Topic: Rogue anti-virus, anti-spyware, scareware, etc...  (Read 45251 times)
« Reply #30 on: September 14, 2009, 03:59:32 »
AplusWebMaster
FYI...

NY Times pushes Fake AV malvertisement
- http://countermeasures.trendmicro.eu/new-york-times-pushes-fake-av-malvertisement/
Sep. 14, 2009 - "...the New York Times issued a warning over Twitter and also on the front page of the web site. The newspaper advised visitors that they had had reports from “some NYTimes .com readers” relating to a malicious pop-up window while browsing the site... In the warning, the influential newspaper stated their belief that the pop-ups were the result of an “unauthorised advertisement”... it looks as though the problem may have been ongoing for upwards of 24 hours. The pop-up window itself... was the all-too-familiar sight of rogue antivirus software informing the NYTimes reader that their computer is infected with random, spurious, non-existent malware and promising “Full System Cleanup” for a fee of course... The malicious software being punted in this case is the same as we were seeing in much of the black-hat SEO around the 9/11 attacks, as reported previously on the TrendLabs malware blog*. In this particular example, the malicious site and software is being hosted by a German provider, Hetzner AG, which has a colourful track record when it comes to spewing dodgy content, having hosted literally hundreds of malicious URLs. Here’s a really simple tip to remember. If you *ever* see a pop-up window that arrives uninvited, telling you your PC is infected, ignore it, it is a scam. Close the window, empty your browser cache... UPDATE: Troy Davis was fortunate enough to be able to examine the attack in real-time and provides an excellent code level analysis here**".

* http://blog.trendmicro.com/fakeav-for-september-11/

** http://troy.yort.com/anatomy-of-a-malware-ad-on-nytimes-com


This machine has no brain.
....... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
« Reply #31 on: September 15, 2009, 04:24:10 »
AplusWebMaster
FYI...

Fake A/V hacks for another celebrity death...
- http://www.sophos.com/blogs/gc/g/2009/09/15/patrick-swayzes-death-exploited-scareware-hackers/
September 15, 2009 - "Patrick Swayze, the star of movies such as "Dirty Dancing" and "Ghost", has died after fighting cancer of the pancreas for two years. Although the entertainment world mourns his loss, heartless hackers are taking advantage of the hot news story by creating malicious webpages that lead to fake anti-virus (also known as scareware) alerts... This is the same tactic used by cybercriminals after the death of Natasha Richardson and when they exploited interest amongst the public in the anniversary of the 9/11 terrorist attack last week. Clearly the cybercriminals are no slackers when it comes to jumping on a trending internet topic, and are more professional than ever before in spreading their fake anti-virus scams..."

« Reply #32 on: September 21, 2009, 02:21:45 »
AplusWebMaster
FYI...

Fake Twitter accounts for Fake AV
- http://www.f-secure.com/weblog/archives/00001773.html
September 20, 2009 - "We're seeing more and more fake Twitter accounts being auto-generated by the bad boys. The profiles look real. They have variable account and user names (often German) and different locations (US cities). They even upload different Twitter wallpapers automatically... All the tweets sent by these accounts are auto-generated, either by picking up keywords from Twitter trends or by repeating real tweets sent by humans. And where do all the links eventually end up? Of course, they lead to fake websites trying to scare you into purchasing a product you don't need..."

(Screenshots available at the URL above.)

- http://www.sophos.com/blogs/gc/g/2009/09/21/fake-antivirus-attack-twitter/
September 21, 2009

« Last Edit: September 22, 2009, 04:35:59 by AplusWebMaster »
« Reply #33 on: September 24, 2009, 06:09:18 »
AplusWebMaster
FYI...

Fake Malwarebytes - Bogus Sponsored Link Leads to FAKEAV
- http://blog.trendmicro.com/bogus-sponsored-link-leads-to-fakeav/
Sep. 24, 2009 - "Apart from SEO poisoning, cybercriminals have found another avenue to proliferate FAKEAV malware - bogus sponsored links (sitio patrocinados in Spanish). Just recently, Trend Micro researchers were alerted to malicious search engine ads that appeared in Microsoft’s Bing and AltaVista, among others, when a user searches the string “malwarebytes.” (Malwarebytes is a free antivirus product, but of course, not a FakeAV.) Clicking the malicious URL points the user to an executable file named MalwareRemovalBot.exe-1 (detected by Trend Micro as TROJ_FAKEAV.DMZ). Upon execution, the rogue antivirus displays false information that the system is infected with files that do not even exist... In the past, cybercriminals employed the same tactic when they hitchhiked on Trend Micro. Some Google searches then showed banner ads that led to a fraudulent Trend Micro website. Though the ads may not appear in all regions, all users are still strongly advised to be extra careful when clicking links in search engines..."

(Screenshots available at the URL above.)

« Reply #34 on: September 29, 2009, 11:46:14 »
AplusWebMaster
FYI...

Tropical Storm leads to FAKEAV
- http://blog.trendmicro.com/tropical-storm-leads-to-fakeav/
Sep. 29, 2008 - "Cybercriminals leveraged on the tropical storm, Ondoy (International name: Ketsana) that hit the Philippines and killed around 140 people... several malicious sites that appeared each time the users search the strings, “manila flood,” “Ondoy Typhoon,” and “Philippines Flood,” among others. The said sites emerged as one of the top search results. Once the user clicks the URL, they will be redirected to several landing pages where they are asked to download an EXE file, soft_207.exe. Trend Micro detects it as TROJ_FAKEAV.BND. This attack does GeoIP checks, which means it only targets specific regions or locations... Although riding on tragic events is not exactly new, what is notable is that it employed once again blackhat SEO to lead users to a FAKEAV..."

(Screenshots available at the URL above.)

« Reply #35 on: September 30, 2009, 03:22:10 »
AplusWebMaster
FYI...

Rogue downloader uses Firefox warning screen lookalike
- http://sunbeltblog.blogspot.com/2009/09/rogue-downloader-uses-firefox-warning.html
September 29, 2009 - "... The rogue Alpha AntiVirus page used to hijack a browser copies the Firefox warning screen... Looks like the Firefox warning page ( in Internet Explorer ), but with a difference... What makes research on these rogues very challenging is the fact that they swap the download web sites about every six hours..."

(Screenshots available at the URL above.)

« Reply #36 on: October 02, 2009, 05:10:55 »
AplusWebMaster
FYI...

Rogue AV growth 2009-H1 585 percent
- http://www.theregister.co.uk/2009/10/02/crimeware_plague/
2 October 2009 - "The prevalence of scareware packages has reached epidemic proportions, with 485,000 different samples detected in the first half of 2009 alone. The figure is more than five times the combined figure for the whole of 2008, according to statistics from the Anti-Phishing Working Group (APWG). The huge figures are explained by the hacker practice of changing the checksum of every file. The tactic is designed to foil less sophisticated anti-malware defences... More than half (54 per cent) or 11.9 million of the computers scanned by Panda Security, which contributed to APWG's report, were infected with some form of malware. Banking trojan infections detected by the group almost tripled (up 186 per cent) between Q4 2008 and Q2 2009. APWG's report can be found here*."
* http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf

« Reply #37 on: October 20, 2009, 12:44:43 »
AplusWebMaster
FYI...

Scareware SPAM - Conficker.B infection alerts
* http://ddanchev.blogspot.com/2009/10/scareware-serving-confickerb-infection.html
October 20, 2009 - "A fake "conficker.b infection alert" spam campaign first observed in April, 2009 (using the following scareware domains antivirus-av-ms-check .com; antivirus-av-ms-checker .com; ms-anti-vir-scan .com; mega-antiviral-ms .com back then) is once again circulating in an attempt to trick users into installing "antispyware application", in this case the Antivirus Pro 2010 scareware. This campaign is directly related to last week's Microsoft Outlook update campaign, with both of these using identical download locations for the scareware..."

(Screenshots and extensive list of domains involved available at the URL above*.)

- http://atlas.arbor.net/
"... We are also seeing email spam attacks to spread malware from the Bredolab botnet, from the ZBot botnet, and a Rogue AV downloader purporting to be an anti-conficker system update."

« Last Edit: October 22, 2009, 10:14:17 by AplusWebMaster »
« Reply #38 on: December 03, 2009, 22:11:42 »
AplusWebMaster
FYI...

Another resource - Rogue lookups
- http://www.lavasoft.com/mylavasoft/rogues/help
"Rogue security software is an application that appears to be beneficial from a security perspective but provides little or no security, generates erroneous alerts, or attempts to lure users into participating in fraudulent transactions. Some products defined as "rogue" simply fail to provide the reliable protection that a consumer paid for. Others are far more sinister, masquerading as legitimate security software, and using deceptive tactics to con users into buying the product... instead of purchasing a program to protect your PC, you may actually be playing into the hands of cyber scammers, falling for bogus software specifically designed to mislead you..."

(Indexed list of known rogues from "Latest" to A-Z available at the URL above.)

« Reply #39 on: January 08, 2010, 14:57:29 »
AplusWebMaster
FYI...

Rogue AV - Data Doctor 2010 encrypted files...
- http://sunbeltblog.blogspot.com/2010/01/data-doctor-2010-encrypted-files-we.html
January 06, 2010 - "Our analyst Dimiter Andonov has developed a tool to decrypt files encrypted by Data Doctor 2010 that at least one blog reader found very useful:
http://www.sunbeltsecurity.com/DownLoads.aspx
Update 01/07:
We've just posted a page with detailed directions for using the Data Doctor 2010 file decrypter:
http://www.sunbeltsecurity.com/DownLoads.aspx ..."

- http://www.f-secure.com/weblog/archives/00001850.html
January 8, 2010

« Reply #40 on: January 14, 2010, 14:48:05 »
AplusWebMaster
FYI...

Rogue AV exploits Haiti earthquake
- http://isc.sans.org/diary.html?storyid=7987
Last Updated: 2010-01-14 18:45:02 UTC - "Just when you think they couldn't possibly go any lower ... The bad guys behind the Rogue AV scam (see my old diary at http://isc.sans.org/diary.html?storyid=7144 about Rogue AV) are heavily using SEO techniques to make links to their sites appear high on search engines. For example, when using Google to search for "haiti earthquake donation" top 6 hits (!) lead to compromised web sites which in turn check the referrer (they verify if you are coming from a search engine) and, if that is true, redirect you to another web site... At the moment they are redirecting to scan-now24 .com which appears to be taken down. As posted on numerous places yesterday – if you plan on donating be very careful about sites you visit."

- http://www.us-cert.gov/current/#haitian_earthquake_disaster_phishing_attacks
January 14, 2010

- http://www.fbi.gov/pressrel/pressrel10/earthquake011310.htm
January 13, 2010

- http://sunbeltblog.blogspot.com/2010/01/hacked-sites-used-to-redirect-to.html
January 14, 2010 - "We continue to find hacked sites popping up on web searches for Haiti relief donations-related strings. Among other things, we’ve found a rogue security product being pushed. VIPRE detected that one as Rogues.Win32.FakeVimes... sites all -redirect- to scan-now24 .com (registered Dec. 28), which we recommend blocking..."

« Last Edit: January 15, 2010, 20:38:17 by AplusWebMaster »
« Reply #41 on: February 16, 2010, 13:25:51 »
AplusWebMaster
FYI...

Scammers offer "Live Support"
- http://www.informationweek.com/shared/printableArticle.jhtm?articleID=222900276
Feb. 13, 2010 - "... The Live PC Care "virus scan" screen now includes a yellow online support button that affords those reluctant to part with their money the opportunity to banter with fraud support. "If a potential victim clicks on the online support button they are brought to a live support chat session," said Symantec security researcher Peter Coogan in a blog post*. "The authors of Live PC Care have taken advantage of a legitimate freeware live chat system called LiveZilla. This system allows Live PC Care victims to chat online with so-called 'support agents.'" Based on the interactions between Symantec researchers and the live support people, Coogan says that there really are people answering questions, and not automated scripts. Their goal, he says, is to allay suspicions and encourage the belief that the fake malware detected needs to be repaired. Coogan says that the involvement of live support people shows just how big the business of fake antivirus scams has become. Symantec says that between July 1, 2008 and June 30, 2009, 250 different fake antivirus programs made 43 million installation attempts. The company says that the cost of being victimized can go beyond the $30 to $100 price for useless software to include additional fraud arising from credit card theft."
* http://www.symantec.com/connect/blogs/fake-av-talking-enemy

Trojan.FakeAV
- http://www.symantec.com/security_response/writeup.jsp?docid=2007-101013-3606-99&tabid=2
Updated: October 10, 2007 5:08:11 PM
Type: Trojan
Infection Length: 7,680 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

« Last Edit: February 17, 2010, 04:17:17 by AplusWebMaster »
« Reply #42 on: February 26, 2010, 10:53:54 »
AplusWebMaster
FYI...

VirusTotal - fake rogue site
- http://sunbeltblog.blogspot.com/2010/02/not-real-virustotalcom.html
February 26, 2010 - "VirusTotal.com [ http://en.wikipedia.org/wiki/VirusTotal.com ] is a brilliant site that helps both public and researchers alike determine if an executable file they have is potentially malicious or not... somebody decided to cash in on the good name of the site with the following domain:
virus-total(dot)in
...we have some Rogue Antivirus advertising in the house, to the tune of “Your computer is infected by viruses” complete with the now familiar fake image of your drives and folders... Should you download and run the executable file offered up by the site, you’ll end up with the rogue Security Tool on your system... the REAL domain for VirusTotal is http://www.virustotal.com/ . Don’t fall for this scam!"

(Screenshots available at the Sunbeltblog URL above.)

« Reply #43 on: February 26, 2010, 15:59:44 »
AplusWebMaster
FYI...

MS warns: fake Security Essentials
- http://www.theregister.co.uk/2010/02/26/microsoft_security_essentials_rogue/
26 February 2010 - "Microsoft has warned Windows users to be on their guard against a piece of rogue antivirus software passing itself off as Microsoft Security Essentials. Security essentials 2010 is a piece of software Microsoft said installs a fake virus scanner on your machine and monitors and blocks processes it doesn't like. The software will also block access to websites of antivirus and malware companies and flag up a warning message. You can see the list of blocked sites here*... Adding insult to injury, Security essentials 2010 charges you to scan and remove files on your machine, claiming the version you will have initially downloaded is just a trial edition. Microsoft's Security Essentials is available without charge to PC users running a genuine copy of Windows..."
* http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:Win32/Fakeinit

« Reply #44 on: April 16, 2010, 02:44:30 »
AplusWebMaster
FYI...

Fake AV on 11,000 domains...
- http://googleonlinesecurity.blogspot.com/2010/04/rise-of-fake-anti-virus.html
April 14, 2010 - "... One increasingly prevalent threat is the spread of Fake Anti-Virus (Fake AV) products. This malicious software takes advantage of users’ fear that their computer is vulnerable, as well as their desire to take the proper corrective action... We conducted an in-depth analysis of the prevalence of Fake AV over the course of the last 13 months... Our analysis of 240 million web pages over the 13 months of our study uncovered over 11,000 domains involved in Fake AV distribution — or, roughly 15% of the malware domains we detected on the web during that period. Also, over the last year, the lifespan of domains distributing Fake AV attacks has decreased significantly..."

- http://www.newsfactor.com/story.xhtml?story_id=13000CYP5QJY
April 28, 2010 - "... fake antivirus scans that plant malware are on the rise. Over 13 months, more than 11,000 domains were involved in fake scans, Google says. Advertising is being used to trick users into fake scans, and Google promised to blacklist any company linked to malware. Rapid adaptation is also making it more difficult to detect malware..."

« Last Edit: April 28, 2010, 18:52:48 by AplusWebMaster »