Another fake-av site detected..

[Asyn]

...the Internet is becoming a scary place for webmaster that want to keep their website's code clean,

I know that only too well.
asyn

[polonus]

Hi malware fighters,

Another one reported here:
Website    westernwinds.net
Domain Hash    f75afbc2b730096197625b5e49c7a496
IP Address    66.96.130.112 [SCAN]
IP Hostname    112.130.96.66.static.eigbox.net
IP Country    US (United States)
AS Number    29873
AS Name    BIZLAND-SD - The Endurance International Grou...
Detections    2 / 18 (11 %)
Status    SUSPICIOUS

Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://westernwinds.net/fevcf.php?topic=obama%20address%20to%20students%20transcript

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://westernwinds.net/fevcf.php?topic=pic%20hunter

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://westernwinds.net/fevcf.php?topic=rick%20rubin%20myspace

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://westernwinds.net/fevcf.php?topic=san%20diego%20union%20tribune%20crossword

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    hxtp://westernwinds.net/fevcf.php?topic=san%20diego%20union%20tribune%20newspaper

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://westernwinds.net/fevcf.php?topic=spirit%20airline%20strike

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://westernwinds.net/fevcf.php?topic=svk

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    hxtp://westernwinds.net/fevcf.php?topic=swype%20for%20iphone

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://westernwinds.net/fevcf.php?topic=tony%20award%20winners%202009

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://westernwinds.net/fevcf.php?topic=watch%20true%20blood%20online%20for%20free%20streaming

Redirecting to cnn.com again
Here is where it happens

Code: [Select]

info: [decodingLevel=1] found JavaScript
     error: line:4: SyntaxError: missing ] after element list:
          error: line:4:      [native code]
          error: line:4: ................^
polonus

   

[polonus]

Hi malware fighters,

A recent list from Malware Domain List for fake av:
http://www.malwaredomainlist.com/mdl.php?search=fake+av&colsearch=All&quantity=50

One example given in here: spinpoll.com/iuqdx/qttbbm.php?ff=826284
results
http://scanner.novirusthanks.org/analysis/561d310ada76abefafa70c2afb1f7a10/cXR0YmJtLnBocA==/
http://wepawet.iseclab.org/view.php?hash=0372e8bf9a1d75e118b18830d4ea85fb&t=1276780197&type=js

Triggered code has been made unobtrusive and is legit here,
but the ways in which it can be exploited are obvious,
read: http://www.alstevens.co.uk/a-less-obtrusive-google-analytics-script/
How it recently was exploited read here: http://blog.unmaskparasites.com/2009/03/26/google-analytics-is-an-intermediary-in-malware-distribution/

polonus

[polonus]

Hi malware fighters,

Here is a report about the way the malware is being injected via cross site scripting:
http://cyberinsecure.com/high-ranking-websites-spread-malware-through-cross-site-scripting-vulnerabilities/
It’s embedding iframes to redirect and

  [=/quote]The last chunk of test is hexadecimal-encoded HTML that redirects users to ask5.eu (do not visit, see: http://www.siteadvisor.com/sites/ask5.eu ), and 1 suspicious inline script found, for this script see: http://jsunpack.jeek.org/dec/go?report=b413e5b967fa38a1d2dea332d601417ac034c41d   with a undefined function parent.location.replace
to an apparent pr0n site...

A series of redirect links ultimately leads to a site that looks similar to a Microsoft Windows screen with a popup claiming the PC is overrun with malware. The user is prompted to download rogue anti-virus to fix the imaginary problem.

While it’s not the most convincing attack we’ve ever seen, there’s nothing to stop attackers from using the same technique to push web-based exploits, say the Adobe Reader zero-day attack that’s now circulating in the wild.

The links work because appleinsider.com and the rest of the sites being abused fail to filter out harmful characters used in XSS attacks. Here are a few examples with some of the malicious XSS advertisements (do not follow these or other “hxxp” URLs below): http://cyberinsecure.com/wp-content/uploads/2009/12/xss.png (click to enlarge)
[=/quote]

polonus

[polonus]

Fake AV,

A good read-up on the subject can be found here: http://www.usenix.org/event/leet10/tech/full_papers/Rajab.pdf
(advized by Google coders)

polonus

[polonus]

Hi malware fighters,

Another fake av site detected: versusspywareguard.com
Threat Name:      HTTP Fake Antivirus WebPage Request 2
Location:    htxp://6de46b37e.versusspywareguard.com/stream1/cacnpr/fhlcnalhnd/fcllfmfhdl.html

   
Threat Name:    HTTP Fake Antivirus WebPage Request 2
Location:    htxp://0639945.versusspywareguard.com/stream1/cafm/phddqcmrcc/fcllfmfral.html

Another source to look at from secubox labs: http://internetpol.fr/mw/

polonus

[polonus]

Hi malware fighters,

Another fake av site:rodaco.org
Domain Hash    94f43071befdbcaf02482e09e2a7a3ef
IP Address    66.96.131.89 [SCAN]
IP Hostname    89.131.96.66.static.eigbox.net
IP Country    US (United States)
AS Number    29873
AS Name    BIZLAND-SD - The Endurance International Group

:
Threat Name:    HTTP Fake AV Redirect Request
Location:    hxtp://rodaco.org/vlruf.php?pageid=april%20fools%20day%20history

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://rodaco.org/vlruf.php?pageid=auhsd

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://rodaco.org/vlruf.php?pageid=cesar%20chavez%20biography

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://rodaco.org/vlruf.php?pageid=fledgling%20foundation

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://rodaco.org/vlruf.php?pageid=siohvaughn%20wade%20std

polonus

   

[polonus]

Hi malware fighters,

And another one of the fake av drive-by-downloads detected here:


Threats found: 6
Here is a complete list:
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://angrystot.com/press/?showc=7+11+locator

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://angrystot.com/press/?showc=anthony+morrow

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://angrystot.com/press/?showc=dani+jarque

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://angrystot.com/press/?showc=dream+15

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://angrystot.com/press/?showc=flugtag

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    hxtp://angrystot.com/press/?showc=gary+air+show

polonus   

 

[polonus]

Hi malware fighters,

Another one from Moldova:
 Threats found: 58
Here a sample of them:
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://lariska12.osa.pl/in.php?t=cc&d=30-06-2010_t_0107_08&h=baby-shower-4u.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fnum%3D100%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3D%EF%BB%BFThe%2BTwilight%2BSaga%3A%2BEclipse

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://lariska12.osa.pl/in.php?t=cc&d=30-06-2010_t_0107_08&h=bluehillsmoto.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fnum%3D100%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3D%EF%BB%BFThe%2BTwilight%2BSaga%3A%2BEclipse

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://lariska12.osa.pl/in.php?t=cc&d=30-06-2010_t_0107_08&h=comnicity.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fnum%3D100%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3D%EF%BB%BFThe%2BTwilight%2BSaga%3A%2BEclipse

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://lariska12.osa.pl/in.php?t=cc&d=30-06-2010_t_0107_08&h=donsrcmodels.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fnum%3D100%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3D%EF%BB%BFThe%2BTwilight%2BSaga%3A%2BEclipse

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://lariska12.osa.pl/in.php?t=cc&d=30-06-2010_t_0107_08&h=earlsauction.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fnum%3D100%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3D%EF%BB%BFThe%2BTwilight%2BSaga%3A%2BEclipse

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://lariska12.osa.pl/in.php?t=cc&d=30-06-2010_t_0107_08&h=helix-x.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fnum%3D100%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3D%EF%BB%BFThe%2BTwilight%2BSaga%3A%2BEclipse

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    hxtp://lariska12.osa.pl/in.php?t=cc&d=30-06-2010_t_0107_08&h=kalpulli.org&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fnum%3D100%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3D%EF%BB%BFThe%2BTwilight%2BSaga%3A%2BEclipse

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://lariska12.osa.pl/in.php?t=cc&d=30-06-2010_t_0107_08&h=kwzone.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fnum%3D100%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3D%EF%BB%BFThe%2BTwilight%2BSaga%3A%2BEclipse

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://lariska12.osa.pl/in.php?t=cc&d=30-06-2010_t_0107_08&h=kwzone.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fnum%3D100%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3Declipse%2Bpremiere

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://lariska12.osa.pl/in.php?t=cc&d=30-06-2010_t_0107_08&h=marylandvisiontherapy.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fnum%3D100%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3Declipse%2Bpremiere

   
    Virus
Threats found: 1 Analyzed this trojan further below...
Here is a complete list:
Threat Name:    Downloader  avast detects as Win32:Downloader-ECU now as Win32:Downloader-ECU [Trj]
Location:    htxp://zhengshu.osa.pl/zhengshu/zhengshuw.exe    (other file is zhengshu.exe)
Infected with Mal/Downldr-AL
经过扫描，其中 0/6 款杀毒软件检测到zhengshuw[1].exe 含有病毒木马及可疑风险! ... 文件百科提供的内容不够完善？立即去论坛讨论zhengshuw[1].exe >>
htxp://58.251.57.206/down?cid=3D228BFFBDF06C63A04E66BA3D14FB880FE1E892&t=2&fmt=&usrinput=%E6%9A%B4%E9%A3%8E%E5%BD%B1%E9%9F%B3&dt=2018000&ps=0_0&rt=0kbs&plt=0&spd=9
Is in this list: http://malwarepatrol.com.br/cgi/submit?action=list_mcf
http://www.prevx.com/filenames/719191126558992567-X1/ZHENGSHU.EXE.html
and
http://scanner.novirusthanks.org/analysis/35d82b779d33dd59129769d614465b86/emhlbmdzaHV3LmV4ZQ==/

See: http://wepawet.iseclab.org/view.php?hash=40910560e9eb16905f511b33a1355c7f&t=1279382964&type=js
and
http://www.virustotal.com/analisis/9469a349c50038c798801a0ba64d42f5e8c699c62a37c3d06f23db905e848018-1279279124

pol



   

 

[polonus]

Hi malware fighters,


       Drive-By Downloads   

Threats found: 25
Here is a sample:
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://barbolafuneralchapel.com/cbyrt.php?off=roy%20williams%20youtube

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://barbolafuneralchapel.com/cbyrt.php?off=s1%20homes

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://barbolafuneralchapel.com/cbyrt.php?off=schnepf%20farms%20twitter

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    hxtp://barbolafuneralchapel.com/cbyrt.php?off=sertraline%20and%20alcohol

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://barbolafuneralchapel.com/cbyrt.php?off=shukufuku%20no%20campanella%20ep%201

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://barbolafuneralchapel.com/cbyrt.php?off=shukufuku%20no%20campanella%20tv

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://barbolafuneralchapel.com/cbyrt.php?off=stella%20marie%20ray

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    hxtp://barbolafuneralchapel.com/cbyrt.php?off=watch%20one%20piece

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    hxtp://barbolafuneralchapel.com/cbyrt.php?off=world%20cup%20finals

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://barbolafuneralchapel.com/cbyrt.php?off=www.applegiftgiveaway.info

Might have been removed!

polonus
   

 

[polonus]

Hi malware fighters,

Another one here:  Threats found: 1
Here is a complete list:
Threat Name:    Trojan.FakeAV
Location:    htxp://trafok.in/modulesetup70700.exe

A dangerous website according to several sources: http://www.urlvoid.com/scan/trafok.in
Mazilla found this:
<!-- The padding to disable MSIE's friendly error page -->
<!-- The padding to disable MSIE's friendly error page -->
<!-- The padding to disable MSIE's friendly error page -->
<!-- The padding to disable MSIE's friendly error page -->
<!-- The padding to disable MSIE's friendly error page -->
<!-- The padding to disable MSIE's friendly error page -->
With the avast shield that gave a JS:ScriptDC-inf[Trj] warning for a malware download,

And another one here:
hreat Name:      HTTP Fake AV Redirect Request
Location:    htxp://utu974.com/sgfsj.php?on=charlie%20wilsons%20war%20wiki

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://utu974.com/sgfsj.php?on=cydia%20ipad

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://utu974.com/sgfsj.php?on=dickssportinggoods%20application

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://utu974.com/sgfsj.php?on=endhiran%20trailer

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://utu974.com/sgfsj.php?on=jailbreakme%202010

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://utu974.com/sgfsj.php?on=kristen%20mcmenamy%20gray%20hair

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://utu974.com/sgfsj.php?on=mitzi%20kapture%20imdb

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://utu974.com/sgfsj.php?on=mitzi%20kapture%20movies

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://utu974.com/sgfsj.php?on=the%20joe%20schmo%20show

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://utu974.com/sgfsj.php?on=yani%20tseng%20caddie

   See: http://www.urlvoid.com/scan/utu974.com


polonus

[Pondus]

VirusTotal - modulesetup70700.exe - 11/42
http://www.virustotal.com/analisis/ef3df69693dc5906ee2b88e4ae134ff74eeb99298d19c27bde9367ef05cf8260-1281125582

and it is already in avast inbox.....

[polonus]

Hi malware fighters,

Another one here:
Threat Name:      HTTP Fake AV Redirect Request
Location:    htxp://wisneski.net/woaoc.php?a=care%20credit%20providers

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://wisneski.net/woaoc.php?a=dickssportinggoods%20in%20store%20coupons

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://wisneski.net/woaoc.php?a=ernesto%20miranda%20grave

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://wisneski.net/woaoc.php?a=hansen%20clarke%20michigan

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://wisneski.net/woaoc.php?a=haskell%20invitational%20monmouth%20park

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://wisneski.net/woaoc.php?a=mine%20lyrics

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://wisneski.net/woaoc.php?a=quintuplets%20blog

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    htxp://wisneski.net/woaoc.php?a=quintuplets%20dionne

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    hxtp://wisneski.net/woaoc.php?a=santa%20monica%20college%20nursing

   
Threat Name:    HTTP Fake AV Redirect Request
Location:    hxtp://wisneski.net/woaoc.php?a=unigo%20emory

Re: http://www.urlvoid.com/scan/wisneski.net

polonus

   

 

[iRonzel]

One more for your collection:

fotonpl.co.cc/a/exe.exe

[iRonzel]

The family form the above post:

fotonpl.co.cc/a/l.php