Another fake-av site detected..

[spg SCOTT]

If a rogue is reported, and submitted, and subsequently detected...protecting a user at some point or another then there is a purpose in posting...

[Dieselman]

Well both those sites can give you more info the one person posting a link. Avast should just look at both those sites.

[polonus]

You both have a point there, spg SCOTT and Dieselman,

The malcreants start out with launching a new morphed encrypted obfuscated protected version of the same malcreation. This is an ongoing battle between malcreant and the anti-malware makers....
So the cybercriminals test out their new malcreations for it to go under the anti-malware radar, right? What is adding detection for 0-days etc faster - re-scanning, re-scanning, re-scanning.
As soon as the undetected are flagged once protection against it is possible. So I think reporting flagged malware sites and new rogues to avast (and sending the info to virus AT avast dot com too), and posting it to be re-scanned is good. On the other hand this means protection "after the fact", the vulnerability gap is still there and stays open. How to close this further, deminish vulnaribilities used to infect by constantly updating the software of your OS and third party programs (secunia psi) and use sandboxing and script protection to be better protected even,

polonus

[polonus]

Another undetected fake av site: htxp://protectionantivscanxp.com/  with mdl_fake AV (these servers often also has zeus/mdl_trojan TDSS on them)...usally they are being taken down rather quickly,

IP initial: see: http://www.ipillion.com/ip/91.213.157.110
Reported there as such

\"protectxpdriversvirusnow\" is a rogue antivirus site. I had a google redirection virus that kept directing me to that site. The virus apparently started with a \'tdl4 bootkit\', as reporte...

as such not detected: http://www.virustotal.com/file-scan/report.html?id=40842d6f11294476776c1609562b3d979bfd1cbc90b6fac8154a213bf51cfcf6-1298142836
Not detected here: http://wepawet.iseclab.org/domain.php?hash=4317a555e95fd113218c188fdd150b85&type=js
But found to be dangerous here on 4 instances:
flagged by http://global.sitesafety.trendmicro.com/

polonus

[polonus]

Another one here: htxp://dl.antivirus-antispy.cw.cm/BestAntivirus2011.exe

5 detections for this TR/ATRAPS.Gen, see
http://www.virustotal.com/file-scan/report.html?id=4361036cada809073bca9b8b56f5b2b59e795099d5f1b567a8a5abe873431ea9-1303139492
Avast does not detect yet,

polonus

[Left123]

Another one here: htxp://dl.antivirus-antispy.cw.cm/BestAntivirus2011.exe

5 detections for this TR/ATRAPS.Gen, see
http://www.virustotal.com/file-scan/report.html?id=4361036cada809073bca9b8b56f5b2b59e795099d5f1b567a8a5abe873431ea9-1303139492
Avast does not detect yet,

polonus

You use malwaredomainlist,don't you?

[Dieselman]

malc0de is also another great site for malware links.

http://malc0de.com/database/

[polonus]

Hi Dieselman,

We are not given these sites here, because the unaware can get themselves infected, why do you post it then?
Make it htxp please. Same goes for others, unaware users should not be go there unprotected, just as with jsunpack etc. etc.

polonus

[Dieselman]

Please read the link and the site before you comment. MalcOde is NOT a malicious site. It's just like Malware Domain List. Mac0de posts links to malicious sites for testing purposes but the site it self is safe. Direct links to malicious sites should be coded with hxxp. But this is not a direct link. Clicking on the malc0de link will NOT directly get you infected. You are posting direct links. I on the other hand are not. Thanks.

[Dieselman]

Warning notice from MDL.

WARNING: All domains on this website should be considered dangerous. If you do
not know what you are doing here, it is recommended you leave right away. This
website is a resource for security professionals and enthusiasts

[Krelnadi]

This looks like a new site for the Antispy2011.exe

hxxp:Memoryscannerprotectionwin.com


Got redirected to that site on another website not to long ago

[Coolmario88]

Another Fake-av site hxxp://mbr-antivirus.ce.ms/fast-scan/

[Dieselman]

Another Fake-av site hxxp://mbr-antivirus.ce.ms/fast-scan/

Stopped by ClearCloud DNS.

[Dieselman]

This looks like a new site for the Antispy2011.exe

hxxp:Memoryscannerprotectionwin.com


Got redirected to that site on another website not to long ago

Link is dead.

[Krelnadi]

I wonder if the people doing the fake AV sites are looking on this forum, seems odd the links go down as soon as someone mentions them.

This one is more recent:

hxxp:documentscannerprotectionwin.com