Tag Archives: rogue security software

Spam link on Twitter leads to Fake Antivirus Rogue Software

One user has reported to us a malicious URL that is being sent as a private message to registered Twitter users; the extracted malicious link is:

hxxp:// www. delicious-audio .com /wp-content

If clicked, it redirects users to a new malicious link:

HTTP/1.1 302 Found
Date: Tue, 08 May 2012 20:50:06 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Location: hxxp:// blog.keeples .com /wp-content
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 27
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Extracted malicious link:

hxxp:// blog.keeples .com /wp-content

Now there is a new redirect to another malicious link:

HTTP/1.1 302 Found
Date: Tue, 08 May 2012 20:50:13 GMT
Server: Apache/2.2.3 (CentOS)
Location: hxxp:// spywarecleanermicrosoft .info /0520091375cbc551/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

Extracted malicious link:

hxxp:// spywarecleanermicrosoft .info /0520091375cbc551/

This is the link to the web page of the fake antivirus rogue software.
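The two 302 responses above are all an analyst needs to reconstruct the hop chain without ever rendering a page. The following script is an added example (not part of the original post): it parses raw captured responses, refangs the defanged `hxxp:// host .tld` notation back into real URLs, follows the `Location` headers in order, and stops on a loop or a non-redirect. The captured responses are embedded inline, trimmed to the headers the chain needs; the function and variable names are my own.

```python
import re
from urllib.parse import urlsplit

# Constructed from the two 302 responses captured above (headers trimmed).
CAPTURED_RESPONSES = [
    """HTTP/1.1 302 Found
Date: Tue, 08 May 2012 20:50:06 GMT
Server: Apache/2.2.3 (CentOS)
Location: hxxp:// blog.keeples .com /wp-content
Content-Type: text/html; charset=UTF-8
""",
    """HTTP/1.1 302 Found
Date: Tue, 08 May 2012 20:50:13 GMT
Server: Apache/2.2.3 (CentOS)
Location: hxxp:// spywarecleanermicrosoft .info /0520091375cbc551/
Content-Length: 0
Content-Type: text/html; charset=UTF-8
""",
]


def refang(url):
    """Turn a defanged URL ('hxxp:// host .tld /path', 'host[.]tld') into a real one."""
    url = url.strip()
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    url = re.sub(r"\s*\[?\.\]?\s*", ".", url)  # ' .tld', '[.]tld', '. tld' -> '.tld'
    url = re.sub(r"\s*/\s*", "/", url)          # ' /path' -> '/path'
    return url.replace(" ", "")


def defang(url):
    """Make a real URL safe to paste into a report: hxxp scheme, bracketed dots."""
    parts = urlsplit(url)
    host = parts.netloc.replace(".", "[.]")
    scheme = parts.scheme.replace("http", "hxxp")
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{host}{parts.path}{query}"


def parse_response(raw):
    """Parse a raw HTTP response capture into (status_code, {header: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def redirect_chain(start, responses):
    """Follow captured 3xx responses from `start`, returning refanged URLs in order.

    Stops at the first non-redirect, when the captures run out, or when a
    Location repeats an earlier hop (a redirect loop, common in broken kits).
    """
    chain = [refang(start)]
    for raw in responses:
        status, headers = parse_response(raw)
        if not 300 <= status < 400 or "location" not in headers:
            break
        nxt = refang(headers["location"])
        if nxt in chain:
            break
        chain.append(nxt)
    return chain


def chain_hosts(chain):
    """Hostnames of each hop, in order; the last one is the landing page to block."""
    return [urlsplit(u).hostname for u in chain]


if __name__ == "__main__":
    chain = redirect_chain("hxxp:// www. delicious-audio .com /wp-content",
                           CAPTURED_RESPONSES)
    for hop in chain:
        print(defang(hop))
```

Feeding the chain's hostnames to a blocklist or a proxy log search covers all three hops, which matters because the first two hosts are compromised blogs that look benign on their own.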

Whois details:

Domain Name: spywarecleanermicrosoft.info
Registrar: eNom, Inc. (R126-LRMS)
Status: CLIENT TRANSFER PROHIBITED, TRANSFER PROHIBITED, ADDPERIOD
Expiration Date: 2013-05-08 11:32:40
Creation Date: 2012-05-08 11:32:40
Last Update Date: 2012-05-08 11:33:15
 
Name Servers:
ns1.dnsexit.com
ns2.dnsexit.com
ns3.dnsexit.com
ns4.dnsexit.com
 
Registrant Contact Information:
Name: Gerolamo Genovese
Address 1: Via Bernardino Rota 1
City: Mellana
State: CN
Zip: 12012
Country: IT
Phone: +39.3535605212
Email: kinsman@doramail.com

Hosting details:

The website spywarecleanermicrosoft .info is hosted at BurstNET Limited and its current IP address is 31.193.12.3 (31-193-12-3.static.hostnoc.net). The server is located in the United Kingdom (GB) and no other websites are hosted on the same server. The domain is registered under the .INFO suffix and the domain keyword is spywarecleanermicrosoft. The organization is BurstNET Limited.

Screenshot of the fake warning message:

Fake Warning Message

Screenshot of the fake scanning web page:

Fake Scanning Page

From the above images we can see that the rogue security software being distributed is named Windows Antivirus 2012. After the fake system scan finishes, the user is prompted to download an executable file named setup.exe:

Downloaded File

The file is downloaded from a new malicious website:

GET /0520091375cbc551/setup.exe HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Referer: hxxp:// spywarecleanermicrosoft .info /0520091375cbc551/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: scannerdatamicrosoft .info

Whois Details:

Domain Name: scannerdatamicrosoft .info
Registrar: eNom, Inc. (R126-LRMS)
Status: CLIENT TRANSFER PROHIBITED, TRANSFER PROHIBITED, ADDPERIOD
Expiration Date: 2013-05-08 11:11:28
Creation Date: 2012-05-08 11:11:28
Last Update Date: 2012-05-08 11:12:08
 
Name Servers:
ns1.dnsexit.com
ns2.dnsexit.com
ns3.dnsexit.com
ns4.dnsexit.com
 
Registrant Contact Information:
Name: Dionisia Barese
Address 1: Corso Porta Borsari 78
City: San Martino Di Castrozza
State: TN
Zip: 38058
Country: IT
Phone: +39.3171462400
Email: milner@snail-mail.net

Domain details:

The website scannerdatamicrosoft .info is hosted at SPLIUS, UAB and its current IP address is 77.79.10.13 (hst-10-13.duomenucentras.lt). The server is located in Lithuania (LT) and no other websites are hosted on the same server. The domain is registered under the .INFO suffix and the domain keyword is scannerdatamicrosoft. The organization is Webhosting, collocation services.

File details:

File: setup.exe
Size: 2278400 bytes
MD5: EC91E0F31587F6471A4EBCFE2681A45B
SHA1: 0AB7F7253F5CBADF6D664781A73D30A19E251FCA
SHA256: 67DFD917561DF7FE653CE5E0CD7E0688E42B719F1BB475A5EE2819003CE6DC6A
SHA384: 77BB9D7DF670BC9F4C91DED341086C30570E6D9AE14BEE1A172F502CA5C502428FC631B9F88A31CECF290B7CFB1C5FA2
SHA512: 85D1F0608D24DD2B15477EAC540666319831F829B7E8065D9E5B8A2AC5D4860486BCA891FA95DBBBB8EB93834485575108EE957C5AD556EFBA9FDA5824D2C780

When setup.exe is executed, the rogue software drops two .EXE files:

Dropped .EXE files

File Modified - %SAMPLE% - %AppData%\Protector-phkm.exe
Process Created - %SAMPLE% - %AppData%\Protector-phkm.exe - Unknown Publisher - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes
File Created - %SAMPLE% - %AppData%\Protector-phkm.exe - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes - attr: [] - PE
Process Created - %SAMPLE% - C:\WINDOWS\system32\cmd.exe - Microsoft Corporation - 6D778E0F95447E6546553EEEA709D03C - 389120 bytes
File Deleted - C:\WINDOWS\system32\cmd.exe - %SAMPLE% - 2278400 bytes
File Modified - %SAMPLE% - %AppData%\Protector-tpqx.exe
Process Created - %SAMPLE% - %AppData%\Protector-tpqx.exe - Unknown Publisher - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes
File Created - %SAMPLE% - %AppData%\Protector-tpqx.exe - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes - attr: [] - PE

And this is the screenshot of the splash screen of the rogue software:

windows-prosecurity-scanner-fake-antivirus

More screenshots of the rogue software:

GUI

When the user clicks the “Activate” button, the rogue software executable opens a new Internet Explorer window where the user is expected to enter his/her credit card details (which are then stolen by the trojan). Here is the screenshot of the malicious web page:

Fraud Page

Connections logged:

GET / HTTP/1.0
Accept: application/x-shockwave-flash, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www. cmyip .com
Connection: Keep-Alive
 
GET /service/ HTTP/1.0
User-Agent: Mozilla/4.0
Host: 0520091375cbc551 .on-linepaysafery .info
 
POST / HTTP/1.0
Accept: application/x-shockwave-flash, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 0520091375cbc551. on-linepaysafery .info
Content-Length: 109
Connection: Keep-Alive
Pragma: no-cache
Cookie: ct=2011:3:27:23:23; ch=f58320d2a7c79b1a48b7c70a7d2d280a
action=form&projectId=72&partnerId=146&subId=0&install_id=yhstmcvcgj&group_name=2011-3-28_1&reason=errorflash
 
GET /payment_forms/default/images/sprite.png HTTP/1.0
Accept: */*
Referer: hxxp://0520091375cbc551 .on-linepaysafery .info /
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 0520091375cbc551 .on-linepaysafery .info
Connection: Keep-Alive
Cookie: ct=2011:3:27:23:23; ch=f58320d2a7c79b1a48b7c70a7d2d280a

Malicious links extracted:

hxxp:// 0520091375cbc551. on-linepaysafery .info /service/

Whois Details:

Domain Name: on-linepaysafery .info
Registrar: eNom, Inc. (R126-LRMS)
Status: CLIENT TRANSFER PROHIBITED, TRANSFER PROHIBITED, ADDPERIOD
Expiration Date: 2013-05-08 08:24:44
Creation Date: 2012-05-08 08:24:44
Last Update Date: 2012-05-08 08:26:02
 
Name Servers:
ns1.dnsexit.com
ns2.dnsexit.com
ns3.dnsexit.com
ns4.dnsexit.com
 
Registrant Contact Information:
Name: Dionisia Barese
Address 1: Corso Porta Borsari 78
City: San Martino Di Castrozza
State: TN
Zip: 38058
Country: IT
Phone: +39.3171462400
Email: sini@wildmail.com

Domain details:

The website www.on-linepaysafery .info is hosted at SPLIUS, UAB and its current IP address is 77.79.10.15 (hst-10-15.duomenucentras.lt). The server is located in Lithuania (LT) and 2 other websites are hosted on the same server. The domain is registered under the .INFO suffix and the domain keyword is on-linepaysafery. The organization is Webhosting, collocation services.

URLVoid scan reports:

http://www.urlvoid.com/scan/delicious-audio .com
http://www.urlvoid.com/scan/spywarecleanermicrosoft .info
http://www.urlvoid.com/scan/0520091375cbc551. on-linepaysafery .info
http://www.urlvoid.com/scan/on-linepaysafery .info
http://www.urlvoid.com/scan/blog.keeples .com
http://www.urlvoid.com/scan/scannerdatamicrosoft .info

Malicious URLs Hosting Fake Scanner Pages

We have detected a few fake scanner pages that are still active and that distribute the dangerous executable files of rogue security software.

First initial fake alert:

Image

Fake scanner page in action:

Image

Prompt to download the (infected) setup file of the rogue software:

Image

Report date: 2011-04-15 01:10:23 (GMT 1)
File name: bestav2-exe
File size: 374784 bytes
MD5 hash: a31da4fa72e277fe8abf298a4aa30d9d
SHA1 hash: 0f7bb119ff7889d3981d8ecdf2494c1cf4ba1a42
Detection rate: 7 on 10 (70%)
Status: INFECTED
Antivirus        Database     Engine        Result
Avast            15/04/2011   5.0           Win32:Renos-ACT [Trj]
AVG              15/04/2011   10.0.0.1190   FakeAlert.AAW
Avira AntiVir    15/04/2011   8.2.4.202     TR/Winwebsec.A.4010
Comodo           15/04/2011   4.0           TrojWare.Win32.Trojan.Agent.Gen
Emsisoft         15/04/2011   5.1.0.2       Trojan.Fakealert!IK
F-Prot           15/04/2011   6.3.3.4884    W32/FakeAlert.LY.gen!Eldorado
Ikarus           15/04/2011   T31001097     Trojan.Fakealert

There is also a reference to an external JS file:

<script type="text/javascript" src="hxxp://figaroo. ru/tools/ip.js"></script>

List of malicious domains and IPs:

hxxp://www.downloadmyprog. biz
hxxp://91.213.217.247:80
hxxp://184.82.159.52:80
hxxp://91.213.217.244:80
hxxp://91.213.217.246:80
hxxp://www.ratingswatchdiscussions. com
hxxp://91.213.217.225:80
hxxp://184.82.159.51:80
hxxp://91.213.217.229:80
hxxp://184.82.159.52:80
hxxp://www.powerwerxmotorcorp. com
hxxp://91.213.217.241:80
hxxp://www.purityanddivinityspa. com

At the end of a few of the fake scanner pages there is also a surprise:

Image

An obfuscated, malicious JS block (note also the random function names at the end of the script) that most probably leads to an exploit kit. We can also extract the JS code from the file “/index_files/set00000.js”, which is used to display the fake threats on the fake scanner page:

Image

URLVoid domain analysis:

http://www.urlvoid.com/scan/downloadmyprog.biz
http://www.urlvoid.com/scan/ratingswatchdiscussions.com
http://www.urlvoid.com/scan/purityanddivinityspa.com
http://www.urlvoid.com/scan/powerwerxmotorcorp.com

Recent Websites Associated with Fake Scanner Pages

These domains are associated with recent fake scanner pages. They are used to distribute the setup files of rogue security software, to deliver web exploits, and to host hidden redirections to dangerous websites, all related to rogue software distribution.

Domain                           IP address
nvrsewep.co. cc                  78.26.179.6
svrwvrtep.co. cc                 78.26.179.6
puwibryj.co. cc                  78.26.179.6
wofycof.co. cc                   78.26.179.6
xysihibr.co. cc                  78.26.179.6
zununuj.co. cc                   78.26.179.6
brilerzit.co. cc                 78.26.179.6
gvrlynerf.co. cc                 78.26.179.6
sekvrfig.co. cc                  78.26.179.6
www3.saveguardin4u. in           65.23.153.126
saveguardin4u. in                –
www3.bestcleansentinel. in       –
bestcleansentinel. in            –
www1.hardsuitescanner. in        173.192.68.246
hardsuitescanner. in             –
www2.strong-power-army. in       83.133.124.177
strong-power-army. in            –
www3.safe-suiteholder. com       –
safe-suiteholder. com            –
www3.smartantivirforu. com       –
smartantivirforu. com            –
www3.top-pckeeper. com           –
top-pckeeper. com                –
www4.safe-zoneng. net            –
safe-zoneng. net                 –
www1.chckeck. in                 –
chckeck. in                      –
www1.guardianaor. in             –
guardianaor. in                  –
www1.opensoftscanav. com         –
opensoftscanav. com              –
www1.personal-scan-holder. in    –
personal-scan-holder. in         –
www1.profalsave. in              –
profalsave. in                   –
www2.firstguardin4u. com         –
firstguardin4u. com              –

New Domains Used for BlackHat SEO Campaigns

We have again noticed a massive number of infected websites used to harvest popular keywords and to spread malicious links that redirect users to websites promoting rogue security software.

Fake Internet Explorer Alerts

Fake scanner page:

Fake Scanner Page

Network traffic:

GET /photos/view.php?user=1 HTTP/1.1
Host: jerryfuentes. com
 
HTTP/1.1 302 Moved Temporarily
Date: Sun, 09 Jan 2011 11:05:09 GMT
Location: hxxp://www3.bestsecurityarmy. in/?82ccbe16=XXX
 
GET /?82ccbe16=XXX HTTP/1.1
Host: www3.bestsecurityarmy. in
 
HTTP/1.1 302 Moved Temporarily
Date: Sun, 09 Jan 2011 11:05:09 GMT
Location: hxxp://www1.pc-cleanersoftwa. in?010bx=XXX
 
GET /?r8lf=XXX HTTP/1.1
Host: www1.pc-cleanersoftwa. in
 
GET /?8ae1381bc1=XXX HTTP/1.1
Host: www4.safe-zoneks. net
 
GET /cl/7/icon_sprite.jpg HTTP/1.1
Host: www1.zone-protectionri. com

As we can see from the following image:

Random HTML Class Names

The class names and other HTML parts have been randomized most probably to try to bypass heuristic detections of real security software.

The title of the fake scanner page is always:

<title>Security Analysis</title>

Other encoded scripts:

Encoded Scripts

At the end, the user is prompted to download an executable:

Executable Download

It is the executable of another rogue security software!

Network traffic:

GET /oey106_290.php?b731diej=XXX HTTP/1.1
Host: www1.getioucured. in

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 11:11:51 GMT
Content-Type: application/octetstream
Pragma: hack
Content-Length: 314368
Content-Disposition: attachment; filename=sysupdate8_290.exe
Content-Transfer-Encoding: binary

MZG.........

Malicious Websites Promote Antivirus Scan

Antivirus Scan is the name of a recent rogue security software that is commonly installed on the victim’s computer by TDSS variants and also by drive-by downloads.

Antivirus Scan GUI

We have logged new domains associated with Antivirus Scan:

GET /check?pgid=8 HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: antispyis. net
Connection: Keep-Alive
 
GET /percer.php?login=ODYuMjI= HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: antispyis. net
Connection: Keep-Alive
 
GET hxxp://antispyis. com/shop?abc=cGdpZD04JnI9ODYuMjI= HTTP/1.0
Accept: */*
Accept-Language: it
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: antispyis. com
Connection: close
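The `login=` and `abc=` parameters in the captured requests are base64 text, which is worth decoding during triage because it reveals what the client reports back to the operator. The script below is an added example (not part of the original post): it takes the three request lines above (embedded inline, hosts refanged), splits the query string manually so that `+` and `=` survive intact, and decodes every value that is valid base64 of printable ASCII, re-parsing a decoded value as a nested query string where it contains one. The helper names are my own, and the meaning of the decoded values is not something the captured traffic establishes.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Constructed from the three request lines captured above (hosts refanged).
CAPTURED_REQUESTS = [
    "GET /check?pgid=8 HTTP/1.1\r\nUser-Agent: Microsoft Internet Explorer\r\nHost: antispyis.net\r\n",
    "GET /percer.php?login=ODYuMjI= HTTP/1.1\r\nUser-Agent: Microsoft Internet Explorer\r\nHost: antispyis.net\r\n",
    "GET http://antispyis.com/shop?abc=cGdpZD04JnI9ODYuMjI= HTTP/1.0\r\nAccept: */*\r\nHost: antispyis.com\r\n",
]

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def try_base64(value):
    """Return decoded text if `value` is valid base64 of printable ASCII, else None.

    Length and alphabet checks come first so short ordinary values such as '8'
    are never mistaken for encoded data.
    """
    if len(value) < 4 or len(value) % 4 or not B64_RE.match(value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def split_query(query):
    """Split 'a=1&b=2' into pairs without the plus-to-space and percent
    decoding that urllib.parse.parse_qsl would apply (it would corrupt base64)."""
    pairs = []
    for item in query.split("&"):
        if item:
            key, _, value = item.partition("=")
            pairs.append((key, value))
    return pairs


def decode_request(raw):
    """Extract host, path and query parameters from one captured request,
    decoding any base64 value and re-parsing it as a query string if it is one."""
    request_line = raw.splitlines()[0]
    target = request_line.split()[1]
    host_hdr = re.search(r"^Host:\s*(\S+)", raw, re.MULTILINE)
    parts = urlsplit(target)
    params = {}
    for key, value in split_query(parts.query):
        decoded = try_base64(value)
        entry = {"raw": value, "decoded": decoded}
        if decoded and "=" in decoded:
            entry["nested"] = dict(split_query(decoded))
        params[key] = entry
    return {
        "host": parts.hostname or (host_hdr.group(1) if host_hdr else None),
        "path": parts.path,
        "params": params,
    }


def triage(requests):
    """Decode every captured request in order."""
    return [decode_request(r) for r in requests]


def decoded_values(requests):
    """Flat list of every decoded parameter value found across the captures."""
    return [p["decoded"] for rec in triage(requests)
            for p in rec["params"].values() if p["decoded"] is not None]


if __name__ == "__main__":
    for rec in triage(CAPTURED_REQUESTS):
        print(rec["host"], rec["path"], rec["params"])
```

Both encoded values decode to the same short string, and the second one carries the `pgid=8` seen in the first plain request, so the three requests are one client session rather than unrelated hits; that linkage is the kind of detail that turns a list of domains into a detection rule keyed on the request shape rather than on any single host.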

Antispyis.com Website

Malicious websites:

antispyis.com
antispyis.net
softwareea.com
guardpe.com
avtain.com
colemes.net
antivirhand.com
galilov.narod.ru
avcommand.net
antivguardian.com
antivirsystem.com
antispytask.net
antispycraft.com
afantispy.com
marezer.com
ns1.antispyis.net
ns2.antispyis.net
ns1.afantispy.com
ns1.marezer.com
ns1.safeom.com
ns1.softwarear.com
ns2.afantispy.com
ns2.aproximosstyle0112.info
ns2.marezer.com
ns2.safeom.com
ns2.softwarear.com
safeom.com
softwarear.com
www.afantispy.com
www.marezer.com
www.safeom.com
www.softwarear.com
marezer.net
ns1.afantispy.net
ns1.colemes.net
ns1.marezer.net
ns1.safeom.net
ns1.softwarear.net
ns2.afantispy.net
ns2.colemes.net
ns2.marezer.net
ns2.safeom.net
ns2.softwarear.net
safeom.net
softwarear.net
www.afantispy.net
www.colemes.net
www.marezer.net
www.safeom.net
www.softwarear.net

Active domains point to:

93.158.114.164 - [Unknown]
77.79.12.246 - hst-246.duomenucentras.lt

WhoIs data for antispyis.net:

Domain Name:	ANTISPYIS. NET
Registrar:	BIZCN.COM, INC.
Whois Server:	whois.bizcn.com
Referral URL:	hxxp://www.bizcn.com
Name Server:	NS1.ANTISPYIS. NET
Name Server:	NS2.ANTISPYIS. NET
Status:	clientDeleteProhibited
Status:	clientTransferProhibited
Updated Date:	07-jan-2011
Creation Date:	07-jan-2011
Expiration Date:	07-jan-2012

The rogue security software Antivirus Scan also hijacks Internet Explorer settings: every time we try to visit a new website we see the following page, which is used to redirect users to the purchase page of the rogue software:

IE Hijack

Registry modifications:

Windows Registry Editor Version 5.00
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"lqerhdaf"="%TempDir%\uvdqoetal\\pdbspaslajb.exe"

Files created:

%TempDir%\uvdqoetal\\pdbspaslajb.exe
%UserProfile%\file.exe

Strings found in file.exe:

.text
.rdata
.data
.venue
svc:%s;
app:%s(%s);
tcp
udp
any
port:%s(%lu/%s);
AV:
FW:
antispyis. com
antispyis. com
antispyis. com
antispyis. net
www.viagra. com
www.porno. org
www.porno. com
www.adult. com

File details:

File: file.exe
Size: 324096 bytes
Publisher: Unknown
Checksum (MD5): 03240adb7fb0123736f4897250118afb