Rogue Mania

Rogue Mania brought to you by Innovagest 2000.

eAntivirusPro is a new clone of the Antivirus XP 2008 rogue security product.

Sites used:
218.106.90.227 eantivirus-payment. com
218.106.90.227 e-antiviruspro. com

A typical FakeScare scanner page used by this group.

AntiMalware 2009 is yet another clone of the Antivirus XP 2008 rogue security product.
A typical FakeScare scanner page used by this group.

ekerberos is another rogue security product from Innovagest 2000.

ekerberos is a renamed clone of the short-lived ikerberos rogue security product.
218.106.90.227 ekerberos. com

Bharath M N

Report blasts online trustmarks

A lengthy, but very interesting write-up on trustmarks (BBB Online, Trust Guard, TRUSTe, etc.).

The most important test for privacy protection in the trustmarks environment is the underlying standards or requirements that are applied by each scheme. Perhaps expectations here should be realistic – what standard should a consumer expect in a market where a business can buy a legitimate looking privacy seal for $15.99 a year?

Indeed, the privacy standards are appallingly low for trustmarks. Attempts to impose higher standards (during the early stages of trustmark development) appeared to fail on commercial grounds. For example, TRUSTe originally had three privacy seals, indicating whether the collection and disclosure of personal information occurred using a colour scheme.

and

The most significant criticism of trustmarks is that in practice they have proved to be virtually worthless in the face of major privacy breaches. Their privacy standards are low to begin with, but even these rules are simply not enforced against large, paying members.

More here (PDF version here).

Or, you can just skip to the conclusion.

Alex Eckelberry
(Thanks, Ben)

Scam sites update VI

A new batch of Security Scam Hijacker sites. Thanks to Patrick Jordan for the information.

Zlob Trojan Distributing site:
77.91.231.183 Wmpware. com
77.91.231.201 Newwmpupdate. com

Scam Internet Security Page:
91.203.92.12 Homesecuresite. com

404ErrorpageScam:
91.203.92.11 Dnserrorview. com

Security Guide Scam Page:
91.203.92.12 Screenlinkz. com

Ad-Server-Gate Pages:
91.203.92.12 Yrhfn. com
91.203.92.11 Ungds. com

Protection Center Scam Page:
91.203.92.11 Secureharley. com

Scam Security Toolbar site:
91.203.92.11 Ienewbar. com

IE AntiSpywareStore site:
92.62.101.84 Qwertypages. com

Please stay clear of these sites.

Bharath M N

Scam sites update V

The endless supply of Zlob Trojan parades the internet once again with their new scam sites.

Zlob Trojan Distributing site:
77.91.231.201 Movsdlls. com
77.91.231.183 Mediamswares. com

Scam Internet Security Page:
91.203.92.11 Asafetysite. com

404ErrorpageScam:
91.203.92.12 Errordnsurl. com

Security Guide Scam Page:
91.203.92.11 Linksondesktop. com

Ad-Server-Gate Pages:
91.203.92.11 Gfbwd. com
91.203.92.11 Ogjtu. com

Security Center Scam Page:
91.203.92.12 Waysofsecurity. com

Scam Security Toolbar site:
91.203.92.12 Toolbarunit. com

IE AntiSpywareStore site:
92.62.101.83 Ieprogramming. com

As we always say, please stay clear of these sites.

Bharath M N

Understanding the current situation in the financial markets

If you’re trying to get a grasp as to what the heck happened over the past few days in the financial markets, probably the best explanation is on the Freakonomics blog.  Well worth reading.

As an economist, I am supposed to have something intelligent to say about the current financial crisis. To be honest, however, I haven’t got the foggiest idea what this all means. So I did what I always do when something related to banking arises: I knocked on the doors of my colleagues Doug Diamond and Anil Kashyap, and asked them for the answers. What they told me was so interesting and insightful that I begged them to write their explanations down for a broader audience. They were kind enough to take the time to do so. In what follows, they discuss what has happened in the financial sector in the last few days, why it happened, and what it means for everyday people.

Link here (via Jeff Nolan).

Alex Eckelberry

Scam sites update IV

Thanks to Patrick Jordan for the information.

Zlob Trojan Distributing site:
77.91.231.201 Movsdevices. com
77.91.231.183 Wmptools. com

Scam Internet Security Page:
91.203.92.12 Homesiteurls. com

404ErrorpageScam:
91.203.92.11 Urlsofdnserrors. com

Security Guide Scam Page:
91.203.92.11 Fastshortcuts. com

Ad-Server-Gate Pages:
91.203.92.12 Xbstw. com
91.203.92.12 Eufnt. com

Security Center Scam Page:
91.203.92.11 Protectnotice. com

Scam Security Toolbar site:
91.203.92.11 Securealertbar. com

IE AntiSpywareStore site:
92.62.101.84 Ierenewals. com

Other sites used in this scam

Antivirus 2009 Fake/Scanner page:
84.16.252.138 Vassariumpromo. com

Please stay clear of these sites.

Bharath M N

What kinds of domains does Intercage host?

So… what kind of domains are on Intercage? 

Gary Warner wanted to find out and has now posted the Mother of all Lists of (almost) all Intercage domains.

From Gary: “The domains listed … all came from the sites above, but it is not an entirely complete result.  My tool would only allow 2,000 domains per IP, and there were two IPs that exceeded that limit.  69.50.188.3 had 3,978 domains listed, and 69.50.160.211 had more than 10,000 domains listed.  Both of those result sets were truncated as a result.” (More explanation here).

At any rate, the list, sans those two IPs, is here (txt).

Nice work, Gary.  A very useful list indeed.

Alex Eckelberry

EstDomains declares global war on malware

Wow.  Just… wow.   

EstDomains, Inc: Global Struggle Against Malware Distribution

EstDomains, Inc, a US-based domain name Registrar, officially declares opposition to malware mongers in order to protect Internet users from attacks on their computers or stealing of their important data. EstDomains, Inc pays special attention to domain name holders’ private data protection and secure money transaction operations. It can be said in all modesty that EstDomains, Inc has succeeded in protecting its customers from any possible occurrence of fraudulence or cracking. However, being an eminent member of interactive community, EstDomains, Inc management along with other giants of online industry continues its struggle against malicious software distribution and is giving its best to work out even more efficient solutions for detecting malware sources.

More here (thanks Ferg).

Alex Eckelberry

Scam sites update III

Heads up to Patrick Jordan for the information. Now the rest of the story.

Zlob Trojan Distributing site:
77.91.231.183 Classicmediapl. com

Scam Internet Security Page:
91.203.92.11 Sweathomepage. com

404ErrorpageScam:
91.203.92.12 Amistypedurl. com

Security Guide Scam Page:
91.203.92.12 Linkfordesktop. com

Ad-Server-Gate Pages:
91.203.92.11 Yuiqd. com
91.203.92.11 Hfnvp. com

Protection Center Scam Page:
91.203.92.12 Observesecure. com

Scam Security Toolbar site:
91.203.92.12 Aglobaltoolbar. com

IE AntiSpywareStore site:
216.255.179.244 Enhancedie. com

Other sites used in this scam

Antivirus 2009 Fake/Scanner page:
78.159.118.168 Prtectionactivescan. com

Please stay clear of these sites.

Bharath M N

Scam sites update II

Zlob Trojan Distributing site:
77.91.231.201 Immediallc. com
77.91.231.183 Softlayerdll. com

Scam Internet Security Page:
85.255.116.210 Dailyhomesite. com

404ErrorpageScam:
85.255.116.214 Nowherepage. com

Security Guide Scam Page:
85.255.118.34 Firstaidclicks. com

Ad-Server-Gate Pages:
85.255.118.37 Oryfn. com
85.255.118.38 Eufks. com

Protection Center Scam Page:
85.255.118.34 Aprotectionhelp. com

Scam Security Toolbar site:
85.255.118.211 Safensecurebar. com

IE AntiSpywareStore site:
216.255.179.245 Ieextend. com

Please stay clear of these sites.

Bharath M N

New Rogues: The Clone Mania

List of new cloned rogue security products.

Windows Antivirus
92.241.163.30 Windows-av. com

Windows Antivirus is a clone of Windows AntiVirus 2008.

Micro Antivirus 2009
91.208.0.223 Microantivirus2009. com

Micro Antivirus 2009 is a clone of MS Antivirus.

Antivirus Security
78.159.114.116 Antivirussecurity-solution. com

Antivirus Security is a clone of XP antivirus, and the home page looks similar to that of Internet Antivirus.

Bharath M N

Scam sites update

Zlob Trojan Distributing site:

IP: 77.91.231.201
Intervidd. com

IP: 77.91.231.183
Pwrware. com

The Zlob trojan downloads and installs a new variant of the MS Antivirus rogue security application.

IP: 92.62.101.55
Ms-avc. com

Scam Internet Security Page:

IP: 85.255.116.212
Homepagetoday. com

404Errorpage Scam:

IP: 85.255.118.243
Brokenurls. com

Security Guide Scam Page:

IP: 85.255.118.210
Desklinks. com

Ad-Server-Gate Pages:

IP: 85.255.118.212
Rycsp. com

IP: 85.255.118.213
Cusln. com

Scam Security center site:

IP: 85.255.118.36
Pcsdefender. com

Scam Security Toolbar site:

IP: 85.255.118.35
Webprobar. com

Another component site, used in the Internet Explorer Tools menu to redirect to other scam pages:

IP: 216.255.179.245
Ieextend. com

Please stay clear of these sites.

Bharath M N

New rogue: Antispyware PRO XP

A clone of the Antispyware 2008 XP/WinSpywareProtect family.
