Another fake-av site detected.

Hi malware fighters,

Fake-av found here:
Here is a complete list:

Threat Name: Trojan.FakeAV!gen24
Location: htxp://052a55.topwestsecure.com/download/DistAV_2013_b8.exe

Threat Name: Trojan.FakeAV!gen24
Location: htxp://f1e0c0.topwestsecure.com/download/DistAV_2013_b7.exe
Re: http://www.virustotal.com/analisis/f8ae332e594ad0ac2dcec58a9f3ad0f831b6d62ee4c0e0300d8df81e8548adde-1275605281
See: htxp://jsunpack.jeek.org/dec/go?report=8b7aed3a9e6d72e4b11f28a3673cc682296b3d54

Threat Name: Trojan.FakeAV!gen24
Location: htxp://ba38c4.topwestsecure.com/download/DistAV_2013_b8.exe
http://www.prevx.com/filenames/975799710197341493-X1/DISTAV_2013_B8[1].EXE.html

See: http://www.browserdefender.com/site/topwestsecure.com/
Trend Micro: This URL is currently listed as malicious.

polonus

Thank you for the detailed information; detection and URL block will be in the next VPS update.

Hi malware fighters,

Another Polish fake av spreading site: shamanshop*pl

5 instances of it found:

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://shamanshop.pl/sklep/blog/nate+berkus+show.html

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://shamanshop.pl/sklep/blog/danny+aiello.html

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://shamanshop.pl/sklep/blog/hostmonster.html

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://shamanshop.pl/sklep/blog/david+gallagher.html

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://shamanshop.pl/sklep/blog/snapgrades+login.html

Two redirects found there:
302 → htxp://shamanshop.pl/sklep
301 → hxtp://shamanshop.pl/sklep/
Redirecting scheme: htxp://shamanshop.pl/ redirects to hxtp://shamanshop.pl/sklep,
and htxp://shamanshop.pl/sklep redirects to htxp://shamanshop.pl/sklep/

polonus

Another one here:

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://mygoodoldwebsite.com/ezsee.php?t=gabe%20saporta%20arrested

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://mygoodoldwebsite.com/ezsee.php?t=summer%20jam%202010%20denver

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://mygoodoldwebsite.com/ezsee.php?t=mtv%20music%20awards%202010

Threat Name: HTTP Fake AV Redirect Request
Location: hxtp://mygoodoldwebsite.com/ezsee.php?t=dean%20s%20blue%20hole

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://mygoodoldwebsite.com/ezsee.php?t=blossom%20music%20center%20website

Threat Name: HTTP Fake AV Redirect Request
Location: hxtp://mygoodoldwebsite.com/ezsee.php?t=ken%20jeong%20wiki

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://mygoodoldwebsite.com/ezsee.php?t=us%20open%20tennis%202010%20ticket%20prices

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://mygoodoldwebsite.com/ezsee.php?t=blank%20check

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://mygoodoldwebsite.com/ezsee.php?t=wakeboard%20sizing

Threat Name: HTTP Fake AV Redirect Request
Location: http://mygoodoldwebsite.com/ezsee.php?t=uncle%20phil%20shredder

polonus

Hi malware fighters, another fake AV redirecting site to include…
2010-06-12 23:14:18 (GMT 1)
Website schuiling*net
Domain Hash 9c082f0a211d3fc7877cc13d7742c219
IP Address 69.89.22.118
IP Hostname box118.bluehost.com
IP Country US (United States)
AS Number 11798
AS Name BLUEHOST-AS - Bluehost Inc.
Detections 2 / 20 (10 %)

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://schuiling.net/qamju.php?on=peruvian%20prisons

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://schuiling.net/qamju.php?on=prop%2016%20polling

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://schuiling.net/qamju.php?on=puzzle%20pirates%20forums

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://schuiling.net/qamju.php?on=realm%20status%20addon

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://schuiling.net/qamju.php?on=robert%20mutt%20lange%20and%20marie-anne%20thiebaud

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://schuiling.net/qamju.php?on=strasburg

Threat Name: HTTP Fake AV Redirect Request
Location: hxtp://schuiling.net/qamju.php?on=taboo%20black%20eyed%20peas%20son

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://schuiling.net/qamju.php?on=us%20open%20tennis%202010%20american%20express

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://schuiling.net/qamju.php?on=virtual%20retinal%20display%20pdf

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://schuiling.net/qamju.php?on=world%20cup%20brackets
presents us with a double redirect, after a failure:
STATUS suspicious…

polonus

As always, good work, D. !!
Thanks, friend…!
asyn

The Fake scanner is gone, the redirect goes to CNN… ???

And another recent one with 55 threats found:

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://skepticalatheist.com/luwhp.php?on=hood%20county%20texas%20tax%20assessor

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://skepticalatheist.com/luwhp.php?on=indiana%20unclaimed%20property%20act

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://skepticalatheist.com/luwhp.php?on=indiana%20unclaimed%20property%20law

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://skepticalatheist.com/luwhp.php?on=iphone%204%20verizon%20release%20date

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://skepticalatheist.com/luwhp.php?on=jaleel%20white%20death

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://skepticalatheist.com/luwhp.php?on=liberty%20bell%20facts

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://skepticalatheist.com/luwhp.php?on=libertybellbank.com

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://skepticalatheist.com/luwhp.php?on=lil%20boosie%20death%20penalty

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://skepticalatheist.com/luwhp.php?on=mario%20treadway%20aka%20mc%20souleye

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://skepticalatheist.com/luwhp.php?on=mlb%20draft%202010%20rankings

polonus

Will also send you to CNN … :-\ ???

CNN, the new haven of malware…?? ;D
asyn

Well Pondus,

I was redirected there twice going through the request in Malzilla; well, here is yesterday’s score:
2010/06/11_07:42 firtullgone.com/uy/avs.exe 95.211.29.19 hosted-by.leaseweb.com. fake av Broupun Banker () / bofjosorupATmaila.com 16265
2010/06/11_07:42 wXw.fast-scanneronline.org/installer.0022.exe 91.188.60.3 - fake av Irving Roberson / robersonAThotmail.com 6851
This site is dangerous at 9 counts: http://www.urlvoid.com/scan/fast-scanneronline.org
2010/06/06_21:09 hibatavay.cn/pr.cgi?id=2979 188.72.225.187 city2007.com. fake av hahadelegeAT126.com 28753
2010/06/06_21:09 core2979.hibatavay.cn/d_advare_all.cgi?id=2979 188.72.225.187 city2007.com. fake av hahadelegeAT126.com 28753
2010/06/06_21:09 wXw.beautifulsecurityscan.com/ms03/ad 91.212.127.19 - fake av Robert Watkins robertwatkinsAThotmailbox.com 49087
2010/06/06_16:37 core2979.mylivejournalchanel.com/stget2.cgi?host=host&id=2979 173.212.245.90 173-212-245-90.hostnoc.net. fake av contactATprivacyprotect.org 21788
2010/06/06_16:37 core2979.davirijan.cn/d_advare_all.cgi?id=2979 188.72.225.187 city2007.com. fake av hahadelegeAT126.com 28753

pol

Maybe malware news … ;D

Jepp, those contained malware. Already collected and submitted … :wink:

Would be news worth watching…! ;D
asyn

Hi Asyn,

This is the latest malware craze: infected CNN ad-banner code ;D
This is all in fun, but it is a reality that no code is left alone by the malcreants scheming up another obfuscated injection, and the Internet is becoming a scary place for webmasters who want to keep their website’s code clean,

polonus

I know that only too well. :wink:
asyn

Hi malware fighters,

Another one reported here:
Website westernwinds.net
Domain Hash f75afbc2b730096197625b5e49c7a496
IP Address 66.96.130.112
IP Hostname 112.130.96.66.static.eigbox.net
IP Country US (United States)
AS Number 29873
AS Name BIZLAND-SD - The Endurance International Grou…
Detections 2 / 18 (11 %)
Status SUSPICIOUS

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://westernwinds.net/fevcf.php?topic=obama%20address%20to%20students%20transcript

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://westernwinds.net/fevcf.php?topic=pic%20hunter

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://westernwinds.net/fevcf.php?topic=rick%20rubin%20myspace

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://westernwinds.net/fevcf.php?topic=san%20diego%20union%20tribune%20crossword

Threat Name: HTTP Fake AV Redirect Request
Location: hxtp://westernwinds.net/fevcf.php?topic=san%20diego%20union%20tribune%20newspaper

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://westernwinds.net/fevcf.php?topic=spirit%20airline%20strike

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://westernwinds.net/fevcf.php?topic=svk

Threat Name: HTTP Fake AV Redirect Request
Location: hxtp://westernwinds.net/fevcf.php?topic=swype%20for%20iphone

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://westernwinds.net/fevcf.php?topic=tony%20award%20winners%202009

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://westernwinds.net/fevcf.php?topic=watch%20true%20blood%20online%20for%20free%20streaming

Redirecting to cnn.com again
Here is where it happens

 info: [decodingLevel=1] found JavaScript
     error: line:4: SyntaxError: missing ] after element list:
          error: line:4:      [native code]
          error: line:4: ................^

polonus
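
The reports posted in this thread all share one shape: a "Threat Name:" line followed by a "Location:" line with a defanged URL, and the redirecting sites (mygoodoldwebsite.com, schuiling.net, skepticalatheist.com, westernwinds.net) all use a short random .php name at the site root with a single query parameter carrying a search phrase (ezsee.php?t=, qamju.php?on=, luwhp.php?on=, fevcf.php?topic=). The script below is an added example for this thread, not code from any poster, from avast, or from the scanners linked above. It parses that report format, refangs the URLs (htxp/hxtp/hxxp schemes, "*" in place of a dot, "wXw" for "www"), flags entries that match the redirector pattern, and produces a host blocklist. The sample report is a constructed subset of the entries posted above, and the redirector check is a heuristic derived from those entries, not a vendor signature.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a subset of the "Threat Name:/Location:" entries posted in this
# thread, kept in the defanged form the posters used (htxp/hxtp, "*" for a dot).
SAMPLE_REPORT = """\
Threat Name: Trojan.FakeAV!gen24
Location: htxp://052a55.topwestsecure.com/download/DistAV_2013_b8.exe

Threat Name: HTTP Fake AV Redirect Request
Location: hxtp://shamanshop.pl/sklep/blog/nate+berkus+show.html

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://mygoodoldwebsite.com/ezsee.php?t=summer%20jam%202010%20denver

Threat Name: HTTP Fake AV Redirect Request
Location: hxtp://schuiling.net/qamju.php?on=world%20cup%20brackets

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://westernwinds.net/fevcf.php?topic=svk
"""

# Matches the defanged schemes seen in the thread (htxp, hxtp, hxxp) and plain http(s).
DEFANGED_SCHEME = re.compile(r"^h[xt]{2}(ps|p)://", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn a defanged URL back into a real one for lookups and blocklist entries."""
    url = url.strip()
    m = DEFANGED_SCHEME.match(url)
    if m:
        scheme = "https" if m.group(1).lower() == "ps" else "http"
        url = f"{scheme}://{url[m.end():]}"
    elif not re.match(r"^https?://", url, re.IGNORECASE):
        url = "http://" + url  # scheme-less entries such as "wXw.example.org/x.exe"
    parts = urlsplit(url)
    host = parts.netloc.replace("[.]", ".").replace("*", ".")
    if host.lower().startswith("wxw."):
        host = "www." + host[4:]
    return parts._replace(netloc=host.lower()).geturl()


def parse_report(text: str):
    """Yield (threat_name, refanged_url) pairs from 'Threat Name:'/'Location:' blocks."""
    threat = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Threat Name:"):
            threat = line[len("Threat Name:"):].strip()
        elif line.startswith("Location:") and threat is not None:
            yield threat, refang(line[len("Location:"):])
            threat = None


def looks_like_seo_redirector(url: str) -> bool:
    """Heuristic drawn from this thread's entries: a single short .php script at the
    site root whose one query parameter carries a plain-text search phrase."""
    parts = urlsplit(url)
    if not re.fullmatch(r"/[a-z]{3,8}\.php", parts.path):
        return False
    query = parse_qs(parts.query)
    if len(query) != 1:
        return False
    (values,) = query.values()
    return len(values) == 1 and bool(values[0].strip())


def summarize(text: str) -> dict:
    """Group parsed entries by host: threat names, paths, query parameter names, and
    whether any URL on that host matched the redirector heuristic."""
    hosts = defaultdict(
        lambda: {"threats": set(), "paths": set(), "params": set(), "redirector": False}
    )
    for threat, url in parse_report(text):
        parts = urlsplit(url)
        entry = hosts[parts.netloc]
        entry["threats"].add(threat)
        entry["paths"].add(parts.path)
        entry["params"].update(parse_qs(parts.query).keys())
        entry["redirector"] = entry["redirector"] or looks_like_seo_redirector(url)
    return dict(hosts)


def blocklist(text: str) -> list:
    """Sorted list of hosts, ready for a URL filter or DNS sinkhole."""
    return sorted(summarize(text))


if __name__ == "__main__":
    for host, info in summarize(SAMPLE_REPORT).items():
        flag = "redirector" if info["redirector"] else "download/other"
        print(f"{host:32} {sorted(info['params'])} {flag}")
    print("blocklist:", blocklist(SAMPLE_REPORT))
```

Feed the script a copy of the thread (or any report in the same format) instead of SAMPLE_REPORT to get the full host list; the refang step is deliberately lenient so that the mixed htxp/hxtp spellings and the "shamanshop*pl" style all normalise to the same host.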

Hi malware fighters,

A recent list from Malware Domain List for fake av:
http://www.malwaredomainlist.com/mdl.php?search=fake+av&colsearch=All&quantity=50

One example given in here: spinpoll.com/iuqdx/qttbbm.php?ff=826284
results
http://scanner.novirusthanks.org/analysis/561d310ada76abefafa70c2afb1f7a10/cXR0YmJtLnBocA==/
http://wepawet.iseclab.org/view.php?hash=0372e8bf9a1d75e118b18830d4ea85fb&t=1276780197&type=js

Triggered code has been made unobtrusive and is legit here,
but the ways in which it can be exploited are obvious,
read: http://www.alstevens.co.uk/a-less-obtrusive-google-analytics-script/
How it recently was exploited read here: http://blog.unmaskparasites.com/2009/03/26/google-analytics-is-an-intermediary-in-malware-distribution/

polonus

Hi malware fighters,

Here is a report about the way the malware is being injected via cross site scripting:
http://cyberinsecure.com/high-ranking-websites-spread-malware-through-cross-site-scripting-vulnerabilities/
It’s embedding iframes to redirect. The last chunk of text is hexadecimal-encoded HTML that redirects users to ask5.eu (do not visit, see: http://www.siteadvisor.com/sites/ask5.eu ), and 1 suspicious inline script was found; for this script see: http://jsunpack.jeek.org/dec/go?report=b413e5b967fa38a1d2dea332d601417ac034c41d with an undefined function parent.location.replace
to an apparent pr0n site…

[quote]
A series of redirect links ultimately leads to a site that looks similar to a Microsoft Windows screen with a popup claiming the PC is overrun with malware. The user is prompted to download rogue anti-virus to fix the imaginary problem.

While it’s not the most convincing attack we’ve ever seen, there’s nothing to stop attackers from using the same technique to push web-based exploits, say the Adobe Reader zero-day attack that’s now circulating in the wild.

The links work because appleinsider.com and the rest of the sites being abused fail to filter out harmful characters used in XSS attacks. Here are a few examples with some of the malicious XSS advertisements (do not follow these or other “hxxp” URLs below): http://cyberinsecure.com/wp-content/uploads/2009/12/xss.png (click to enlarge)
[/quote]

polonus

Fake AV,

A good read-up on the subject can be found here: http://www.usenix.org/event/leet10/tech/full_papers/Rajab.pdf
(advised by Google coders)

polonus