Author Topic: Another fake-av site detected..  (Read 56148 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33998
  • malware fighter
Another fake-av site detected..
« on: June 04, 2010, 09:37:53 PM »
Hi malware fighters,

Fake-av found here:
Here is a complete list:

Threat Name:    Trojan.FakeAV!gen24
Location:    htxp://052a55.topwestsecure.com/download/DistAV_2013_b8.exe

   
Threat Name:    Trojan.FakeAV!gen24
Location:    htxp://f1e0c0.topwestsecure.com/download/DistAV_2013_b7.exe
Re: http://www.virustotal.com/analisis/f8ae332e594ad0ac2dcec58a9f3ad0f831b6d62ee4c0e0300d8df81e8548adde-1275605281
See: htxp://jsunpack.jeek.org/dec/go?report=8b7aed3a9e6d72e4b11f28a3673cc682296b3d54
   
Threat Name:    Trojan.FakeAV!gen24
Location:    htxp://ba38c4.topwestsecure.com/download/DistAV_2013_b8.exe
http://www.prevx.com/filenames/975799710197341493-X1/DISTAV_2013_B8%5B1%5D.EXE.html

See: http://www.browserdefender.com/site/topwestsecure.com/
Trend Micro: This URL is currently listed as malicious.

polonus
« Last Edit: June 04, 2010, 09:48:12 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline misak

  • Moderator
  • Sr. Member
  • *
  • Posts: 234
    • Personal page (CZE)
Re: Another fake-av site detected..
« Reply #1 on: June 04, 2010, 11:10:56 PM »
thank you for detail information, detection and URL block will be in next VPS update

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33998
  • malware fighter
Re: Another fake-av site detected..
« Reply #2 on: June 08, 2010, 12:29:03 AM »
Hi malware fighters,

Another Polish fake av spreading site: shamanshop*pl

5 instances of it being found up: #

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://shamanshop.pl/sklep/blog/nate+berkus+show.html
#

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://shamanshop.pl/sklep/blog/danny+aiello.html
#

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://shamanshop.pl/sklep/blog/hostmonster.html
#

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://shamanshop.pl/sklep/blog/david+gallagher.html
#

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://shamanshop.pl/sklep/blog/snapgrades+login.html

Two redirects found there: 302 -> htxp://shamanshop.pl/sklep
                                       301 -> hxtp://shamanshop.pl/sklep/
redirecting scheme: htxp://shamanshop.pl/ redirects to hxtp://shamanshop.pl/sklep

htxp://shamanshop.pl/sklep redirects to htxp://shamanshop.pl/sklep/

polonus
« Last Edit: June 08, 2010, 12:45:14 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33998
  • malware fighter
Re: Another fake-av site detected..
« Reply #3 on: June 09, 2010, 10:57:01 PM »
Another one here:
HTTP Fake AV Redirect Request
Location:    htxp://mygoodoldwebsite.com/ezsee.php?t=gabe%20saporta%20arrested

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://mygoodoldwebsite.com/ezsee.php?t=summer%20jam%202010%20denver

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://mygoodoldwebsite.com/ezsee.php?t=mtv%20music%20awards%202010

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    hxtp://mygoodoldwebsite.com/ezsee.php?t=dean%20s%20blue%20hole

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://mygoodoldwebsite.com/ezsee.php?t=blossom%20music%20center%20website

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    hxtp://mygoodoldwebsite.com/ezsee.php?t=ken%20jeong%20wiki

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://mygoodoldwebsite.com/ezsee.php?t=us%20open%20tennis%202010%20ticket%20prices

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://mygoodoldwebsite.com/ezsee.php?t=blank%20check

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://mygoodoldwebsite.com/ezsee.php?t=wakeboard%20sizing

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    http://mygoodoldwebsite.com/ezsee.php?t=uncle%20phil%20shredder

   

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33998
  • malware fighter
Re: Another fake-av site detected..
« Reply #4 on: June 12, 2010, 11:20:28 PM »
Hi malware fighters, another fake AV redirecting site to include..
2010-06-12 23:14:18 (GMT 1)
Website    schuiling*net
Domain Hash    9c082f0a211d3fc7877cc13d7742c219
IP Address    69.89.22.118
IP Hostname    box118.bluehost.com
IP Country    US (United States)
AS Number    11798
AS Name    BLUEHOST-AS - Bluehost Inc.
Detections    2 / 20 (10 %)


Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://schuiling.net/qamju.php?on=peruvian%20prisons

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://schuiling.net/qamju.php?on=prop%2016%20polling

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://schuiling.net/qamju.php?on=puzzle%20pirates%20forums

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://schuiling.net/qamju.php?on=realm%20status%20addon

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://schuiling.net/qamju.php?on=robert%20mutt%20lange%20and%20marie-anne%20thiebaud

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://schuiling.net/qamju.php?on=strasburg

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    hxtp://schuiling.net/qamju.php?on=taboo%20black%20eyed%20peas%20son

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://schuiling.net/qamju.php?on=us%20open%20tennis%202010%20american%20express

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://schuiling.net/qamju.php?on=virtual%20retinal%20display%20pdf

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://schuiling.net/qamju.php?on=world%20cup%20brackets
presents us with a double redirect, after a failure: <urlopen error no host given>
STATUS suspicious...

polonus

   
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76028
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Another fake-av site detected..
« Reply #5 on: June 12, 2010, 11:24:19 PM »
As always, good work, D. !!
Thanks, friend..!
asyn
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37645
  • F-Secure user
Re: Another fake-av site detected..
« Reply #6 on: June 12, 2010, 11:26:56 PM »
The Fake scanner is gone, the redirect goes to CNN...... ???

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33998
  • malware fighter
Re: Another fake-av site detected..
« Reply #7 on: June 12, 2010, 11:28:43 PM »
And another recent one with 55 threats found,

Threat Name:      HTTP Fake AV Redirect Request
Location:    htxp://skepticalatheist.com/luwhp.php?on=hood%20county%20texas%20tax%20assessor

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://skepticalatheist.com/luwhp.php?on=indiana%20unclaimed%20property%20act

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://skepticalatheist.com/luwhp.php?on=indiana%20unclaimed%20property%20law

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://skepticalatheist.com/luwhp.php?on=iphone%204%20verizon%20release%20date

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://skepticalatheist.com/luwhp.php?on=jaleel%20white%20death

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://skepticalatheist.com/luwhp.php?on=liberty%20bell%20facts

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://skepticalatheist.com/luwhp.php?on=libertybellbank.com

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://skepticalatheist.com/luwhp.php?on=lil%20boosie%20death%20penalty

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://skepticalatheist.com/luwhp.php?on=mario%20treadway%20aka%20mc%20souleye

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://skepticalatheist.com/luwhp.php?on=mlb%20draft%202010%20rankings

polonus

   

  

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37645
  • F-Secure user
Re: Another fake-av site detected..
« Reply #8 on: June 12, 2010, 11:33:31 PM »
Will also send you to CNN ..... :-\    ???

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76028
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Another fake-av site detected..
« Reply #9 on: June 12, 2010, 11:40:58 PM »
Will also send you to CNN ..... :-\    ???

CNN, the new haven of malware..?? ;D
asyn
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33998
  • malware fighter
Re: Another fake-av site detected..
« Reply #10 on: June 12, 2010, 11:44:00 PM »
Well Pondus,

I was re-directed there twice going through the request in malzilla, well here is yesterday's score:
2010/06/11_07:42   firtullgone.com/uy/avs.exe   95.211.29.19   hosted-by.leaseweb.com.   fake av   Broupun Banker () / bofjosorupATmaila.com   16265
2010/06/11_07:42   wXw.fast-scanneronline.org/installer.0022.exe   91.188.60.3   -   fake av   Irving Roberson / robersonAThotmail.com   6851
This site is dangerous at 9 counts: http://www.urlvoid.com/scan/fast-scanneronline.org
2010/06/06_21:09   hibatavay.cn/pr.cgi?id=2979   188.72.225.187   city2007.com.   fake av   hahadelegeAT126.com   28753
2010/06/06_21:09   core2979.hibatavay.cn/d_advare_all.cgi?id=2979   188.72.225.187   city2007.com.   fake av   hahadelegeAT126.com   28753
2010/06/06_21:09   wXw.beautifulsecurityscan.com/ms03/ad   91.212.127.19   -   fake av   Robert Watkins robertwatkinsAThotmailbox.com   49087
2010/06/06_16:37   core2979.mylivejournalchanel.com/stget2.cgi?host=host&id=2979   173.212.245.90   173-212-245-90.hostnoc.net.   fake av   contactATprivacyprotect.org   21788
2010/06/06_16:37   core2979.davirijan.cn/d_advare_all.cgi?id=2979   188.72.225.187   city2007.com.   fake av   hahadelegeAT126.com   28753

pol
« Last Edit: June 12, 2010, 11:47:53 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37645
  • F-Secure user
Re: Another fake-av site detected..
« Reply #11 on: June 12, 2010, 11:48:14 PM »
Will also send you to CNN ..... :-\    ???

CNN, the new haven of malware..?? ;D
asyn

Maybe malware news .... ;D
« Last Edit: June 12, 2010, 11:53:26 PM by Pondus »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37645
  • F-Secure user
Re: Another fake-av site detected..
« Reply #12 on: June 12, 2010, 11:52:48 PM »
Well Pondus,

I was re-directed there twice going through the request in malzilla, well here is yesterday's score:
2010/06/11_07:42   firtullgone.com/uy/avs.exe   95.211.29.19   hosted-by.leaseweb.com.   fake av   Broupun Banker () / bofjosorupATmaila.com   16265
2010/06/11_07:42   wXw.fast-scanneronline.org/installer.0022.exe   91.188.60.3   -   fake av   Irving Roberson / robersonAThotmail.com   6851
This site is dangerous at 9 counts: http://www.urlvoid.com/scan/fast-scanneronline.org
2010/06/06_21:09   hibatavay.cn/pr.cgi?id=2979   188.72.225.187   city2007.com.   fake av   hahadelegeAT126.com   28753
2010/06/06_21:09   core2979.hibatavay.cn/d_advare_all.cgi?id=2979   188.72.225.187   city2007.com.   fake av   hahadelegeAT126.com   28753
2010/06/06_21:09   wXw.beautifulsecurityscan.com/ms03/ad   91.212.127.19   -   fake av   Robert Watkins robertwatkinsAThotmailbox.com   49087
2010/06/06_16:37   core2979.mylivejournalchanel.com/stget2.cgi?host=host&id=2979   173.212.245.90   173-212-245-90.hostnoc.net.   fake av   contactATprivacyprotect.org   21788
2010/06/06_16:37   core2979.davirijan.cn/d_advare_all.cgi?id=2979   188.72.225.187   city2007.com.   fake av   hahadelegeAT126.com   28753

pol
jepp. those contained malware. Already collected and submited ...... ;)
« Last Edit: June 13, 2010, 12:05:21 AM by Pondus »

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76028
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Another fake-av site detected..
« Reply #13 on: June 12, 2010, 11:57:09 PM »
Maybe malware news .... ;D

Would be news worth to watch..! ;D
asyn
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33998
  • malware fighter
Re: Another fake-av site detected..
« Reply #14 on: June 13, 2010, 12:14:05 AM »
Hi Asyn,

This is the latest malware craze infected CNN adbanner code  ;D
This all in fun, but it is a reality that no code is left alone by the malcreants to scheme another obfuscated injection scheme, the Internet is becoming a scary place for webmaster that want to keep their website's code clean,

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!