Topic: Another fake-av site detected..

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Another fake-av site detected..
« Reply #30 on: August 22, 2010, 11:33:18 PM »
Hi malware fighters,

Another fake av detected here:
Threat Name: Trojan.FakeAV (avast detects as Win32:Trojan-gen)
Location: htxp://abodeflash-vol33.co.tv/om/ms.php
The site is infested with Mal/FakeAV-CX
Re: http://www.threatexpert.com/report.aspx?md5=57b1187f07968de0f2e203b70d972c5f
Chinese security info on this malcode: http://www.antivirus365.org/PCAntivirus/14112.html
http://vscan.urlvoid.com/analysis/670d26f0bda43fba8d3bdbf7f3442ffa/bXMtcGhw/

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Re: Another fake-av site detected..
« Reply #31 on: September 03, 2010, 09:19:22 PM »
Hi another fake-av here:

Total threats found: Drive-By Downloads

Threats found: 27
e.g.
Threat Name: HTTP Fake AV Redirect Request
Location: htxp://alamito.com/swwrz.php?m=seamless%20web%20backgrounds

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://alamito.com/swwrz.php?m=sean%20foley%20swing%20coach

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://alamito.com/swwrz.php?m=showboat%20texas%20city

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://alamito.com/swwrz.php?m=sonoma%20state%20university%20jobs

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://alamito.com/swwrz.php?m=superhead%20video%20vixen%20book

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://alamito.com/swwrz.php?m=ted%20stevens%20international%20airport

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://alamito.com/swwrz.php?m=ted%20stevens%20wiki

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://alamito.com/swwrz.php?m=trevor%20ariza%20nba

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://alamito.com/swwrz.php?m=true%20blood%20season%203%20episode%208%20megavideo

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://alamito.com/swwrz.php?m=west%20end%20shows

polonus

Offline polonus

Re: Another fake-av site detected..
« Reply #32 on: March 18, 2011, 07:39:49 PM »
Detected e.g.: htxp://trafficplaza.co.uk/images/images/media/msg=8044.html
infected with JS/Tenia.b
and 366 other threats on the mentioned domain:
See: http://www.virustotal.com/url-scan/report.html?id=3a6bb172f4a466cd37ef42c6fb8b827d-1300468922
See: http://www.virustotal.com/file-scan/report.html?id=9b11d70c2b1fccb35ad61f79529a2696a06f1d4b86cf1575c59ea3a78ef3a40f-1300472576
Unmasked Parasites gives: The last time suspicious content was found at this site was on 2011-03-15.
Malicious software includes 8 scripting exploits.
This generic detection covers obfuscated scripts in which malicious iFrames are appended to the end of an HTML page, i.e. after the </HTML> tag.
Malicious software has been hosted on 1 domain, e.g. clint-eastwood dot cn/.

This site was hosted on 1 network including AS29671 (SERVAGE).

Computer symptoms upon infection are:
Unexpected connection to the unsafe domains frequently,
New added Registry keys files detailed or Registry modification,
System always crashes for no man-made reason at all,
The memory of your System reduces unusually.

polonus
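Added example, not part of polonus's post or of the quoted report: a defender-side check for the pattern described in Reply #32, where iframes or scripts are appended after the closing </HTML> tag of a page. The function names and the two sample pages are constructed for illustration.

```python
import re

# Closing tag, tolerant of case and stray spaces such as "< /HTML >".
HTML_CLOSE = re.compile(r"<\s*/\s*html\s*>", re.I)
# Elements that load or run content and do not belong after the document end.
ACTIVE_TAG = re.compile(r"<\s*(iframe|script|object|embed)\b[^>]*>", re.I)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
HIDDEN = re.compile(
    r"""(?:width|height)\s*=\s*["']?0(?![\d.])|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.I)
COMMENT = re.compile(r"<!--.*?-->", re.S)


def trailing_markup(html):
    """Return the text after the first </html> tag, HTML comments removed."""
    close = HTML_CLOSE.search(html)
    if close is None:
        return ""  # no closing tag, so there is no "after the document"
    return COMMENT.sub("", html[close.end():]).strip()


def find_appended_elements(html):
    """List active elements that appear after the closing </html> tag."""
    findings = []
    for tag in ACTIVE_TAG.finditer(trailing_markup(html)):
        src = SRC_ATTR.search(tag.group(0))
        findings.append({
            "tag": tag.group(1).lower(),
            "src": src.group(1) if src else None,
            "hidden": bool(HIDDEN.search(tag.group(0))),
        })
    return findings


# Constructed sample pages (not taken from any site named in this thread).
CLEAN_PAGE = "<html><body><iframe src='/map'></iframe></body></html>\n<!-- cached -->\n"
INJECTED_PAGE = (
    "<HTML><body><p>Welcome</p></body>< /HTML >\n"
    '<iframe src="http://injected.example.invalid/in.php" width="0" height="0">'
    "</iframe><script>/* placeholder for an obfuscated blob */</script>"
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, find_appended_elements(page))
```

Any finding on a site's own pages is a reason to compare the served file with a known-good copy, since legitimate templates end at the closing tag.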

Offline polonus

Re: Another fake-av site detected..
« Reply #33 on: March 25, 2011, 10:02:43 PM »
This one is not being detected, see over one hundred instances of Fake AV Website 5,
see: http://safeweb.norton.com/report/show?name=kylesheart.com
scanned this one at virustotal: htxp://kylesheart.com/zcobm.php?on=tekstovi%20pjesama
accompanying file scan: http://www.virustotal.com/file-scan/report.html?id=674faded451ce38bea28854cb4b4eb3790cd728dcc02b4eff07e181e9f511b68-1301086476
also see: http://safeweb.norton.com/buzz

polonus
« Last Edit: March 26, 2011, 12:43:17 AM by polonus »

Offline polonus

Re: Another fake-av site detected..
« Reply #34 on: April 10, 2011, 10:30:48 PM »
Hi folks,

Another fake-av not detected by avast, resides here: htxp://ksu-antispyware.co.cc/fast-scan/
Detected here: http://www.virustotal.com/url-scan/report.html?id=7069774e14deabae6eaade4b11b85163-1302459072
File analysis: 3/42 (7.1%)
http://www.virustotal.com/file-scan/report.html?id=4536e20094bf07f94b28f9892997ea339387fb3fc4e0713e50c8793c0f873caf-1302466596
See Wepawet analysis: benign, but has a big hunk of obfuscated code,
ksu-antispyware.co.cc/fast-scan/
This online html scrambler obfuscator was being used: http://www.voormedia.com/en/tools/html-obfuscate-scrambler.php

polonus

Offline polonus

Re: Another fake-av site detected..
« Reply #35 on: April 10, 2011, 11:37:12 PM »
Hi folks,

Further info on:  htxp://ksu-antispyware.co.cc/fast-scan/
Initially most likely "TROJAN.HTML.FRAUD!IK" will not appear because it is in IE temp. location,
but it will reveal itself with the proper cleansing routine...

Detected here by both Emsisoft and Ikarus, see: http://vscan.urlvoid.com/analysis/b76bcbe66e85fda63615359905b06bdc/ZmFzdC1zY2Fu/

Site is blacklisted here: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=ksu-antispyware.co.cc
and here as infected with Fake App Attack: Fake AV Notification Alert:
http://safeweb.norton.com/report/show?url=ksu-antispyware.co.cc

pol
« Last Edit: April 11, 2011, 12:06:23 AM by polonus »

Krelnadi

  • Guest
Re: Another fake-av site detected..
« Reply #37 on: April 14, 2011, 12:42:19 AM »
New variants for the Antispy2011setup.exe

htxp://protectinstallxpvirusnow.com
htxp://protectxpscanvirus.com


Both are redirected from ads and Avast does not detect them. Ran into it twice on 2 separate websites.
« Last Edit: April 14, 2011, 12:48:14 AM by Krelnadi »

spg SCOTT

  • Guest
Re: Another fake-av site detected..
« Reply #38 on: April 14, 2011, 02:01:13 AM »
I get a 404 on both of those...

Do you have the files, to add to the chest and send to avast?

Krelnadi

  • Guest
Re: Another fake-av site detected..
« Reply #39 on: April 14, 2011, 02:05:54 AM »
The sites may have been brought down or changed.

When I got redirected to the site I got a prompt if I want to run or save Antispy2011setup.exe after it did the fake virus scan.

spg SCOTT

  • Guest
Re: Another fake-av site detected..
« Reply #40 on: April 14, 2011, 02:09:28 AM »
Exactly, and it is that file that is necessary for avast to get so that they can detect it...

Yes, blocking the site is all well and good, but give it a few hours and they have most likely moved on...but without the install file for this rogue, how will it be detected...

iRonzel

  • Guest
Re: Another fake-av site detected..
« Reply #41 on: April 14, 2011, 02:16:35 AM »
Exactly, and it is that file that is necessary for avast to get so that they can detect it...

Yes, blocking the site is all well and good, but give it a few hours and they have most likely moved on...but without the install file for this rogue, how will it be detected...

voting in avast! Web Rep  :)

and hope an avast! Virus Researcher may do the job.

Krelnadi

  • Guest
Re: Another fake-av site detected..
« Reply #42 on: April 14, 2011, 02:19:43 AM »
I was going to save the file to send it, but was not sure if it would self execute after it was saved.

spg SCOTT

  • Guest
Re: Another fake-av site detected..
« Reply #43 on: April 14, 2011, 12:36:19 PM »
I was going to save the file to send it, but was not sure if it would self execute after it was saved.

Ok, sorry, my comment did seem rather offhand...I would actually be inclined not to encourage users not to try and get the file unless they really know what they are doing...

The best thing to do would be to report the site while it is still active, which would then allow those who are comfortable to get the file. :)

Dieselman

  • Guest
Re: Another fake-av site detected..
« Reply #44 on: April 14, 2011, 12:46:00 PM »
Malware writers recode every day. There is no real purpose in posting this stuff. You can find all your malware links here.

http://malc0de.com/database/

http://www.malwaredomainlist.com/