mostpopularscan.com - Browser Hijacker Fake Scanner

mostpopularscan.com - Rogueware browser hijacker Another site which promote "Internet Antivirus Pro" a rogue application also called SystemSecurity or WinWebSecurity Site screenshot: let's take a look at the file "install.exe"
Analysis:
	File info: install.exe             File size 57892 bytes     MD5 77d7d24ed2427f32ef74c9313c7c3ed4                     VirusTotal: Report             First received 03.17.2009 13:57:04 (CET)     Results 24/39 (61.54%)             Alias: FraudTool.Win32.SystemSecurity       Win32/Winwebsec       Mal/FakeAV
Result when running:
	HTTP Request: 209.44.126.14 GET: mostpopularscan. com/ [install/ws.zip]   File info: SystemSecurity.exe             File size 2206720 bytes     MD5 4b65f1e719f85ee082d5108fbdf2ea00                     VirusTotal: Report             First received 03.17.2009 22:02:38 (CET)     Results 15/39 (38.46%)             Alias: FraudTool.Win32.SystemSecurity       Win32/Winwebsec       Mal/FakeAV
Application screenshot:
Domain sharing IP with mostpopularscan.com
	209.44.126.14 ThreatExpert Wepawet JS Analysis       bestfiresfull.com   Report on March 15 fuckmoneycash.com Report Report on March 17 mostpopularscan.com Report Report on March 17 scanvistanow.net   Report on March 13 vistastabilitynow.com Report Report on March 17 worldnowhits.com   Report on March 17       Name Server: NS1.FUCKMONEYCASH.COM Name Server: NS2.FUCKMONEYCASH.COM Netblock owner: OrgName:Netelligent Hosting Services Inc. NetRange: 209.44.96.0 - 209.44.127.255 CIDR: 209.44.96.0/19 And finally on this network we have 2 bad IP's which host the same malware 209.44.126.16 onlinestabilitysite.com systemsecurityonline.com 209.44.126.22 ThreatExpert     networkstabilityexamine.com   onlinestabilityguide.com Report onlinestabilitysite.com   onlinestabilityworld.com Report stabilityaudit.com   wwwsafetyexamine.com       And name servers which has served for malicious traffic. A list is here.     ns1.onlinestabilityguide.com   ns1.onlinestabilitysite.com   ns1.onlinestabilityworld.com   ns1.stabilityaudit.com   ns1.stabilityscanavailable.com
	Look's very similar to these domain. Same template, same malware and some redirect to site like mostpopularscan.com, bestfiresfull.com, easywinscanner17.com etc... PandaLabs - Rash of Rogue Security Malware This is just a sample: goscanfull.com gohardscan.com goscanfull.com goscanhard.com goscanopen.com gomodescan.com goscanmind.com goscanport.com goscanquick.com goscanslot.com goscanway.com goscanwith.com goquickscan.com goscanany.com goscanmode.com gotscan.com Redirection change every day with new site purchased. Most of them are on the IP: 78.159.101.27 - netdirekt e.K Also host on the same network a ton of similar websites. 78.159.99.52 x 6 78.159.100.22 x 2 line4scan.com log4scan.com 78.159.101.11 x 3 megascan4.com safe4scan.com scanmain4.com 78.159.101.22 x 6 scan4tool.com tool4scan.com 78.159.101.27 x 40 scanmega4.com truescan4.com Here are some of them - hosted by Zlkon, Starlines Web Service and a lot by NT-COLO Netcraft for netdirekt e.K Netcraft for Zlkon Netcraft for Starline Web Service - Site for redirections - Also host: onlinedetect.com Netcraft for NT-COLO