Scareware templates: cheaper by the dozen
All of the following alerts come from the same IP (109.232.225.21):
109.232.225.21/movie1.html
109.232.225.21/movie2.html
109.232.225.21/movie3.html
109.232.225.21/movie4.html
109.232.225.21/movie5.html
The pages have been designed so that search engines do not index them:
They also use heavy obfuscation:
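The two traits just described, a no-index directive plus heavily escaped script, are easy to check for programmatically when you have a batch of pages like movie1.html through movie5.html to sort through. The Python below is an added example and not code from the original post; it assumes the no-index trick is a meta robots tag (the post's screenshot is not reproduced here), and the two sample pages are constructed for illustration rather than the real content served from 109.232.225.21.

```python
import re
from html.parser import HTMLParser

# Heuristic markers of obfuscated landing-page script (not malware signatures)
OBFUSCATION_PATTERNS = {
    "unescape()": re.compile(r"\bunescape\s*\(", re.I),
    "eval()": re.compile(r"\beval\s*\(", re.I),
    "String.fromCharCode": re.compile(r"String\.fromCharCode", re.I),
    "document.write()": re.compile(r"document\.write(?:ln)?\s*\(", re.I),
    "long %XX run": re.compile(r"(?:%[0-9a-f]{2}){20,}", re.I),
    "long \\xNN run": re.compile(r"(?:\\x[0-9a-f]{2}){20,}", re.I),
}
_ESCAPE_SEQ = re.compile(r"%[0-9a-f]{2}|\\x[0-9a-f]{2}", re.I)


class _Collector(HTMLParser):
    """Collects <meta name="robots"> directives and the raw text of every <script> block."""

    def __init__(self):
        super().__init__()
        self.robots_directives = []
        self.script_chunks = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() in ("robots", "googlebot"):
            self.robots_directives.append(a.get("content", "").lower())
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_chunks.append(data)


def triage_page(html: str) -> dict:
    """Report whether the page opts out of indexing and how obfuscated its script is."""
    collector = _Collector()
    collector.feed(html)
    collector.close()
    js = "".join(collector.script_chunks)
    noindex = any("noindex" in d for d in collector.robots_directives)
    indicators = [name for name, rx in OBFUSCATION_PATTERNS.items() if rx.search(js)]
    # Share of the script made of %XX / \xNN escapes: real code is near 0, packed payloads are mostly escapes
    escaped_chars = sum(len(m) for m in _ESCAPE_SEQ.findall(js))
    escaped_ratio = escaped_chars / len(js) if js else 0.0
    if escaped_ratio > 0.5:
        indicators.append("script is mostly escape sequences")
    return {
        "noindex": noindex,
        "indicators": indicators,
        "escaped_ratio": round(escaped_ratio, 2),
        # A page that hides from search engines AND ships packed script deserves a closer look
        "suspicious": noindex and len(indicators) >= 2,
    }


# Constructed samples for illustration; not the real content served from 109.232.225.21
SAMPLE_ROGUE_PAGE = """<html><head>
<meta name="robots" content="noindex, nofollow">
<title>Movie</title></head><body>
<script type="text/javascript">
document.write(unescape('%3C%64%69%76%20%69%64%3D%22%73%63%61%6E%22%3E%59%6F%75%72%20%50%43%20%69%73%20%69%6E%66%65%63%74%65%64%21%3C%2F%64%69%76%3E'));
</script></body></html>"""

SAMPLE_CLEAN_PAGE = """<html><head><title>Movie</title></head><body>
<script type="text/javascript">var player = document.getElementById('player');</script>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("rogue", SAMPLE_ROGUE_PAGE), ("clean", SAMPLE_CLEAN_PAGE)):
        print(label, triage_page(page))
```

The escape-ratio check is there because a packed page can avoid the obvious function names entirely; a script body that is four-fifths `%XX` sequences is suspicious on its own, whichever function ends up decoding it.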
If you go to the main IP (on the root), you get the classic fake online scan:
The file that is downloaded from all these pages is a rogue scanner. It is only detected by 17% of the AV vendors featured on VirusTotal.
A couple of them detect it as:
Automation can produce some interesting results
Jerome Segura
|
Avira look-alike
We found this site which strongly copies legitimate AV vendor Avira, in particular the red umbrella.
security-antivirus-site.com:
Legit Avira:
Other rather peculiar domains are hosted on that same IP.
Also, if you click on the download now button, you are immediately redirected to a payment page:
Please exercise caution if you don't feel comfortable with a site like this. Scammers will use (sorry, steal) familiar templates and logos to lure victims into thinking this is a serious site. It's very sneaky and lame, but when there is money to be made, unscrupulous people will try everything.
Jerome Segura
|
A malware patch for Flash Player
Beware if a site warns you that you need a patch to play a video.
Many rogue security programs are using this trick to get you to download and run a piece of malware.
Some sites may even go as far as enabling sound but showing no picture. If you really, really need to watch the video and think the site is legit, then download the file but do not run it right away!
Send it to VirusTotal.com, where the file is checked against a large panel of anti-virus engines. Why not just scan it locally with your current AV? Most of these files are new and carefully packed to avoid detection, so it is likely that your AV software will not detect it. For example, the file illustrated here was only detected by 8 out of 41 AV engines, with some of the industry's big guns failing. VirusTotal analysis here.
On a side note about this site, hosted at white-xxxx{sanitized}.biz: several of the fake comments were in French, and all the rest in English of course, but still, I wonder why that French touch?
Security researchers that want to download this malware sample and more can get it at: http://mdl.paretologic.com
Jerome Segura
|
What to do when your PC is hijacked by a rogue
Some of the most prevalent and annoying malware today is rogue anti-spyware. These pests are hard to get rid of, and a lot of people will give up and give in (pay for a license) to get their computer back to normal.
Here is an example of a rogue called “Control Center”, also known as PrivacyCenter. Upon starting up your PC, you are greeted with a screen full of icons and red warnings, on a black background.
You can try to close the program by clicking on the X, but to no avail.
At that point, a lot of people will get so frustrated that they will just do whatever the program is asking them to do. And that usually involves money!
So, here are a few tricks to get back on your feet:
Press Ctrl+Alt+Del on your keyboard as illustrated below:
Depending on your version of Windows you may see one of the following screens:
Click the item that says Task Manager.
If you’re lucky (that is the malware hasn’t disabled it) you should see the Task Manager panel:
Click File, then New Task (Run...), and type explorer:
After clicking on OK, you should have your Desktop back.
Once there, you are good to run your favorite Anti-Virus program and get rid of the rogueware.
Here is a little video I made that shows the steps described above:
Jerome Segura
|
1 (900) I got malware!
Our good friend Adam Wilkinson from our Tech Support sent us this screenshot of the latest rogue tricking the user into dialing a premium-rate phone number.
At the bottom it stipulates $1.99 per minute, although I wouldn’t entirely trust it. Still, that kind of scam can cost you a lot of money.
The file alarmnotificator.exe is set to run every time Windows starts, and it will keep bugging you until you take some action.
Premium-rate phone numbers are not new when it comes to scams. For years, malware known as dialers was used heavily; dialers were especially effective when you had a dial-up connection. But as far as rogue AVs go, this seems like a new trick.
Hey, I wonder who you get at that number? I’m also too curious to try
Jerome Segura
|
New rogue: REAnti
There is a new rogue out there being pushed from opinghost.com with the download originating from wallfime.com.
The domain was registered very recently, as you can see below.
For some strange reason, the registrant does not like 'snail mail'.
What’s the weather like in the Bahamas? I guess, he/she is not interested in that. Lol
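Registration age and a missing postal address are the two things the whois record above gives away, and both are worth checking automatically for every domain that turns up in a rogue's download chain. The Python below is an added example, not part of the original post: it parses a whois record for the creation date and the registrant's postal fields and flags a domain that is only days old. The whois text in it is constructed for the example (it is not the real record for opinghost.com or wallfime.com), and the field names and date layouts it recognises are common ones, not an exhaustive list.

```python
import sys
from datetime import date, datetime

# Registrars label the registration date inconsistently; these are the common variants
CREATION_KEYS = ("creation date", "created on", "created", "registered on", "registration date")
# Day-first "%d/%m/%Y" is a guess; a registrar that writes month-first dates needs its own entry
DATE_FORMATS = ("%Y-%m-%d", "%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S", "%d-%b-%Y", "%Y.%m.%d", "%d/%m/%Y")
POSTAL_KEYS = ("registrant street", "registrant address", "registrant city", "registrant postal code")


def parse_whois(text: str) -> dict:
    """Turn 'Key: value' lines into a dict (lower-cased keys, first occurrence wins, blanks kept)."""
    record = {}
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith(("%", "#", ">>>")):
            continue  # comments, disclaimers and the '>>> Last update' trailer
        key, _, value = line.partition(":")
        key = key.strip().lower()
        if key and key not in record:
            record[key] = value.strip()
    return record


def parse_date(value: str):
    """Try each known layout; return a date, or None when the registrar's format is unknown."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt).date()
        except ValueError:
            continue
    return None


def creation_date(record: dict):
    for key in CREATION_KEYS:
        parsed = parse_date(record[key]) if key in record else None
        if parsed:
            return parsed
    return None


def assess_domain(whois_text: str, today, young_days: int = 30) -> dict:
    """Flag a domain registered fewer than young_days ago and a registrant with no postal address.

    `today` is a datetime.date or an ISO string such as "2009-07-05" (fixed so results are reproducible).
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    record = parse_whois(whois_text)
    created = creation_date(record)
    age = (today - created).days if created else None
    postal = [record[k] for k in POSTAL_KEYS if k in record]
    return {
        "domain": record.get("domain name", "?").lower(),
        "created": created,
        "age_days": age,
        "young": age is not None and age < young_days,
        # True when the postal fields are absent or all blank, as in the record described in the post
        "missing_postal_address": not any(postal),
        "registrant_country": record.get("registrant country", ""),
    }


# Constructed whois record for illustration; not the real record of any domain named in the post
SAMPLE_WHOIS = """Domain Name: ROGUE-DOWNLOAD.EXAMPLE
Registrar: Example Registrar, Inc.
Creation Date: 2009-07-01
Updated Date: 2009-07-01
Expiration Date: 2010-07-01
Registrant Name: Private Person
Registrant Street:
Registrant City:
Registrant Country: BS
Name Server: NS1.ROGUE-DOWNLOAD.EXAMPLE
"""

if __name__ == "__main__":
    # Usage: whois <domain> | python domain_age.py   (uses the sample record when stdin is a terminal)
    text = SAMPLE_WHOIS if sys.stdin.isatty() else sys.stdin.read()
    print(assess_domain(text, date.today()))
```

A domain a few days old is not proof of anything by itself, but combined with a blank address and a download of an unsigned "scanner" it is enough to put the domain on a block list while the sample is being analysed.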
Here is what the program looks like, another Winisoft bogus app:
Oh, you can install their rogueware in French…
So, here is a little French-to-French aside:
"The extermination of my machine"? Well, they are really laying it on thick!
And what about "congé non protégés" ("unprotected leave")? I knew "congés non payés" ("unpaid leave"), but what is the connection?
Ah, they gave me a good laugh, but back to serious matters: let's add this junk to our database.
By the way, this rogue has nothing to do with artist Chris Rea.
Jerome Segura
|
Rogue uses ‘update manager’
It’s been a while since I last wrote about rogues. Some basic computing principles should be repeated over and over again though.
The screen below is very familiar: a 'scan' that says you are infected. Can you trust it? NO!!!!
But here's a new thing: an 'update manager' à la Adobe.
The program gets installed whether or not you click the button.
Your PC then becomes sluggish and your favourite browser no longer works:
Is 'make a full scan' good English? If you're going to do it, do it right, no?
Fortunately, the app itself will let you ‘browse’ the payment page (how nice of them)
Those interested in the file can get its ID below.
Jerome Segura
Malware ID: 22d4a32d169c40c265a99207cfb7bced.zip
|
Porn Fraud Tool
Our Honeypot caught this piece of malware that presents itself as some sort of poorly written app.
A few buttons here and there... My guess is that this app is meant to be hidden and to simulate user clicks, hence generating money for the scammers... Well, my PC froze on it, so I was able to capture it.
It strongly reminds me of the old Porn Trojan.
After a hard reboot, I noticed that my Desktop’s wallpaper had been changed:
It creates several files set to run at startup:
Very soon after, it was porn galore on my machine. Better stay away from this!
The file is only partly detected on VirusTotal:
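This tool, alarmnotificator.exe from the 1 (900) post and Control Center from the "What to do" post all come back at every logon through startup entries, so once the desktop is back (the Task Manager trick above) the next step is to look at what is set to run at startup before trusting the machine. The Python below is an added example, not code from the original posts: it parses a .reg export of the Run/RunOnce keys (on the infected box, `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`) and flags entries that launch from user-writable drop locations. The sample export is constructed; the two rogue value names come from the posts, but the file paths beside them are made up for illustration.

```python
import codecs
import re
import sys

# Autostart keys a rogue typically writes itself into (HKLM needs admin rights, so HKCU is the usual one)
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
# Locations a dropper can write to without admin rights; real installers rarely autostart from them
SUSPICIOUS_DIR_MARKERS = (
    "\\temp\\", "\\application data\\", "\\appdata\\", "\\local settings\\",
    "\\desktop\\", "\\downloads\\", "\\recycler\\", "\\$recycle.bin\\", "\\users\\public\\",
)
_REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
_EXE_PATH = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|com|scr|bat|cmd|pif|vbs|js))(?=\s|$)', re.I)


def _unescape_reg(s: str) -> str:
    r""".reg files write a backslash as \\ and a quote as \" inside string values."""
    return re.sub(r"\\(.)", r"\1", s)


def load_reg_export(path: str) -> str:
    """reg.exe writes UTF-16 with a BOM; some tools write ANSI. Decode accordingly."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")


def parse_autoruns(reg_text: str):
    """Yield (key, value name, command line) for every string value under a Run/RunOnce key."""
    wanted = {k.lower() for k in RUN_KEYS}
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or key.lower() not in wanted:
            continue
        m = _REG_VALUE.match(line)
        if m:
            yield key, _unescape_reg(m.group(1)), _unescape_reg(m.group(2))


def executable_path(command: str) -> str:
    """Extract the program from a Run value: a quoted path, or everything up to the first .exe/.scr/..."""
    m = _EXE_PATH.match(command.strip())
    return (m.group(1) or m.group(2)) if m else command.strip()


def find_suspicious_autoruns(reg_text: str) -> list:
    """Return the autorun entries whose command line points into a user-writable drop location."""
    findings = []
    for key, name, command in parse_autoruns(reg_text):
        lowered = command.lower()
        reasons = [marker.strip("\\") for marker in SUSPICIOUS_DIR_MARKERS if marker in lowered]
        if reasons:
            findings.append({"key": key, "name": name, "exe": executable_path(command), "reasons": reasons})
    return findings


# Constructed export for illustration (value names match rogues from the posts; the paths are made up)
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"alarmnotificator"="C:\\Documents and Settings\\User\\Application Data\\alarmnotificator.exe"
"Control Center"="\"C:\\Documents and Settings\\User\\Local Settings\\Temp\\pc1234.exe\" /autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe\""
'''

if __name__ == "__main__":
    # python autoruns_check.py run.reg   (uses the constructed sample when no file is given)
    text = load_reg_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG_EXPORT
    for hit in find_suspicious_autoruns(text):
        print(f"{hit['key']}  {hit['name']!r} -> {hit['exe']}  ({', '.join(hit['reasons'])})")
```

The location heuristic only catches the common case; a rogue that installs itself under Program Files will pass it, so the full list from `parse_autoruns` is still worth reading by eye, and the flagged executables are the ones to hash and submit to VirusTotal before deleting.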
Jerome Segura
Malware ID: d75eca38884f44926ff51f84b0033be6.zip
|
Malware repo gets updated
This is an update to my previous post. I noticed an update to one of the pages on the malicious site:
oymoma-tube.freehostia.com
Check the screen below and see the July 3rd time stamp:
The page hot-tube.htm is now pushing a rogue, namely XP Deluxe Protector, disguised as a free codec:
Upon execution, fake alert messages such as this one appear:
Eventually the scareware will run:
This sample is poorly detected, especially for being a variant of an already known rogue:
Paretologic detects this file as:
Jerome Segura
Malware ID: dcfe992aa25bb1849c1e9f8c2c5d3c5b.zip
|
Fake Celebrities site drops malware
This site popped up on my radar... The fake Flash Player is malware, of course.
I was very surprised to see that only 3 AV vendors detect this threat!
Jerome Segura
Malware ID: 260f8513934016b9eafb6e9edf650c01.zip
|