<![CDATA[[SecurityRatty] tag: avsystemcare]]> http://securityratty.com/tag/avsystemcare Fri, 07 Dec 2007 12:16:07 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[Localized Fake Security Software]]> http://securityratty.com/article/9c5cb4449d66fbad44e6fe61693c2485 http://securityratty.com/article/9c5cb4449d66fbad44e6fe61693c2485 Would you believe that in times when top tier antivirus vendors are feeling the heat from the malware authors' DoS attacks on their honeyfarms, and literally cannot keep up with their releases, someone out there is using an antivirus scanner that doesn't really exist? It's one thing to promote fake security software in a one-to-many communication channel by using a single language in a combination with cybersquatted domains, and entirely another to do the same in different languages. Localization for anything malicious is already taking place, as originally anticipated as an emerging trend back in 2006. The following currently active fake security software scams are promoted in Dutch, French, German, Italian, and you don't get to download them until you hand out your credit card details, and once you do so, you'll end up in the same situation just like many other people did in the past. Some sample fake brands :

SpyGuardPro; PCSecureSystem; AntiWorm2008; WinSecureAv; MenaceRescue; PCVirusless; LifeLongPC; NoChanceForVirus; MenaceMonitor; TrojansFilter; TrojansFilter; LongLifePC; KnowHowProtection; BestsellerAntivirus; PCVirusSweeper; AVSystemCare; AVSecurityPlus; AVSecurityPlus; PCAssertor; PoseidonAntivirus; TrustedAntivirus; PCBoosterPro; DefensiveSystem; GoldenAntiSpy; AntiSpywareSuite; AntiMalwareShield; AntivirusPCSuite; AntivirusForAll; TrustedProtection; NoWayVirus; AntiSpywareConductor; AntiSpywareMaster; TurnkeyAntiVirus; YourSystemGuard;

Portfolio one :

alfaantivirus.com
antivirusalmassimo.com
farrevirus.com
fomputervagt.com
figitalerschutz.com
flmejorcuidado.com
ferramentantivirus.com
filterprogram.com
filtredevirus.com
geeninfectie.com
harddrivefilter.com
keineinfektionen.com
longueviepc.com
maseg.net
nonstopantivirus.com
pcantivirenloesung.com
pcsystemschutz.com
plutoantivirus.com
psbeveiligingssysteem.com
riendevirus.com
securepcguard.com
sekyuritikojo.com
sistemadedefensa.com
sumejorantivirus.com
totaltrygghet.com
viruscontrolleuer.com
viruswacht.com
votremeilleurantivirus.com
zeusantivirus.com

Portfolio two :

advancedcleaner.com
alltiettantivirus.com
antispionage.com
antispionagepro.com
antispypremium.com
antispywarecontrol.com
antispywaresuite.com
antiver2008.com
antivirusaskeladd.com
antivirusfiable.com
antivirusforall.com
antivirusforalla.com
antivirusfueralle.com
antivirusgenial.com
antivirusmagique.com
antivirusordi.com
antivirusparatodos.com
antiviruspcpakke.com
antiviruspcsuite.com
antiviruspertutti.com
antivirusscherm.com
antiworm2008.com
antiwurm2008.com
archivoprotector.com
avsystemcare.com
avsystemshield.com
barrevirus.com
bastioneantivirus.com
bestsellerantivirus.com
bortmedvirus.com
cerovirus.com
debellaworm2008.com
defensaantimalware.com
defensaantivirus.com
drivedefender.com
exterminadordevirus.com
fiksdinpc.com
mijnantivirus.com
mobileantiviruspro.com
norwayvirus.com
nowayvirus.com
pcantivirenloesung.com
plutoantivirus.com
viruscontrolleuer.com
zebraantivirus.com
zeusantivirus.com

Portfolio three :

pcsecuresystem.com
antiworm2008.com
winsecureav.com
menacerescue.com
pcvirusless.com
lifelongpc.com
nochanceforvirus.com
menacemonitor.com
trojansfilter.com
longlifepc.com
knowhowprotection.com
bestsellerantivirus.com
pcvirussweeper.com
antiespiadorado.com
avsecurityplus.com
apolloantivirus.com
pcassertor.com
menacesecure.com
poseidonantivirus.com
trustedantivirus.net
pcboosterpro.com
defensivesystem.com
goldenantispy.com
avsystemcare.com
trustedantivirus.com
antimalwareshield.com
avsystemcare.com
antiviruspcsuite.com
antivirusforall.com
trustedprotection.com
nowayvirus.com
pcantiviruspro.com
antispywareconductor.com
antispywaremaster.com
turnkeyantivirus.com
yoursystemguard.com

Just like a previous proactive incident response where I pointed out that these fake security applications are starting to appear as the final output in malicious campaigns injected
at high profile sites, ensuring that your customers or infrastructure cannot connect to these, will render current and upcoming massive IFRAME injected or embedded attacks pointless at least from the perspective of serving the rogue software.
]]> Mon, 14 Apr 2008 04:04:53 +0000 avsystemcare antiworm2008 malicious fake security applications portfolio malicious campaigns sample fake brands antivirusforall one-to-many communication channel Localized Fake Security Software <![CDATA[A Diverse Portfolio of Fake Security Software]]> http://securityratty.com/article/9cb7b9731273f3926636a1326ee71a35 http://securityratty.com/article/9cb7b9731273f3926636a1326ee71a35 The recently exposed RBN's fake security software was literally just the tip of the iceberg in this ongoing practice of distributing spyware and malware under the shadow of software that's positioned as anti-spyware and anti-malware one. The domain farm of fake security software which I'll assess in this post is worth discussing due to the size of its portfolio, how they've spread the scammy ecosystem on different networks, as well as the directory structure they take advantage of, one whose predictability makes it faily easy to efficiency obtain all the fake applications. This particular case is also a great example of the typical for a Rock Phish kit efficiency vs quality trade off, namely, all the binaries dispersed through the different domains are actually hosted on a single IP, and are identical.

Who's hosting the malware and what directory structure per campaign do they use?

It seems as content.onerateld.com (87.248.197.26) which is hosted at Limelight Networks is used in all the domains as the central download location. The directory structure is as follows :

content.onerateld.com/antiworm2008.com/AntiWorm2008/install_en.exe
content.onerateld.com/avsystemcare.com/AVSystemCare/install_en.exe
content.onerateld.com/winsecureav.com/WinSecureAv/install_en.exe
content.onerateld.com/goldenantispy.com/GoldenAntiSpy/install_en.exe
content.onerateld.com/menacerescue.com/MenaceRescue/install_en.exe
content.onerateld.com/antispywaresuite.com/AntiSpywareSuite/install_en.exe
content.onerateld.com/trojansfilter.com/TrojansFilter/install_en.exe
content.onerateld.com/bestsellerantivirus.com/BestsellerAntivirus/install_en.exe

Therefore, if you have secureyourpc.com the directory structure would be /SecureYourPC.com/SecureYourPC/install_en.exe

Sample domains portfolio of digitally alike samples of each of these :

antivirusfiable.com
antivirusmagique.com
bastioneantivirus.com
gubbishremover.com
pchealthkeeper.com
securepccleaner.com
storageprotector.com
trustedprotection.com
yourprivacyguard.com

DNS servers further expanding the domains portfolio :

ns1.bestsellerantivirus.com
ns2.bestsellerantivirus.com
ns3.bestsellerantivirus.com
ns4.bestsellerantivirus.com
ns1.onerateld.com
ns2.onerateld.com

Main portfolio domain farm IPs :

- 87.117.252.11
- 85.12.60.22
- 85.12.60.11
- 85.12.60.30

Laziness on behalf of the malicious parties in this campaign, leads to better detection rate, thus, they didn't hedge the risks of having their releases detected by diversifying not just the domains portfolio, but the actual binaries themselves.
]]> Fri, 07 Dec 2007 12:16:07 +0000 domains portfolio domains portfolio sample domains portfolio fake security software software onerateld content exe A Diverse Portfolio of Fake Security Software