Author Topic: Another fake-av site detected.. (Read 55282 times)

polonus · « **on:** June 04, 2010, 09:37:53 PM »

Hi malware fighters,

Fake-av found here:
Here is a complete list:

Threat Name:    Trojan.FakeAV!gen24
Location:    htxp://052a55.topwestsecure.com/download/DistAV_2013_b8.exe


Threat Name:    Trojan.FakeAV!gen24
Location:    htxp://f1e0c0.topwestsecure.com/download/DistAV_2013_b7.exe
Re: http://www.virustotal.com/analisis/f8ae332e594ad0ac2dcec58a9f3ad0f831b6d62ee4c0e0300d8df81e8548adde-1275605281
See: htxp://jsunpack.jeek.org/dec/go?report=8b7aed3a9e6d72e4b11f28a3673cc682296b3d54

Threat Name:    Trojan.FakeAV!gen24
Location:    htxp://ba38c4.topwestsecure.com/download/DistAV_2013_b8.exe
http://www.prevx.com/filenames/975799710197341493-X1/DISTAV_2013_B8%5B1%5D.EXE.html

See: http://www.browserdefender.com/site/topwestsecure.com/
Trend Micro: This URL is currently listed as malicious.

polonus

misak · « **Reply #1 on:** June 04, 2010, 11:10:56 PM »

thank you for detail information, detection and URL block will be in next VPS update

polonus · « **Reply #2 on:** June 08, 2010, 12:29:03 AM »

Hi malware fighters,

Another Polish fake av spreading site: shamanshop*pl

5 instances of it being found up: #

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://shamanshop.pl/sklep/blog/nate+berkus+show.html
#

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://shamanshop.pl/sklep/blog/danny+aiello.html
#

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://shamanshop.pl/sklep/blog/hostmonster.html
#

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://shamanshop.pl/sklep/blog/david+gallagher.html
#

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://shamanshop.pl/sklep/blog/snapgrades+login.html

Two redirects found there: 302 -> htxp://shamanshop.pl/sklep
301 -> hxtp://shamanshop.pl/sklep/
redirecting scheme: htxp://shamanshop.pl/ redirects to hxtp://shamanshop.pl/sklep

htxp://shamanshop.pl/sklep redirects to htxp://shamanshop.pl/sklep/

polonus

polonus · « **Reply #3 on:** June 09, 2010, 10:57:01 PM »

Another one here:
HTTP Fake AV Redirect Request
Location:    htxp://mygoodoldwebsite.com/ezsee.php?t=gabe%20saporta%20arrested


Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://mygoodoldwebsite.com/ezsee.php?t=summer%20jam%202010%20denver


Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://mygoodoldwebsite.com/ezsee.php?t=mtv%20music%20awards%202010


Threat Name:    HTTP Fake AV Redirect Request
Location:    hxtp://mygoodoldwebsite.com/ezsee.php?t=dean%20s%20blue%20hole


Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://mygoodoldwebsite.com/ezsee.php?t=blossom%20music%20center%20website


Threat Name:    HTTP Fake AV Redirect Request
Location:    hxtp://mygoodoldwebsite.com/ezsee.php?t=ken%20jeong%20wiki


Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://mygoodoldwebsite.com/ezsee.php?t=us%20open%20tennis%202010%20ticket%20prices


Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://mygoodoldwebsite.com/ezsee.php?t=blank%20check


Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://mygoodoldwebsite.com/ezsee.php?t=wakeboard%20sizing


Threat Name:    HTTP Fake AV Redirect Request
Location:    http://mygoodoldwebsite.com/ezsee.php?t=uncle%20phil%20shredder



polonus

polonus · « **Reply #4 on:** June 12, 2010, 11:20:28 PM »

Hi malware fighters, another fake AV redirecting site to include..
2010-06-12 23:14:18 (GMT 1)
Website    schuiling*net
Domain Hash    9c082f0a211d3fc7877cc13d7742c219
IP Address    69.89.22.118
IP Hostname    box118.bluehost.com
IP Country    US (United States)
AS Number    11798
AS Name    BLUEHOST-AS - Bluehost Inc.
Detections    2 / 20 (10 %)

Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://schuiling.net/qamju.php?on=peruvian%20prisons


Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://schuiling.net/qamju.php?on=prop%2016%20polling


Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://schuiling.net/qamju.php?on=puzzle%20pirates%20forums


Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://schuiling.net/qamju.php?on=realm%20status%20addon


Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://schuiling.net/qamju.php?on=robert%20mutt%20lange%20and%20marie-anne%20thiebaud


Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://schuiling.net/qamju.php?on=strasburg


Threat Name:    HTTP Fake AV Redirect Request
Location:    hxtp://schuiling.net/qamju.php?on=taboo%20black%20eyed%20peas%20son


Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://schuiling.net/qamju.php?on=us%20open%20tennis%202010%20american%20express


Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://schuiling.net/qamju.php?on=virtual%20retinal%20display%20pdf


Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://schuiling.net/qamju.php?on=world%20cup%20brackets
presents us with a double redirect, after a failure: <urlopen error no host given>
STATUS suspicious...

polonus

Asyn · « **Reply #5 on:** June 12, 2010, 11:24:19 PM »

As always, good work, D. !!
Thanks, friend..!
asyn

Pondus · « **Reply #6 on:** June 12, 2010, 11:26:56 PM »

The Fake scanner is gone, the redirect goes to CNN......

polonus · « **Reply #7 on:** June 12, 2010, 11:28:43 PM »

And another recent one with 55 threats found,

Threat Name:      HTTP Fake AV Redirect Request
Location:    htxp://skepticalatheist.com/luwhp.php?on=hood%20county%20texas%20tax%20assessor


Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://skepticalatheist.com/luwhp.php?on=indiana%20unclaimed%20property%20act


Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://skepticalatheist.com/luwhp.php?on=indiana%20unclaimed%20property%20law


Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://skepticalatheist.com/luwhp.php?on=iphone%204%20verizon%20release%20date


Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://skepticalatheist.com/luwhp.php?on=jaleel%20white%20death


Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://skepticalatheist.com/luwhp.php?on=liberty%20bell%20facts


Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://skepticalatheist.com/luwhp.php?on=libertybellbank.com


Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://skepticalatheist.com/luwhp.php?on=lil%20boosie%20death%20penalty


Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://skepticalatheist.com/luwhp.php?on=mario%20treadway%20aka%20mc%20souleye


Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://skepticalatheist.com/luwhp.php?on=mlb%20draft%202010%20rankings

polonus

Pondus · « **Reply #8 on:** June 12, 2010, 11:33:31 PM »

Will also send you to CNN ..... $:-\$

Asyn · « **Reply #9 on:** June 12, 2010, 11:40:58 PM »

Quote from: Pondus on June 12, 2010, 11:33:31 PM

Will also send you to CNN ..... $:-\$

CNN, the new haven of malware..??

asyn

polonus · « **Reply #10 on:** June 12, 2010, 11:44:00 PM »

Well Pondus,

I was re-directed there twice going through the request in malzilla, well here is yesterday's score:
2010/06/11_07:42   firtullgone.com/uy/avs.exe   95.211.29.19   hosted-by.leaseweb.com.   fake av   Broupun Banker () / bofjosorupATmaila.com   16265
2010/06/11_07:42   wXw.fast-scanneronline.org/installer.0022.exe   91.188.60.3   -   fake av   Irving Roberson / robersonAThotmail.com   6851
This site is dangerous at 9 counts: http://www.urlvoid.com/scan/fast-scanneronline.org
2010/06/06_21:09   hibatavay.cn/pr.cgi?id=2979   188.72.225.187   city2007.com.   fake av   hahadelegeAT126.com   28753
2010/06/06_21:09   core2979.hibatavay.cn/d_advare_all.cgi?id=2979   188.72.225.187   city2007.com.   fake av   hahadelegeAT126.com   28753
2010/06/06_21:09   wXw.beautifulsecurityscan.com/ms03/ad   91.212.127.19   -   fake av   Robert Watkins robertwatkinsAThotmailbox.com   49087
2010/06/06_16:37   core2979.mylivejournalchanel.com/stget2.cgi?host=host&id=2979   173.212.245.90   173-212-245-90.hostnoc.net.   fake av   contactATprivacyprotect.org   21788
2010/06/06_16:37   core2979.davirijan.cn/d_advare_all.cgi?id=2979   188.72.225.187   city2007.com.   fake av   hahadelegeAT126.com   28753

pol

Pondus · « **Reply #11 on:** June 12, 2010, 11:48:14 PM »

Quote from: Asyn on June 12, 2010, 11:40:58 PM

Quote from: Pondus on June 12, 2010, 11:33:31 PM
Will also send you to CNN ..... $:-\$

CNN, the new haven of malware..??
asyn

Maybe malware news ....

Pondus · « **Reply #12 on:** June 12, 2010, 11:52:48 PM »

Quote from: polonus on June 12, 2010, 11:44:00 PM

Well Pondus,

I was re-directed there twice going through the request in malzilla, well here is yesterday's score:
2010/06/11_07:42   firtullgone.com/uy/avs.exe   95.211.29.19   hosted-by.leaseweb.com.   fake av   Broupun Banker () / bofjosorupATmaila.com   16265
2010/06/11_07:42   wXw.fast-scanneronline.org/installer.0022.exe   91.188.60.3   -   fake av   Irving Roberson / robersonAThotmail.com   6851
This site is dangerous at 9 counts: http://www.urlvoid.com/scan/fast-scanneronline.org
2010/06/06_21:09   hibatavay.cn/pr.cgi?id=2979   188.72.225.187   city2007.com.   fake av   hahadelegeAT126.com   28753
2010/06/06_21:09   core2979.hibatavay.cn/d_advare_all.cgi?id=2979   188.72.225.187   city2007.com.   fake av   hahadelegeAT126.com   28753
2010/06/06_21:09   wXw.beautifulsecurityscan.com/ms03/ad   91.212.127.19   -   fake av   Robert Watkins robertwatkinsAThotmailbox.com   49087
2010/06/06_16:37   core2979.mylivejournalchanel.com/stget2.cgi?host=host&id=2979   173.212.245.90   173-212-245-90.hostnoc.net.   fake av   contactATprivacyprotect.org   21788
2010/06/06_16:37   core2979.davirijan.cn/d_advare_all.cgi?id=2979   188.72.225.187   city2007.com.   fake av   hahadelegeAT126.com   28753

pol

jepp. those contained malware. Already collected and submited ......

Asyn · « **Reply #13 on:** June 12, 2010, 11:57:09 PM »

Quote from: Pondus on June 12, 2010, 11:48:14 PM

Maybe malware news ....

Would be news worth to watch..!

asyn

polonus · « **Reply #14 on:** June 13, 2010, 12:14:05 AM »

Hi Asyn,

This is the latest malware craze infected CNN adbanner code

This all in fun, but it is a reality that no code is left alone by the malcreants to scheme another obfuscated injection scheme, the Internet is becoming a scary place for webmaster that want to keep their website's code clean,

polonus

Author Topic: Another fake-av site detected.. (Read 55282 times)

polonus

Another fake-av site detected..

misak

Re: Another fake-av site detected..

polonus

Re: Another fake-av site detected..

polonus

Re: Another fake-av site detected..

polonus

Re: Another fake-av site detected..

Asyn

Re: Another fake-av site detected..

Pondus

Re: Another fake-av site detected..

polonus

Re: Another fake-av site detected..

Pondus

Re: Another fake-av site detected..

Asyn

Re: Another fake-av site detected..

polonus

Re: Another fake-av site detected..

Pondus

Re: Another fake-av site detected..

Pondus

Re: Another fake-av site detected..

Asyn

Re: Another fake-av site detected..

polonus

Re: Another fake-av site detected..