News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
Topic: Rogue anti-virus, anti-spyware, scareware, etc...  (Read 46828 times)
« on: August 15, 2008, 01:14:57 »
AplusWebMaster

FYI...

Fake AV Trojans Ramping Up
- http://blog.trendmicro.com/fake-antivirus-trojans-ramping-up/
August 14, 2008 - "...new set of rogue antivirus software circulating in the wild. Based on initial analysis, these threats arrive mainly via spammed email messages that contain a link to a bogus celebrity video scandal, although we have also received reports that the said link is also circulating in instant messaging applications and private messages in social networking Web sites. Once the said URL link is clicked, the Web threat infection chain begins and ultimately leads to the downloading of a Trojan detected by Trend Micro as TROJ_FAKEAV.CX, a rogue antivirus that displays very convincing (and for some, alarming) messages... TROJ_FAKEAV.CX also drops another malware, detected as TROJ_RENOS.ACG. RENOS Trojans are known to have very visual payloads that may further alarm users (for example, they modify the system’s wallpaper and screensaver settings to display BSOD). Thus, users may be more convinced that something’s wrong with their system, not knowing that their new software is the one causing it. Rogue antispyware isn’t entirely new, although our researchers have been seeing an increase in activity for the past couple of months... Perhaps it’s because this is also the time of the year when the more legitimate security suites are releasing their latest software updates, and cybercriminals are riding on this season to ramp up their profits. Bad news for the infected users though, as their latest versions of “antivirus software” are actually adding more threats to their system..."

(Screenshots available at the URL above.)

« Last Edit: August 15, 2008, 01:16:55 by AplusWebMaster »

This machine has no brain.
....... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
« Reply #1 on: August 23, 2008, 02:49:16 »
AplusWebMaster

FYI...

- http://www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/page8.html
22 August 2008 - "...One can only wonder how many users have been duped into installing ineffective security software, and what happened to their private information and credit card data when they paid for it. The presence of such software, and the overall very high quality of the ruse it presents, is frightening. More than likely, thousands of people have been fooled. In fact, this type of deception has been around for several years now, and it would not still be here if it did not work well. This should serve as a dire warning to all: be extremely careful what you trust, and question everything that looks even remotely suspicious..."
(Many screenshots shown in the article at the above URL - well worth your time.)

You may also want to visit TeMerc's site on this subject:
- http://www.temerc.com/forums/viewtopic.php?f=26&t=5053

...and this tool: RogueRemover FREE (i.e.: XP Antivirus 2008, etc. - 444 different suspicious applications)
> http://www.malwarebytes.org/rogueremover.php

« Last Edit: August 23, 2008, 02:56:18 by AplusWebMaster »

« Reply #2 on: August 26, 2008, 13:32:43 »
AplusWebMaster

FYI...

Phish that bites back
- http://www.secureworks.com/research/blog/index.php/2008/08/25/the-phish-that-bites-back/
August 25th, 2008 - "We all get phishing emails. Some of us more than others, so it’s no surprise that sometimes people take out their frustrations on the phishing form, letting the phisher know just what they think of him or her... While it might make you feel better, it isn’t always a good idea. For instance, if you were to do this on a phishing page hosted by the Asprox botnet, you might get more than you bargained for. The Asprox phishing form backend has a bit of extra logic added to it. If the form looks like it has been filled out with legitimate data, you get redirected to the main page of the bank website. However, fill it out incompletely or use certain words like “phish” or NSFWUYAS (Not Safe For Work Unless You’re a Sailor) language, and your browser will be subjected to a number of exploits. If you are running Windows and haven’t recently installed your security updates and patched all your browser plugins/ActiveX controls, you might find yourself infected with your very own copy of Asprox. Not only do you then get the opportunity to unknowingly send phishing emails on behalf of the botnet, you will likely get some extra goodies, since Asprox is also a downloader trojan. You won’t notice it running, but you might notice some of the things it downloads and installs. For instance, you might find your desktop wallpaper changed to a “spyware alert” type of message, and now all your screensaver shows is scary blue-screens-of-death. Of course, if you’re familiar with the Windows desktop properties dialog, you can change all that back, right? Oops. The rogue antivirus program has removed that functionality for you... you’ll notice the lack of an “I disagree” or even a “close window” button at the top of the dialog (which can’t be minimized, and stays on top of all your other windows). So there’s no easy way to continue using your computer without clicking on the “Agree and install” button.
But don’t worry, Antivirus XP 08 has already installed itself, whether you click through the license agreement or not... Of course, you’re not infected with everything this program says you are - it’s scareware, designed to get you to fork over $50 or $100 in order to clean your system of all these nasty threats. But it doesn’t actually detect or clean anything, especially not the Asprox bot you’re hosting now. And at any time, Asprox might deliver another malicious payload and install it for you - and it could be much worse: we’ve seen the Zbot banking trojan installed by Asprox in the past. So instead of dealing with a nuisance program, you might be silently sending your banking and credit card information to the botnet owners. Something to think about before venting your frustrations on the bad guys. Sometimes phish bite back."

(Screenshots available at the URL above.)

« Reply #3 on: August 28, 2008, 20:05:58 »
AplusWebMaster

FYI...

XP Antivirus 2008 now with sploits, Google Adwords affected
- http://sunbeltblog.blogspot.com/2008/08/xp-antivirus-2008-now-with-sploits.html
August 27, 2008 - "...problem of Google Adwords pushing Antivirus XP Antivirus 2008. The situation is still ongoing. However, it’s taken a turn for the worse, as these XP Antivirus pages are pushing exploits to install malware on the user's system. This will also affect the many syndicators of Google Adwords... There are a variety of exploits being used, including setslice and an AOL IM exploit. Unusually, an exploit framework is not being used. Fully patched systems will not be affected by these exploits. The exploit attempts to install the following malicious file: huytegygle com/bin/ file.exe..."

(Screenshots available at the URL above.)

« Reply #4 on: August 29, 2008, 03:25:27 »
AplusWebMaster

FYI...

Spammed SWF URLs Abuse ImageShack, Lead to Rogue AV
- http://blog.trendmicro.com/spammed-swf-urls-abuse-imageshack-lead-to-rogue-av/
Aug. 28, 2008 - "We’re seeing a lot of spam right now using the now annoyingly familiar Free Update Windows XP, Vista spam template. This time though, instead of linking to an .EXE file, it is now pointing to an .SWF file. The SWF file linked via the large-font text Free Update Windows XP,Vista contains Flash ActionScript... After this a EULA window appears, and then the system proceeds to install a rogue AV software from avxp-2008.net. Note that it does this automatically from the moment the install.exe is run... The technique used in the spam has two things going for it:
1. the use of SWF instead of EXE and
2. the use of an ImageShack-hosted file, both of which may suggest to normal users that the file is possibly harmless.
So it seems the siege of rogue AV is not only not dying down, its proponents are becoming more creative in their “advertising” schemes. We detect this rogue AV as TROJ_FAKEAV.IG."

(Screenshots available at the URL above.)

« Reply #5 on: September 16, 2008, 03:38:31 »
AplusWebMaster

FYI...

Fake AV 2009 and search engine results
- http://isc.sans.org/diary.html?storyid=5042
Last Updated: 2008-09-16 01:15:04 UTC - "Web servers have been compromised and their .htaccess files have been modified. Here you can see an example of a modified .htaccess:
http://forums.devnetwork.net/viewtopic.php?f=6&t=85984 ...
Another site that was compromised and searches redirected is discussed here:
http://groups.google.com/group/Google_Webmaster_Help-Indexing/msg/0cd2cafd907a0380 ...
Their .htaccess is being modified to rewrite requests. Specifically, they are redirecting to sites that "advertise" antivirus2008 or antivirus2009 when several search engines try to spider the original site. They redirect most of the search engines there (google, yahoo, altavista...). I believe that is how they are getting their fake av into the search engines with a HIGH hit rate. The site I was seeing in use was int3rn3t-d3f3ns3s .com, which is an "ad" for anti-virus2009... used to convince victims to load this fake-av software...
int3rn3t-d3f3ns3s .com is at 84.16.252.73. I recommend blocking that at your enterprise gateway. Prt3ctionactiv3scan .com, which is mentioned in the sunbelt blog, is at 78.159.118.168; blocking that at your gateway is also recommended.
There is a blog here about some of these fake av sites.
http://ddanchev.blogspot.com/2008/08/diverse-portfolio-of-fake-security.html
Microsoft MVP Harry Waldron blogged about it here.
http://msmvps.com/blogs/harrywaldron/archive/2008/08/15/antivirus-2009-avoid-these-fake-antivirus-trojan-attacks.aspx ...
Sunbelt did a good write-up of it here and has been tracking the sites involved.
http://sunbeltblog.blogspot.com/2008/09/scam-sites-update-iii.html
If you need antivirus software, ICSA Labs has a useful collection of valid links here:
https://www.icsalabs.com/icsa/topic.php?tid=cfe0$3d83e732-011a28d6$5ac9-0f77e15b"

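The search-engine cloaking the ISC diary above describes (a compromised .htaccess whose RewriteCond/RewriteRule pairs send spider user agents to an external "ad" site while normal visitors see the real page) can be checked for in an audit of web roots. The script below is an added example, not code from the post or the diary; the sample .htaccess, the .invalid host names, the OWN_HOSTS set and the spider-name pattern are constructed assumptions.

```python
import re

# Constructed sample of a cloaking .htaccess of the kind the ISC diary describes:
# requests from search-engine spiders are rewritten to an external "ad" site,
# while a second, legitimate rule only canonicalises the site's own host name.
# Host names are placeholders (.invalid TLD), not the ones named in the post.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (googlebot|slurp|msnbot|altavista) [NC]
RewriteRule ^(.*)$ http://rogue-av-ad.invalid/$1 [R=302,L]
RewriteCond %{HTTP_HOST} ^www\\.legit-site\\.invalid$ [NC]
RewriteRule ^(.*)$ http://legit-site.invalid/$1 [R=301,L]
"""

# Hosts the administrator owns; redirects to these are expected, not suspicious.
OWN_HOSTS = {"legit-site.invalid", "www.legit-site.invalid"}

# Spider names commonly matched by cloaking rules (assumed list; extend as needed).
SPIDER_RE = re.compile(r"googlebot|slurp|yahoo|msnbot|bingbot|altavista", re.I)


def parse_rewrite_blocks(text):
    """Group every RewriteRule with the RewriteCond lines that precede it,
    mirroring mod_rewrite's semantics: conditions apply to the next rule only."""
    blocks, conds = [], []
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            conds.append((parts[1], parts[2]))
        elif directive == "rewriterule" and len(parts) >= 3:
            blocks.append({"conds": conds, "target": parts[2],
                           "flags": parts[3] if len(parts) > 3 else ""})
            conds = []
    return blocks


def external_host(target):
    """Return the host of an absolute redirect target, or None when the target
    is relative or points at one of our own hosts."""
    m = re.match(r"https?://([^/\s]+)", target, re.I)
    if not m:
        return None
    host = m.group(1).lower()
    return None if host in OWN_HOSTS else host


def find_spider_cloaking(text):
    """Report rules that send search-engine user agents to an external host."""
    findings = []
    for block in parse_rewrite_blocks(text):
        host = external_host(block["target"])
        if host is None:
            continue
        ua_patterns = [pat for var, pat in block["conds"]
                       if var.upper() == "%{HTTP_USER_AGENT}"]
        if any(SPIDER_RE.search(p) for p in ua_patterns):
            findings.append({"host": host, "user_agents": ua_patterns,
                             "flags": block["flags"]})
    return findings


if __name__ == "__main__":
    for f in find_spider_cloaking(SAMPLE_HTACCESS):
        print(f"spider cloaking -> {f['host']} (UA: {f['user_agents']}, {f['flags']})")
```

Run it over every .htaccess under a web root (and over the server's main config, which cloaking rules can also live in); any hit names the external host to block at the gateway, as the diary recommends.
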
« Reply #6 on: October 01, 2008, 03:37:29 »
AplusWebMaster

FYI...

More "scareware"...
- http://www.f-secure.com/weblog/archives/00001508.html
September 30, 2008 - "WinDefender 2008 is a rogue application. Rogues are also sometimes known as scareware... Looks sort of familiar, doesn't it? Do you recognize the shape of the box? The website creators appear to have "borrowed" a few things. Let's check out the legal disclaimer... From where else we can find really legal stuff? Spyware Rogue: Antivirus XP 2008... Oh, Antivirus XP 2008. That particular rogue is a huge pain in the… neck. The guys that produce this stuff are crooks and swindlers... Here's a tip: If they claim to be REALiable — they're probably FAKE..."
(Screenshots available at the URL above.)

- http://www.f-secure.com/weblog/archives/00001509.html
October 1, 2008 - More rogue apps/screenshots...

« Last Edit: October 01, 2008, 13:20:58 by AplusWebMaster »

« Reply #7 on: October 04, 2008, 16:34:50 »
AplusWebMaster

FYI...

- http://blog.trendmicro.com/rogue-av-tactics-continue-to-threaten/
Oct. 2, 2008 - "October has just begun and Trend Micro threat researchers keep seeing more and more — slightly different, but yet increasingly more annoying — variations to the set of rogue AV infection signals... Fake BSOD (actually a screensaver) now sports a specific mention of the problem — an unregistered version of a certain AV product... even the fake reboot screen (also a screensaver) has text... malware criminals continue a “take no prisoners” approach to vandalizing PCs in their bid to convince victims to purchase bogus security software... Cybercriminals literally calling attention to themselves by using all visual means available to instill a sense of discomfort in users that may just be enough to get these users to fall for the act — an unfortunately common scare tactic... This variant is an ongoing iteration of the Antivirus 2009 campaign and is detected as TROJ_FAKEAV.SV..."

(Screenshots available at the URL above.)

« Reply #8 on: October 10, 2008, 03:35:39 »
AplusWebMaster

FYI...

New rogue: Antivirus 2010
- http://sunbeltblog.blogspot.com/2008/10/new-rogue-antivirus-2010.html
October 09, 2008 - "Antivirus 2010 is a new rogue security product. This rogue is a clone evolved from IEdefender that begat XP Antivirus, that begat Antivirus 2008, that then begat Antispyware 2009... The rogue application uses the same old tricks to lure users into purchasing their worthless application... Fake Windows Security Center - Fake BSOD..."

(Screenshots available at the URL above.)

« Reply #9 on: November 10, 2008, 07:52:55 »
AplusWebMaster

FYI...

More rogue AV tricks...
- http://www.f-secure.com/weblog/archives/00001535.html
November 10, 2008 - "We came across a rogue today called Antivirus Professional 2008 that uses GeoIP Lookup as part of its scare tactics. This site uses Flash and script to create the effect of an online scan, that then attempts to push an installer at the visitor. The NoScript extension* for Mozilla Firefox is an excellent way to mitigate against this kind of garbage... The "antivirus online scanner" site now uses the visitor's IP address to customize the so-called threat..."

(Screenshots available at the URL above.)

* https://addons.mozilla.org/en-US/firefox/addon/722

« Reply #10 on: November 21, 2008, 16:03:56 »
AplusWebMaster

FYI...

- http://www.f-secure.com/weblog/archives/00001545.html
November 21, 2008 - "Some rogue antivirus applications are overtly malicious. XP Antivirus 2008 and XP Antivirus 2009 have numerous affiliates utilizing rootkits and plenty of other nasty techniques in order to get themselves installed (and purchased). They're a real pain in the… neck. As an interesting aside – XP Antivirus 2008 and XP Antivirus 2009 are actually produced by two different gangs. Variants of one sometimes attempt to uninstall and disable the other...
This is how the search-and-destroy .com site appears... The site just uses a simple Flash graphic for basic animation; there are no fake "scans" that attempt to scare the visitor. It's all very quiet, relying perhaps on its name. This application, search-and-destroy, should not of course be confused with Spybot Search & Destroy, a well-known and respected antispyware application. We downloaded and tested the Search-and-Destroy Antispyware application. First it prompted a warning that there were zero risks. Then we performed the scan and there were 159 "problems" discovered. All 159 were not fixable in the trial version. Within the "malicious threats" that were discovered, were invalid shortcuts. True, the links were invalid, but that's hardly a threat. So we uninstalled the application, and it left behind a registry key... Within the "malicious threats" that were discovered, were invalid shortcuts... Typical. The scan warned us about invalid shortcuts, and then leaves behind an invalid registry key... Based on the IP address used when posting to our comments system, Mirando lives in New Delhi, India. We suspect that he's young and that these posts are early attempts at making money via an affiliate program..."

(Screenshots available at the URL above.)

« Reply #11 on: November 22, 2008, 09:07:40 »
AplusWebMaster

FYI...

- http://preview.tinyurl.com/55b2hj
November 19, 2008 - MS Malware Protection Center - "Win32/FakeSecSen* was added to MSRT November release ...  We’ve since observed MSRT removing FakeSecSen from 994,061 distinct machines. Breakdown of these removals by regions is shown as below...
Distinct Machines Cleaned:
United States - 548,218
United Kingdom - 74,343
France - 47,581
Germany - 43,347
Netherlands - 28,724
Spain - 23,027
Italy - 18,453
Australia - 16,287
Canada - 16,180
Sweden - 15,412
Other - 162,489 ..."

* http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32%2fFakeSecSen
Summary: Win32/FakeSecSen is a family of programs that claim to scan for malware and display fake warnings of “malicious programs and viruses”.

« Last Edit: November 22, 2008, 09:09:31 by AplusWebMaster »

« Reply #12 on: December 02, 2008, 09:31:39 »
AplusWebMaster

FYI...

- http://www.sophos.com/security/blog/2008/12/2069.html
2 December 2008 - "Today we saw a hockey statistics website that had been compromised - it was redirecting via several hops to a fake anti-virus site detected as Mal/FakeAvJs-A... If you do go for their free scan, surprise surprise it finds malware on your computer. In fact there’s a config file on the site, telling you exactly what malware it’s going to find, and where... This wasn’t the only site we saw compromised like this today, the others pointing to the exact same fake anti-virus website after a number of hops, as if somebody had recently flicked a switch and set a number of websites redirecting in this manner..."

(Screenshots available at the URL above.)

« Reply #13 on: December 03, 2008, 07:52:57 »
AplusWebMaster

FYI...

Nano Antivirus now making the rounds
- http://sunbeltblog.blogspot.com/2008/12/nano-antivirus-now-making-rounds.html
December 02, 2008 - "A fresh rogue... variant of Pro Antispyware 2009*."

* http://sunbeltblog.blogspot.com/2008/10/new-rogue-pro-antispyware-2009.html
October 22, 2008

(Screenshots available at both URLs above.)

« Reply #14 on: December 24, 2008, 13:07:20 »
AplusWebMaster

FYI...

- http://preview.tinyurl.com/ay4674
December 24, 2008 (Computerworld) - "In the second month of a campaign against fake security software, Microsoft has booted the rogue application "Antivirus 2009" from almost 400,000 PCs, the company recently claimed. December's version of the Malicious Software Removal Tool (MSRT), a free utility that Microsoft pushes to Windows users as part of Patch Tuesday, targeted one of the most popular phony security apps, Antivirus 2009. According to Microsoft*, the MSRT erased the fake from over 394,000 PCs in the first nine days after it released this month's edition..."

MSRT Review - Win32/FakeXPA and Win32/Yektel Rogues
* http://preview.tinyurl.com/a4pku7
(blogs.technet.com) - December 17, 2008

> http://preview.tinyurl.com/6bb67
MSRT v2.5 - 12/10/2008 - 7.4MB
