Author Topic: Another fake-av site detected..  (Read 55584 times)

0 Members and 1 Guest are viewing this topic.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76032
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Another fake-av site detected..
« Reply #15 on: June 13, 2010, 12:23:56 AM »
...the Internet is becoming a scary place for webmaster that want to keep their website's code clean,

I know that only too well. ;)
asyn
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33930
  • malware fighter
Re: Another fake-av site detected..
« Reply #16 on: June 17, 2010, 02:52:45 PM »
Hi malware fighters,

Another one reported here:
Website    westernwinds.net
Domain Hash    f75afbc2b730096197625b5e49c7a496
IP Address    66.96.130.112 [SCAN]
IP Hostname    112.130.96.66.static.eigbox.net
IP Country    US (United States)
AS Number    29873
AS Name    BIZLAND-SD - The Endurance International Grou...
Detections    2 / 18 (11 %)
Status    SUSPICIOUS

Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://westernwinds.net/fevcf.php?topic=obama%20address%20to%20students%20transcript

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://westernwinds.net/fevcf.php?topic=pic%20hunter

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://westernwinds.net/fevcf.php?topic=rick%20rubin%20myspace

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://westernwinds.net/fevcf.php?topic=san%20diego%20union%20tribune%20crossword

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    hxtp://westernwinds.net/fevcf.php?topic=san%20diego%20union%20tribune%20newspaper

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://westernwinds.net/fevcf.php?topic=spirit%20airline%20strike

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://westernwinds.net/fevcf.php?topic=svk

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    hxtp://westernwinds.net/fevcf.php?topic=swype%20for%20iphone

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://westernwinds.net/fevcf.php?topic=tony%20award%20winners%202009

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://westernwinds.net/fevcf.php?topic=watch%20true%20blood%20online%20for%20free%20streaming

Redirecting to cnn.com again
Here is where it happens
Code: [Select]
info: [decodingLevel=1] found JavaScript
     error: line:4: SyntaxError: missing ] after element list:
          error: line:4:      [native code]
          error: line:4: ................^

polonus

   
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33930
  • malware fighter
Re: Another fake-av site detected..
« Reply #17 on: June 17, 2010, 03:03:50 PM »
Hi malware fighters,

A recent list from Malware Domain List for fake av:
http://www.malwaredomainlist.com/mdl.php?search=fake+av&colsearch=All&quantity=50

One example given in here: spinpoll.com/iuqdx/qttbbm.php?ff=826284
results
http://scanner.novirusthanks.org/analysis/561d310ada76abefafa70c2afb1f7a10/cXR0YmJtLnBocA==/
http://wepawet.iseclab.org/view.php?hash=0372e8bf9a1d75e118b18830d4ea85fb&t=1276780197&type=js

Triggered code has been made unobtrusive and is legit here,
but the ways in which it can be exploited are obvious,
read: http://www.alstevens.co.uk/a-less-obtrusive-google-analytics-script/
How it recently was exploited read here: http://blog.unmaskparasites.com/2009/03/26/google-analytics-is-an-intermediary-in-malware-distribution/

polonus
« Last Edit: June 17, 2010, 03:52:38 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33930
  • malware fighter
Re: Another fake-av site detected..
« Reply #18 on: June 19, 2010, 04:54:38 PM »
Hi malware fighters,

Here is a report about the way the malware is being injected via cross site scripting:
http://cyberinsecure.com/high-ranking-websites-spread-malware-through-cross-site-scripting-vulnerabilities/
It’s embedding iframes to redirect and
Quote
  [=/quote]The last chunk of test is hexadecimal-encoded HTML that redirects users to ask5.eu (do not visit, see: http://www.siteadvisor.com/sites/ask5.eu ), and 1 suspicious inline script found, for this script see: http://jsunpack.jeek.org/dec/go?report=b413e5b967fa38a1d2dea332d601417ac034c41d   with a undefined function parent.location.replace
to an apparent pr0n site...

A series of redirect links ultimately leads to a site that looks similar to a Microsoft Windows screen with a popup claiming the PC is overrun with malware. The user is prompted to download rogue anti-virus to fix the imaginary problem.

While it’s not the most convincing attack we’ve ever seen, there’s nothing to stop attackers from using the same technique to push web-based exploits, say the Adobe Reader zero-day attack that’s now circulating in the wild.

The links work because appleinsider.com and the rest of the sites being abused fail to filter out harmful characters used in XSS attacks. Here are a few examples with some of the malicious XSS advertisements (do not follow these or other “hxxp” URLs below): http://cyberinsecure.com/wp-content/uploads/2009/12/xss.png (click to enlarge)
[=/quote]

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33930
  • malware fighter
Re: Another fake-av site detected..
« Reply #19 on: June 22, 2010, 03:39:19 PM »
Fake AV,

A good read-up on the subject can be found here: http://www.usenix.org/event/leet10/tech/full_papers/Rajab.pdf
(advized by Google coders)

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33930
  • malware fighter
Re: Another fake-av site detected..
« Reply #20 on: June 24, 2010, 02:51:22 PM »
Hi malware fighters,

Another fake av site detected: versusspywareguard.com
Threat Name:      HTTP Fake Antivirus WebPage Request 2
Location:    htxp://6de46b37e.versusspywareguard.com/stream1/cacnpr/fhlcnalhnd/fcllfmfhdl.html

   
Threat Name:    HTTP Fake Antivirus WebPage Request 2
Location:    htxp://0639945.versusspywareguard.com/stream1/cafm/phddqcmrcc/fcllfmfral.html

Another source to look at from secubox labs: http://internetpol.fr/mw/

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33930
  • malware fighter
Re: Another fake-av site detected..
« Reply #21 on: June 30, 2010, 07:00:10 PM »
Hi malware fighters,

Another fake av site:rodaco.org
Domain Hash    94f43071befdbcaf02482e09e2a7a3ef
IP Address    66.96.131.89 [SCAN]
IP Hostname    89.131.96.66.static.eigbox.net
IP Country    US (United States)
AS Number    29873
AS Name    BIZLAND-SD - The Endurance International Group

:
Threat Name:    HTTP Fake AV Redirect Request
Location:    hxtp://rodaco.org/vlruf.php?pageid=april%20fools%20day%20history

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://rodaco.org/vlruf.php?pageid=auhsd

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://rodaco.org/vlruf.php?pageid=cesar%20chavez%20biography

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://rodaco.org/vlruf.php?pageid=fledgling%20foundation

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://rodaco.org/vlruf.php?pageid=siohvaughn%20wade%20std

polonus

   
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33930
  • malware fighter
Re: Another fake-av site detected..
« Reply #22 on: July 14, 2010, 09:11:05 PM »
Hi malware fighters,

And another one of the fake av drive-by-downloads detected here:


Threats found: 6
Here is a complete list:
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://angrystot.com/press/?showc=7+11+locator

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://angrystot.com/press/?showc=anthony+morrow

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://angrystot.com/press/?showc=dani+jarque

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://angrystot.com/press/?showc=dream+15

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://angrystot.com/press/?showc=flugtag

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    hxtp://angrystot.com/press/?showc=gary+air+show

polonus   

 
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33930
  • malware fighter
Re: Another fake-av site detected..
« Reply #23 on: July 17, 2010, 06:16:33 PM »
Hi malware fighters,

Another one from Moldova:
 Threats found: 58
Here a sample of them:
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://lariska12.osa.pl/in.php?t=cc&d=30-06-2010_t_0107_08&h=baby-shower-4u.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fnum%3D100%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3D%EF%BB%BFThe%2BTwilight%2BSaga%3A%2BEclipse

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://lariska12.osa.pl/in.php?t=cc&d=30-06-2010_t_0107_08&h=bluehillsmoto.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fnum%3D100%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3D%EF%BB%BFThe%2BTwilight%2BSaga%3A%2BEclipse

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://lariska12.osa.pl/in.php?t=cc&d=30-06-2010_t_0107_08&h=comnicity.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fnum%3D100%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3D%EF%BB%BFThe%2BTwilight%2BSaga%3A%2BEclipse

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://lariska12.osa.pl/in.php?t=cc&d=30-06-2010_t_0107_08&h=donsrcmodels.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fnum%3D100%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3D%EF%BB%BFThe%2BTwilight%2BSaga%3A%2BEclipse

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://lariska12.osa.pl/in.php?t=cc&d=30-06-2010_t_0107_08&h=earlsauction.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fnum%3D100%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3D%EF%BB%BFThe%2BTwilight%2BSaga%3A%2BEclipse

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://lariska12.osa.pl/in.php?t=cc&d=30-06-2010_t_0107_08&h=helix-x.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fnum%3D100%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3D%EF%BB%BFThe%2BTwilight%2BSaga%3A%2BEclipse

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    hxtp://lariska12.osa.pl/in.php?t=cc&d=30-06-2010_t_0107_08&h=kalpulli.org&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fnum%3D100%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3D%EF%BB%BFThe%2BTwilight%2BSaga%3A%2BEclipse

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://lariska12.osa.pl/in.php?t=cc&d=30-06-2010_t_0107_08&h=kwzone.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fnum%3D100%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3D%EF%BB%BFThe%2BTwilight%2BSaga%3A%2BEclipse

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://lariska12.osa.pl/in.php?t=cc&d=30-06-2010_t_0107_08&h=kwzone.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fnum%3D100%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3Declipse%2Bpremiere

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://lariska12.osa.pl/in.php?t=cc&d=30-06-2010_t_0107_08&h=marylandvisiontherapy.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fnum%3D100%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3Declipse%2Bpremiere

   
    Virus
Threats found: 1 Analyzed this trojan further below...
Here is a complete list:
Threat Name:    Downloader  avast detects as Win32:Downloader-ECU now as Win32:Downloader-ECU [Trj]
Location:    htxp://zhengshu.osa.pl/zhengshu/zhengshuw.exe    (other file is zhengshu.exe)
Infected with Mal/Downldr-AL
经过扫描,其中 0/6 款杀毒软件检测到zhengshuw[1].exe 含有病毒木马及可疑风险! ... 文件百科提供的内容不够完善?立即去论坛讨论zhengshuw[1].exe >>
htxp://58.251.57.206/down?cid=3D228BFFBDF06C63A04E66BA3D14FB880FE1E892&t=2&fmt=&usrinput=%E6%9A%B4%E9%A3%8E%E5%BD%B1%E9%9F%B3&dt=2018000&ps=0_0&rt=0kbs&plt=0&spd=9
Is in this list: http://malwarepatrol.com.br/cgi/submit?action=list_mcf
http://www.prevx.com/filenames/719191126558992567-X1/ZHENGSHU.EXE.html
and
http://scanner.novirusthanks.org/analysis/35d82b779d33dd59129769d614465b86/emhlbmdzaHV3LmV4ZQ==/

See: http://wepawet.iseclab.org/view.php?hash=40910560e9eb16905f511b33a1355c7f&t=1279382964&type=js
and
http://www.virustotal.com/analisis/9469a349c50038c798801a0ba64d42f5e8c699c62a37c3d06f23db905e848018-1279279124

pol



   

 
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33930
  • malware fighter
Re: Another fake-av site detected..
« Reply #24 on: July 18, 2010, 12:51:30 AM »
Hi malware fighters,


       Drive-By Downloads   

Threats found: 25
Here is a sample:
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://barbolafuneralchapel.com/cbyrt.php?off=roy%20williams%20youtube

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://barbolafuneralchapel.com/cbyrt.php?off=s1%20homes

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://barbolafuneralchapel.com/cbyrt.php?off=schnepf%20farms%20twitter

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    hxtp://barbolafuneralchapel.com/cbyrt.php?off=sertraline%20and%20alcohol

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://barbolafuneralchapel.com/cbyrt.php?off=shukufuku%20no%20campanella%20ep%201

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://barbolafuneralchapel.com/cbyrt.php?off=shukufuku%20no%20campanella%20tv

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://barbolafuneralchapel.com/cbyrt.php?off=stella%20marie%20ray

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    hxtp://barbolafuneralchapel.com/cbyrt.php?off=watch%20one%20piece

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    hxtp://barbolafuneralchapel.com/cbyrt.php?off=world%20cup%20finals

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://barbolafuneralchapel.com/cbyrt.php?off=www.applegiftgiveaway.info

Might have been removed!

polonus
   

 
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33930
  • malware fighter
Re: Another fake-av site detected..
« Reply #25 on: August 06, 2010, 09:49:35 PM »
Hi malware fighters,

Another one here:  Threats found: 1
Here is a complete list:
Threat Name:    Trojan.FakeAV
Location:    htxp://trafok.in/modulesetup70700.exe

A dangerous website according to several sources: http://www.urlvoid.com/scan/trafok.in
Mazilla found this:
<!-- The padding to disable MSIE's friendly error page -->
<!-- The padding to disable MSIE's friendly error page -->
<!-- The padding to disable MSIE's friendly error page -->
<!-- The padding to disable MSIE's friendly error page -->
<!-- The padding to disable MSIE's friendly error page -->
<!-- The padding to disable MSIE's friendly error page -->
With the avast shield that gave a JS:ScriptDC-inf[Trj] warning for a malware download,

And another one here:
hreat Name:      HTTP Fake AV Redirect Request
Location:    htxp://utu974.com/sgfsj.php?on=charlie%20wilsons%20war%20wiki

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://utu974.com/sgfsj.php?on=cydia%20ipad

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://utu974.com/sgfsj.php?on=dickssportinggoods%20application

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://utu974.com/sgfsj.php?on=endhiran%20trailer

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://utu974.com/sgfsj.php?on=jailbreakme%202010

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://utu974.com/sgfsj.php?on=kristen%20mcmenamy%20gray%20hair

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://utu974.com/sgfsj.php?on=mitzi%20kapture%20imdb

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://utu974.com/sgfsj.php?on=mitzi%20kapture%20movies

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://utu974.com/sgfsj.php?on=the%20joe%20schmo%20show

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://utu974.com/sgfsj.php?on=yani%20tseng%20caddie

   See: http://www.urlvoid.com/scan/utu974.com


polonus
« Last Edit: August 06, 2010, 09:54:46 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37612
  • Not a avast user
Re: Another fake-av site detected..
« Reply #26 on: August 06, 2010, 10:19:27 PM »
VirusTotal - modulesetup70700.exe - 11/42
http://www.virustotal.com/analisis/ef3df69693dc5906ee2b88e4ae134ff74eeb99298d19c27bde9367ef05cf8260-1281125582

and it is already in avast inbox..... ;)
« Last Edit: August 06, 2010, 10:32:39 PM by Pondus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33930
  • malware fighter
Re: Another fake-av site detected..
« Reply #27 on: August 07, 2010, 10:23:05 PM »
Hi malware fighters,

Another one here:
Threat Name:      HTTP Fake AV Redirect Request
Location:    htxp://wisneski.net/woaoc.php?a=care%20credit%20providers

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://wisneski.net/woaoc.php?a=dickssportinggoods%20in%20store%20coupons

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://wisneski.net/woaoc.php?a=ernesto%20miranda%20grave

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://wisneski.net/woaoc.php?a=hansen%20clarke%20michigan

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://wisneski.net/woaoc.php?a=haskell%20invitational%20monmouth%20park

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://wisneski.net/woaoc.php?a=mine%20lyrics

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://wisneski.net/woaoc.php?a=quintuplets%20blog

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://wisneski.net/woaoc.php?a=quintuplets%20dionne

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    hxtp://wisneski.net/woaoc.php?a=santa%20monica%20college%20nursing

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    hxtp://wisneski.net/woaoc.php?a=unigo%20emory

Re: http://www.urlvoid.com/scan/wisneski.net

polonus

   

 
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

iRonzel

  • Guest
Re: Another fake-av site detected..
« Reply #28 on: August 17, 2010, 02:29:58 AM »
One more for your collection:

fotonpl.co.cc/a/exe.exe

iRonzel

  • Guest
Re: Another fake-av site detected..
« Reply #29 on: August 17, 2010, 02:31:39 AM »
The family form the above post:

fotonpl.co.cc/a/l.php