downloadmalware.com reverses

The site owner of downloadmalware.com read the blog, made a comment and promises to no longer offer the malware download.

The site appears to be suspended right now anyway.

Anyway, to the owner, thank you for listening to the security community and removing this download.

Incidentally, this is not the first time a similar prank has been tried. Didier Stevens did it, but it was strictly as a research experiment, and no malware was ever delivered.

Alex Eckelberry

A sick joke


Guess what? A new site, Downloadmalware com, offers free malware.

No. Really. What you get is a Vundo/Virtumonde trojan.

There’s full-disclosure on the site:

Commence Tomfoolery

Everyone knows that it’s no fun getting a virus, and viruses can be obtained by doing basically anything on the internet. That’s why we created Malware, in order to finally put a stop to constant viral infections on your personal computer. We have many competitors, and they may be more popular than us, but at some point in this company’s career, we will surpass them. It’s all about persistence and determination, and I would know because I just wrote an essay about that.

Our Approach: As stated on the main page, our methods of preventing viruses are very similar to how the common flu is prevented. We inject your computer with a small ‘virus‘ so that your computer can build up an immunity to all viruses in general. In the past, technology was incapable of developing a program like this, but thanks to new dreamweaver technology by adobe, millions of users around the world are now protected from the most deadly computer viruses.

To, Delve into the Situation Further: Our malware program includes a packaged installer. This packaged installer contains two separate files. One of these files is full of little bits of viruses, and the other package contains the white blood cells of nanotechnology. After the virus is installed, the Wano Cells (White-Nano-Cells) are released into the computer’s data stream. The Wano’s are programmed to seek, analyze, and destroy any form of virus that your computer might have. This super advanced sense of analysis is almost like human instinct, and is the future of virus prevention and removal!

At the bottom of the page, he says:

Warning, this is actually a program that causes popups on your computer… I’m pretty sure it’s harmless but I don’t think you should try and find out. If you download this program you’re dumb! This post is a joke.

Well, it’s not a little piece of malware. Vundo/Virtumonde is anything but.

The author admits to feeling some guilt about putting up a website that openly delivers malware, but feels justified because, in his view, anyone stupid enough to actually download the malware kind of deserves it.

This is my attempt at a sort of viral website. It could be seen as a “youfail” sort of site that forum users point to when someone asks a dumb question. I’m not really sure but I’m hoping it works.

I made it blatantly obvious that the file up for download is malware, so anybody who does download and install the program I have uploaded is retarded (nothing against retarded people). The catch is, it’s the affiliate adware from luxecash so I get money every time someone actually does download and install it.

I don’t know whether or not I should deck the site out with ads, or if I should keep it ad free to legitimize the product. I guess I’ll just have to wait and see if there are any people out there who would bite. I’m under the impression that people without a lot of computer knowledge would actually believe it.

It sort of makes me feel like a dick, but since I clearly state that it’s malware… it’s better than uploading it to a torrent site saying it’s msn messenger or something right?

And in his own blog post, he has this to say:

…I decided that instead of taking the conventional approach to making money, I would make up my own way. I realized that spending hours uploading files to torrent websites would be just like me actually going to work for a few hours in order to make money. Now, not that I’m against doing a little bit of work for the money, but the only way to make good money requires that you do some illegal things, and work.

So I came up with downloadmalware.com, where people can voluntarily download my adware. People like my mother (who will eventually read this post) are really the only people I can expect to download the adware from that site. One would have to be so un-savvy with computers that it would be rather disturbing. Not only would you be displaying your lack of computer vocab, but an extremely huge amount of gullibility. For that purpose, I don’t feel so bad knowing that I’m giving someone popups, and I’m also glad what I’m doing isn’t illegal.

I’ll update this with some info on how the site works out for me… but I’ll have to give it some time to saturate in there with the big Goog.

Someone asked in a comment what the malware was; the malware is simply the luxecash affiliate program installer. I’ve never tried installing it on my own computer, but I’m pretty sure it’s just adware… so you get popups every once in a while.

Ok, I have a sense of humor. I get it.

But this is not funny at all.

I hope this enterprising fellow takes this crap down as soon as possible.

Alex Eckelberry

Heads-up: New nasty on the way?


There’s a new site out for a rogue security product, NanoAntivirus. This looks like it will be a potential replacement (or additional rogue version) of the pernicious Antispyware Pro XP.

Binaries are not active (yet). However, a fake scanner page is already up: scan. antispyware-free-scanner. com/100525/8/ (if you don’t add the 100525/8/, you get the Antivirus XP Pro scan, complete with fake “porn” that’s been “found” on your computer).

Alex Eckelberry
(thanks, Bharath)

New Mac rogue?

This site is a sister to WiniGuard, a rogue antispyware program related to Innovagest 2000… a noted bad actor…

However, there are no downloadable binaries. Something to keep an eye on, though.


Just to put this into context, we’ve seen the Innovagest gang around some really horrific products, like Antivirus XP 2008, XP Antivirus — and much more.

Alex Eckelberry
(Thanks Bharath)

This MySpace Friend is anything but

If you get this Friend Request in MySpace, it’s not a good one.


Here’s the profile page:


However, clicking on the page brings up this oddball page:


Notice the use of a “translate” page on Google. Possibly a new type of redirect activity to avoid filters…

The page pushes a Zlob fake codec variant, disguised as a “MySpace Profile Object”.

Thanks to Big R, a security researcher, for this catch.

Alex Eckelberry

More sites to block: SSH Scam sites update

Zlob Trojan distributing site:
91.203.92.11 Medialibsms. com

Scam Internet Security Page:
91.203.92.11 Ahomepagepark. com

404 Error page scam:
91.203.92.11 Whyisdnserror. com

Security Guide Scam Page:
91.203.92.12 Scdesktopicons. com

Ad-Server-Gate Pages:
91.203.92.11 Cxdgl. com
91.203.92.11 Jhgpq. com

Protection Center Scam Page:
91.203.92.12 Asecurenotification. com

Scam Security Toolbar site:
91.203.92.12 Protectiontoolbars. com

IE AntiSpywareStore site:
208.72.168.94 Howtoiexplorer. com

Bharath M N

Update on AOL malware

AOL has contacted me about my blog post and is taking down the pages. I’ve shared with them additional pages as well.

All in all, impressive alacrity and willingness to fix the problem. Thanks AOL.

(Btw, some may have been confused by my headline (“non-benign neglect”). And their confusion would have been justified: it was an error in a play on words on Salutary Neglect, not on “benign neglect”, which brings forth a less desirable connotation.)

Alex Eckelberry

Another useless test grabs headlines

I like Secunia, so no hard feelings from our side.

But truly, this test they published the other day, showing that “security suites fail exploit tests” is a silly and useless PR stunt. I think they were just trying to get some news for their business of patch scanning or something, and decided to kick the AV players around for fun.

Testing guru Andreas Marx of AV-Test.org pretty much sums up the issues with it:

– Some critical details are missing, for example, the time of the last update of the scanners, the exact product versions, and the like.

– Only the on-demand scanner and the on-access guard were tested, so it was only checked if the file-scanner would trigger an alert.

– The paper also speaks about a test with html/web pages, but I cannot see a single test case for the part in the review (is it missing or was it excluded?)

The “scan some files only” part especially concerns me, as only one out of many built-in security features of a suite was tested (but it’s very fast: such a test might just take a minute or two to complete, for scanning the entire set of files).

In most cases, it is simply not practical to scan all data files for possible exploits, as it would slow down the scan speed dramatically. Instead of this, most companies focus on some widely used file-based exploits (like the ANI exploits) and some companies also remove the detection of such exploits after some time has passed by (as most users should have patched their systems in the meantime and in order to avoid more slow-downs).

There are a lot more practical solutions built-in to security suites, like the URL filter (which checks and blocks known URLs which are hosting malware or phishing websites) and the exploit filter in the browser (which would also block access to many “bad” websites). Some tools also have virtualization and buffer/stack/heap overflow protection mechanisms included, too.

Then we have the traditional “scanner” — and even if some exploit code gets executed, a HIPS, IDS or personal firewall system might be able to block the attack. For example, some security suites know that Word, Excel or WinAmp won’t write EXE files to disk — so potentially dropped malware cannot get executed and the system is left in a “good” state.

A few weeks back, I’ve written the following text for our own test report:

“A comprehensive review should not only concentrate on detection scores of the on-demand scanner, as this would give a user only a very misleading and limited view of the product’s capabilities.

When comparing the security of cars, we would not only focus on the safety belts, but also check the ABS system (anti-lock braking system), one or more airbags, crush zones, the ESP (electronic stabilization program) as well as constructional changes and many other features which make a car secure. The different detection types have to be taken together to make a valid statement about the whole detection mechanisms: neither static nor proactive detection mechanisms alone can catch all malware.

It is important to have good heuristics, generic signatures and dynamic detection and prevention in place to be able to handle new unknown malware without any updates. It is crucial to have good response times, to be able to react to new malware, when proactive mechanisms fail to detect them. It is essential to have good static detection rates, to be able to handle already known malware, even before it is executed on a system. So comparing single features makes less sense, as we should think about the fact that a user has not bought an AV product to find some viruses and report them, but he has actually bought a service to keep his system malware-free.”

Therefore, a better test setup would be to actually have the vulnerable applications installed on the test PC, together with the security suite. (BTW: I’m sure no user would have all of the different applications on Secunia’s list on his PC — so one might concentrate on the most recent or most widespread exploits only.) Then the tester would need to trigger the exploit, and see if the machine was exploited successfully or not. (Please note that the scanner or guard might not be able to see a file at all, if it’s a memory-based exploit, so the quoted detection rates might not even be relevant in some cases, as no files are written to disk.)

This would actually be a much more interesting and relevant test which is really focusing on the entire suites’ features and not only on the “traditional” scanner part of an AV product. A few more points are mentioned in two papers, published by AMTSO, the Anti-Malware Testing Standards Organization.

Alex Eckelberry

AOL, non-benign neglect

Nothing really new here but I figured I’d say something on the subject: AOL has some malware floating around.

Some examples:

AOL’s German Hometown page has a number of pages that redirect to rogue antivirus programs like Antivirus XP (note that AOL does plan to discontinue Hometown, so that’s a help):


And the US site shows a bunch of junk as well:


And Journals…


Of course, there’s still the problem with Google Groups (and others), turning out loads of junk. So AOL isn’t alone in this malware fest.

Alex Eckelberry

SSH Scam sites update

Zlob Trojan distributing site:
91.203.92.11 Movsmedia. com

Scam Internet Security Page:
91.203.92.12 Homepageonweb. com

404 Error page scam:
91.203.92.12 Misdnspage. com

Security Guide Scam Page:
91.203.92.12 Websclinks. com

Ad-Server-Gate Pages:
91.203.92.12 Qpwoi. com
91.203.92.12 Ghjfd. com

Protection Center Scam Page:
91.203.92.11 Securefires. com

Scam Security Toolbar site:
91.203.92.11 Safetybargoal. com

IE AntiSpywareStore site:
208.72.168.84 Ietoolsupdate. com

As we always say, please stay clear of these sites.

Bharath M N

New rogue: Antivirus 2010

Antivirus 2010 is a new rogue security product. This rogue is a clone evolved from IEdefender that begat XP Antivirus, that begat Antivirus 2008, that then begat Antispyware 2009.

Thanks to Patrick Jordan for the detailed historical information about this rogue family.

217.20.175.74 Av2010. net

The rogue application uses the same old tricks to lure users into purchasing their worthless application.

Fake Windows Security Center

Fake BSOD

Bharath M N

New rogue: XP AntiSpyware 2009

Thanks to Patrick Jordan for the Rogue update.

XP AntiSpyware 2009 is a clone of WinReanimator and XPSecurityCenter rogues.

This group of rogue security products is usually pushed through the Trojan-Downloader.braviax or Trojan.fakealert trojans.

Fake Windows Security Center

206.161.120.20 Xp-antispyware2009. com
206.161.120.21 Xp-antispyware-2009. com
206.161.120.22 Xpantispyware-2009. com
206.161.120.23 Xpas2009. com
206.161.120.24 Xp-as-2009. com

Bharath M N