Friday, April 3, 2009

Black Hat SEO and Rogue Antivirus p.6

The silent threat: Black Hat SEO and Rogue Antivirus

Analyzing the tactic

READ THIS page if you need more information

Yet another WinWebSecurity variant, this one pushed through crack/serial websites and an ad network.

Fake ad:
BE PROTECTED! - FREE online system scan for viruses, trojans and malware.
Check it out - maybe someone have access to your PC right now! Protect yourself.


Clicking it triggers a full chain of redirections:

Redirection 1
Redirection 2
Redirection 3
Redirection 4

then

initialsecurityscan.com

Retrieved from Google's cache here

VirusTotal
Prevx
Anubis

File install.exe received on 04.03.2009 12:28:53 (CET)
Result: 18/39 (46.16%)

File info:

File size: 108584 bytes
MD5: de926b63ab0976244d752170dac7ec00

Hosted by Netelligent Hosting Services Inc. on IP 209.44.126.14

Screenshot on Friday, April 3

Nameservers: NS1.FUCKMONEYCASH.COM and NS2.FUCKMONEYCASH.COM
Whois: no registrant info, hidden behind PrivacyProtect.org
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Dates: Created 01-apr-2009
Registration Service Provided By: DOMAIN NAMES REGISTRAR REG.RU LTD.
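The redirection chain above is what an analyst has to walk hop by hop, because letting a browser or a client library auto-follow hides the intermediate ad-network and redirector domains that are worth blocking. Below is an added example (not code from the original post) that walks such a chain one request at a time, resolving relative Location headers and stopping on loops, then matches the final URL, a file hash and nameservers against the indicators listed on this page. The post does not name the intermediate hosts, so the sample chain is constructed with example.* hostnames; only the landing domain, the MD5 and the nameservers come from the post.

```python
"""Walk a rogue-AV ad redirection chain one hop at a time and match the
result against the indicators from this post.

Added example, not the blog's own code.  Intermediate hosts in SAMPLE_CHAIN
are constructed (assumptions); LANDING_DOMAIN, INSTALLER_MD5 and
ROGUE_NAMESERVERS are the indicators given in the post.
"""
import hashlib
import http.client
from urllib.parse import urljoin, urlsplit

# Indicators taken from the post
LANDING_DOMAIN = "initialsecurityscan.com"
INSTALLER_MD5 = "de926b63ab0976244d752170dac7ec00"
ROGUE_NAMESERVERS = {"ns1.fuckmoneycash.com", "ns2.fuckmoneycash.com"}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def http_fetch(url, timeout=10):
    """One request with NO automatic redirect following.
    Returns (status, Location header or None).  Pass this as `fetch` to
    follow_chain() when walking a live chain from an isolated analysis box."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("GET", path, headers={"User-Agent": "Mozilla/5.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def follow_chain(start_url, fetch, max_hops=10):
    """Return the ordered list of URLs visited.  Stops at the first
    non-redirect response, at a redirect loop, or after max_hops redirects.
    Relative Location values are resolved against the current URL, as a
    browser would do."""
    visited = [start_url]
    url = start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            break
        url = urljoin(url, location)
        visited.append(url)
        if visited.count(url) > 1:      # loop: record it and stop
            break
    return visited


def matches_landing_ioc(url):
    """True if the URL's host is the rogue landing domain or a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower()
    return host == LANDING_DOMAIN or host.endswith("." + LANDING_DOMAIN)


def is_rogue_nameserver(ns):
    """Case-insensitive match, tolerating a trailing dot from dig/whois output."""
    return ns.lower().rstrip(".") in ROGUE_NAMESERVERS


def md5_hex(data):
    """MD5 of raw bytes, for comparison with INSTALLER_MD5 from the post."""
    return hashlib.md5(data).hexdigest()


# Constructed chain: four redirections then the landing page, mirroring the
# four hops in the post.  Only the last host is from the post.
SAMPLE_CHAIN = {
    "http://ads.example.net/click?id=42": (302, "http://redir1.example.org/go"),
    "http://redir1.example.org/go": (302, "/hop2"),            # relative Location
    "http://redir1.example.org/hop2": (302, "http://redir3.example.com/x"),
    "http://redir3.example.com/x": (301, "http://initialsecurityscan.com/scan/"),
    "http://initialsecurityscan.com/scan/": (200, None),
}


def sample_fetch(url):
    """Offline stand-in for http_fetch() backed by SAMPLE_CHAIN."""
    return SAMPLE_CHAIN.get(url, (404, None))


if __name__ == "__main__":
    chain = follow_chain("http://ads.example.net/click?id=42", sample_fetch)
    for i, u in enumerate(chain):
        print(f"hop {i}: {u}")
    print("final URL matches landing IOC:", matches_landing_ioc(chain[-1]))
```

Every intermediate URL in the returned list is a candidate for a block list, not just the final one; the ad network and the redirectors are reused across campaigns far longer than a landing domain registered two days earlier.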