being used in malware campaigns.
I found at least two different websites registered using her name, that are pushing malware.
The page is pretty straightforward… with the alleged video being the center of attention:
If you click on the video, it will redirect you to a page that tries to load streamviewer.40009.exe
The file is hosted on yet another domain created June 11, so still very recent.
A Robtex analysis reveals some interesting connections:
You can see the domain names for scareware programs:
The malware file is not very well detected:
A clue to what it might be doing as a payload is revealed by this Fiddler analysis:
It looks like some click fraud using ad banners:
Every now and again, amongst redirections and pop ups you will see it trying to push rogueware:
Once again, this is a reminder of how celebrities are used in malware attacks. Their private lives interest people, which makes them a prime target for hackers.
Warning: all links are live and can infect your PC.
Jerome Segura
|
Rogue has weird behaviour
Take the latest rogue, Virus Shield 2009 and you will find some interesting stuff.
I love that tip of the day thing. It actually is a really good tip
The rogue hijacks your hosts file with some interesting domains… one of them being another rogue. It redirects it to 74.125.45.100, which is Google’s IP address.
Is it a competitor? Someone they don’t like? Sounds like a story made for Dancho Danchev.
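The hosts-file hijack described above is easy to check for. The following is an added example, not code from the original post: it parses a constructed hosts file and flags names mapped to a remote address (the way the rogue points a domain at 74.125.45.100) or monitored domains sinkholed to a local address. The hostnames in the sample are hypothetical placeholders; only the IP 74.125.45.100 comes from the post.

```python
"""Flag suspicious hosts-file entries (added example, not the post's code)."""
import ipaddress

# Constructed sample hosts file. Hostnames are placeholders (.invalid);
# 74.125.45.100 is the redirect target mentioned in the post.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
74.125.45.100   example-rogue-competitor.invalid   # added by rogue
127.0.0.1       example-av-vendor.invalid          # blocks AV site
0.0.0.0         ads.example.invalid
"""

# Addresses that point a name back at the local machine (sinkholing).
LOCAL_NETS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("0.0.0.0/32"),
]


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments, blanks and bad lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                            # malformed address, skip
        for host in parts[1:]:                  # one IP may carry several names
            entries.append((ip, host.lower()))
    return entries


def is_local(ip):
    return any(ip in net for net in LOCAL_NETS)


def suspicious_entries(text, monitored=()):
    """Report names redirected to a remote IP, and monitored names
    (e.g. security vendor sites) sinkholed to a local address."""
    findings = []
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue
        if not is_local(ip):
            findings.append((host, str(ip), "redirected to remote IP"))
        elif host in monitored:
            findings.append((host, str(ip), "monitored domain sinkholed"))
    return findings
```

Run it against a copy of `%SystemRoot%\System32\drivers\etc\hosts` with your own vendor domains in `monitored`; any remote redirect of a security site is a strong sign of tampering.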
Jerome
|
Mac Malware is more popular (than before)
Do you own a Mac and think you are safe?
Think again. One of the latest scareware programs targets both the PC and the Mac.
If you are on a Mac, you get redirected to the pagemac.php page:
It will download the following file: QuickTime.dmg
Note: those links are still live and dangerous.
Jerome
|
Rogue Trail
This story will take us from Poland, to Ukraine and Russia in the fascinating world of fake software.
WinPC Defender is a rogue antivirus program. For some reason, the program crashed on my machine… I guess not much time is spent on quality control.
It also hijacks your browser and displays fake warnings when you click links.
I thought this one was interesting, what about a sub affiliate? What exactly is it? If anyone knows, please tell me!
This page is registered to Andrzej from Poland.
It then takes me to the “check out” page. Time to get my credit card information!
This page is registered to Nexton Limited from Kiev, Ukraine:
After a failed attempt (bad credit card), I got redirected to another payment page:
This time folks, meet Sergey from Russia:
Well, after this Eastern Europe trip I still had some questions left in my bag. I found an answer to the sub affiliate:
A sub-affiliate is someone who joins a two-tier affiliate program after being referred to it by another affiliate.
As well as earning commissions on your own sales, you earn commissions on sub-affiliate sales.
So if Betty persuades John to join, and John (the sub-affiliate) makes a sale, Betty earns a commission.
(Taken from associateprograms.com).
It sounds like a lucrative business to me.
This is just one example, of many rogue scams. Why are there so many online criminals in Eastern Europe? Well, different countries have different laws. How do you fight against someone in another jurisdiction? There is no international agreement for those kinds of matters. Read “Is it time for InternetPol?” from F-Secure for more on the topic.
Being a cyber criminal can be an easy way to make a lot of money with minimum efforts in a country where unemployment and socio-economic problems are high.
A lot of those fake programs are localised, so don’t think only North America is targeted. In fact their reach is pretty wide: so long as you have a computer and an Internet connection, you can be a victim. Those hackers leverage the lack of computer knowledge that most people have. It still surprises me, though, that such simple warning signs don’t make people think twice.
Is there an end in sight? Not likely for a while, as the delivery mechanism (exploits, social-engineering) is pretty solid.
On the defensive side, blocking the malicious domains is always an arms race… and it is easy to change them dynamically (fast-flux) to prevent blocking.
If you are interested in reading about the rogue software business, I recommend checking out Dancho Danchev’s blog. He often posts very detailed reports.
Jerome
|