Patrick Jordan found this malicious little nugget today: Internet Security 2010. It’s a rebranded clone of Advanced Virus Remover, a rogue security product that we first found in June (Sunbelt Rogue Blog entry here.)

InternetSecurity2010_FakeResults

It’s one of your run-of-the-mill rogues, using run-of-the-mill scare tactics, except its payment screen contains a static graphic that imitates the McAfee Secure certification.

Copy of InternetSecurity2010_McAfeeSecure_Tested

A real “McAfee Secure” certification is a DAILY certification; it contains the date, and its logo should look like this:

Real McAfeeSecure tested

When you click on it, it should take you to the McAfee Secure rating verification page (https://www.mcafeesecure.com/RatingVerify), which gives the name of the certified web site and the “Status.”

McAfee return

More info about the program here.
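
The click-through test described above can be automated for a saved copy of a page. This is an added example, not code from Sunbelt or McAfee; the markup samples, the `ref` query parameter and the rule that a seal image has "mcafee" in its alt text or file name are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Verification page named in the post.
VERIFY_HOST, VERIFY_PATH = "www.mcafeesecure.com", "/RatingVerify"

class SealFinder(HTMLParser):
    """Record each seal-like <img> together with the href of the <a> around it."""
    def __init__(self):
        super().__init__()
        self.href = None   # href of the currently open <a>, if any
        self.seals = []    # (img src, enclosing href or None)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self.href = attrs.get("href")
        elif tag == "img":
            label = f"{attrs.get('alt') or ''} {attrs.get('src') or ''}".lower()
            # Assumption: a seal is recognisable by "mcafee" in its alt text or file name.
            if "mcafee" in label:
                self.seals.append((attrs.get("src"), self.href))

    def handle_endtag(self, tag):
        if tag == "a":
            self.href = None

def links_to_verifier(href):
    """True only for an https link whose exact host and path are the verification page."""
    if not href:
        return False
    url = urlsplit(href)
    return (url.scheme, url.hostname, url.path) == ("https", VERIFY_HOST, VERIFY_PATH)

def audit_seals(html):
    finder = SealFinder()
    finder.feed(html)
    finder.close()
    return [{"src": s, "href": h, "clicks_through": links_to_verifier(h)} for s, h in finder.seals]

# Constructed sample markup (not taken from the rogue or from McAfee).
STATIC_SEAL = '<div id="pay"><img src="img/mcafee_secure.gif" alt="McAfee SECURE"></div>'
WRONG_HOST = ('<a href="http://www.mcafeesecure.com.shop.example/RatingVerify">'
              '<img src="seal.gif" alt="McAfee Secure"></a>')
LINKED_SEAL = ('<a href="https://www.mcafeesecure.com/RatingVerify?ref=shop.example">'
               '<img src="seal.gif" alt="McAfee Secure"></a>')

if __name__ == "__main__":
    for page in (STATIC_SEAL, WRONG_HOST, LINKED_SEAL):
        print(audit_seals(page))
```

A seal that passes only shows that the click lands on the verification page; the site name and “Status” shown there still have to be read.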

VIPRE catches the installer that is also the rogue’s exe module:

InternetSecurity2010_APBlockingInstaller

While the rogue is active, it also blocks all other applications.

FileBlockingTactics

The download sites for Internet Security 2010 are run by the same VX Cactus group that ran the vxgame malware operations from Jan 2005 until Nov 2008.

Thanks Patrick.

Tom Kelchner