
Malicious URLs Hosting Fake Scanner Pages

We have detected a few fake scanner pages that are still active and that distribute the executable files of rogue security software.

Initial fake alert:


Fake scanner page in action:


Prompt to download the (infected) setup file of the rogue software:


Report date: 2011-04-15 01:10:23 (GMT 1)
File name: bestav2-exe
File size: 374784 bytes
MD5 hash: a31da4fa72e277fe8abf298a4aa30d9d
SHA1 hash: 0f7bb119ff7889d3981d8ecdf2494c1cf4ba1a42
Detection rate: 7 of 10 (70%)
Status: INFECTED
Antivirus       Database     Engine        Result
Avast           15/04/2011   5.0           Win32:Renos-ACT [Trj]
AVG             15/04/2011   10.0.0.1190   FakeAlert.AAW
Avira AntiVir   15/04/2011   8.2.4.202     TR/Winwebsec.A.4010
Comodo          15/04/2011   4.0           TrojWare.Win32.Trojan.Agent.Gen
Emsisoft        15/04/2011   5.1.0.2       Trojan.Fakealert!IK
F-Prot          15/04/2011   6.3.3.4884    W32/FakeAlert.LY.gen!Eldorado
Ikarus          15/04/2011   T31001097     Trojan.Fakealert

There is also a reference to an external JS file:

<script type="text/javascript" src="hxxp://figaroo. ru/tools/ip.js"></script>

List of malicious domains and IPs:


At the end of a few fake scanner pages there is also a surprise:


Obfuscated malicious JS code (note also the random function names at the end of the script) that most probably leads to an exploit kit. We can also extract the JS code from the file “/index_files/set00000.js”, which is used to display the fake threats in the fake scanner page:

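As an added defender-side example (not code from the original post), here is a small Python triage helper for pages like the ones described above: it pulls out external script includes such as the ip.js reference, local helpers such as /index_files/set00000.js, and flags inline scripts that combine eval/unescape-style calls with random-looking identifiers, reporting URLs in the post's hxxp:// defanged notation. The sample HTML and the inline script body are constructed for illustration and the randomness heuristic is an assumption, not a rule from the post.

```python
import re
from html.parser import HTMLParser

# Constructed sample: external ip.js include, local set00000.js, obfuscated trailer (invented).
SAMPLE_HTML = """<script type="text/javascript" src="http://figaroo.ru/tools/ip.js"></script>
<script type="text/javascript" src="/index_files/set00000.js"></script>
<script>function qzxvkp(){var wtbqxr=unescape('%61');eval(String.fromCharCode(97));}</script>"""

SUSPICIOUS_CALLS = ("eval(", "unescape(", "fromCharCode", "document.write(")

class ScriptCollector(HTMLParser):
    """Collect <script src=...> references and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.sources, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            self._in_script = src is None      # body only matters for inline scripts
            if src is not None:
                self.sources.append(src)
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)

def defang(url):
    """Write a URL in the post's notation: hxxp:// and a space before the TLD."""
    url = re.sub(r"^http", "hxxp", url)
    return re.sub(r"\.([a-z]+)(?=[/:]|$)", r". \1", url, count=1)

def looks_random(name):
    """Heuristic (assumed): generated identifiers have no vowels or long consonant runs."""
    return len(name) >= 6 and re.search(r"^[^aeiou]*$|[bcdfghjklmnpqrstvwxz]{4,}", name.lower()) is not None

def triage(html):
    p = ScriptCollector()
    p.feed(html)
    external = [defang(s) for s in p.sources if s.startswith(("http://", "https://"))]
    local = [s for s in p.sources if not s.startswith(("http://", "https://"))]
    obfuscated = []
    for body in p.inline:
        names = re.findall(r"\b(?:function|var)\s+([A-Za-z_$][\w$]*)", body)
        calls = [c for c in SUSPICIOUS_CALLS if c in body]
        random_names = [n for n in names if looks_random(n)]
        if calls and random_names:  # require both signals to limit false positives
            obfuscated.append({"calls": calls, "random_names": random_names})
    return {"external": external, "local": local, "obfuscated": obfuscated}
```

Running triage(SAMPLE_HTML) reports the defanged external include, the local set00000.js helper, and one obfuscation hit with the two random names.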

URLVoid domain analysis:

http://www.urlvoid.com/scan/downloadmyprog.biz
http://www.urlvoid.com/scan/ratingswatchdiscussions.com
http://www.urlvoid.com/scan/purityanddivinityspa.com
http://www.urlvoid.com/scan/powerwerxmotorcorp.com

Recent Websites Associated with Fake Scanner Pages

Domains associated with recent fake scanner pages. They are used to distribute setup files of rogue security software and to deliver web exploits and hidden redirections to dangerous websites, all related to rogue software distribution.
