The exponential growth of rogue antivirus distribution through legitimate websites goes largely unnoticed, while the tactics used by its creators keep becoming more sophisticated.
The sites on this blog are rogue antispyware programs that display misleading scan alerts and are mostly installed on the victim's computer without consent, through infected websites (LEGITIMATE websites that have been compromised).
The site now includes IPs, botnet C&C servers, exposed data logs, links to LIVE exploit URLs (Flash and PDF vulnerabilities), domains with their relationships, routes and AS numbers, and the malicious scripts found on compromised websites belonging to the same campaign.
If you arrived at this page through a search engine while looking up a domain covered on this blog, removal information can be found at the links below. Site analyses are created and updated as new sites are found, twice a day or more if needed.
If you arrived at this page looking for information about these attacks and the IPs, domains and networks used, here are some links with details about this malware campaign.
Here is a list of the fake scanner websites used in the attack, which has infected thousands of websites in order to distribute the malware also known as WinWebSec (WinWebSecurity or SystemSecurity2009): Black Hat SEO and Rogue Antivirus
Other rogue AV, such as AntivirusPlus, has recently been detected through this list.
Many more, under names such as FakeSpyGuard, VirusRemover, WinAntiVirus2008 and SpywareRemover2009, plus some variants of "Trojan Hiloti", through this list.
Deobfuscated result is:
The IP is 18.104.22.168 (ZlKon).
The networks used for hosting these malicious websites are: Starline Web Services (Estonia), Zlkon (Latvia), netdirekt e.K. (Germany), Hetzner Online AG (Germany), Ural-NET (Russia), Eurohost LLC (Ukraine), GloboTech via Olexij Khrenov (Ukraine), Joint Multimedia Cable Network (Ukraine), NTColo Networks (Ukraine), Plitochnik Lux LTD (Ukraine), Coloquest (US), Netelligent Hosting Services Inc (US), and some others in China and Moldova. The IPs, AS numbers and networks used can be found on this blog.
------------- New sites used
on March 28: slot4scan.com, scan4fuse.com, list4scan.com, scan4home.com, gotimescan.com
on March 29: mainscan6.com, scan4plus.info, scan4open.com
on March 30: logscan6.com, scan4way.com [redirection by gostepscan.com], 5scanav.com and scan5plus.com [redirection by gowithscan.com], new4scan.info, scan4live.info, best4scan.info, best6scan.info, pro4scan.info, scanline6.com, scan6log.com, scan6main.com, scan6now.com, zpmuwbtqqwkw.net
Analysis here
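The domain and IP sightings above are only useful to a defender once they are turned into a check against traffic. The following script is an added example, not code from this blog: it loads the fake scanner domains and the hosting IP listed on this page, matches them against a constructed web proxy log, and reconstructs the redirection hops (such as gostepscan.com sending a client on to scan4way.com) per client. The log format and the client addresses are constructed for the example, and the "sibling" heuristic (a label containing "scan" plus a digit) is an assumption derived from the naming scheme of the listed domains, so its hits are reported as suspected rather than confirmed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Fake scanner domains listed on this page (March 28-30 sightings).
ROGUE_AV_DOMAINS = {
    "slot4scan.com", "scan4fuse.com", "list4scan.com", "scan4home.com", "gotimescan.com",
    "mainscan6.com", "scan4plus.info", "scan4open.com",
    "logscan6.com", "scan4way.com", "gostepscan.com", "5scanav.com", "scan5plus.com",
    "gowithscan.com", "new4scan.info", "scan4live.info", "best4scan.info", "best6scan.info",
    "pro4scan.info", "scanline6.com", "scan6log.com", "scan6main.com", "scan6now.com",
    "zpmuwbtqqwkw.net",
}

# Hosting IP named on this page.
ROGUE_AV_IPS = {"18.104.22.168"}

# Assumption: heuristic for the campaign's naming scheme ("scan" plus a digit in the label
# under .com/.info/.net). It flags likely siblings that are not yet on the list; such hits
# are reported as "suspected", never as confirmed.
SIBLING_PATTERN = re.compile(r"^(?=.*scan)(?=.*\d)[a-z0-9-]+\.(?:com|info|net)$")

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>" (not a real capture).
SAMPLE_PROXY_LOG = """\
2009-03-30T10:12:01Z 10.0.0.5 GET http://www.example-news.org/article.php 200
2009-03-30T10:12:03Z 10.0.0.5 GET http://gostepscan.com/in.cgi?3 302
2009-03-30T10:12:04Z 10.0.0.5 GET http://scan4way.com/scan/?id=4 200
2009-03-30T10:12:09Z 10.0.0.5 GET http://scan4way.com/download/install.exe 200
2009-03-30T10:15:40Z 10.0.0.7 GET http://18.104.22.168/index.php 200
2009-03-30T10:16:02Z 10.0.0.9 GET http://scan7fresh.info/ 200
2009-03-30T10:17:11Z 10.0.0.9 GET http://www.example-scanner-vendor.com/ 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_host(host):
    """Return 'listed', 'listed-ip', 'suspected' or None for a request host."""
    host = host.lower().rstrip(".")
    if host in ROGUE_AV_IPS:
        return "listed-ip"
    # Strip a leading "www." so www.scan4way.com still matches the listed name.
    bare = host[4:] if host.startswith("www.") else host
    if bare in ROGUE_AV_DOMAINS:
        return "listed"
    if SIBLING_PATTERN.match(bare):
        return "suspected"
    return None


def scan_proxy_log(text):
    """Parse the proxy lines and return hits as (time, client, host, status, verdict)."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing the whole run
        ts, client, _method, url, status = m.groups()
        host = urlsplit(url).hostname
        if not host:
            continue
        verdict = classify_host(host)
        if verdict:
            hits.append((ts, client, host, int(status), verdict))
    return hits


def redirect_chains(hits):
    """Per client, the ordered distinct campaign hosts contacted: a 302 from one host
    followed by a request to the next shows the redirection hop used by the campaign."""
    chains = defaultdict(list)
    for _ts, client, host, _status, _verdict in sorted(hits):
        if not chains[client] or chains[client][-1] != host:
            chains[client].append(host)
    return dict(chains)


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_PROXY_LOG)
    for ts, client, host, status, verdict in found:
        print(f"{ts} {client} -> {host} [{status}] {verdict}")
    for client, chain in redirect_chains(found).items():
        print(f"{client}: {' -> '.join(chain)}")
```

Matching against the explicit set gives confirmed hits; the heuristic only widens the net for look-alike registrations, so a "suspected" result should be confirmed (for example against the hosting networks named above) before it goes on a blocklist.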
Interestingly, within the mirrored copy, now tweaked and distributed for free using free image hosting services as the infrastructure provider for the layout, there are also leftovers from the original campaign template that they mirrored, which ultimately lead us to DATORU EXPRESS SERVISS Ltd (AS12553 PCEXPRESS-AS), or zlkon.lv. In the wake of UkrTeleGroup Ltd's demise (don't pop the corks just yet, since the revenues they've been generating for the past several years will make it much less painful), a significant number of UkrTeleGroup customers, under domains of course, have been generating quite some malicious activity at zlkon.lv for a while.