Friday, March 20, 2009

stabilityinetscan: Zlkon Malware Drop Fake AV

stabilityinetscan.com - Rogueware browser hijacker - Zlkon Malware Drop

Another site promoting "Internet Antivirus Pro", a rogue application also
known as SystemSecurity or WinWebSecurity.

The FAKE scanner displays bogus alerts claiming that you are infected with
the Admess trojan (tcpservice.exe), zserv.Transponder.Trojan (ZServ.dll)
and other malware.

Site screenshot:

Template 1: stabilityinetscan.com/

[Screenshot: stabilityinetscan.com]

[Screenshot: stabilityinetscan.com pop-up message]


Template 2: stabilityinetscan.com/scan.php?affid=01990

Fake messages:

Windows Security Center
Virus (I-Worm.Trojan.b) was found on your computer!
Click 'OK' to install System Security Antivirus.

Windows Security Center recommends you to install System Security Antivirus.

Fake Windows Security Center:

Security Essentials: To help protect your computer, make sure the four security
essentials below are marked On or OK

- Firewall is set to "On"
- Automatic updating is set to "Not automatic"
- Malware protection and "Other Security Settings" are set to "Check Settings"

[Screenshot: stabilityinetscan.com - Windows Security Center: Security essentials]


Analysis:

Site URLs:
  HTML:      stabilityinetscan.com/scan.php?affid=01990
  SWF/Flash: stabilityinetscan.com/load.swf?&p=0&t=_self&u=download.php?affid=x

Anubis: Report

Site URLs:
  stabilityinetscan.com/download.php
  stabilityinetscan.com/download.php?affid=01990

Response Headers:

(Status-Line): HTTP/1.1 200 OK
Date: Fri, 20 Mar 2009 xx:xx:xx GMT
Server: Apache/2
X-Powered-By: PHP/5.2.6
Cache-Control: public, must-revalidate
Pragma: hack
Content-Length: 57894
Content-Disposition: attachment; filename="install.exe"
Content-Transfer-Encoding: binary
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream

File info: install.exe
  File size: 57894 bytes
  MD5:       631cb675d5094b14bbf13ac5218506f2

VirusTotal: Report
  First received: 03.20.2009 08:33:18 (CET)
  Results:        26/39 (66.67%)

PE Info (base data):
  entrypointaddress.: 0x28230
  timedatestamp.....: 0x49bf47e1 (Tue Mar 17 06:49:05 2009)
  machinetype.......: 0x14c (I386)

Prevx: Result
  Alias: FraudTool.Win32.SystemSecurity
         Win32/Winwebsec
         SystemSecurity
         Cryp_FakeAV-11

Result when running:

[Screenshot: stabilityinetscan.com - InternetAntivirusPro]

HTTP Request: 94.247.3.3 [hs.3-3.zlkon.lv]

GET: stabilityinetscan.com/install/ws.zip


File info: SystemSecurity.exe
  File size: 2206720 bytes
  MD5:       4b65f1e719f85ee082d5108fbdf2ea00

VirusTotal: First Report
VirusTotal: Reanalysed
  First received: 03.18.2009 02:31:35 (CET)
  Results:        16/39 (41.03%)

  Second time:    03.20.2009 08:51:04 (CET)
  Results:        22/39 (56.42%)
  New info:       Prevx

  Alias: FraudTool.Win32.SystemSecurity
         Win32/Winwebsec
         Mal/FakeAV


Application screenshot:

[Screenshot: SystemSecurity - WinWebSecurity application]

Domain sharing IP with stabilityinetscan.com

The Robtex graph for 94.247.3.3 shows more domains on this IP that previously served as malware drop sites.

[Robtex graph: 94.247.3.3 - stabilityinetscan.com - Zlkon Malware Drop]