Tag Archive | "rogue"

Remove Antivirus Center (Uninstall Guide)

Antivirus Center is a rogue anti-spyware program from the same family as Internet Protection. This malware is installed onto your computer through the use of fake scanner pages and Trojans that pretend to be updates to Adobe Flash. When Antivirus Center is installed onto a computer it will be configured to start automatically when Windows starts. Once started it will perform a fake scan of your computer and then state that there are numerous infections present. If you attempt to remove any of these so-called infections with the program it will state that it is unable to do so until you purchase it. As none of the infection files actually exist on your computer, please disregard these scan results and do not purchase the program.

 

Antivirus Center screen shot

 

While Antivirus Center is running it will also display numerous fake security alerts designed to make you think that your computer has a severe security problem. The text of these messages is:

Antivirus Center
Your system has come under attack of harmful software. Click here to deactivate it.

Antivirus Center
External software tries to control variety of your system files. This may lead to breaking of some data in your system. Click here to protect remote access to your PC & delete these programs.

Antivirus Center
Spyware.IEMonster process is found. The virus is going to send your passwords from Internet browser (Explorer, Mozilla Firefox, Outlook & others) to the third-parties. Click here for further protection of your data with Antivirus Center.

Antivirus Center Firewall Alert
Suspicious activity in your registry system space was detected. Rogue malware detected in your system. Data leaks and system damage are possible. Please use a deep scan option.

Antivirus Center Firewall Alert
Antivirus Center has prevent a program from accessing the Internet.
“iexplore.exe” is infected with Trojan. This worm has tried to use “iexplore.exe” to connect to remove host and send your credit card information.

Antivirus Center Firewall Alert
Your computer is being attacked from a remote machine!
Block Internet access to your computer to prevent system infection.
Attacker IP: <ip address>
Attack type: RCPT exploit

Antivirus Center
Your computer is under the infections threat. Run instant shield protection to safe your data and prevent internet access to your credit card information. Select this to run instant shield.

Antivirus Center Firewall Alert
Warning
Keylogger activity detected!
Your account in social network is under attack. Click here to block unauthorized modification by removing threats (Recommended)

Just like the scan results, all of these warnings are fake and should be ignored.

As you can see, Antivirus Center was created for one reason: to scare you into thinking your computer is infected so that you will then purchase the program. Under no circumstances should you purchase Antivirus Center, and if you already have, you should contact your credit card company and dispute the charges, stating that the program is a computer infection. Finally, to remove this infection and related malware, please use the removal guide below.

 


Symptoms that may be in a HijackThis Log:

O4 – HKCU\..\Run: [<random numbers and characters>] rundll32.exe “C:\Documents and Settings\All Users\Application Data\<random numbers and characters>.dat”, <random characters>

 

Guide Updates:

04/29/11 – Initial guide creation.

 


Automated Removal Instructions for Antivirus Center using Malwarebytes’ Anti-Malware:

 

  1. Print out these instructions as we may need to close every window that is open later in the fix.

  2. Reboot your computer into Safe Mode with Networking. To do this, turn your computer off and then back on and immediately when you see anything on the screen, start tapping the F8 key on your keyboard. Eventually you will be brought to a menu similar to the one below:


    Safe Mode boot menu screen

    Using the arrow keys on your keyboard, select Safe Mode with Networking and press Enter on your keyboard. If you are having trouble entering safe mode, then please use the following tutorial: How to start Windows in Safe Mode

    Windows will now boot into safe mode with networking and prompt you to login as a user. Please login as the same user you were previously logged in with in the normal Windows mode. Then proceed with the rest of the steps.

  3. It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

  4. Before we can do anything we must first end the processes that belong to Antivirus Center so that it does not interfere with the cleaning procedure. To do this, please download RKill to your desktop from the following link.

    RKill Download Link – (Download page will open in a new tab or browser window.)

    When at the download page, click on the Download Now button labeled iExplore.exe download link. When you are prompted where to save it, please save it on your desktop.

  5. Once it is downloaded, double-click on the iExplore.exe icon in order to automatically attempt to stop any processes associated with Antivirus Center and other rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by Antivirus Center when it terminates programs that may potentially remove it. If you run into these infection warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, you can typically bypass the malware's self-protection so that RKill can terminate Antivirus Center. So, please keep running RKill until the malware is no longer running. You will then be able to proceed with the rest of the guide. Do not reboot your computer after running RKill, as the malware programs will start again.

    If you continue having problems running RKill, you can download the other renamed versions of RKill from the RKill download page. Both of these files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.

  6. Now you should download Malwarebytes’ Anti-Malware, or MBAM, from the following location and save it to your desktop:

    Malwarebytes’ Anti-Malware Download Link (Download page will open in a new window)


  7. Once downloaded, close all programs and windows on your computer, including this one.

  8. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.

  9. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware checked. Then click on the Finish button. If MalwareBytes’ prompts you to reboot, please do not do so.

  10. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.


    MalwareBytes Anti-Malware Screen

  11. On the Scanner tab, make sure the Perform full scan option is selected and then click on the Scan button to start scanning your computer for Antivirus Center related files.

  12. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.


    MalwareBytes Anti-Malware Scanning Screen

  13. When the scan is finished a message box will appear as shown in the image below.


    MalwareBytes Anti-Malware Scan Finished Screen

    You should click on the OK button to close the message box and continue with the Antivirus Center removal process.

  14. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.

  15. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.


    MalwareBytes Scan Results


    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the program’s quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.

  16. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.

  17. You can now exit the MBAM program.

  18. As many rogues and other malware are installed through vulnerabilities found in outdated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:

    How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

 

Your computer should now be free of the Antivirus Center program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes’ Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

 


 

Associated Antivirus Center Files:

%AllUsersProfile%\Application Data\<random numbers and characters>.dat
%AllUsersProfile%\Application Data\<random numbers and characters>.ico
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus Center.lnk
%UserProfile%\Desktop\Antivirus Center.lnk
%Temp%\ins2.tmp
%Temp%\mv3.tmp
%Temp%\wrk4.tmp

File Location Notes:

%UserProfile% refers to the current user’s profile folder. By default, this is C:\Documents and Settings\<username> for Windows 2000/XP, C:\Users\<username> for Windows Vista/7, and C:\WINNT\Profiles\<username> for Windows NT.

%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\ProfileName\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\ProfileName\AppData\Local\Temp for Windows Vista and Windows 7.

%AllUsersProfile% refers to the All Users Profile folder. By default, this is C:\Documents and Settings\All Users for Windows 2000/XP and C:\ProgramData\ for Windows Vista/7.

 

Associated Antivirus Center Windows Registry Information:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List “C:\WINDOWS\system32\rundll32.exe” = ‘C:\WINDOWS\system32\rundll32.exe:*:Enabled:Antivirus Center’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “<random numbers and characters>”
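As an added example (not part of the original guide), the following Python script applies the indicators listed above to a HijackThis log and to a .reg export of the Windows firewall exception list. The sample lines embedded in it are constructed, not taken from a real machine, and the random names in them are placeholders. It flags an O4 autorun when rundll32.exe is told to load a file that is not a DLL, that sits directly in the shared profile data folder, or whose name looks random, and it flags any AuthorizedApplications entry granted to rundll32.exe, since a host process of that kind should never need its own firewall exception.

```python
import ntpath
import re

# Constructed sample HijackThis O4 lines (not from a real log). The first one
# follows the rundll32 / random .dat pattern the guide lists; the rest are
# ordinary autoruns so the heuristics have something benign to pass.
SAMPLE_HJT_LINES = [
    r'O4 - HKCU\..\Run: [a7f3c91e0b] rundll32.exe "C:\Documents and Settings\All Users\Application Data\a7f3c91e0b.dat",qzkvbw',
    r'O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
    r'O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background',
]

# Constructed .reg-style export of the XP firewall exception list: the
# rundll32.exe entry the guide associates with this rogue plus a normal one.
SAMPLE_FIREWALL_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Antivirus Center"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
'''

O4_RE = re.compile(
    r'^O4\s*-\s*(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$'
)
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<module>[^",]+?)"?\s*,\s*(?P<export>\S*)', re.IGNORECASE
)
# Shared-profile data roots for XP and Vista/7, lower-cased, as the *parent* of the module.
SHARED_DATA_ROOTS = ('\\all users\\application data', '\\programdata')
DLL_EXTENSIONS = ('.dll', '.cpl', '.ocx')
RANDOM_NAME_RE = re.compile(r'^[0-9a-z]{8,}$', re.IGNORECASE)


def looks_random(stem):
    """Heuristic: long alphanumeric name mixing letters and digits, e.g. 'a7f3c91e0b'."""
    return (bool(RANDOM_NAME_RE.match(stem))
            and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem))


def classify_o4(line):
    """Return a finding dict for a rundll32 autorun matching the rogue pattern, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    r = RUNDLL_RE.match(m.group('cmd').strip())
    if not r:
        return None                      # not a rundll32 launch; out of scope here
    module = r.group('module').strip()
    low = module.lower()
    stem, ext = ntpath.splitext(ntpath.basename(low))
    reasons = []
    if ext not in DLL_EXTENSIONS:
        reasons.append('rundll32 loading a %s file instead of a DLL' % (ext or 'extensionless'))
    if ntpath.dirname(low).endswith(SHARED_DATA_ROOTS):
        reasons.append('module dropped directly in the shared profile data folder')
    if looks_random(stem):
        reasons.append('random-looking module name')
    if not reasons:
        return None
    return {'hive': m.group('hive'), 'name': m.group('name'), 'module': module,
            'export': r.group('export'), 'reasons': reasons}


def find_rogue_autoruns(lines):
    return [f for f in (classify_o4(l) for l in lines) if f]


def suspicious_firewall_exceptions(reg_text):
    """Flag AuthorizedApplications\\List entries that hand rundll32.exe a firewall exception."""
    hits, in_list = [], False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith('['):
            in_list = line.rstrip(']').lower().endswith('\\authorizedapplications\\list')
            continue
        if not in_list or '=' not in line:
            continue
        value = line.split('=', 1)[1].strip().strip('"').replace('\\\\', '\\')
        parts = value.rsplit(':', 3)       # path:scope:Enabled|Disabled:description (drive colon stays in path)
        if ntpath.basename(parts[0]).lower() == 'rundll32.exe':
            hits.append({'exe': parts[0], 'description': parts[3] if len(parts) == 4 else ''})
    return hits


if __name__ == '__main__':
    for f in find_rogue_autoruns(SAMPLE_HJT_LINES):
        print(f['hive'], f['name'], f['module'], '; '.join(f['reasons']))
    for h in suspicious_firewall_exceptions(SAMPLE_FIREWALL_REG):
        print('firewall exception for', h['exe'], 'labelled', repr(h['description']))
```

On a live machine the same two checks can be run against `reg export` output of the HKCU Run key and the FirewallPolicy key; the random-name heuristic is deliberately loose and is only meant to rank candidates for a human to look at, not to delete anything on its own.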

 

Posted in Malware Removal

Be Careful If Searching For Images of Kate Middleton’s Dress

Real-world events occasionally generate a massive number of online searches. Japan’s recent earthquake and the tsunami that followed are a good example of a sudden event that turned the world’s attention to Google. And as topics trend in Google’s search results, Search Engine Optimization (SEO) attacks are attempted. Our March 11th post urged caution while searching for information.

The post also noted that Google has been doing a pretty good job of keeping SEO attacks at bay and filtered out of their search results. Web results, that is.

Since October of last year, we’ve seen a steady growth in image based SEO attacks. Because Google is winning the (cat and mouse) battle against malicious site SEO, some attackers have shifted to image searches. Image based SEO attacks are more of a technical challenge. Instead of following trends and then connecting to a hosted attack site, the attacker must instead connect a trending topic to a particular image, and then link that image to a compromised site, which then links to the attacker’s site.

It’s a fascinating evolution that our Threat Insights team has been investigating.

But we’ll provide more details about that in a future post.

Today, we want to mention what’s likely to be a heavily searched for image tomorrow, Kate Middleton’s wedding dress.

People aren’t simply going to want to read about the wedding of Prince William and Kate Middleton, they’re going to want to see it. And so tomorrow, we expect Google’s image search to be more popular than ever.

We’re already seeing some “royal wedding coverage” SEO attacks.

Here’s an example which includes some well known footballers in the results:

SEO image attacks

The image, called “0611-soccer-studs1-credit.jpg”, is linked to “lingerie-now-com”.

Google’s preview is loaded in the front, while the host site is loaded in the background.

SEO image attacks

What happens next is that the background site is linked to the attack site, which takes over the page and displays a warning message, an attempted scareware attack.

SEO image attacks

You can see the linkages here:

SEO image attacks

The site then renders an animated “Online Scan”:

SEO image attacks

All of the results are nonsense of course, this example is from a clean test machine:

SEO image attacks

Unfortunately, SEO driven scareware attacks are very successful, relatively speaking. Consumers have been scammed out of millions of dollars by this type of attack.

So be wary of this potential threat if you’re among those searching for wedding pictures.

SEO image attacks

Google’s Web search result for “royal wedding” places the couple’s official site at the top of the page.

And here’s another timely example of an image based SEO attack, from GFI Labs’ Christopher Boyd, targeting those who searched for US President Barack Obama’s birth certificate, which was released by the White House yesterday.

Posted in F-Secure

The Royal Wedding and The Fake Antivirus

The Royal Wedding of Prince William and Catherine Middleton that will be held tomorrow, on April 29, will attract the attention of many people around the world, and has become a trending topic on various websites, especially the social networking sites.

Unsurprisingly, it has also become an easy target for malware authors, who spread their malware using SEO poisoning techniques. This black hat SEO technique has been used by malware writers time and again, exploiting hot topics to improve their sites’ ranking in search engine results.

As you can see on Google Trends and Google Insights, the search volume increases massively, and it also happens on Facebook and Twitter.

When you do a search related to this, some of the results point to malicious websites.

When a victim clicks such a link, he is redirected to a malicious site that forces a download of a fake antivirus:

  • http://rnzrrljt.co.cc/[censored]
  • http://xnslrqlr.co.cc/[censored]

These point to the IP: 78.26.179.10.

The malicious site shows fake scanning dialogs and also displays fake alert messages.

Once the downloaded file is executed, the rogue application starts its actions.

The name used by this rogue application can differ. In our tests, the fake antivirus calls itself “Win 7 Anti-Spyware” on Windows 7, but on XP it shows up as “XP Home Security 2011”.

Emsisoft Anti-Malware detects this malware as Trojan.Win32.FakeAV. Currently, based on Virus Total, the detection rates are still low, only 10 of 41 detect it.

Posted in Emsisoft

Malicious E-Cards on the prowl

Emails disguised as electronic cards have been used as bait over and over again for malicious intent. The fact that they are overused is a clear indicator that this lure indeed works. Websense Security Labs™ and the Websense ThreatSeeker® Network recently came across an e-card themed email. Our customers are protected from this threat by ACE, our Advanced Classification Engine.

 

Let us first look at the sample email.  The URLs used in the emails are either compromised sites or were only created barely two weeks ago.

 

Screen shot 1 : Sample email that the Websense Email Threat Team got hold of recently



Clicking the URL within the email directs you to a site containing obfuscated code similar to the one shown in Screen shot 2. This code then creates an iframe containing another URL, which you can see in Screen shot 3.

 

Screen shot 2 : Obfuscated code of the URL that came with the email


Screen shot 3 : Deobfuscated code of the URL from the email.

 

The contents of the URL specified in the iframe contain another obfuscated script. This script, which uses redirection code strikingly similar to the one covered in our recent blog post, in turn drops the exploit code and runs a rogue AV on the victim’s machine.

 

Screen shot 4 : Code snippet of the URL specified in the iframe used in redirection

 

Having the victim click on the link and then download an executable is usually the norm in this type of attack. In this case, however, victims are exploited and malware is downloaded and executed simply by clicking the URL that came with the email.

 

Screen shot 5 : Snapshot of the malicious website used in the email

 

Websense Email Security and Websense Web Security protect against these kinds of blended attacks.

Posted in Security

Cyber Crooks All Set to Crash the British Royal Wedding

As we have seen with many major events in the past, news of the British Royal Wedding is currently being used by cyber criminals to bolster their spam campaigns and push rogue antivirus software through black hat search engine optimization (SEO) techniques.
 

Spam campaigns

We have blogged previously about “snowshoe” spammers targeting the upcoming British Royal Wedding of Prince William and Kate Middleton. Spam email messages advertising a replica of Princess Diana’s engagement ring that were observed in February are still making the rounds on the Internet, and the eve of the royal wedding is now upon us. Furthermore, as we had anticipated, we have recently observed additional spam campaigns making use of this significant event to promote various products.

In one such recent spam campaign, email promoting a “limited edition Buckingham Mint Royal Wedding Commemorative Coin” at a discounted rate is being observed:


 
The IP address involved in this particular spam attack belongs to a domain owned by an email marketing company based in the UK. The link in the body of the email first briefly redirects to the domain lpmtrk.info (created on January 14, 2011) before redirecting to the final destination site. This domain was registered using a domain privacy service to obscure its identity so it could be used for spamming activities.

In another spam campaign, limited edition customizable mugs and t-shirts are being promoted at a discounted rate:
 

 

Sample “From” and “Subject” lines observed in these and related spam attacks are listed below:

From: Sovenir <souvenir@yahveh.permissionalert.com>
From: Sovenir souvenir@ardent.informationfoot.com
From: “Timeless Royal Ring” <royalring@yinstenarm.com>
From: “British Heirloom Ring” <royalring@yinstenarm.com>

Subject: Get a limited-edition royal wedding mug now
Subject: Get A Limited Edition Royal Wedding T-Shirt Now
Subject: Share in the most anticipated wedding of the century
Subject: A Beautiful Simulated Sapphire Ring

The domains that are linked to the above email addresses are spammer-owned domains created recently, most likely for spamming purposes. The two domains used in the email addresses above were registered on April 7, 2011, to the same registrant. The links in the above spam emails first redirect to the domain linked to the email address before redirecting to the actual spam website. Spammers have also included opt-out links (not included in the screenshots above), which are most likely bogus.

The IP addresses involved in the above spam messages are traced back to the United States. These IP addresses have been blacklisted due to their past involvement in spam campaigns. Rest assured, Symantec Brightmail filters are in place to block these and related spam email attacks.
 

Black hat SEO

With only one day left before the “big day,” searches related to the Royal wedding are gaining momentum on the Web. Black hat SEO techniques are being used in “fake” pages to lure people looking for news related to the royal wedding.

At one point, a search for “william and kate movie imdb” returned 61 malicious links in the first 100 search results. Fifty-eight of the first 100 results for the search term “princess diana death photos” and 45 of the first 100 results for the search term “royal wedding guest list kanye” also led to malicious sites.

Screenshots of the search results for the term “royal wedding gown sketches” are shown below, in which Norton Safe Web indicates 6 of the 8 links are malicious:


 
Some of these poisoned pages receive very high search engine rankings, and appear in the first page of search results. The following screenshot shows a malicious URL appearing as the first link in the results (right below the news links) for the term “Royal wedding time.”

The Norton Safe Web site reports at safeweb.norton.com provide a detailed threat report for sites rated red or yellow:

Here are some other search terms currently returning poisoned links:

  • william and kate movie cast
  • prince charles age
  • princess diana death facts
  • prince harry last name
  • william and kate movie on lifetime
  • royal wedding guest list bush
  • royal wedding guest list snubs
  • prince charles siblings
  • the royal wedding date and time

We have seen over 500 compromised sites being used in this campaign over the past few days. Attackers create multiple fake pages on each site and use unethical SEO techniques (such as keyword stuffing, cloaking, and link farming) to “game” the search engine algorithms and achieve high search engine rankings.

These poisoned links generally have the following pattern:

hxxp://<domain name>/<random 2 character string>-<search keyword>

Most of these poisoned links redirect (307 Temporary Redirect) to co.cc domains that host rogue antivirus software. We came across 11 different co.cc domains being used in this campaign so far.
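The following Python script is an added example, not code from Symantec’s post, that applies the URL pattern above to web-proxy records. Its sample records are constructed (placeholder domains, hypothetical co.cc hosts). It treats a poisoned-pattern URL that answers with a 307 to a co.cc or cz.cc host (the free subdomain services named in this post and in the GFI posts on this page) as a confirmed hop into the rogue AV campaign, and reports a matching path with no such redirect at lower confidence; it then groups the confirmed hits by compromised site and by rogue landing host, the two counts the post reports.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy-log style records, not real traffic:
# (requested URL, HTTP status, Location header or None).
SAMPLE_REQUESTS = [
    ("http://gardenclub-example.org/xq-royal-wedding-gown-sketches", 307, "http://abcdefgh.co.cc/in.php?a=1"),
    ("http://smallbiz-example.net/zt-princess-diana-death-photos", 307, "http://abcdefgh.co.cc/in.php?a=2"),
    ("http://smallbiz-example.net/k9-prince-harry-last-name", 307, "http://ijklmnop.co.cc/in.php?a=3"),
    ("http://hobby-example.info/m3-william-and-kate-movie-cast", 200, None),
    ("http://www.example.com/news/royal-wedding-time", 200, None),
    ("http://gardenclub-example.org/about-us", 301, "http://gardenclub-example.org/about/"),
]

# Two random characters, a dash, then a keyword of at least two hyphen-joined
# words (a one-word path such as /en-us would otherwise match the pattern).
POISONED_PATH_RE = re.compile(
    r'^/(?P<prefix>[a-z0-9]{2})-(?P<keyword>[a-z0-9]+(?:-[a-z0-9]+)+)/?$'
)
# Free subdomain services the campaigns on this page redirect to (assumption: treat as rogue landing hosts).
ROGUE_HOST_SUFFIXES = ('.co.cc', '.cz.cc')


def poisoned_keyword(url):
    """Return the search keyword embedded in a poisoned-pattern URL, or None."""
    m = POISONED_PATH_RE.match(urlsplit(url).path.lower())
    return m.group('keyword').replace('-', ' ') if m else None


def is_rogue_landing(location):
    host = urlsplit(location).hostname if location else None
    return bool(host) and host.endswith(ROGUE_HOST_SUFFIXES)


def analyze_requests(records):
    """Classify each record, then group confirmed hits by compromised host and rogue landing host."""
    findings = []
    for url, status, location in records:
        keyword = poisoned_keyword(url)
        if keyword is None:
            continue
        redirect_host = urlsplit(location).hostname if location else None
        if status == 307 and is_rogue_landing(location):
            confidence = 'high'          # pattern plus the 307 hop to a co.cc rogue AV host
        else:
            confidence = 'pattern-only'  # path shape alone; worth a look, not a verdict
        findings.append({'url': url, 'host': urlsplit(url).hostname, 'keyword': keyword,
                         'redirect_host': redirect_host, 'confidence': confidence})
    compromised = defaultdict(set)
    rogue_hosts = set()
    for f in findings:
        if f['confidence'] == 'high':
            compromised[f['host']].add(f['keyword'])
            rogue_hosts.add(f['redirect_host'])
    return {'findings': findings,
            'compromised_hosts': dict(compromised),
            'rogue_hosts': rogue_hosts}


if __name__ == '__main__':
    result = analyze_requests(SAMPLE_REQUESTS)
    for f in result['findings']:
        print(f['confidence'], f['host'], '->', f['redirect_host'], '[%s]' % f['keyword'])
    print('compromised sites:', len(result['compromised_hosts']), 'rogue hosts:', len(result['rogue_hosts']))
```

The 307 plus co.cc condition is what separates this from ordinary URL hygiene: a compromised site’s own pages usually redirect elsewhere on the same host, whereas the poisoned pages bounce every keyword to a handful of throwaway landing domains, so the grouped output exposes the campaign infrastructure rather than one URL at a time.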

The screenshot below shows the usual fake scanning/rogue antivirus activity that claims a whole bunch of serious errors and threats need to be cleaned from your computer:

When searching for information on the Internet, make sure your legitimate antivirus software is updated and be wary of scam pages asking you to download “antivirus” software.

Symantec’s multilayered protection technologies provide coverage for all of these attacks. The Norton Safe Web toolbar identifies and blocks poisoned search results.

 

Norton survey results

Our Norton team at Symantec recently conducted a Royal Wedding survey. The results of the survey were released on April 18, 2011, and they exhibit some interesting facts, listed below, as well as some that were quite shocking:

* 62% of Americans surveyed are likely to follow the British royal wedding.

* 87% of those surveyed responded that, as of March 25, they were already following the news about the upcoming wedding.

* Moreover, one-third of respondents will seek their royal wedding news online, making them more susceptible to online scams and other threats.

* One-quarter of respondents said they are interested in the royal wedding primarily because they love the notion of royalty with all its pomp and ceremony.

* Nearly 1 in 4 said their primary reason for following the wedding is because they want to see the lavish decorations, food, and clothing.

Royal Wedding 2.0 – The first “e-royal wedding”

* Nearly 40% of all respondents will seek their royal wedding information online.

* 67% of 18-34 year olds will seek their royal wedding information online.
            
* 87% of 18-24 year olds will seek their royal wedding information online.

* More than a quarter of respondents will be watching the wedding on a computer, laptop, or mobile device, either live or recorded.

* 53% of respondents will potentially share their thoughts about the royal wedding online (e.g., social networks, micro-blogs, and blogs).

People are unaware and unprotected from cybercriminal “wedding crashers”

* 18-34 year olds are more than twice as likely to not have security software (or not know if they do) on their laptop or computer than those 45 or older.

* 87% of 18-24 year olds seek their royal wedding information through online channels, and, shockingly, that same proportion of 18-24 year olds don’t know what search engine optimization (SEO) poisoning is, or how it affects them.

—————————————

Note: This blog has been researched and written by Symantec’s Suyog Sainkar, Nithya Raman, and Helen Malani.

Posted in Symantec

Obama, birth certificates and Rogue AV


You probably saw that whole “Obama birth certificate” thing yesterday.

You’re also aware this means hunting around for pictures of his birth certificate is going to result in Rogue AV files popping up.

The first page of Google Image Search:


Click to Enlarge

That one in the middle was (until a little while ago) using a java exploit to install the Security Shield rogue.


Click to Enlarge


Click to Enlarge

You may want to avoid both tdssdt45(dot)cz(dot)cc and lopasana32(dot)cz(dot)cc. VirusTotal currently gives us 10/42, and we detect it as FraudTool.Win32.MSRemovalTool.ek!a (v).

Elsewhere, we have more rogue action – our old friend bestrxfinder(dot)com served up another search engine site, topdaofinder(dot)com, which directed the end-user to freemobilescannerprotection(dot)com after clicking on a search result. You wanted a birth certificate, you ended up with XP Anti-Spyware 2011.


Click to Enlarge

Whoops. We catch that one as FraudTool.Win32.FakeRean.d(v). Big news stories will always result in a wave of Rogue AV in both regular search and image links, so be careful where you click (as much as you possibly can, at any rate).

Thanks to Matthew, Adam and Patrick.

Christopher Boyd

Posted in GFI Software

DLL-Based FAKEAV Returns In The Wild

In our previous FAKEAV whitepaper, we presented how Trend Micro researchers tracked down the evolution of FAKEAV and classified its development, behavior-wise, according to generations. One of the early generations listed in the paper can be recalled as the DLL-based FAKEAV (4th Generation) – a FAKEAV group that uses a DLL file to perform all the malicious routines, primarily to avoid being terminated easily. A few months ago, however, we saw this particular generation again making its rounds in the wild, one of which we detect as TROJ_FAKEAV.BTV.

Click for larger view

In terms of appearance, 4th generation FAKEAV does not differ from the other FAKEAV generations. Under the hood, however, it can be recognized by the considerably large DLL component (samples of TROJ_FAKEAV.BTV are around 1.50MB in size), because the fake pop-ups, GUIs, and other scareware modules are all contained in the DLL.

FAKEAV as a Whole

Understanding how FAKEAV progressed over the years, it isn’t particularly surprising to see variants of 4th Generation FAKEAV back in the wild. For the most part we see them updating visually, rather than evolving technically. The bad guys knew that all it takes to maintain their steady supply of victims is to update the (rogue) antivirus software name and do some re-designing in their GUIs – a reason why we see so many FAKEAV GUIs today.

In parallel with these name updates, FAKEAV also changes its registry, file, and folder names in order to evade string-based AV detection. Nevertheless, regardless of how they update, strings will continue to be a weak point of the FAKEAV family: from them, antivirus researchers can craft generic rules/patterns for memory, process, file, and registry scanning and cleaning.

As such, we will continue to devote our time and effort to closely monitor prominent threats like the FAKEAV family, as well as provide adequate solutions to users. We advise users to keep themselves informed of the developments concerning threats such as FAKEAV, as well as to familiarize themselves with the nature of attacks. Users may refer to the guide we published last year, FAKEAV 101: How To Tell If Your Antivirus Is Fake.

Also, more information on the 4th Generation FAKEAV, as well as the other generations, is available in our report, The Dangers Rogue Antivirus Threats Pose.

Posted in Trendmicro

Kate Middleton has a blog, and some Fake AV

Ah, Kate. When she isn’t waving at babies, mingling with the commoners or appearing on Tumblrs she likes to set down some thoughts on her blog located at katemiddleton997(dot)typepad(dot)com:


Click to Enlarge

She also wants you to check out her movie clip. Unfortunately, this movie clip can’t be viewed unless you update your version of Flash. Alarm bells ringing yet?


Click to Enlarge

I’m not entirely convinced legit installs of Adobe Flash Player come from pornmovie(dot)cz(dot)cc, but in the mad dash to see some rich people larking about with money you’ll actually end up with AntiVirus AntiSpyware 2011 on your computer:


Click to Enlarge

Reports that every tenth install come with a Wills & Kate towel set are unconfirmed, but you definitely don’t want to commemorate the wedding with a Fake AV program.

Christopher Boyd (Thanks Patrick)

Posted in GFI Software

Anger after scam-exposing community shut down by Facebook

In a bizarre and hard-to-understand move, a Facebook page which claims it helped countless Facebook members stay safe online on the social network has been shut down… by Facebook.

The Bulldog Estate is one of a number of different resources on the internet dealing with the subject of Facebook scams, rogue applications, and the like. Other examples include Scam Sniper, FaceCrooks and Sophos’s own Facebook community.

On Monday 18th April, the Facebook page belonging to Scam Sniper was shut down by Facebook authorities:


Scam Sniper

Notice: The Sniper Has Been Shot. Facebook Disables The Admins Of The Facebook Fan Page Scam Sniper. http://goo.gl/RdlVF

Later that day, the same fate befell The Bulldog Estate’s Facebook presence, leading the scam-exposing site to say that Facebook had made a bad PR move:


The BULLDOG Estate

The BULLDOG Estate Facebook Page Has been Closed by Facebook, They Dont Like bad press, Watch… http://goo.gl/fb/K3ODY

The Scam Sniper Facebook page was eventually restored, but Tony Mazan, the owner of The Bulldog Estate, hasn’t had the same luck.

Mazan has been contacting Facebook since Monday attempting to understand why The Bulldog Estate’s Facebook page was closed, and how it might be recovered.

Today Mazan received a standard response from Facebook, which still wasn’t specific about the reasons that The Bulldog Estate’s Facebook presence had been killed off:

"Hi Tony

You created a Page that has violated our Statement of Rights and Responsibilities, and this Page has been removed. Facebook Pages may only be set up for the purpose of promoting a business or other commercial, political, or charitable organization or endeavor (including non-profit organizations, political campaigns, bands and celebrities), and only by an authorized representative of the entity or individual that is the subject of the Facebook Page. By creating a Facebook Page, you represent and warrant that you are authorized to do so by the person or entity that is the subject of the Facebook Page. Among other violations, Pages that are hateful, threatening, or obscene are not allowed. We also take down Pages that attack an individual or group or that promote or glorify violence, intolerance, racism or discrimination. Continued misuse of Facebook's features could result in your account being disabled."

This “explanation” clearly hasn’t satisfied the many fans of The Bulldog Estate, who have created pages urging Facebook to reinstate The Bulldog Estate, and left messages on Facebook’s official safety pages.

“We helped countless members on Facebook and supported Facebook in trying to help Facebook users stay safe online. We do not advertise or make money from our help, our blog writers are volunteers, and our admins are volunteers,” Tony Mazan of The Bulldog Estate told Naked Security. “What we can not understand is why Facebook removed a real help group and yet there are thousands of rogue applications, thousands of hate filled pages, thousands of fake profiles. We are as real as it gets and get shut down.”

“Is it because Facebook security never gets comments like ‘We Love you’ or ‘thanks for always alerting us on time with user-friendly information’,” continued Mazan. “As one of our supporters said – you may shut the dog outside, but you will never silence the bark.”

Although the language used on The Bulldog Estate’s website doesn’t beat around the bush, it seems clear to me that the content they produce is beneficial and helps Facebook users avoid scams and other attacks.

Maybe Facebook needs to be a little less robotic in its shutdown of this scam-exposing community, and could work a little more closely with Tony Mazan and his colleagues to bring what is a helpful resource for its users?

Update: The Bulldog Estate reports that its Facebook page has now been restored, and that Facebook has apologised for its mistake.

Posted in Sophos

Google Image Poisoning Leads to Exploit

Google search results have traditionally been the target of black hat SEO campaigns. Websense® Security Labs™ has identified a new trend in which cyber criminals take advantage of Google Image search rankings to spread malware.

Websense Security Labs Threatseeker® network has detected that Google Image search returns poisoned pictures when searching on celebrity child “Presley Walker”. We first found on Monday that all the image search results took users to a notorious exploit kit – Neosploit. Later, it changed to redirecting users to rogue AV sites. As we publish this blog, the search results are still poisoned and are leading to Neosploit again. Websense customers are protected from both types of attack by ACE, our Advanced Classification Engine.

The search results for “Presley Walker” through Google Image:

Let’s take a look at the first attack case. When a user clicks the pictures on the top line, the user will be redirected to a Neosploit exploit page.

Below is one of the redirection chains used by this exploit kit:

From the chain, we see the third URL is the malicious site holding the exploit code. We found that all the exploited sites are hosted on the same IP 66.235.180.91, and interestingly, they were constructed with the same path named TF19, which looks like a pattern of this campaign. Finally, it triggers whichever vulnerabilities the exploit kit targets for the user’s operating system and browser. From the chain above we see it downloaded a PDF file that targeted three Adobe Reader vulnerabilities. This PDF file is heavily obfuscated and has a relatively low VirusTotal detection rate.

The list of URLs hosted on the IP, as shown from our Threatseeker network:

Neosploit is a well-known exploit kit in the black market. The authors reportedly stopped supporting and updating the exploit kit due to financial problems, but variants of Neosploit have been updated frequently. The variants may contain MDAC (CVE-2006-0003), ActiveX (CVE-2008-2463, CVE-2008-1898), and three Adobe Reader (Collab.getIcon, Util.Printf, Collab.collectEmailInfo) vulnerabilities, among others.

The second case is one of the common tricks black hat SEO campaigns always use: luring users to download fake antivirus software called InstallInternetProtectionXXX.exe. From the VirusTotal scan result, only 20% of antivirus engines detected this malware.

The rogue AV page when using Firefox to surf the Web:

Posted in Security

How to remove Antivirus Protection and Antivirus Protection Trial (Uninstall Guide)

Antivirus Protection is a rogue anti-spyware program from the same family as Antivirus Soft and AV Security Suite. This family of rogues is installed through the use of malware and exploit kits that download and install Antivirus Protection onto your computer without your permission. When this program is installed it will be configured to start automatically when Windows starts, and once started, will perform a scan of your computer and state that it has found numerous infections. It will not, though, tell you the files that are supposedly infected and will also state that you cannot remove anything until you first purchase the program. This is a complete scam, as the program is scripted to display infections every time it is run. That means if you reinstalled Windows and ran Antivirus Protection it would still say that you are infected. It does this to scare you into thinking that your computer has a security problem so that you will then purchase the program. When you purchase the program, though, all you do is waste your money as the program has no useful function for your computer.

 

Antivirus Protection screen shot

 

When Antivirus Protection is running it will state that most programs are infected when you attempt to run them. The text of this fake infection alert is:

Virus Alert!
Application can’t be started. The file notepad.exe is damaged. Do you want to active your antivirus software now?

It does this for two reasons. The first is to make you think that your legitimate, and clean, programs are infected so that you will then purchase the rogue. The second reason is to block you from running any legitimate security programs that may help you remove this infection.

While Antivirus Protection is running it will also show you fake security alerts that attempt to further scare you into thinking you have an infection on your computer. These alerts will state that active malware has been detected or that your computer is under attack. The text of these alerts is:

Windows Security Alert
Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. Click here for the scan your computer. Your system might be at risk now.

Antivirus Software Alert
Infiltration Alert

Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan – dropper or similar.

Just like the other false infection alerts, these warnings are all fake and should be ignored. Last, but not least, Antivirus Protection will also configure your computer to use a proxy server at 127.0.0.1:47392, which is actually the Antivirus Protection program itself. This means that when you browse the web using Internet Explorer, the rogue will intercept all your web browser requests and instead display a page that shows a security warning about the site you are visiting. This warning states:

Internet Explorer warning – visiting this site may harm your computer!
Most likely causes:

  • The website contains exploits that can launch a malicious code on your computer
  • Suspicious network activity
  • There might be an active spyware running on your computer

These warnings should be ignored as they are false. If you use a browser other than Internet Explorer you will not see the warnings at all and can browse the Internet like normal.

Without a doubt, Antivirus Protection Trial was created solely to trick you into purchasing the program by convincing you that your computer has a security problem. Now that you know what this program does, it goes without saying that you should not purchase this program for any reason. If you already have purchased it, then we suggest you contact your credit card company and dispute the charges. To remove Antivirus Protection and any related malware, please follow the steps in the removal guide below.

 

Threat Classification:

 

Advanced information:

View Antivirus Protection files.
View Antivirus Protection Registry Information.

 

Entries for this program found in the Add or Remove Programs control panel:

Antivirus Protection 3.3.0

 

Tools Needed for this fix:

 

Symptoms that may be in a HijackThis Log:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:47392
O4 - HKLM\..\Run: [<random>] %Temp%\<random>\<random>.exe

 

Guide Updates:

09/18/08 – Initial guide creation.
04/20/11 – Updated for new rogue using the same name.

 


Automated Removal Instructions for Antivirus Protection using Malwarebytes’ Anti-Malware:

 

  1. Print out these instructions as we may need to close every window that is open later in the fix.

  2. Reboot your computer into Safe Mode with Networking. To do this, turn your computer off and then back on and immediately when you see anything on the screen, start tapping the F8 key on your keyboard. Eventually you will be brought to a menu similar to the one below:


    MalwareBytes Anti-Malware Screen

    Using the arrow keys on your keyboard, select Safe Mode with Networking and press Enter on your keyboard. If you are having trouble entering safe mode, then please use the following tutorial: How to start Windows in Safe Mode

    Windows will now boot into safe mode with networking and prompt you to login as a user. Please login as the same user you were previously logged in with in the normal Windows mode. Then proceed with the rest of the steps.

  3. It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

  4. Before we can do anything we must first end the processes that belong to Antivirus Protection so that it does not interfere with the cleaning procedure. To do this, please download RKill to your desktop from the following link.

    RKill Download Link – (Download page will open in a new tab or browser window.)

    When at the download page, click on the Download Now button labeled iExplore.exe download link. When you are prompted where to save it, please save it on your desktop.

  5. Once it is downloaded, double-click on the iExplore.exe icon in order to automatically attempt to stop any processes associated with Antivirus Protection and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by Antivirus Protection when it terminates programs that may potentially remove it. If you run into these infection warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that RKill can terminate Antivirus Protection. So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the guide. Do not reboot your computer after running RKill as the malware programs will start again.

    If you continue having problems running RKill, you can download the other renamed versions of RKill from the RKill download page. Both of these files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.

  6. Now you should download Malwarebytes’ Anti-Malware, or MBAM, from the following location and save it to your desktop:

    Malwarebytes’ Anti-Malware Download Link (Download page will open in a new window)


  7. Once downloaded, close all programs and Windows on your computer, including this one.

  8. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.

  9. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware checked. Then click on the Finish button. If MalwareBytes’ prompts you to reboot, please do not do so.

  10. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.


    MalwareBytes Anti-Malware Screen

  11. On the Scanner tab, make sure the Perform full scan option is selected and then click on the Scan button to start scanning your computer for Antivirus Protection related files.

  12. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.


    MalwareBytes Anti-Malware Scanning Screen

  13. When the scan is finished a message box will appear as shown in the image below.


    MalwareBytes Anti-Malware Scan Finished Screen

    You should click on the OK button to close the message box and continue with the Antivirus Protection Trial removal process.

  14. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.

  15. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.


    MalwareBytes Scan Results


    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the program’s quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.

  16. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.

  17. You can now exit the MBAM program.

  18. As many rogues and other malware are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:

    How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

 

Your computer should now be free of the Antivirus Protection Trial program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes’ Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

 


 

Associated Antivirus Protection Files:

%UserProfile%\Local Settings\Application Data\<random>\
%UserProfile%\Local Settings\Application Data\<random>\<random>.exe

File Location Notes:

%UserProfile% refers to the current user’s profile folder. By default, this is C:\Documents and Settings\ for Windows 2000/XP, C:\Users\ for Windows Vista/7, and c:\winnt\profiles\ for Windows NT.

 

Associated Antivirus Protection Windows Registry Information:

HKEY_CURRENT_USER\Software\<random>
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = "<local>"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5643"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "<random>"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "<random>"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.exe'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'

 

Posted in Malware Removal

Remove BitDefender 2011 (Uninstall Guide)

BitDefender 2011 is a rogue anti-spyware program from the same family as BitDefender 2011. This computer infection is named after, but should not be confused with, the legitimate antivirus programs from BitDefender. This rogue is promoted through web sites that pretend to be online anti-malware scanners, but are instead advertisements that, when finished, state your computer is infected. This fake scanner will then prompt you to download and install BitDefender 2011 on to your computer in order to protect it. It should be noted that these fake online scanners are just advertisements that have absolutely no way of knowing what is running on your computer. In fact they will show the same infection results to anyone who visits the page. Therefore, do not be concerned by what these online scanners show you.

 

BitDefender 2011 screen shot

 

When BitDefender 2011 is installed it will be configured to start automatically when Windows starts. Once started it will perform a scan on your computer and when finished state that it is infected with a variety of malware. If you attempt to use the program to remove any of the malware it finds, though, it will state that you first need to purchase the program before it will remove anything. This is a complete scam as the scan results are all fake and many of the listed files are actually legitimate files that if removed could cause problems for your computer. Therefore, do not manually remove any of the items it displays in its scan results.

While BitDefender 2011 is running it will also display alerts and warnings that attempt to scare you into thinking your computer has a serious computer security problem. These alerts will state that personal information is being stolen, active malware has been found, or that you are using unlicensed software. The text of some of these alerts is:

Warning!
Virtumonde is an adware program that tends to monitor your Internet browsing habits and may display targeted advertisements onto your computer screen. Virtumonde may also create a malicious DLL file in order to log your keystrokes and send the recorded information to a third party website. Virtumonde is an unwanted application and recommended to be removed.

Warning! Identity theft attempt detected!
Attacker IP: <random IP address>
Attack Target: Microsoft Corp. Keys
Description: Remote host tries to get access to your personal information.

Warning! New virus detected!
Threat Detected: Keylogger.iSnake.Pro
Infected File: C:\WINDOWS\system32\asr_ldm.exe

BitDefender 2011 also creates a new column in the Windows Task Manager that will display the word Infected next to various processes. It does this to further scare you into thinking that you have malicious processes running on your computer.

BitDefender 2011 will also attempt to protect itself by not allowing you to run various programs that may assist in removing it. When you attempt to run these types of programs, BitDefender 2011 will terminate the program and then state that the file is infected. The text of the infection alert is:

Warning! Active Virus Detected!
Threat Detected: Backdoor.Poison.BQA
Infected file: <random file name>
Action taken: Application Blocked
Description: This backdoor arrives as attachment to email messages spammed by another malware or malicious user. This is a backdoor component of the Darkmoon RAT (Remote Administration Tool), via this backdoor hackers attempt to control your PC.

Just like the fake scan results, all of the above security alerts are fake and only being shown to scare you into purchasing the program.

Last, but not least, BitDefender 2011 will hijack Internet Explorer, Firefox, Chrome, or Safari so that a different program is launched that displays a security alert. The text of the alert is:

About Internet Explorer Emergency Mode
Your PC is infected with malicious software and browse couldn’t be launched

You may use Internet Explorer in Emergency mode – internal service browser of Microsoft Windows system with limited usability.

Notice: Some sites refuse connection with Internet Explorer in Emergency Mode. In such case system warning page will be showed to you.

Just like the fake infection warnings, alerts, and scan results, these browser messages are all fake and your normal browsers will be restored when you follow the steps in the guide below.

Without a doubt, BitDefender 2011 was created for one reason: to scare you into thinking your computer has a security problem so that you will then purchase the program. It goes without saying that you should not purchase this program, and if you already have, please contact your credit card company to dispute the charge because the program is a scam and a computer infection. Finally, to remove BitDefender 2011 and any related malware, please use the removal guide below.

 

Threat Classification:

 

Advanced information:

View BitDefender 2011 files.
View BitDefender 2011 Registry Information.

 

Tools Needed for this fix:

 

Symptoms that may be in a HijackThis Log:

O4 - HKCU\..\Run: [BitDefender 2011] C:\Program Files\BitDefender 2011\bitdefender.exe

 

Guide Updates:

04/20/11 – Initial guide creation.

 


Automated Removal Instructions for BitDefender 2011 using Malwarebytes’ Anti-Malware:

 

  1. Print out these instructions as we may need to close every window that is open later in the fix.

  2. Reboot your computer into Safe Mode with Networking. To do this, turn your computer off and then back on and immediately when you see anything on the screen, start tapping the F8 key on your keyboard. Eventually you will be brought to a menu similar to the one below:

    MalwareBytes Anti-Malware Screen

    Using the arrow keys on your keyboard, select Safe Mode with Networking and press Enter on your keyboard. If you are having trouble entering safe mode, then please use the following tutorial: How to start Windows in Safe Mode

    Windows will now boot into safe mode with networking and prompt you to login as a user. Please login as the same user you were previously logged in with in the normal Windows mode. Then proceed with the rest of the steps.

  3. It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

  4. Before we can do anything we must first end the processes that belong to BitDefender 2011 so that it does not interfere with the cleaning procedure. To do this, please download RKill to your desktop from the following link.

    RKill Download Link – (Download page will open in a new tab or browser window.)

    When at the download page, click on the Download Now button labeled iExplore.exe download link. When you are prompted where to save it, please save it on your desktop.

  5. Once it is downloaded, double-click on the iExplore.exe icon in order to automatically attempt to stop any processes associated with BitDefender 2011 and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by BitDefender 2011 when it terminates programs that may potentially remove it. If you run into these infection warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that RKill can terminate BitDefender 2011. So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the guide. Do not reboot your computer after running RKill as the malware programs will start again.

    If you continue having problems running RKill, you can download the other renamed versions of RKill from the RKill download page. Both of these files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.

  6. Now you should download Malwarebytes’ Anti-Malware, or MBAM, from the following location and save it to your desktop:

    Malwarebytes’ Anti-Malware Download Link (Download page will open in a new window)

  7. Once downloaded, close all programs and Windows on your computer, including this one.

  8. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.

  9. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware checked. Then click on the Finish button. If MalwareBytes’ prompts you to reboot, please do not do so.

  10. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.

    MalwareBytes Anti-Malware Screen

  11. On the Scanner tab, make sure the Perform full scan option is selected and then click on the Scan button to start scanning your computer for BitDefender 2011 related files.

  12. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.

    MalwareBytes Anti-Malware Scanning Screen

  13. When the scan is finished a message box will appear as shown in the image below.

    MalwareBytes Anti-Malware Scan Finished Screen

    You should click on the OK button to close the message box and continue with the BitDefender 2011 removal process.

  14. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.

  15. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

    MalwareBytes Scan Results

    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the program’s quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.

  16. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.

  17. You can now exit the MBAM program.

  18. As many rogues and other malware are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:

    How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

 

Your computer should now be free of the BitDefender 2011 program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes’ Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

 


 

Associated BitDefender 2011 Files:

c:\Program Files\BitDefender 2011\
c:\Program Files\BitDefender 2011\bitdefender.exe
c:\Documents and Settings\All Users\Start Menu\BitDefender 2011\
c:\Documents and Settings\All Users\Start Menu\BitDefender 2011\BitDefender 2011.lnk
%AllUsersProfile%\Start Menu\BitDefender 2011\Uninstall.lnk
%UserProfile%\Desktop\BitDefender 2011.lnk
%Temp%\srvED4.ini
%Temp%\srvED4.tmp

File Location Notes:

%UserProfile% refers to the current user’s profile folder. By default, this is C:\Documents and Settings\ for Windows 2000/XP, C:\Users\ for Windows Vista/7, and c:\winnt\profiles\ for Windows NT.

%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\ProfileName\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\ProfileName\AppData\Local\Temp for Windows Vista and Windows 7.

%AllUsersProfile% refers to the All Users Profile folder. By default, this is C:\Documents and Settings\All Users for Windows 2000/XP and C:\ProgramData\ for Windows Vista/7.

 

Associated BitDefender 2011 Windows Registry Information:

HKEY_CURRENT_USER\Software\EVAEC2
HKEY_CURRENT_USER\Software\MonEC2
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "BitDefender 2011" = 'C:\Program Files\BitDefender 2011\bitdefender.exe'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe "Debugger" = 'msiexecs.exe -sb'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe "Debugger" = 'msiexecs.exe -sb'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe "Debugger" = 'msiexecs.exe -sb'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe "Debugger" = 'msiexecs.exe -sb'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe "Debugger" = 'msiexecs.exe -sb'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "WinNT-EVI 21.04.2011"
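The Image File Execution Options entries above are how this rogue intercepts every browser launch: Windows starts whatever the "Debugger" value names instead of the requested program. The following PowerShell is an added example, not part of the guide, that lists such entries and flags any whose debugger is not on a small allow-list (the allow-list is an assumption; extend it for your environment).

```powershell
# Added example (not from the guide): list every Image File Execution Options
# entry that carries a "Debugger" value. Windows starts that program instead of
# the named one, which is how the rogue above intercepts chrome.exe, firefox.exe,
# iexplore.exe, opera.exe and safari.exe with "msiexecs.exe -sb".

$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # 32-bit view on 64-bit Windows; absent on 32-bit systems and skipped below
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Debuggers that legitimately live here (assumption: adjust to your environment,
# e.g. add procexp.exe if Process Explorer replaces Task Manager this way).
$knownDebuggers = @('vsjitdebugger.exe', 'windbg.exe', 'cdb.exe', 'ntsd.exe')

function Get-IfeoDebugger {
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
            if (-not $props -or [string]::IsNullOrWhiteSpace($props.Debugger)) { continue }
            # The value is a command line; the first token is the program that runs.
            $exe = ($props.Debugger.Trim() -split '\s+')[0].Trim('"')
            $exeName = [IO.Path]::GetFileName($exe).ToLowerInvariant()
            [PSCustomObject]@{
                Target     = $key.PSChildName          # program being intercepted
                Debugger   = $props.Debugger           # what actually runs
                Suspicious = ($knownDebuggers -notcontains $exeName)
                KeyPath    = $key.PSPath
            }
        }
    }
}

$hits = @(Get-IfeoDebugger)
$hits | Format-Table Target, Debugger, Suspicious -AutoSize

# Remove the suspicious Debugger values. -WhatIf only prints what would happen;
# drop it once you have reviewed the table. Needs an elevated prompt.
foreach ($hit in $hits | Where-Object { $_.Suspicious }) {
    Remove-ItemProperty -LiteralPath $hit.KeyPath -Name 'Debugger' -WhatIf
}
```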

 

Posted in Malware Removal

Unfollowed Me rogue application spreads virally on Twitter

Once again Twitter users are finding themselves hit by a fast-infecting attack, more commonly encountered by their Facebook-using cousins: a rogue application spreading virally across the network.

Thousands of Twitter users have fallen into the trap of allowing rogue third-party applications to access their Twitter accounts, believing that it would tell them how many people have unfollowed them.

42 people have unfollowed me, find out how many have unfollowed you

A typical message reads:

58 people have unfollowed me, find out how many have unfollowed you: [LINK] #rw2011 #duringsexplease #youneedanasswhoopin

See the hashtags? They appear to be currently trending phrases on Twitter – presumably the rogue applications are using them in the messages they spam out in an attempt to trick more users into clicking on the links.

If you do click on the link you are asked to give authorisation for a third-party application to access your Twitter account.

Rogue application on Twitter

Don’t, whatever you do, press the “Allow” button. If you do, then a third party is now capable of tweeting messages in your name to all of your Twitter followers – which spreads the scam virally across Twitter and may result in one of your online friends also having their account compromised.

So, how do the scammers make money? That’s the next piece of the jigsaw.

You’re anxious to find out who has unfollowed you on Twitter. The scammers take advantage of that by presenting a webpage which looks as if it’s about to reveal that information – but is actually designed to make you take an online survey instead.

Rogue application survey scam

The scammers make money for each survey that is completed.

If you were unfortunate enough to grant one of these rogue applications access to your Twitter account, revoke its rights immediately by going to the Twitter website and visiting Settings/Connections and revoking the offending app’s rights.

Revoke rogue app rights

(Note that the scammers are using a variety of different applications – so you may see a different name from the one I picture above).

Don’t make it easy for scammers to make money in this way, and always exercise caution about which third party apps you allow to connect with your social networking accounts.

If you’re on Twitter and want to learn more about threats, be sure to follow Naked Security’s team of writers.

Posted in Sophos

An open letter to Facebook about safety and privacy

Dear Facebook,

As you know, for some years we have been discussing with your security team our concerns about safety and privacy on Facebook.

Every day, victims report to us numerous incidents of crime and fraud on Facebook. They have been personally affected and are desperate for advice on how to deal with the consequences.

A frequent refrain from users who contact us is, ‘Why doesn’t Facebook do more to protect us?’

We have identified three simple steps you can take to better protect your users:

1) PRIVACY BY DEFAULT

No more sharing of information without your users’ express agreement (OPT-IN). Whenever you add a new feature to share additional information about your users, you should not assume that they want this feature turned on.

2) VETTED APP DEVELOPERS

It is far too easy to become a developer on Facebook. With over one million app developers already registered on the Facebook platform, it is hardly surprising that your service is riddled with rogue applications and viral scams. Only vetted and approved third-party developers should be allowed to publish apps on your platform.

3) HTTPS FOR EVERYTHING

We welcome you recently introducing an HTTPS option, but you left it turned off by default. Worse, you only commit to provide a secure connection “whenever possible”. Facebook should enforce a secure connection all the time, by default. Without this protection, your users are at risk of losing personal information to hackers.

Why wait until regulators force your hand on privacy? Act now for the greater good of all.

Your users tell us that these are issues they want resolved. So our question is simple: when do you plan to act?

Sincerely,

Naked Security

Posted in Sophos

Doctor Who calling-on Skype, with malware

Earlier this week, I received a phone call via Skype on my laptop; the caller’s ID was “dralerthelpzc8”, as in Dr Alert Help ZC8. The voice on the other end was automated, computerized and otherwise non-human, and alerted me that I had a virus that affects Windows Vista, Windows XP and Windows 7 and that I needed to visit a website to download an update. (This is somewhat similar to the situation where a live person calls and purports to be a Microsoft employee who wants to help you clean your computer. We want to point out that no Microsoft employee would ever call you in an unsolicited manner.)

I found the mystery Skype call odd on two accounts – one, I work for a security company that develops antimalware security software, and two, my Skype settings were initially set to not display whether I’m online. Apparently my privacy settings had no effect on whether I received a random call. More on that later.

After some checking around various forums about this ‘helpful’ (not!) voice message alert, I discovered that many people in the Skype community have also received similar phone calls. There were a lot of references to “scam” and “rogue AV scanners” so my gut feeling was not too far off at all. I did find some other forums that included screen shots that indicated a tell-tale sign that indeed, the referenced site distributed rogue software.

According to IP records, the site mentioned in the automated call (sos**.com, obfuscated intentionally) is listed as belonging to ASN 4134, aka CHINANET-BACKBONE, which has a long list of IP addresses known to distribute malicious code. I attempted to visit the site; however, it was already offline, returning an HTTP 404. There was a cached view available and it resembled a version of a fake scanner web page:

 

Image 1 – cached page sos**.com

One forum displayed a screen shot, captured in March, that listed a system tray dialog that looked vaguely familiar. Below is a copy of the message text:

 

Warning errors detected

Click here to view errors list.
Remove this errors as soon as possible to prevent
data lost and privacy information exposure

 

This error message was also used by Trojan:Win32/FakeSpyguard in 2008. The forum mentioned that clicking on the system tray message redirects the web browser to an online purchasing site (also offline) where you can enter a CC number to purchase the (presumed to be) rogue malware.

Reviewing the sequence of events, I decided I would make changes to my Skype account to prevent future spam phone calls of this nature, for instance:

  • select ‘Allow calls from people in my Contact list only’
  • select ‘Show that I have video to people in my Contact list only’
  • select ‘Automatically receive video and screen sharing from people in my Contact list only’
  • select ‘Allow IMs from people in my Contact list only’
  • unselect ‘Allow my online status to be shown on the web’


Image 2 – Skype privacy settings


For more articles on Skype security, visit this link on the Skype product site:
http://www.skype.com/intl/en-us/security/

- Dan Nicolescu & Patrick Nolan, MMPC

Posted in Microsoft

How to Remove Windows Fix Disk or WindowsFixDisk (Uninstall Guide)

WindowsFixDisk is a fake computer analysis and optimization program that displays fake information in order to scare you into believing that there is an issue with your computer. WindowsFixDisk is installed via Trojans that display false error messages and security warnings on the infected computer. These messages state that there is something wrong with your computer’s hard drive and then suggest that you download and install a program that can fix the problem. When you click on one of these alerts, WindowsFixDisk will automatically be downloaded and installed onto your computer.

Once installed, WindowsFixDisk will be configured to start automatically when you login to Windows. Once started, it will display numerous error messages when you attempt to launch programs or delete files. WindowsFixDisk will then prompt you to scan your computer, which will then find a variety of errors that it states it cannot fix until you purchase the program. When you use the so-called defragment tool it will state that it needs to run in Safe Mode and then show a fake Safe Mode background that pretends to defrag your computer. As this program is a scam do not be scared into purchasing the program when you see its alerts.

 

WindowsFixDisk screen shot (one of 4 images)

 

To further make it seem like your computer is not operating correctly, WindowsFixDisk will also make it so that certain folders on your computer display no contents. When opening these folders, such as C:\Windows\System32\ or various drive letters, instead of seeing the normal list of files it will instead display a different folder’s contents or make it appear as if the folder is empty. This is done to make it seem like there is corruption on your hard drive that is causing your files to not be displayed. It does this by adding the +H, or hidden, attribute to all of your files, which causes your files to become hidden. It will then change your Windows settings so that you cannot view hidden and system files. Once the rogue’s processes are terminated you can enable the setting to view hidden files, and thus be able to see your files and folders again, by following the instructions in this tutorial:

How to see hidden files in Windows

WindowsFixDisk also attempts to make it so you cannot run any programs on your computer. If you attempt to launch a program it will terminate it and state that the program or hard drive is corrupted. It does this to protect itself from anti-virus programs you may attempt to run and to make your computer unusable so that you will be further tempted to purchase the rogue. The messages that you will see when you attempt to run a program are:

Hard Drive Failure
The system has detected a problem with one or more installed IDE / SATA hard disks. It is recommended that you restart the system.

Or

System Error
An error occurred while reading system files. Run a system diagnostic utility to check your hard disk drive for errors.

Or

Critical Error
Hard drive critical error. Run a system diagnostic utility to check your hard disk drive for errors. Windows can’t find hard disk space. Hard drive error.

After you close this alert you will be presented with another alert that pretends to be for a program that will attempt to fix your hard drive.

Fix Disk
WindowsFixDisk Diagnostics will scan the system to identify performance problems.
Start or Cancel

If you press the Start button, it will pretend to scan your computer and then state that there is something wrong with it. This message is:

WindowsFixDisk Diagnostics
Windows detected a hard disk error.
A problem with the hard drive sectors has been detected. It is recommended to download the following sertified
<sic> software to fix the detected hard drive problems. Do you want to download recommended software?

These are just further alerts trying to make you think your computer has a serious hard drive problem. It should be noted that if you attempt to run a program enough times it will eventually work.

When you perform the scan or use the fake WindowsFixDisk it will state that there are numerous problems on your computer, but that you first need to purchase it before it can fix any of them. Some examples of the fake problems it detects on your computer are:

Requested registry access is not allowed. Registry defragmentation required
Read time of hard drive clusters less than 500 ms
32% of HDD space is unreadable
Bad sectors on hard drive or damaged file allocation table
GPU RAM temperature is critically high. Urgent RAM memory optimization is required to prevent system crash
Drive C initializing error
Ram Temperature is 83 C. Optimization is required for normal operation.
Hard drive doesn’t respond to system commands
Data Safety Problem. System integrity is at risk.
Registry Error – Critical Error

While Windows Fix Disk is running it will also display fake alerts from your Windows taskbar. These alerts are designed to further scare you into thinking that your computer has an imminent hardware failure. The text of some of the alerts you may see include:

Critical Error!
Damaged hard drive clusters detected. Private data is at risk.

Critical Error
Hard Drive not found. Missing hard drive.

Critical Error
RAM memory usage is critically high. RAM memory failure.

Critical Error
Windows can’t find hard disk space. Hard drive error

Critical Error!
Windows was unable to save all the data for the file \System32\496A8300. The data has been lost. This error may be caused by a failure of your computer hardware.

Critical Error
A critical error has occurred while indexing data stored on hard drive. System restart required.

System Restore
The system has been restored after a critical error. Data integrity and hard drive integrity verification required.

Activation Reminder
WindowsFixDisk Activation
Advanced module activation required to fix detected errors and performance issues. Please purchase Advanced Module license to activate this software and enable all features.

Low Disk Space
You are running very low disk space on Local Disk (C:).

Windows – No Disk
Exception Processing Message 0×0000013

Just like the fake corruption messages and fake scan results, these alerts are only designed to scare you into purchasing the program.

To make matters worse, recent variants of this family have been installing the TDSS rootkit as well. This rootkit will perform redirects when visiting search links in Google, play strange audio advertisements, and make it so that you are unable to update your security programs. If you are infected with Windows Fix Disk and are unable to update your Malwarebytes’ Anti-Malware definitions then you most likely have this rootkit installed. If this is the case, this guide will not be able to help you and you should instead follow the instructions in this topic in order to receive one-on-one help in removing this infection.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Without a doubt, the tactics utilized by this program are fraudulent and criminal. Therefore, do not purchase Windows Fix Disk for any reason, and if you already have, please contact your credit card company and state that the program is a computer infection and a scam and that you would like to dispute the charge. To remove this infection and related malware, please follow the steps in the guide below.

 

Threat Classification:

 

Advanced information:

View WindowsFixDisk files.
View WindowsFixDisk Registry Information.

 

Tools Needed for this fix:

 

Symptoms that may be in a HijackThis Log:

Windows Vista & 7:

O4 - HKCU\..\Run: [<random>.exe] %AllUsersProfile%\<random>.exe
O4 - HKCU\..\Run: [<random>] %AllUsersProfile%\<random>.exe

Windows XP:

O4 - HKCU\..\Run: [<random>.exe] %AllUsersProfile%\Application Data\<random>.exe
O4 - HKCU\..\Run: [<random>] %AllUsersProfile%\AppData\<random>.exe

 

Guide Updates:

04/13/11 – Initial guide creation.

 


Automated Removal Instructions for WindowsFixDisk using Malwarebytes’ Anti-Malware:

 

  1. Print out these instructions as we may need to close every window that is open later in the fix.

  2. It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

  3. Before we can do anything we must first end the processes that belong to WindowsFixDisk so that it does not interfere with the cleaning procedure. To do this, please download RKill to your desktop from the following link.

    RKill Download Link – (Download page will open in a new tab or browser window.)

    When at the download page, click on the Download Now button labeled iExplore.exe download link. When you are prompted where to save it, please save it on your desktop.

  4. Once it is downloaded, double-click on the iExplore.exe icon in order to automatically attempt to stop any processes associated with WindowsFixDisk and other Rogue programs. If you cannot find the iExplore.exe icon that you downloaded, you can also execute the program by doing the following steps based on your version of Windows:

    For Windows 7 and Windows Vista, click on the Start button and then in the search field enter %userprofile%\desktop\iexplore.exe and then press the Enter key on your keyboard. If Windows prompts you to allow it to run, please allow it to do so.

    For Windows XP, click on the Start button and then click on the Run menu option. In the Open: field enter %userprofile%\desktop\iexplore.exe and press the OK button. If Windows prompts you to allow it to run, please allow it to do so.

    Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by WindowsFixDisk when it terminates programs that may potentially remove it. If you run into these infection warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, you can typically bypass the malware’s attempt to protect itself so that RKill can terminate WindowsFixDisk. So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the guide. If you continue having problems running RKill, you can download the other renamed versions of RKill from the RKill download page. All of the files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.

    Do not reboot your computer after running RKill as the malware programs will start again.



  5. As this infection is known to be bundled with the TDSS rootkit infection, you should also run a program that can be used to scan for this infection. Please follow the steps in the following guide:
    How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller
    If after running TDSSKiller, you are still unable to update Malwarebytes’ Anti-malware or continue to have Google search result redirects, then you should post a virus removal request using the steps in the following topic rather than continuing with this guide:

    Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help Topic

  6. Now you should download Malwarebytes’ Anti-Malware, or MBAM, from the following location and save it to your desktop:

    Malwarebytes’ Anti-Malware Download Link (Download page will open in a new window)


  7. Once downloaded, close all programs and windows on your computer, including this one.

  8. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.

  9. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware checked. Then click on the Finish button. If MalwareBytes’ prompts you to reboot, please do not do so.

  10. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.


    MalwareBytes Anti-Malware Screen

  11. On the Scanner tab, make sure the Perform full scan option is selected and then click on the Scan button to start scanning your computer for WindowsFixDisk related files.

  12. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.


    MalwareBytes Anti-Malware Scanning Screen

  13. When the scan is finished a message box will appear as shown in the image below.


    MalwareBytes Anti-Malware Scan Finished Screen

    You should click on the OK button to close the message box and continue with the Windows Fix Disk removal process.

  14. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.

  15. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.


    MalwareBytes Scan Results


    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the program’s quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.

  16. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.

  17. You can now exit the MBAM program.

  18. This infection family will also hide all the files on your computer from being seen. To make your files visible again, please download the following program to your desktop:

    Unhide.exe

    Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

  19. Finally, as many rogues and other malware are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:

    How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector
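The +H trick described earlier (the rogue stamps the hidden attribute on your files and then turns off Explorer’s hidden-file view) is what step 18’s Unhide.exe reverses. The PowerShell below is an added example of the same repair, not the guide’s Unhide.exe; it assumes the rogue is already stopped and that the user profile and Program Files are the roots worth walking.

```powershell
# Added example, not the guide's Unhide.exe: undo the two things the text
# describes, the Explorer view settings the rogue flips and the +H attribute it
# stamps on your files. Run from an elevated PowerShell after RKill/MBAM have
# stopped the rogue; it leaves files that Windows itself hides alone.

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Restore-ExplorerViewSettings {
    # The rogue writes Hidden=0 and ShowSuperHidden=0 (see its registry list).
    # Hidden=1 shows hidden files; ShowSuperHidden=1 also shows protected OS files.
    Set-ItemProperty -LiteralPath $advanced -Name 'Hidden' -Value 1 -Type DWord
    Set-ItemProperty -LiteralPath $advanced -Name 'ShowSuperHidden' -Value 1 -Type DWord
}

function Clear-RogueHiddenAttribute {
    param(
        [Parameter(Mandatory)] [string[]] $Root,
        [switch] $Preview   # list what would change without touching anything
    )
    $hidden = [IO.FileAttributes]::Hidden
    $system = [IO.FileAttributes]::System
    $cleared = 0
    foreach ($r in $Root) {
        # -Force is required, otherwise Get-ChildItem skips hidden items entirely.
        $items = Get-ChildItem -LiteralPath $r -Recurse -Force -ErrorAction SilentlyContinue
        foreach ($item in $items) {
            # Skip Hidden+System items (desktop.ini, thumbs.db, $RECYCLE.BIN ...):
            # those are hidden by Windows, not by the rogue.
            if ([int]($item.Attributes -band $hidden) -eq 0) { continue }
            if ([int]($item.Attributes -band $system) -ne 0) { continue }
            if ($Preview) {
                Write-Output "would unhide: $($item.FullName)"
            } else {
                # Hidden is known to be set here, so XOR clears exactly that bit.
                $item.Attributes = $item.Attributes -bxor $hidden
                $cleared++
            }
        }
    }
    return $cleared
}

# Roots to repair (assumption: the profile and Program Files cover the typical
# case; Unhide.exe itself walks every fixed drive).
$roots = @($env:USERPROFILE, $env:ProgramFiles)

Restore-ExplorerViewSettings
Clear-RogueHiddenAttribute -Root $roots -Preview        # look first
# Clear-RogueHiddenAttribute -Root $roots               # then do it for real
```

As the guide notes for Unhide.exe, anything you had hidden on purpose under those roots will need to be hidden again afterwards.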

 

Your computer should now be free of the Windows Fix Disk program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes’ Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

 


 

Associated WindowsFixDisk Files:

Windows Vista & 7:

%AllUsersProfile%\~<random>
%AllUsersProfile%\~<random>r
%AllUsersProfile%\<random>.dll
%AllUsersProfile%\<random>.exe
%AllUsersProfile%\<random>
%AllUsersProfile%\<random>.exe
%UserProfile%\Desktop\Windows Fix Disk.lnk
%UserProfile%\Start Menu\Programs\Windows Fix Disk\
%UserProfile%\Start Menu\Programs\Windows Fix Disk\Uninstall Windows Fix Disk.lnk
%UserProfile%\Start Menu\Programs\Windows Fix Disk\Windows Fix Disk.lnk

Windows XP:

%AllUsersProfile%\Application Data\~<random>
%AllUsersProfile%\Application Data\~<random>r
%AllUsersProfile%\Application Data\<random>.dll
%AllUsersProfile%\Application Data\<random>.exe
%AllUsersProfile%\Application Data\<random>
%AllUsersProfile%\Application Data\<random>.exe
%UserProfile%\Desktop\Windows Fix Disk.lnk
%UserProfile%\Start Menu\Programs\Windows Fix Disk\
%UserProfile%\Start Menu\Programs\Windows Fix Disk\Uninstall Windows Fix Disk.lnk
%UserProfile%\Start Menu\Programs\Windows Fix Disk\Windows Fix Disk.lnk

File Location Notes:

%UserProfile% refers to the current user’s profile folder. By default, this is C:\Documents and Settings\ for Windows 2000/XP, C:\Users\ for Windows Vista/7, and c:\winnt\profiles\ for Windows NT.

%AllUsersProfile% refers to the All Users Profile folder. By default, this is C:\Documents and Settings\All Users for Windows 2000/XP and C:\ProgramData\ for Windows Vista/7.

 

Associated WindowsFixDisk Windows Registry Information:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "<random>.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "<random>"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'
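Several of the values above do more than hide files: they switch off certificate revocation and bad-certificate warnings in Internet Explorer, stop signature checks on downloaded executables, drop the zone tag from downloads, and disable Task Manager. The PowerShell below is an added example, not part of the guide, that reports which of these are still in the rogue’s state; it also decodes the LowRiskFileTypes value, and the XOR-1 decoding is my own reading of the string as printed above, not something the guide states.

```powershell
# Added example (not from the guide): report which of the settings in the
# registry list above are still in the state WindowsFixDisk leaves them in, and
# decode the LowRiskFileTypes value. The XOR-1 decoding is my reading of the
# value as printed on this page.

$checks = @(
    # key, value name, value the rogue writes, effect of that value
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',    'CertificateRevocation', 0,    'IE skips certificate revocation checks'),
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',    'WarnonBadCertRecving',  0,    'IE does not warn about bad server certificates'),
    @('HKCU:\Software\Microsoft\Internet Explorer\Download',                  'CheckExeSignatures',    'no', 'IE skips signature checks on downloaded executables'),
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments', 'SaveZoneInformation',   1,    'downloads no longer carry their zone tag (Mark of the Web)'),
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',      'DisableTaskMgr',        1,    'Task Manager disabled for this user'),
    @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',      'DisableTaskMgr',        1,    'Task Manager disabled machine-wide'),
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced',    'Hidden',                0,    'Explorer hides hidden files'),
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced',    'ShowSuperHidden',       0,    'Explorer hides protected operating system files')
)

function Get-RogueSettingState {
    foreach ($c in $checks) {
        $key, $name, $bad, $effect = $c
        $current = (Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue).$name
        [PSCustomObject]@{
            Key        = $key
            Name       = $name
            Current    = $current
            RogueState = ($null -ne $current -and "$current" -eq "$bad")
            Effect     = $effect
        }
    }
}

function ConvertFrom-XorOne {
    # Each character of the printed string XOR 1 gives the real one: "/{hq:" -> ".zip;"
    param([string] $Text)
    -join ($Text.ToCharArray() | ForEach-Object { [char]([int][char]$_ -bxor 1) })
}

function Test-LowRiskFileTypes {
    param([string] $Value)   # the semicolon-separated extension list
    # Extensions that run code; listing them here suppresses the Attachment
    # Manager warning for them (assumption: this list is not exhaustive).
    $executable = @('.exe', '.bat', '.com', '.cmd', '.scr', '.msi', '.reg', '.pif', '.vbs', '.js')
    $listed = @($Value -split ';' | Where-Object { $_ -ne '' })
    @($listed | Where-Object { $executable -contains $_.ToLowerInvariant() })
}

Get-RogueSettingState | Format-Table Name, Current, RogueState, Effect -AutoSize

# The value exactly as printed in the registry list above.
$printed = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
$decoded = ConvertFrom-XorOne $printed
"LowRiskFileTypes decodes to: $decoded"
"Executable types marked low risk: $((Test-LowRiskFileTypes $decoded) -join ' ')"

# Compare with what is actually in the registry on this machine, if present.
$assoc = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'
$live = (Get-ItemProperty -LiteralPath $assoc -Name 'LowRiskFileTypes' -ErrorAction SilentlyContinue).LowRiskFileTypes
if ($live) { "Live value marks as low risk: $((Test-LowRiskFileTypes $live) -join ' ')" }
```

Decoded, the printed value reads `.zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;`, so the rogue marks executables, scripts and registry files as low risk.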

 

Posted in Malware Removal

Spamvertised “Reqest Rejected” Campaign Serving Scareware


A currently spamvertised scareware-serving campaign is enticing end users into downloading and executing a malicious binary, which drops a scareware variant.

Sample subject: Reqest rejected
Sample message: Dear Sirs, Thank you for your letter! Unfortunately we can not confirm your request! More information attached in document below. Thank you Best regards.
Sample attachments: EX-38463.pdf.zip; EX-38463.pdf.exe

Detection rate:
EX-38463.pdf.exe – TrojanDownloader:Win32/Chepvil.J – Result: 11/41 (26.8%)
MD5   : 5085794e6c283ebcfa3878805b9e7be7
SHA1  : 1fbd8d3b0a3479274d8f09543452bf724bcb245c
SHA256: c03711dbafae9b296daed8720f997d84caa5e5a5407a689926050a061d67b932

Upon execution downloads hdjfskh.net/ pusk.exe – 208.43.90.48 – Email: admin@firtryt.biz

Detection rate:
pusk.exe – FakeAlert-CN.gen.aa – Result: 13/42 (31.0%)
MD5   : a50a91176b5aeb96b8b77b99d587c485
SHA1  : c56b7ab2123dbd49902446ffcc0cf59d6a865857
SHA256: c912a975e3c2fc911d6550d86e8fd89dbd30e3d1e07d788b45aac0d6cf61e83c

Upon execution phones back to the following domains and ASs:



Monitoring of the campaign is ongoing.

This post has been reproduced from Dancho Danchev’s blog. Follow him on Twitter.

Posted in Security

Rogue number crunching


Researcher Patrick Jordan put together some statistics on the various Rogues he sees on a daily basis, and I thought it made for some interesting reading.

How are the rogue AV products shaping up in terms of monthly / yearly numbers? Let’s take a look at what Patrick has pulled out of a fiery lake of evil through the years:



No surprises that the new finds keep coming, with the foot really hitting the gas pedal in 2008 and never really letting up. In terms of rogues from various families doing the rounds in 2011 (from the 1st of January to the 31st of March), we have a clear winner:

The PrivacyCenter rogue sweeps all aside, and probably accepts some sort of award for services to scamming people out of their money (Patrick tells me that “MSE stands for Microsoft Security Essentials which is the fake alert used with the MSE extension”). While I’m not a huge fan of long lists, the following long list gives you an idea of the overwhelming nature of so many fake products hitting the net every other day:

1/4/2011            Palladium.FakeRean
1/4/2011            HDDFix.FakeSysDef
1/5/2011            MemoryFixer.FakeSysDef
1/9/2011            DiskOK.FakeSysDef
1/12/2011          GoodMemory.FakeSysDef
1/12/2011          FastDisk.FakeSysDef
1/12/2011          WindowsSystemOptimizator
1/15/2011          DiskOptimizer.FakeSysDef
1/17/2011          WindowsOptimization&Security
1/18/2011          MemoryOptimizer.FakeSysDef
1/18/2011          WindowsSecurity&Control
1/20/2011          WindowsUtilityTool
1/21/2011          WindowsScan.FakeSysDef
1/25/2011          WindowsUniversalTool
1/26/2011          Antivirus.Net.FakeSpyPro
1/26/2011          WindowsRiskEliminator
1/27/2011          SmartInternetProtection2011.FakeVimes
1/28/2011          WindowsDisk.FakeSysDef
1/28/2011          AVG-Antivirus.FakeXPA
1/28/2011          WindowsAntispywareSolution
1/28/2011          WindowsShieldCenter
1/31/2011          WindowsHealthCenter
2/1/2011            WindowsProblemsRemover
2/2/2011            WindowsProblemsProtector
2/3/2011            WinDisk.FakeSysDef
2/4/2011            DiskRecovery.FakeSysDef
2/4/2011            InternetSecurity2011.RTK
2/5/2011            WindowsSafetyProtection
2/6/2011            WindowsSoftwareProtection
2/7/2011            PCSecurity2011.FakeSpyPro
2/7/2011            WindowsSoftwareGuard
2/8/2011            WindowsWiseProtection
2/9/2011            AntiViraAV.FakeSpyPro
2/9/2011            WindowsCareTool
2/10/2011          WindowsOptimalSolution
2/11/2011          WindowsOptimalSettings
2/11/2011          AntivirusSystem2011
2/11/2011          InternetSecurityDefender2011
2/14/2011          WindowsProblemsSolution
2/15/2011          WindowsUserSatellite
2/17/2011          WindowsExpressHelp
2/18/2011          WindowsAVSoftware
2/20/2011          WindowsSafetyGuarantee
2/21/2011          InternetSecurityEssentials.FakeVimes
2/21/2011          WindowsOptimalTool
2/22/2011          WindowsExpressSettings
2/22/2011          MegaAntivirus2012
2/23/2011          InternetDefender
2/25/2011          WindowsTool.FakeSysDef
2/25/2011          WindowsPrivacyAgent
2/26/2011          WindowsProcessesOrganizer
2/28/2011          WindowsTroublesAnalyzer
3/1/2011            WindowsPerformanceManager
3/2/2011            AntiMalwareGo.FakeSpyPro
3/2/2011            WindowsEfficiencyManager
3/3/2011            AntiVirusAntiSpyware2011
3/3/2011            XPHomeSecurity.FakeRean
3/3/2011            WindowsDebugSystem
3/5/2011            AntivirusMonitor.FakeSpyPro
3/7/2011            WindowsErrorCorrection
3/8/2011            WindowsDefenceCenter
3/9/2011            WindowsServantSystem
3/10/2011          SystemDefender
3/10/2011          WindowsTroublemakersAgent
3/11/2011          WindowsTroublesRemover
3/13/2011          WindowsDiagnostic.FakeSysDef
3/14/2011          WindowsRemedy
3/16/2011          BestMalwareProtection.FakeVimes
3/16/2011          E-SetAntivirus2011.FakeXPA
3/16/2011          WindowsThreatsRemoving
3/17/2011          WindowsEfficiencyMagnifier
3/18/2011          WindowsSafeMode.FakeSysDef
3/18/2011          SystemDiagnostic.FakeSysDef
3/18/2011          WindowsEmergencySystem
3/21/2011          CleanThis.FakeRean
3/21/2011          WindowsSupportSystem
3/22/2011          WindowsLowlevelSolution
3/23/2011          WindowsRecovery.FakeSysDef
3/23/2011          WindowsBackgroundProtector
3/24/2011          WindowsSimpleProtector
3/25/2011          WindowsPowerExpansion
3/26/2011          MSRemovalTool
3/28/2011          WindowsExpansionSystem
3/29/2011          WindowsRepair.FakeSysDef
3/30/2011          WindowsProcessRegulator
3/31/2011          WindowsStabilityCenter

Pretty crazy. As always, if you happen to find yourself on a website with flashing infection alerts and constant offers to download a “security program”, ignore the prompts, don’t fill in any information and run the other way.

Thanks Patrick.

Christopher Boyd

Posted in GFI Software

Rogue SSL certificates issued by Comodo

SSL certificates are used to validate the identity of a Web site to users. Yesterday Comodo, a certificate vendor, announced that nine SSL certificates had been bought and issued for the following domains:

  • mail.google.com (Gmail)
  • login.live.com (Hotmail and Microsoft Live services)
  • www.google.com
  • login.yahoo.com (three different certificates)
  • login.skype.com
  • addons.mozilla.org (Firefox extensions)
  • "Global Trustee"

Comodo added the rogue certificates to their Certificate Revocation List (CRL) on the evening of March 15, 2011, and Microsoft, Mozilla and others have released updates to their browsers since then.

What does this mean?

The rogue SSL certificates could have been used to set up Web sites that provide fake login services for the services listed above (Gmail, Yahoo, Live, Skype etc). By doing that, whoever was behind this could steal user names and passwords even though the traffic was encrypted with SSL and the user wouldn't know anything was wrong. With the updated CRL list the user would get a warning when visiting a site using any of the rogue certificates and would hopefully not enter any credentials.

Comodo states in their report that a user account at one of their affiliate partners was compromised and used to issue the rogue certificates. The attacker used several IP addresses when doing this, but mainly used an IP address from Iran. According to the investigation done by Comodo the attacker was very quick to issue the certificates, knew exactly which domains to issue them for, and didn't waste any time when doing this.

How do Websense products protect users?

Users who have Windows Update enabled will receive the updated CRL automatically for Internet Explorer, and if you have automatic updates enabled for any other browser it will download the CRL as well. Our products also have the ability to check the validity of an SSL certificate, and the benefit of doing that is that the product does it for all users, regardless of which browser they use and whether they have the update or not. This feature is not enabled by default in Websense Content Gateway, so follow the steps below to enable CRL verification.

If unsure we recommend that you contact your Technical Account Manager to discuss how this change will affect the user experience in your particular environment.

  1. Log on to Content Gateway Manager.
  2. Go to Configure > My Proxy > Basic > Features > HTTPS, and enable HTTPS Protocol.
  3. Go to Configure > My Proxy > Basic > Restart and select Restart to enable SSL Inspection (SSL Manager).
  4. Go to Configure > My Proxy > SSL > Validation > General and configure the page as follows:
    • Select Enable the certificate verification engine
    • Clear Deny certificates where the common name does not match the URL (see below)
    • Verify that Check certificate revocation by CRL is selected
    • Click Apply
  5. Optional step: Select the Verification Bypass tab and make sure the following options are selected.
    Important note: This is an optional step that depends on your organization's security policy. If you choose this option, users will be able to continue browsing to dangerous Web sites with potentially rogue SSL certificates, so if you don't wish to give users this choice, skip this step.
    This will prompt the user with a warning message informing them that the certificate is invalid, but they will have the option to click Continue to visit the page.
  6. Select the Revocation Settings tab and make sure that the automatic download of new CRL lists is enabled:

If the automatic download was disabled, we recommend that you force an update to make sure the latest CRL lists are downloaded. If the download was already enabled, you don't have to do this, as the updated CRL list from Comodo was released on March 15 and your Websense product will already have the list installed. Regardless of whether you have CRL verification turned on, the Advanced Classification Engine will scan the content from any site, including those using the rogue SSL certificates, as long as you have SSL inspection turned on, and block all malicious code.
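The steps above switch on three independent checks in the proxy (certificate verification, the CN/URL match, and CRL revocation) plus an optional bypass, and the closing paragraph adds a fourth concern, a CRL that is out of date. The following is an added example, not Websense code: a small policy evaluator in Python that models how those settings interact for one TLS connection, and also models a local untrusted store of the kind the Windows Update mentioned above populates. The issuer name, serial numbers, hostnames, CRL dates and the `Policy` field names are all constructed for the example and do not correspond to any real CA or to Content Gateway's own configuration keys.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

ALLOW, WARN, BLOCK = "allow", "warn", "block"


@dataclass(frozen=True)
class Cert:
    issuer: str        # issuing CA name (constructed)
    serial: int        # serial number, unique per issuer
    common_name: str   # subject CN presented to the client


@dataclass
class Crl:
    issuer: str
    revoked: frozenset   # serial numbers the CA lists as revoked
    this_update: datetime
    next_update: datetime


@dataclass
class Policy:
    verification_enabled: bool = True   # "Enable the certificate verification engine"
    deny_cn_mismatch: bool = False      # the steps above say to clear this option
    check_crl: bool = True              # "Check certificate revocation by CRL"
    allow_bypass: bool = False          # optional step 5: warn instead of block


def evaluate(cert, host, crls, distrusted, policy, now):
    """Decide whether a proxy should allow, warn on, or block a TLS connection.

    crls: dict issuer -> Crl. distrusted: set of (issuer, serial) pairs,
    modelling a local untrusted certificate store. Returns (decision, reason).
    """
    if not policy.verification_enabled:
        return ALLOW, "certificate verification engine disabled"
    # An explicit distrust entry overrides everything, including the bypass
    # option: it needs no CRL to be fresh or reachable (assumed behaviour).
    if (cert.issuer, cert.serial) in distrusted:
        return BLOCK, "certificate is in the local untrusted store"

    problems = []
    if policy.deny_cn_mismatch and cert.common_name != host:
        problems.append("common name does not match URL")
    if policy.check_crl:
        crl = crls.get(cert.issuer)
        if crl is None:
            problems.append("no CRL available for issuer")
        elif cert.serial in crl.revoked:
            problems.append("serial number is revoked")
        elif now > crl.next_update:
            # A CRL past its nextUpdate cannot prove the cert is still good.
            problems.append("CRL is stale; force a CRL update")
    if not problems:
        return ALLOW, "ok"
    return (WARN if policy.allow_bypass else BLOCK), "; ".join(problems)


def run_demo():
    """Constructed scenarios; returns a dict of scenario name -> (decision, reason)."""
    now = datetime(2011, 3, 24, 12, 0)
    issuer = "Example Affiliate CA"   # constructed name, not a real CA
    host = "login.example.com"
    fresh = Crl(issuer, frozenset({1001, 1002}),
                now - timedelta(days=1), now + timedelta(days=6))
    stale = Crl(issuer, frozenset({1001}),
                now - timedelta(days=30), now - timedelta(days=23))
    rogue = Cert(issuer, 1002, host)   # listed in the fresh CRL
    good = Cert(issuer, 2001, host)
    strict, bypass = Policy(), Policy(allow_bypass=True)
    return {
        "good_fresh": evaluate(good, host, {issuer: fresh}, set(), strict, now),
        "rogue_fresh": evaluate(rogue, host, {issuer: fresh}, set(), strict, now),
        "rogue_bypass": evaluate(rogue, host, {issuer: fresh}, set(), bypass, now),
        "good_stale": evaluate(good, host, {issuer: stale}, set(), strict, now),
        "rogue_stale_distrusted": evaluate(rogue, host, {issuer: stale},
                                           {(issuer, 1002)}, bypass, now),
        "cn_mismatch_denied": evaluate(good, "mail.example.com", {issuer: fresh},
                                       set(), Policy(deny_cn_mismatch=True), now),
        "cn_mismatch_cleared": evaluate(good, "mail.example.com", {issuer: fresh},
                                        set(), strict, now),
    }


if __name__ == "__main__":
    for name, (decision, reason) in run_demo().items():
        print(f"{name:24s} {decision:5s} {reason}")
```

Two scenarios carry the points the post makes: `good_stale` shows why a disabled CRL download turns into a block (or a warning, with bypass on) even for a legitimate certificate, which is the reason to force an update; `rogue_stale_distrusted` shows that an entry in the local untrusted store blocks a rogue certificate without depending on the CRL at all, which is the protection the browser vendors' updates provide to clients that are not behind the proxy.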

Posted in Security

Rogue SSL certificates (“case comodogate”)

SSL certificates are used by websites to confirm their identity to end users.

Certificate vendor Comodo has announced today that nine rogue certificates were issued through them. These certificates were issued for:

  • mail.google.com (GMail)
  • login.live.com (Hotmail et al)
  • www.google.com
  • login.yahoo.com (three certificates)
  • login.skype.com
  • addons.mozilla.org (Firefox extensions)
  • “Global Trustee”

According to Comodo, the registrations seemed to be coming from Tehran, Iran and they believe that because of the focus and speed of the attack, it was “state-driven”.

What can you do with such a certificate?

Well, if you are a government and able to control internet routing within your country, you can reroute all, say, Skype users to fake https://login.skype.com and collect their usernames and passwords, regardless of the SSL encryption seemingly in place. Or you can read their email when they go to Yahoo, Gmail or Hotmail. Even most geeks wouldn’t notice this was going on.

What about the rogue certificate for addons.mozilla.org? Initially I thought that there would be no other reason than to use Firefox extensions as some sort of malware install vector. However, Eric Chien from Symantec came up with an interesting alternate theory: it could be used to block the installation of certain extensions that bypass censorship filters (thanks, Eric!). For examples of such extensions, see here and here.

As the certificate revocation systems in place are far from foolproof, Microsoft has just announced that they will be shipping a Windows update that will force these rogue certificates to be moved to the local untrusted certificate store.

Updated to add: Comodo has now said the attacker gained entry to its system by obtaining the password and username of their European affiliate. Once inside, the attacker could have issued certificates to any site he wanted. Wall Street Journal has more on the breach.

Updated to add again: What’s the importance of a certificate issued for “Global Trustee”? We don’t know. This isn’t a documented entity anywhere we could find. Our best guess at this point is that there is some hardware product from some large vendor with hardcoded support for a certificate for “Global Trustee”…

Updated to add again: Iran does not have its own CA. If they did, they wouldn’t need to do any of this, as they could just issue rogue certificates themselves. On Twitter, @xirfan commented on this, saying: “I work for a webhoster. Our Iranian & Syrian customers aren’t allowed SSLs”

Here’s a full list of root certificates stored in the Mozilla project Root CA store. It includes certificates issued by CAs in China, Israel, Bermuda, South Africa, Estonia, Romania, Slovakia, Spain, Norway, Colombia, France, Taiwan, UK, The Netherlands, Turkey, USA, Hong Kong, Japan, Hungary, Germany and Switzerland.

On 23/03/11 At 08:27 PM

Posted in F-Secure

Fake Rogue Anti-Virus & Anti-Spyware in Action

See what happens when I purposely infect my computer with Power AntiVirus (a rogue anti-virus known to be malicious). Notice some of the patterns and learn how to protect your computer in our series of videos. Our Blog: www.e-geniuses.com

CSA DISCLAIMER: This video was taken from YouTube. We are not responsible for any copyright violations, video materials, hacking or cracking activities, or any other. If you have any legal issues, please contact the appropriate host site.

Posted in Video

A Rogue with an Original Name: Antivirus

You know you want it.

Posted in Video

Be aware of rogue security software

We have noticed rogue antivirus software that pretends to be AVG Anti-Virus 2011. As usual, social engineering is in use: well-known names (AVG, Microsoft Security Essentials) and the designs of trusted applications are present in order to increase credibility.

Once launched, this malware makes users believe that the computer is infected with malicious programs that might compromise privacy or damage the computer, and of course threat removal is not free: you are asked to purchase a “license”.

…and there is even a hardcoded BSOD screen:

Malicious software caused system crash

A problem has been detected and Windows has been shut down to prevent damage to your computer.

Technical information:

*** STOP: 0x0000008E (0xC0000005,0x92F27DCF,0x99970968,0x00000000)

***   kernel32.dll – Adress 92F27DCF base at 92E40000, DateStamp 4943a3f

Creating crash dump. Please do NOT turn off or reboot computer.

Collecting data for crash dump

Initializing disk for crash dump

Beginning dump of physical memory

Dumping phisical memory to disk

AVG detects this software (usually as part of the Trojan horse FakeAV family), and the related websites are blocked as well.

Ondrej Novotny

Posted in AVG

New rogue McAVG copies Kaspersky, Uniblue.

Bibiloy submitted this beauty to our URL Clearing House: www.spycheck.co.uk/mcavg_install.zip It’s called McAVG 2011. Actual Kaspersky product: The very detailed website(s) were also stolen from Uniblue: www.spycheck.es/ www.spycheck.co.uk/ www.spycheck.eu/ www.spycheck.fr/ www.spycheck.nl/ www.spycheck.it/ www.spycheck.dk/ www.spycheck.pl/ www.spycheck.ru/ The blue background made me think of Uniblue and Uniblue Liutilities it is! Actual Uniblue page: It seems like McAVG [...]

Full story: Malware Diaries

Posted in Security
