Spam link on Twitter leads to Fake Antivirus Rogue Software
A user has reported to us a malicious URL that is being sent as a private message to users registered on Twitter. The extracted malicious link is:
hxxp:// www. delicious-audio .com /wp-content
If clicked, it redirects the user to a new malicious link:
HTTP/1.1 302 Found
Date: Tue, 08 May 2012 20:50:06 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Location: hxxp:// blog.keeples .com /wp-content
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 27
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Extracted malicious link:
hxxp:// blog.keeples .com /wp-content
This page in turn redirects to yet another malicious link:
HTTP/1.1 302 Found
Date: Tue, 08 May 2012 20:50:13 GMT
Server: Apache/2.2.3 (CentOS)
Location: hxxp:// spywarecleanermicrosoft .info /0520091375cbc551/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
Extracted malicious link:
hxxp:// spywarecleanermicrosoft .info /0520091375cbc551/
This is the landing page of the fake antivirus (rogue security software).
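The redirect chain above is the kind of thing an analyst wants to rebuild from a capture without ever touching the hostile servers again. The following Python script is an added example, not code from the original post: it re-types the two captured 302 responses as raw HTTP text (the final 200 OK for the landing page is an assumption, since the post only shows the redirects), refangs the "hxxp" / spaced-dot notation used in the write-up, and walks the chain purely from the captured responses, producing the list of hostnames a proxy blocklist would need.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

# Constructed input: the captured responses from the write-up, re-typed as raw HTTP.
# The 200 OK for the landing page is an assumption (the post shows only the 302s).
CAPTURED_RESPONSES: Dict[str, str] = {
    "http://www.delicious-audio.com/wp-content": (
        "HTTP/1.1 302 Found\r\n"
        "Date: Tue, 08 May 2012 20:50:06 GMT\r\n"
        "Server: Apache/2.2.3 (CentOS)\r\n"
        "X-Powered-By: PHP/5.1.6\r\n"
        "Location: hxxp:// blog.keeples .com /wp-content\r\n"
        "Content-Type: text/html; charset=UTF-8\r\n"
        "\r\n"
    ),
    "http://blog.keeples.com/wp-content": (
        "HTTP/1.1 302 Found\r\n"
        "Date: Tue, 08 May 2012 20:50:13 GMT\r\n"
        "Server: Apache/2.2.3 (CentOS)\r\n"
        "Location: hxxp:// spywarecleanermicrosoft .info /0520091375cbc551/\r\n"
        "Content-Length: 0\r\n"
        "Connection: close\r\n"
        "\r\n"
    ),
    "http://spywarecleanermicrosoft.info/0520091375cbc551/": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=UTF-8\r\n"
        "\r\n"
        "<html>fake scanner page (placeholder body)</html>"
    ),
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("hxxp:// www. example .com /x", "example[.]com")
    back into a real URL so it can be parsed and compared."""
    s = indicator.strip().replace("[.]", ".").replace("[:]", ":")
    s = re.sub(r"\s+", "", s)  # drop the spaces the write-up inserts around dots
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Return (status code, lower-cased header map) from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def follow_chain(start: str, captured: Dict[str, str], max_hops: int = 10) -> List[str]:
    """Rebuild the redirect chain from captured responses only (no network access).
    Stops at a non-redirect, an unknown URL, a redirect loop, or max_hops."""
    chain = [refang(start)]
    for _ in range(max_hops):
        raw = captured.get(chain[-1])
        if raw is None:
            break
        status, headers = parse_response(raw)
        if status not in REDIRECT_CODES or "location" not in headers:
            break
        # urljoin also resolves a relative Location against the current URL
        nxt = urljoin(chain[-1], refang(headers["location"]))
        if nxt in chain:  # redirect loop: stop rather than spin
            break
        chain.append(nxt)
    return chain


def chain_hosts(chain: List[str]) -> List[str]:
    """Hostnames along the chain, i.e. what a blocklist or proxy rule needs."""
    return [urlsplit(u).hostname or "" for u in chain]


if __name__ == "__main__":
    hops = follow_chain("hxxp:// www. delicious-audio .com /wp-content", CAPTURED_RESPONSES)
    for i, url in enumerate(hops):
        print(f"hop {i}: {url}")
    print("hosts to block:", chain_hosts(hops))
```

Keeping the loop and hop-count checks matters on real captures: redirectors in campaigns like this one are often rotated, and a chain that points back at itself should terminate rather than hang the triage script.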
Whois details:
Domain Name: spywarecleanermicrosoft.info
Registrar: eNom, Inc. (R126-LRMS)
Status: CLIENT TRANSFER PROHIBITED, TRANSFER PROHIBITED, ADDPERIOD
Expiration Date: 2013-05-08 11:32:40
Creation Date: 2012-05-08 11:32:40
Last Update Date: 2012-05-08 11:33:15
Name Servers: ns1.dnsexit.com ns2.dnsexit.com ns3.dnsexit.com ns4.dnsexit.com
Registrant Contact Information:
Name: Gerolamo Genovese
Address 1: Via Bernardino Rota 1
City: Mellana
State: CN
Zip: 12012
Country: IT
Phone: +39.3535605212
Email: kinsman@doramail.com
Hosting details:
The website spywarecleanermicrosoft .info is hosted at BurstNET Limited and its current IP address is 31.193.12.3 (31-193-12-3.static.hostnoc.net). The server is located in the United Kingdom (GB) and no other websites are hosted on the same server. The domain is registered under the .INFO TLD and the keyword of the domain is spywarecleanermicrosoft. The organization is BurstNET Limited.
Screenshot of the fake warning message:

Screenshot of the fake scanning web page:

From the above images we can see that the rogue security software being distributed is named Windows Antivirus 2012. After the fake system scan finishes, the user is prompted to download an executable file named setup.exe:

The file is downloaded from another malicious website:
GET /0520091375cbc551/setup.exe HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Referer: hxxp:// spywarecleanermicrosoft .info /0520091375cbc551/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: scannerdatamicrosoft .info
Whois details:
Domain Name: scannerdatamicrosoft .info
Registrar: eNom, Inc. (R126-LRMS)
Status: CLIENT TRANSFER PROHIBITED, TRANSFER PROHIBITED, ADDPERIOD
Expiration Date: 2013-05-08 11:11:28
Creation Date: 2012-05-08 11:11:28
Last Update Date: 2012-05-08 11:12:08
Name Servers: ns1.dnsexit.com ns2.dnsexit.com ns3.dnsexit.com ns4.dnsexit.com
Registrant Contact Information:
Name: Dionisia Barese
Address 1: Corso Porta Borsari 78
City: San Martino Di Castrozza
State: TN
Zip: 38058
Country: IT
Phone: +39.3171462400
Email: milner@snail-mail.net
Domain details:
The website scannerdatamicrosoft .info is hosted at SPLIUS, UAB and its current IP address is 77.79.10.13 (hst-10-13.duomenucentras.lt). The server is located in Lithuania (LT) and no other websites are hosted on the same server. The domain is registered under the .INFO TLD and the keyword of the domain is scannerdatamicrosoft. The organization is Webhosting, collocation services.
File details:
File: setup.exe
Size: 2278400 bytes
MD5: EC91E0F31587F6471A4EBCFE2681A45B
SHA1: 0AB7F7253F5CBADF6D664781A73D30A19E251FCA
SHA256: 67DFD917561DF7FE653CE5E0CD7E0688E42B719F1BB475A5EE2819003CE6DC6A
SHA384: 77BB9D7DF670BC9F4C91DED341086C30570E6D9AE14BEE1A172F502CA5C502428FC631B9F88A31CECF290B7CFB1C5FA2
SHA512: 85D1F0608D24DD2B15477EAC540666319831F829B7E8065D9E5B8A2AC5D4860486BCA891FA95DBBBB8EB93834485575108EE957C5AD556EFBA9FDA5824D2C780
When setup.exe is executed, the rogue software drops two .EXE files into %AppData% (both are copies of itself, with the same MD5 and size as the original sample), and the original sample is then deleted via cmd.exe:

File Modified - %SAMPLE% - %AppData%\Protector-phkm.exe
Process Created - %SAMPLE% - %AppData%\Protector-phkm.exe - Unknown Publisher - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes
File Created - %SAMPLE% - %AppData%\Protector-phkm.exe - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes - attr: [] - PE
Process Created - %SAMPLE% - C:\WINDOWS\system32\cmd.exe - Microsoft Corporation - 6D778E0F95447E6546553EEEA709D03C - 389120 bytes
File Deleted - C:\WINDOWS\system32\cmd.exe - %SAMPLE% - 2278400 bytes
File Modified - %SAMPLE% - %AppData%\Protector-tpqx.exe
Process Created - %SAMPLE% - %AppData%\Protector-tpqx.exe - Unknown Publisher - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes
File Created - %SAMPLE% - %AppData%\Protector-tpqx.exe - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes - attr: [] - PE
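The sandbox events above contain three behaviours worth turning into host-side detection logic: a file written to %AppData% whose hash equals the sample's own hash (self-copy), a process started from %AppData% with no known publisher, and the original sample being deleted through cmd.exe. The Python script below is an added example, not code from the post or from any sandbox vendor; it re-types the events above as constructed input, parses the "Event - actor - target - ..." line format as shown in the write-up, and returns the findings. The rule names are my own.

```python
import re
from typing import List, Tuple

SAMPLE_MD5 = "EC91E0F31587F6471A4EBCFE2681A45B"  # MD5 of setup.exe from the write-up
MD5_RE = re.compile(r"\b[0-9A-Fa-f]{32}\b")

# Constructed input: the sandbox events from the write-up, re-typed one per line.
EVENTS: List[str] = [
    r"File Modified - %SAMPLE% - %AppData%\Protector-phkm.exe",
    r"Process Created - %SAMPLE% - %AppData%\Protector-phkm.exe - Unknown Publisher - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes",
    r"File Created - %SAMPLE% - %AppData%\Protector-phkm.exe - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes - attr: [] - PE",
    r"Process Created - %SAMPLE% - C:\WINDOWS\system32\cmd.exe - Microsoft Corporation - 6D778E0F95447E6546553EEEA709D03C - 389120 bytes",
    r"File Deleted - C:\WINDOWS\system32\cmd.exe - %SAMPLE% - 2278400 bytes",
    r"File Modified - %SAMPLE% - %AppData%\Protector-tpqx.exe",
    r"Process Created - %SAMPLE% - %AppData%\Protector-tpqx.exe - Unknown Publisher - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes",
    r"File Created - %SAMPLE% - %AppData%\Protector-tpqx.exe - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes - attr: [] - PE",
]

Finding = Tuple[str, str]  # (rule name, path the rule fired on)


def parse_event(line: str) -> Tuple[str, str, str, str, str]:
    """Split 'Event - actor - target - [publisher] - [md5] - ...' into its fields.
    Publisher is only present on 'Process Created' lines; MD5 is found by pattern."""
    parts = [p.strip() for p in line.split(" - ")]
    event, actor, target = parts[0], parts[1], parts[2]
    publisher = parts[3] if event == "Process Created" and len(parts) > 3 else ""
    m = MD5_RE.search(line)
    md5 = m.group(0).upper() if m else ""
    return event, actor, target, publisher, md5


def in_appdata(path: str) -> bool:
    return path.upper().startswith("%APPDATA%\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def triage(events: List[str], sample_md5: str = SAMPLE_MD5) -> List[Finding]:
    """Apply three behavioural rules (names are this example's own) to sandbox events."""
    findings: List[Finding] = []
    for line in events:
        event, actor, target, publisher, md5 = parse_event(line)
        if event == "File Created" and in_appdata(target) and md5 == sample_md5.upper():
            findings.append(("self_copy", target))            # sample wrote a copy of itself
        elif event == "Process Created" and in_appdata(target) and publisher == "Unknown Publisher":
            findings.append(("unsigned_appdata_process", target))
        elif event == "File Deleted" and target == "%SAMPLE%" and basename(actor).lower() == "cmd.exe":
            findings.append(("self_delete_via_cmd", actor))   # original dropper removed
    return findings


def dropped_files(findings: List[Finding]) -> List[str]:
    """Unique file names the sample copied itself to, for a cleanup / hunting list."""
    return sorted({basename(path) for rule, path in findings if rule == "self_copy"})


if __name__ == "__main__":
    results = triage(EVENTS)
    for rule, path in results:
        print(f"{rule:26} {path}")
    print("dropped copies:", dropped_files(results))
```

On a real endpoint the same three conditions map onto file-creation, process-creation and file-deletion telemetry; the self-copy rule in particular is cheap because the hash of the parent sample is already known at the time the child file appears.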
This is a screenshot of the splash screen of the rogue software:

More screenshots of the rogue software:

When the user clicks the “Activate” button, the rogue software opens a new Internet Explorer window where the user is asked to enter his/her credit card details (which are then stolen by the trojan). Here is a screenshot of the malicious web page:

Connections logged:
GET / HTTP/1.0
Accept: application/x-shockwave-flash, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www. cmyip .com
Connection: Keep-Alive

GET /service/ HTTP/1.0
User-Agent: Mozilla/4.0
Host: 0520091375cbc551 .on-linepaysafery .info

POST / HTTP/1.0
Accept: application/x-shockwave-flash, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 0520091375cbc551. on-linepaysafery .info
Content-Length: 109
Connection: Keep-Alive
Pragma: no-cache
Cookie: ct=2011:3:27:23:23; ch=f58320d2a7c79b1a48b7c70a7d2d280a

action=form&projectId=72&partnerId=146&subId=0&install_id=yhstmcvcgj&group_name=2011-3-28_1&reason=errorflash

GET /payment_forms/default/images/sprite.png HTTP/1.0
Accept: */*
Referer: hxxp://0520091375cbc551 .on-linepaysafery .info /
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 0520091375cbc551 .on-linepaysafery .info
Connection: Keep-Alive
Cookie: ct=2011:3:27:23:23; ch=f58320d2a7c79b1a48b7c70a7d2d280a
Malicious links extracted:
hxxp:// 0520091375cbc551. on-linepaysafery .info /service/
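Two details in the logged connections are useful for network detection: the 16-hex-character subdomain of on-linepaysafery .info is the same string that appeared in the landing-page path and in the setup.exe download path, and the POST body carries affiliate-style parameters (projectId, partnerId, subId, install_id, reason) that identify the campaign. The Python script below is an added example, not code from the post; it re-types the four logged requests as constructed raw HTTP input, matches the Host header against the write-up's indicator domains, pulls the campaign identifier out of the subdomain, and decodes the form parameters from any urlencoded POST. The field names treated as "affiliate" parameters are taken from the logged body; the labels are this example's own.

```python
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import parse_qs

# Indicator domains from the write-up, used here as a blocklist.
IOC_DOMAINS: Set[str] = {
    "on-linepaysafery.info",
    "spywarecleanermicrosoft.info",
    "scannerdatamicrosoft.info",
}
# The per-victim/campaign token seen in the path and later as a subdomain.
CAMPAIGN_ID_RE = re.compile(r"^([0-9a-f]{16})\.", re.IGNORECASE)
AFFILIATE_KEYS = ("projectId", "partnerId", "subId", "install_id", "reason")

# Constructed input: the four requests from the write-up's connection log, re-typed
# as raw HTTP; the www.cmyip.com request is included as one that must not match.
REQUESTS: List[str] = [
    "GET / HTTP/1.0\r\nAccept: application/x-shockwave-flash, */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Host: www.cmyip.com\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /service/ HTTP/1.0\r\nUser-Agent: Mozilla/4.0\r\n"
    "Host: 0520091375cbc551.on-linepaysafery.info\r\n\r\n",
    "POST / HTTP/1.0\r\nAccept: application/x-shockwave-flash, */*\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Host: 0520091375cbc551.on-linepaysafery.info\r\nContent-Length: 109\r\n"
    "Connection: Keep-Alive\r\nPragma: no-cache\r\n"
    "Cookie: ct=2011:3:27:23:23; ch=f58320d2a7c79b1a48b7c70a7d2d280a\r\n\r\n"
    "action=form&projectId=72&partnerId=146&subId=0&install_id=yhstmcvcgj"
    "&group_name=2011-3-28_1&reason=errorflash",
    "GET /payment_forms/default/images/sprite.png HTTP/1.0\r\nAccept: */*\r\n"
    "Referer: http://0520091375cbc551.on-linepaysafery.info/\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Host: 0520091375cbc551.on-linepaysafery.info\r\nConnection: Keep-Alive\r\n"
    "Cookie: ct=2011:3:27:23:23; ch=f58320d2a7c79b1a48b7c70a7d2d280a\r\n\r\n",
]


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Return (method, path, lower-cased headers, body) from a raw HTTP request.
    The body is truncated to Content-Length when that header is present."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return method, path, headers, body


def host_matches(host: str, blocklist: Set[str]) -> bool:
    """True if host equals a blocklisted domain or is a subdomain of one."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in blocklist)


def inspect(requests: List[str], blocklist: Set[str] = IOC_DOMAINS) -> List[Dict[str, object]]:
    """Flag requests to indicator domains; extract campaign id and affiliate fields."""
    hits: List[Dict[str, object]] = []
    for raw in requests:
        method, path, headers, body = parse_request(raw)
        host = headers.get("host", "")
        if not host_matches(host, blocklist):
            continue
        hit: Dict[str, object] = {"method": method, "host": host, "path": path}
        m = CAMPAIGN_ID_RE.match(host)
        if m:
            hit["campaign_id"] = m.group(1)
        ctype = headers.get("content-type", "")
        if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
            form = {k: v[0] for k, v in parse_qs(body).items()}
            hit["affiliate"] = {k: form[k] for k in AFFILIATE_KEYS if k in form}
        hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in inspect(REQUESTS):
        print(hit)
```

The suffix match in host_matches is deliberate: blocking only the exact 0520091375cbc551 subdomain would miss the next victim's token, while blocking the registered domain catches every subdomain the campaign generates.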
Whois details:
Domain Name: on-linepaysafery .info
Registrar: eNom, Inc. (R126-LRMS)
Status: CLIENT TRANSFER PROHIBITED, TRANSFER PROHIBITED, ADDPERIOD
Expiration Date: 2013-05-08 08:24:44
Creation Date: 2012-05-08 08:24:44
Last Update Date: 2012-05-08 08:26:02
Name Servers: ns1.dnsexit.com ns2.dnsexit.com ns3.dnsexit.com ns4.dnsexit.com
Registrant Contact Information:
Name: Dionisia Barese
Address 1: Corso Porta Borsari 78
City: San Martino Di Castrozza
State: TN
Zip: 38058
Country: IT
Phone: +39.3171462400
Email: sini@wildmail.com
Domain details:
The website www.on-linepaysafery .info is hosted at SPLIUS, UAB and its current IP address is 77.79.10.15 (hst-10-15.duomenucentras.lt). The server is located in Lithuania (LT) and 2 other websites are hosted on the same server. The domain is registered under the .INFO TLD and the keyword of the domain is on-linepaysafery. The organization is Webhosting, collocation services.
URLVoid scan reports:
http://www.urlvoid.com/scan/delicious-audio.com
http://www.urlvoid.com/scan/spywarecleanermicrosoft.info
http://www.urlvoid.com/scan/0520091375cbc551.on-linepaysafery.info
http://www.urlvoid.com/scan/on-linepaysafery.info
http://www.urlvoid.com/scan/blog.keeples.com
http://www.urlvoid.com/scan/scannerdatamicrosoft.info