Rogue AV, AS, scareware, etc...


59 replies to this topic

#16 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 17 May 2011 - 06:57 AM

FYI...

Scareware fakes HD failures...
- http://www.symantec....defragger-sales
16 May 2011 - "... Hard disk failures are a fact of life... Trojan.FakeAV writers are aware of this, and the end of last year saw a move by some into the creation of fake hard disk scanners and defragmentation tools... Trojan.Fakefrag. What sets this apart from standard fake disk cleanup utilities is that the Trojan makes changes on the computer and displays messages that make it appear as though the hard disk is failing. Then it drops a member of the UltraDefragger family called Windows Recovery, which offers to repair these disk errors for a mere $79.50!...
• It fakes hardware failure messages...
• It moves all the files in the "All Users" folder to a temporary location and hides files in the "Current User" folder. This makes it look like you have lost all the files on your desktop.
• It stops you from changing your background image.
• It disables the Task Manager.
• It sets both the “HideIcons” and “Superhidden” registry entries to give the impression that more icons have been deleted.
... the failure messages look just like something Windows would display..."
(Screenshots, video, and more detail available at the Symantec URL above.)
___

New scareware - charted
- http://blogs.mcafee....OG_110513_2.jpg
May 13, 2011

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 18 May 2011 - 08:43 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#17 AplusWebMaster


Posted 18 May 2011 - 10:12 PM

FYI...

Fake AV bingo - 165 domains of bad
- http://isc.sans.org/...l?storyid=10894
Last Updated: 2011-05-19 00:06:54 UTC ...(Version: 2) - "Can you guess which domains the crooks behind the Fake Anti-Virus Scam are going to use next? Well, neither can we. But for several weeks now, they are hosting a lot of their bad stuff out of 91.213.29.66, geo-located in... Russia... all in all 165 domains of badness.
Several of these domains were "found" by our readers via the poisoned Google image searches* that we reported earlier this month, and also via malicious advertisements embedded in perfectly benign web pages...
Fake AV has made its appearance on Macs**, where naive automatic download-and-run default settings in browsers still are common, and where "MacDefender" and its expected numerous successors and variants are likely to become as "successful" for the bad guys as their Windows version has been for years..."
* http://isc.sans.edu/...l?storyid=10822
2011-05-04
** http://isc.sans.edu/...l?storyid=10813
2011-05-02

:ph34r: <_< :ph34r:


#18 AplusWebMaster


Posted 20 May 2011 - 07:50 AM

FYI...

Mac Fake AV...
- http://news.cnet.com...064394-245.html
May 19, 2011 - "Macintosh users are being targeted with malware that poses as an antivirus warning and tries to trick people into paying for software they don't need. This ruse isn't new. So-called rogue antivirus has been hitting Windows machines for years. But this is the first time this type of malware has been written to target the much smaller Mac market... Mac Defender, also known as Mac Security and Mac Protector, is a fake antivirus program that is designed to scare people into thinking that their computers are infected with malware..."

- http://blog.intego.c...fake-antivirus/

- http://download.cnet...0064445-12.html
May 19, 2011 - "... On any platform, rogue antivirus programs are resistant to standard program removal procedures. This means you can't just drag one to the trash..."
(More detail on removal procedures at the above URL.)
___

- http://www.h-online....te-1246693.html
20 May 2011 - "... Users of the Safari web browser should disable automatic file opening in Safari (Preferences -> General and uncheck "Open 'safe' files after downloading"). More importantly though, users should, when prompted for their user name and password, be asking themselves "what is requesting this information" and remembering that they are giving it privileges to modify their system..."

:ph34r: <_<

Edited by AplusWebMaster, 20 May 2011 - 11:22 AM.


#19 AplusWebMaster


Posted 25 May 2011 - 05:55 AM

FYI...

Apple advisory on "MacDefender" malware
- http://isc.sans.edu/...l?storyid=10918
Last Updated: 2011-05-25 00:05:17 UTC

- http://support.apple.com/kb/HT4650
May 24, 2011 - "... Products Affected:
Mac OS X 10.4, Mac OS X 10.6, Mac OS X 10.5..."

Safari "Force Quit"
- http://support.apple.com/kb/ht3411

:ph34r:


#20 AplusWebMaster


Posted 26 May 2011 - 04:55 AM

FYI...

MacDefender variant changes tactics...
- http://isc.sans.edu/...l?storyid=10927
Last Updated: 2011-05-26 08:11:01 UTC - "MacDefender... has upped the ante with a new version according to Intego* that does not need to ask the user's password any longer... it's not using an exploit to avoid asking the right to write in the /Applications directory, it simply installs the software and activates it for the current user only. Since most macs are using only a single user that changes little for the malware. But it removes the pop-up for your password. Anybody in the admin group can write to the /Applications directory..."
* http://www.intego.co...nt-macguard.asp
May 25, 2011 - "... effective SEO poisoning has led many Mac users to this type of malware, and no administrator password is required to install this new variant..."

:ph34r: :ph34r:


#21 AplusWebMaster


Posted 31 May 2011 - 07:30 PM

FYI...

Fake Firefox SCAM leads to scareware...
- http://nakedsecurity...d-to-scareware/
May 30, 2011 - "... latest scam? They detect your user-agent string from your web browser and display a fake Firefox security alert if you are using the Mozilla Firefox web browser... Internet Explorer users get the standard "My Computer" dialog that appears to do a system scan inside their browser window... We are likely to continue to see these criminals targeting each operating system, browser and any other details that can be gleaned from HTTP requests sent from our devices. If you click the "Start Protection" button you will download the latest, greatest fake anti-virus program..."
(Screenshots available at the Sophos URL above.)

:ph34r:


#22 AplusWebMaster


Posted 06 June 2011 - 02:14 PM

FYI...

FakeRean - turns hard-core ...
- http://sunbeltblog.b...-hard-core.html
June 06, 2011 - "FakeRean was initially discovered by Microsoft* a couple of years ago. Like all rogue AV families, it displays fake scanning results to users in an effort to dupe them into coughing up cash in order to register the software and clean their systems supposedly. This family also alters the infected system's registry quite extensively and drops lots of component and shortcut files, among other things. What sets FakeRean apart from the usual rogues is its ability to hijack a file association for executable (.EXE) files, which allows it to reappear every time an application is run... page is found on SourceForge.net, a prominent repository of open-source software, as a profile page... get a free but malicious software to download and run on your systems once you click -any- of the buttons there. This software is a PDF exploit that, once installed, drops and also installs FakeRean. We detect the exploit as Exploit.PDF-JS.Gen... This SourceForge profile URL, and some 100+ other varying Web page URLs, is contained on imonline(dot)nl(slash)ukabefijac... All URLs are -redirect- via seoholding(dot)com... Be extra careful, if not steer clear all together, when visiting online profiles hosted on -any- site that -looks- suspicious."
(Screenshots available at the sunbeltblog URL above.)
* http://www.microsoft.....in32/FakeRean

:ph34r: <_<


#23 AplusWebMaster


Posted 21 June 2011 - 05:08 AM

FYI...

Malware campaign injects Java exploit code
- http://community.web...ploit-code.aspx
20 Jun 2011 - "... detected a Rogue AV campaign that directly attacks the user's system instead of first redirecting to a dedicated attack server. Attackers usually compromise web pages to drive traffic to web servers hosting exploit kits. In this injection though, we see exploit code directly planted into legitimate pages... attacks an Oracle Java vulnerability (CVE-2010-4452) by exploiting a design flaw in the Java class loader to execute an unsigned Java applet with local user rights. The exploit affects Java Runtime Environment versions 6 Update 23 and earlier. It was addressed by Oracle with Update 24 in February 2011. In internal tests, we could confirm that the malicious applet would load in all popular browsers with built-in Java support like IE, Firefox, and Opera... The payload in this case is the nowadays ubiquitous Rogue Antivirus. In case you haven't already done so, don't forget to update your Java version* as soon as possible."
(Screenshots available at the Websense URL above.)
* http://www.java.com/...nload/index.jsp

:ph34r: <_<


#24 AplusWebMaster


Posted 23 June 2011 - 05:43 AM

FYI...

DoJ indictments - scareware distribution...
- http://www.fbi.gov/n...uting-scareware
June 22, 2011 - "... The first of the international criminal groups disrupted by Operation Trident Tribunal infected hundreds of thousands of computers with scareware and sold more than $72 million of the fake antivirus product over a period of three years. The scareware scheme used a variety of ruses to trick consumers into infecting their computers with the malicious scareware products, including web pages featuring fake computer scans. Once the scareware was downloaded, victims were notified that their computers were infected with a range of malicious software, such as viruses and Trojans and badgered into purchasing the fake antivirus software to resolve the non-existent problem at a cost of up to $129. An estimated 960,000 users were victimized by this scareware scheme, leading to $72 million in actual losses. Latvian authorities also executed seizure warrants for at least five bank accounts that were alleged to have been used to funnel profits to the scam’s leadership. A -second- international crime ring disrupted by Operation Trident Tribunal relied on online advertising to spread its scareware products, a tactic known as “malvertising.” An indictment unsealed today in U.S. District Court in Minneapolis charges the two operators of this scareware scheme with two counts of wire fraud, one count of conspiracy to commit wire fraud and computer fraud... avoid purchasing computer security products that use unsolicited “free computer scans” to sell their products. It is also important for users to protect their computers by maintaining an updated operating system and using legitimate, up-to-date antivirus software, which can detect and remove fraudulent scareware products..."

- http://www.theregist...reware_arrests/
23 June 2011 - "... The Feds worked with police in Cyprus, Germany, Latvia, Ukraine, France, Romania, the Mounted Police in Canada and London's Met Police."

- http://www.theinquir...atlantic-botnet
23 June 2011

:clap: :ph34r:


#25 AplusWebMaster


Posted 20 July 2011 - 12:26 AM

FYI...

Google finds a million scareware infections...
- http://krebsonsecuri...to-be-infected/
July 19, 2011 - "Google today began warning more than a million Internet users that their computers are infected with a malicious program that hijacks search results and tries to scare users into purchasing fake antivirus software... the malware apparently arrives on victim desktops as fake antivirus or “scareware” programs that use misleading warnings about security threats to trick people into purchasing worthless security software... The malware intercepts traffic destined for high profile domains like google.com, yahoo.com and bing.com, and routes it through intermediate hosts or “proxies” controlled by the attackers. The proxies are used to modify the search results that a victim sees for any given search term, and to redirect traffic to pay-per-click schemes that pay for traffic to specific Web sites. Fortunately, the traffic generated by the malware has a unique “signature” that Google is able to use to alert victims. Google is placing a prominent notification* at the top of victims’ Google search results; it includes links to resources to help remove the infection... the hard work will be in the cleanup: Search hijackers are notorious for blocking users from visiting antivirus Web sites or other popular sources of malware removal tools."
* http://krebsonsecuri.../07/googhij.png
___

- http://googleonlines...eople-from.html
Updated July 20, 2011

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 21 July 2011 - 04:06 AM.


#26 AplusWebMaster


Posted 25 July 2011 - 09:48 AM

FYI...

Fake video codecs - with scareware
- http://threatpost.co...careware-072511
July 25, 2011 - "... Most scareware programs rely on Web-based pop-ups that appear when a victim visits a site that has been compromised. The user sees a dialog box that typically looks a lot like the Windows security center interface informing him that his machine is full of scary sounding malware... The goal, of course, is to get the unwitting victim to click on the dialog box and install whatever rogue AV tool they're pushing and then get him to pony up for the license fee. Now, researchers at GFI Labs* have come across a new breed of rogue AV that takes a less direct route to the victim's wallet. This attack, which is related to the FakeVimes family of scareware that Google recently began warning users about, installs some files on users' machines, but doesn't immediately start demanding payment in return for fictitious security services. Instead, it waits for a victim to try to play a Web video..."
* http://sunbeltblog.b...rs-up-home.html
"... a sample of some of the files found on the infected machine:
c:\Documents and Settings\All Users\Application Data\7f0924\VD7f0_2326.exe
c:\Documents and Settings\All Users\Application Data\ip\e.exe
c:\Documents and Settings\All Users\Application Data\ip\FRed32.dll
c:\Documents and Settings\All Users\Application Data\ip\instr.ini
c:\Documents and Settings\All Users\Application Data\ip\SmartGeare.exe
c:\Documents and Settings\All Users\Application Data\ip\spoof.avi
c:\WINDOWS\system32\c_726535.nls ..."

:ph34r: <_<


#27 AplusWebMaster


Posted 30 January 2012 - 10:33 AM

FYI...

Rogue activity spikes ...
- https://blogs.techne...Redirected=true
29 Jan 2012 - "... Lately, we have seen a resurgence in rogue activity (one particularly obnoxious threat going by the name Security Defender – aka Win32/Defmid – has been making the rounds of late); rogue security programs attempt to trick users into paying for -fake- antivirus software... Think twice before handing over your credit card details to a third party you cannot verify – like one displaying pop-ups, or on the end of an unsolicited phone call."
(Screenshots available at the URL above.)

:ph34r: <_<


#28 AplusWebMaster


Posted 02 March 2012 - 10:10 AM

FYI...

Rogue rash ...
- https://blogs.techne...Redirected=true
1 Mar 2012 - "Rogue:Win32/FakePAV reappeared about two weeks ago after a brief hiatus and since then we’ve been seeing variants with new names for themselves just about every day. The latest versions call themselves names like “Windows Threats Destroyer”, “Windows Firewall Constructor”, "Windows Attacks Preventor" and “Windows Basic Antivirus”... Each sample of FakePAV is distributed as a self-extracting RAR archive, which contains a second self-extracting RAR archive. This second, “inner” archive contains the rogue executable itself, but it is password-protected; simply trying to extract it without knowing the password doesn’t work... In the last few days they’ve started obfuscating these scripts, probably to make it harder for anti-malware scanners to detect them. Because RAR self-extractor scripts are stored as part of the archive comment, essentially anything that the self-extractor doesn’t recognize as an instruction is ignored, meaning pretty much any text can be added without changing the functionality... These kind of tactics are aimed at making it difficult for anti-malware scanners to look inside the malware’s distribution package, and they highlight the need for real-time malware protection. For the malware to work, the malicious executable has to be written to disk at which point real-time protection can not only detect it but stop it from being executed..."
(Screenshots available at the URL above.)

:ph34r: :ph34r: :(


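Added example (my own, not from the post above or the Microsoft write-up it quotes): a small Python triage helper that flags a Windows executable carrying an embedded RAR archive, i.e. a self-extracting archive of the kind the FakePAV droppers are described as. The two signatures are the standard RAR archive markers; the sample bytes and the `build_sample_sfx` helper are constructed for the demo and stand in for a real file.

```python
# Standard signatures of the two RAR archive formats (RAR 1.5-4.x and RAR 5).
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
# DOS/PE executables start with the "MZ" stub header.
PE_MAGIC = b"MZ"


def find_rar_signatures(data: bytes) -> list:
    """Offsets of every RAR signature found in data, in ascending order."""
    offsets = []
    for magic in (RAR4_MAGIC, RAR5_MAGIC):
        pos = data.find(magic)
        while pos >= 0:
            offsets.append(pos)
            pos = data.find(magic, pos + 1)
    return sorted(offsets)


def classify(data: bytes) -> str:
    """Rough file-type verdict for triage:
    'rar-sfx' = executable stub with an archive appended (self-extractor),
    'rar'     = bare archive, 'pe' = plain executable, 'other' = anything else."""
    offsets = find_rar_signatures(data)
    is_pe = data.startswith(PE_MAGIC)
    if is_pe and offsets:
        return "rar-sfx"
    if offsets and offsets[0] == 0:
        return "rar"
    return "pe" if is_pe else "other"


def scan_file(path: str) -> dict:
    """Read one file and report its verdict plus where the archive begins."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"path": path, "verdict": classify(data),
            "rar_offsets": find_rar_signatures(data)}


def build_sample_sfx() -> bytes:
    """Constructed stand-in for an SFX: a fake PE stub followed by a RAR signature.
    Real self-extractors carry a full stub program; only the layout matters here."""
    stub = PE_MAGIC + b"\x00" * 62 + b"PE\x00\x00" + b"stub" * 10
    return stub + RAR4_MAGIC + b"\x00" * 16


if __name__ == "__main__":
    sample = build_sample_sfx()
    print(classify(sample), find_rar_signatures(sample))
```

The inner, password-protected archive the article describes is compressed inside the outer one, so a signature scan of the outer file will not see it; this check only tells you that a file is a wrapper that has to be extracted (or run in a sandbox) before the payload can be inspected, which is exactly why the write-up leans on real-time protection catching the executable once it is written to disk.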

#29 AplusWebMaster


Posted 05 March 2012 - 11:47 AM

FYI...

Mass injection wave of WordPress sites - Rogue AV ...
- http://community.web...ress-sites.aspx
5 Mar 2012 - "... Websense... has detected a new wave of mass-injections... The majority of targets are Web sites hosted by the WordPress content management system. At the time of writing, more than 200,000 Web pages have been compromised, amounting to close to 30,000 unique Web sites (hosts). The injection hijacks visitors to the compromised sites and redirects them to rogue AV sites that attempt to trick them into downloading and installing a Trojan onto their computer. The injected code is very short and is placed at the bottom of the page, just before </body> tag... After a three-level -redirection- chain, victims land on a fake AV site. In this example, the first chain is the ".rr.nu", and the landing site is the ".de.lv" top-level domain, but the landing site keeps changing. The rogue AV site appears to perform a scan on the computer and scares the user by displaying fake malware detections of various kinds of Trojans. The page looks like a Windows Explorer window with a "Windows Security Alert" dialogue box in it. The fake scanning process looks like a normal Windows application, however, it is only a pop-up window within the browser. The fake antivirus then prompts visitors to download and run their "antivirus tool" to remove the supposedly found Trojans. The executable is itself the Trojan... more than 85% of the compromised sites are in the United States, while visitors to these web sites are more geographically dispersed*... while the attack is specific to the US, everyone is at risk when visiting these compromised pages..."
* http://community.web..._5F00_GeoIP.png

> http://community.web...182.FakeAV3.png
___

- http://community.web...-protected.aspx
13 Mar 2012 - "... We checked several aspects of each of these compromised websites and concluded that most of them are served by Apache webserver and PHP environment*...
* http://community.web...tribution1s.png
... WordPress still serves the majority of the compromised websites; however, we did see a small amount of other CMS as well. We also noticed that an increasing number of Joomla sites** are also affected, with all other content managers making up a tinier slice...
** http://community.web...tribution2s.png
... having the latest version of WordPress does not make you immune to this threat...
> http://community.web...tribution3s.png
... some of the dominant attack vectors that websites using the latest WordPress version are likely to be exploited through:
• Weak passwords / stolen credentials
• Vulnerable third-party modules used in WordPress
• Security holes in the underlying server infrastructure, such as in the database server or the server side scripting engine (PHP in this case)..."

:ph34r: :ph34r:

Edited by AplusWebMaster, 14 March 2012 - 09:02 AM.


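Added example (my own, not from the post above or the Websense write-up it quotes): a Python check for the injection pattern the article describes, a short script placed right before the closing `</body>` tag that sends the visitor off to a redirect-chain host. Tail placement on its own is normal (analytics tags sit there too), so the check also pulls the hosts the script references and compares them against the `.rr.nu` and `.de.lv` suffixes named in the quoted text. The three sample pages and the host names in them are constructed for the demo.

```python
import re
from urllib.parse import urlparse

# Constructed sample pages (not taken from the report). The first mimics the
# described injection: a script just before </body> pointing at a redirect host.
SAMPLE_INJECTED = """<html><head><title>My blog</title>
<script src="/wp-includes/js/jquery/jquery.js"></script></head>
<body><p>Hello world</p>
<script type="text/javascript">document.location.href="http://example-bad.rr.nu/go.php";</script>
</body></html>"""

# A clean page with an ordinary analytics script before </body>.
SAMPLE_LEGIT_TAIL = """<html><head><title>My blog</title></head>
<body><p>Hello world</p>
<script src="https://www.example.com/analytics.js"></script>
</body></html>"""

SAMPLE_CLEAN = """<html><head><title>My blog</title></head>
<body><p>Hello world</p></body></html>"""

# Domain suffixes named in the report as redirect/landing hosts. The landing
# site keeps changing, so treat this as a starting list, not a complete one.
SUSPECT_SUFFIXES = (".rr.nu", ".de.lv")

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)
BODY_CLOSE_RE = re.compile(r"\s*</body>", re.IGNORECASE)
URL_RE = re.compile(r"https?://[\w.-]+[^\s\"'<>]*")


def tail_script(html: str):
    """Return the last <script> element if only whitespace separates it
    from </body>; otherwise None."""
    last = None
    for m in SCRIPT_RE.finditer(html):
        last = m
    if last is None or not BODY_CLOSE_RE.match(html, last.end()):
        return None
    return last.group(0)


def external_hosts(fragment: str) -> list:
    """Unique hostnames referenced by absolute URLs in a script element
    (the src attribute as well as inline code)."""
    hosts = []
    for url in URL_RE.findall(fragment):
        host = urlparse(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def scan_page(html: str) -> dict:
    """Verdict for one page: is there a tail script, which hosts does it
    reference, and which of those fall under a suspect suffix."""
    block = tail_script(html)
    if block is None:
        return {"tail_script": False, "hosts": [], "suspect_hosts": []}
    hosts = external_hosts(block)
    return {
        "tail_script": True,
        "hosts": hosts,
        "suspect_hosts": [h for h in hosts if h.endswith(SUSPECT_SUFFIXES)],
    }


if __name__ == "__main__":
    for name, page in (("injected", SAMPLE_INJECTED),
                       ("legit-tail", SAMPLE_LEGIT_TAIL),
                       ("clean", SAMPLE_CLEAN)):
        print(name, scan_page(page))
```

Run it over the saved HTML of each page on a site (for example from a crawl of your own WordPress install) and review anything where `suspect_hosts` is non-empty; a page with a tail script pointing at a host you do not recognise deserves a look too, since the article notes the landing domain changes.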

#30 AplusWebMaster


Posted 15 March 2012 - 07:05 AM

FYI...

Rogue AV tweaked every 12 to 24 hours to avoid detection
- http://www.gfi.com/b...-threat-tactic/
Mar 13, 2012 - "... the trend that criminals behind bogus AV software are now distributing via spam that has links to sites where users can be further infected with the Blackhole exploit..."
- http://www.gfi.com/p...s-and-consumers
Mar 09, 2012 - "... Rogue AV programs are continually tweaked in an attempt to avoid detection, with newer variants of these malicious applications propagating every 12 to 24 hours... Trojans once again dominated the list, taking -half- of the top 10 spots..."
Top 10 Threat Detections for February
- http://www.gfi.com/c...tions-21084.png

:ph34r: <_<
