59 replies to this topic

[AplusWebMaster]

FYI...

Scareware warning from the FBI
- http://www.us-cert.g...about_scareware
December 14, 2009 - " The Federal Bureau of Investigation (FBI) has released a warning to alert users about an ongoing threat involving pop-up security messages that appear on the Internet. These pop-up messages may contain seemingly legitimate antivirus software. Users who click on these pop-up messages to purchase and install the bogus software may become infected with malicious code or to become victims of a phishing attack. US-CERT encourages users and administrators to do the following to help mitigate the risks:
• Review the FBI Press Release* titled Pop-Up Security Warnings Pose Threats.
• Install antivirus software, and keep the signature files up to date.
• Use caution when entering personal and financial information online.
• Install software applications from only trusted sources."
* http://www.fbi.gov/p...popup121109.htm

> http://www.ic3.gov/m...009/091211.aspx
"... The FBI is aware of an estimated loss to victims in excess of $150 million..."

- http://sunbeltblog.b...generation.html
December 11, 2009 - "A new rogue security product called IGuardPC... is the 50th clone of the WiniGuard family of rogue security products. That makes WiniGuard the largest rogue family ever detected by Sunbelt researchers. The WiniGuard family began in September of 2008. Operators behind it have added variants.. sorted into three generations. The latest generation gets a new clone about every 48 hours to stay ahead of public awareness and anti-malware detections..."
(Screenshots available at the URL above.)

Edited by AplusWebMaster, 30 July 2010 - 11:00 AM.

[AplusWebMaster]

FYI...

Scareware gang busted...
- http://www.darkreadi...cleID=225200545
May 28, 2010 CHICAGO - "An international cybercrime scheme caused Internet users in more than 60 countries to purchase more than one million bogus software products, causing victims to lose more than $100 million, according to a federal indictment returned here against a Cincinnati area man and two other men believed to be living abroad... fake advertisements placed on various legitimate companies' websites, deceived Internet users into falsely believing that their computers were infected with "malware" or had other critical errors to induce them to purchase "scareware" software products that had limited or no ability to remedy the purported, but nonexistent, defects... Two defendants, Bjorn Daniel Sundin, and Shaileshkumar P. Jain, with others owned and operated Innovative Marketing, Inc. (IM), a company registered in Belize that purported to sell anti-virus and computer performance/repair software through the internet and that operated a subsidiary called Innovative Marketing Ukraine, located in Kiev. The company appeared to close down last year after the U.S. Federal Trade Commission filed a federal lawsuit in Maryland seeking to end the allegedly fraudulent practices... Individuals who believe they are victims and want to receive information about the criminal prosecution may call a toll-free hotline, 866-364-2621, ext. 1, for periodic updates... Each count of wire fraud carries a maximum penalty of 20 years in prison and a $250,000 fine and restitution is mandatory. The Court may also impose a fine totaling twice the loss to any victim or twice the gain to the defendant, whichever is greater..."

- http://chicago.fbi.g...10/cg052710.htm
May 27, 2010

.

Edited by AplusWebMaster, 29 May 2010 - 09:20 AM.

[AplusWebMaster]

FYI...

Fake Firefox update leads to scareware...
- http://www.theregist...scareware_ruse/
30 July 2010 - "... Prospective marks are normally lured to these sites through search engine manipulation, which ensures rogue sites appear prominently in lists of search results for newsworthy terms... write-up of the scareware slinging ruse in a blog post here*..."

* http://www.f-secure....s/00001997.html
"... rogue peddlers have gotten tired of their old tricks in pushing rogueware into the user's system. It used to be a fake scanning page, that leads to a warning, then a fake AV. Now, it comes as the Firefox "Just Updated" page... the user doesn't need to click anything, the download dialog box immediately appears as soon as the page loads... When the user runs the file... Bad old rogue AV..."

(Screenshots available at the F-secure URL above.)

[AplusWebMaster]

FYI...

Rogue AV - social engineering...
- http://www.symantec....ial-engineering
Sep 17, 2010 - "The success and penetration of fraudulent security software depends on its ability to scare the user into buying a fake security product. Over the years we have seen that many social engineering techniques have evolved in attempts to achieve this... This technique is employed by a recently found, in-the-wild sample of fake security software that misleads users by claiming to be a legitimate “Microsoft Security Essential.” The real social engineering is not found in the name, but in how it works (step by step) to trick users into buying this unknown security product... rather than showing many fake detection results, as is usually the case with rogue antivirus software, it reports just one threat. It will always report the same file (c:\windows\system32\cmd.exe) as “Unknown Win32/Trojan” and will request that the user clicks on “Apply actions.” However, both of the “Apply actions” and “Clean computer” buttons will redirect users to scan the identified threat with online scanners. Then, it shows a fake online scanner window that includes almost all reputable antivirus products, including Symantec, along with five unknown products... we may see the same or some variation of this rogue software being adopted across a few of the other rogueware families..."

- http://blog.webroot....-rogues-in-one/
September 16, 2010

(Screenshots and more detail at both URLs above.)

Edited by AplusWebMaster, 20 September 2010 - 09:57 AM.

[AplusWebMaster]

FYI...

BlackHat SEO campaign used to spread rogue...
- http://blog.urlvoid....d-smart-engine/
October 9, 2010 - "A new blackhat seo campaign is distributing the setup installer of the new rogue security software named Smart Engine. The spreading status looks like to be pretty aggressive, we have logged more than 2000 infected websites that are used to capture popular keywords and to redirect users to malicious urls or other fake scanner pages, with the intent to install the rogue software installer. When an user clicks on an infected url, there is a redirection... "

[AplusWebMaster]

FYI...

More rogue security scams...
- http://www.theinquir...defraggers-scam
Dec 15 2010 - "... usually rogue security software does it best to pretend to be anti-spyware or anti-virus products. In the last two months, however, it has become clear that the rogue malware writers are turning to fake optimisation software instead. Earlier in December we had PCoptomizer, PCprotection Center and Privacy Corrector which were intended to look like some kind of generic security product. Lately it has been "defragger" clones that claim to be disk utilities: UltraDefragger, ScanDisk and WinHDD. These pretended to find "HDD read/write errors". Disk defragmentation once was considered a good way of speeding up a computer, but it has become less of a problem as PCs got faster, hard drives much larger and newer versions of Windows had better file handling capabilities. But some users have become aware of the defrag utility and think they need it often which is why the rogues impersonate defrag utilities. The cyber criminals who are sending out the software are changing the name of the software every few days to evade antivirus scanners. The report said that Internet users should be suspicious of any application that is advertised by spam, pops up dire warnings that your machine is affected by numerous problems, tells you that you need to update your browser, or demands that you make a purchase before it will clean or fix problems in your machine."

Fake disk defraggers
- http://news.cnet.com...025692-245.html
December 14, 2010 - "... FakeAV-Defrag rogues... had names like HDDDiagnostic, HDDRepair, HDDRescue, and HDDPlus*..."
* http://forums.whatth...=...st&p=699211

Edited by AplusWebMaster, 15 December 2010 - 10:10 PM.

[AplusWebMaster]

FYI...

New Rogue Software: Easy Scan
- http://blog.urlvoid.com/?p=648
January 1, 2011 - "Easy Scan is another rogue security software that is installed by TDSS variants* and that aims to scan the hard drive to find errors, instead it shows false errors..."
* http://blog.urlvoid....ty-of-software/
"... installed plenty of software and backdoors in the infected system. Other than installing rogue security software, this time named Antivirus Scan, it has installed also other software like FLVTube Player, Sweetim Pack, Vista Cookies Collector, OfferBox, DataMngr, SweetIE, SweetIM, Fun4IM..."

New Rogue Software: HDD Doctor
- http://blog.urlvoid.com/?p=630
December 26, 2010 - "HDD Doctor is another rogue security software that aims to scan the hard drive to find errors, instead it shows false errors..."

[AplusWebMaster]

FYI...

Rogue variant number stable, new “utility” look appears
- http://sunbeltblog.b...f-variants.html
January 05, 2011 - "GFI Labs documented 167 rogue security products in 2010 – exactly the same number as 2009... the number of rogue security products appearing annually has been stable for the last three years. After increasing from 26 in 2005 to 162 in 2008, we’ve seen about the same number of variants each year since: 167 in both 2009 and 2010... Late in 2010 Researchers at GFI Labs noticed that at least one group of rogue writers had started a new deceptive tactic: creating graphic interfaces that impersonated utility software - such as hard drive defragmentation applications - instead of anti-virus products...
FakeAV-Defrag family history:
11/15/2010 Ultra Defragger
11/16/2010 ScanDisk-Defragger
11/30/2010 WinHDD
12/9/2010 HDDPlus
12/12/2010 HDDRescue
12/12/2010 HDDRepair
12/13/2010 HDDDiagnostic ...
Rogue distributors usually create their malicious software and server infrastructure then clone their malcode often in order to escape detection by legitimate anti-virus products. They count on making money in the days (or hours) that the new rogue clones go undetected..."
(Charts available at the Sunbelt blog URL above.)

[AplusWebMaster]

FYI...

Rogue AVG AV on the Web...
- http://www.f-secure....s/00002090.html
January 31, 2011 - "... A rogue* was recently discovered to be using AVG's logo and reputable name, hoping to mislead and trick people into purchasing the fake AV... Aside from AVG's logo, the rogue's interface bears no resemblance to that of the legit AVG Anti-Virus Free Edition 2011... However, users who aren't familiar with the product might not notice this difference and think that they are getting the real thing. One bit of advice — watch out for the source. Most antivirus companies provide free/trial versions of their products directly on their websites... skip the untrustworthy channel and get it directly from the AV vendors." **
(Screenshots of the rogue available at the URL above, and the blogs.technet URL below.)

* http://www.f-secure....tispyware.shtml

** [In this case, AVG Free legit site is: http://free.avg.com/ ]

> http://blogs.technet...5f00_brows.aspx
31 Jan 2011 6:05 PM

Edited by AplusWebMaster, 01 February 2011 - 08:28 PM.

[AplusWebMaster]

FYI...

Fake Avira rogue...
- http://techblog.avir...certificate/en/
February 21, 2011 - "... Viewing the properties of the digital signature, Microsoft Windows shows a note “A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider”. Don’t misunderstand that message – it means that this certificate is not created by Avira GmbH and therefore it’s not a stolen certificate. Stuxnet gained a lot of attention by the media because it contained a valid digital signature from “Realtek Semiconductor” which was obviously stolen by the malware authors... The malware itself is nothing new. It’s a member of the well known Zbot/ZeuS malware family which is spammed via Email. The Trojan doesn’t show new behavior of the Zbot/ZeuS authors. Upon execution it is creating a copy of itself and is deleting the original executed file; also it adds a runkey to the Windows registry in order to get started after a reboot. After this the Trojan tries to connect to the C&C Server “**ciq.net” to receive more information about targets to spy upon..."

[AplusWebMaster]

FYI...

Rogue AV different on each browser...
- http://research.zsca...-internals.html
March 2, 2011 - "... new type of Fake AV page that looks different on each browser . And it also uses internal elements of those browsers... The malicious executable InstallInternetDefender_722.exe is detected* by only 9.5% of AV!... The version displayed in Firefox... looks like the security warning Firefox shows for malicious and phishing sites... the Chrome version looks like a legitimate browser warning... For Safari, only the first popup box is tailored to the browser. The main page is the same as Internet Explorer..."
(Screenshots and more detail available at the URL above.)
* http://www.virustota...e1ce-1299087679
File name: InstallInternetDefender_722.exe
Submission date: 2011-03-02 17:41:19 (UTC)
Result: 4/42 (9.5%)
There is a more up-to-date report...
- http://www.virustota...e1ce-1299190654
File name: install_internetdefender.exe
Submission date: 2011-03-03 22:17:34 (UTC)
Result: 12/43 (27.9%)

Edited by AplusWebMaster, 04 March 2011 - 09:37 AM.

[AplusWebMaster]

FYI...

ChronoPay scareware...
- http://krebsonsecuri...reware-diaries/
March 3, 2011 - "If your Windows PC has been hijacked by fake anti-virus software or “scareware” anytime in the past few years, chances are good that the attack was made possible by ChronoPay, Russia’s largest processor of online payments... ChronoPay also specializes in processing the transactions of so-called “high-risk” industries, including online pharmacies, tobacco sales, porn and software sales. A business is generally classified as high-risk when there is a great potential for credit card chargebacks and a fair chance that it will shut down or vanish without warning... ChronoPay, lists more than 75 pages of credit card transactions that the company processed from Americans who paid anywhere from $50 to $150 to rid their computers of imaginary threats found by scareware from creativity-soft .com... As security firm F-Secure noted* at the time, victims of this scam were informed that an “antipiracy foundation scanner” had found illegal torrents from the victim’s system, and those who refused to pay $400 via a credit card transaction could face jail time and huge fines..."
* http://www.f-secure....s/00001931.html

- http://www.f-secure....s/00002112.html
March 4, 2011

Edited by AplusWebMaster, 04 March 2011 - 04:54 PM.

[AplusWebMaster]

FYI...

Rogue AV links from tsunami in Japan...
- http://isc.sans.edu/...l?storyid=10543
Last Updated: 2011-03-14 08:21:18 UTC - "... people are still surprised how quickly bad guys catch up with events in the real world - this is especially true for the RogueAV/FakeAV groups which constantly poison search engines in order to lure people into installing their malware. We can also see even many AV vendors warning people to be careful when they search for this or that (currently, obviously the search query that generates most attention is related to the disaster in Japan). While it is good to constantly raise awareness and warn people about what’s happening, one important thing to know is that the RogueAV/FakeAV guys poison search engines and modify their scripts automatically. This means that they are constantly on top of current trends and events in the world – whatever happens, their scripts will make sure that they “contain” the latest data/information about it... With the disaster in Japan striking on Friday we saw another RogueAV/FakeAV group heavily poisoning the search engines – even Google which normally removes them quickly still contains hundreds of thousands of such pages. Since this campaign can be easily identified, here is... the current count... 1.7 million pages (!!!). Keep in mind that there are multiple pages listed here with different search terms (they modify search terms through a single parameter), but the number is still staggering. According to Google, in past 24 hours there have been 14,200 such pages added so it’s clear that the bad guys are very active... the RogueAV/FakeAV guys can create very realistic pages that can, unfortunately as we’ve all witnessed, successfully poison search engines."

[AplusWebMaster]

FYI...

Rogue AV - Easter cards...
- http://sunbeltblog.b...e-rogue-av.html
April 19, 2011 - "Looks like we have more shenanigans involving rogue AV products and Easter... Elsewhere there are malicious emails* doing the rounds - the Easter scams are in full swing..."
* http://www.net-secur...ews.php?id=1698

(Screenshots available at both URLs above.)

[AplusWebMaster]

FYI...

Google doodle leads to scareware...
- http://www.h-online....es-1242208.html
12 May 2011 - "... it is rare for a click on a prominently positioned Google doodle to take you to links for fake virus scans... If a user clicks on the doodle to find out what it means, Google launches a search for the term the doodle refers to... On Wednesday, Google celebrated the 117th birthday of dance icon Martha Graham. Clicking on the doodle displayed a list of preview images of the modern art dancer, some of which were links to a scareware site... At present, a search for Martha Graham on Google still displays those images. Once on the scareware site the user is then offered the SecurityScanner.exe file for download in order to solve the alleged virus problem; the file contains malware. Only 4 of the 42 scanners used by Virustotal flagged the file as being a threat at 11am on Wednesday. A test conducted by The H's associates at heise Security revealed that the scareware managed to infect a Windows 7 system with Microsoft Security Essentials 2 (MSE2) enabled. The malware disabled MSE2 and added itself to the security centre as "Win 7 Home Security 2011" – and labelled itself as disabled. Users are then asked to pay €60 to activate it.
The infected system could no longer be used in any meaningful way. Warnings constantly popped up whenever any web page was visited regardless of which browser was used. The program does not appear on the list of installed software and therefore cannot be uninstalled easily. In similar cases, scareware could, with a lot of effort, be manually removed, but this software changed so many settings in the system that reinstalling Windows was the safest solution."
___

- http://blog.stopbadw...wedding-present
2011.04.29 - "... we have no reason to believe the site’s legitimate owners intended for this URL to exist. Rather, an attacker appears to have exploited a weakness in the site’s security model and inserted a -redirect- for the URL... the payload from this attack can be extremely annoying and costly — it makes the PC all but unusable — this sort of attack is certainly not of the most sophisticated or technically dangerous variety. A user who does -not- download or run the Fake AV executable does not appear to suffer compromise..."
> http://www.virustota...884b-1304097780
File name: SecurityScanner.exe
Submission date: 2011-04-29 17:23:00 (UTC)
Result: 4/42 (9.5%)
There is a more up-to-date report ...
- http://www.virustota...884b-1305388325
File name: 7978e13ab11b027fb22b6cb4ec16dd3f
Submission date: 2011-05-14 15:52:05 (UTC)
Result: 32/43 (74.4%)

Edited by AplusWebMaster, 22 May 2011 - 01:16 PM.