Zlob fake codecs in Google Groups

We have seen so many websites and domains serving Zlob fake codecs and rogue anti-malware applications. Now, the gang behind Zlob is using Google Groups to peddle their junk. Google Groups - with poor security measures and moderation - seems to be an ideal place for these Zlob bots to spread their junk. There are numerous fake pages in different sections of Google Groups, and they look just like YouTube pages. Below screen shot shows one such page:

If you click on the video, it takes you either to a fake codec page or to a rogue application page:


Some of the fake codecs are very new and are poorly detected. Hopefully, AV vendors will add the detections very soon.

Read More

DomPlayer - Rogue Multimedia Player

DomPlayer is a new rogue multimedia player on the loose. The gang behind DomPlayer is making use of fake video files (available as torrents) to spread this malware. Such fake video files instruct users to download and install DomPlayer (from http://download.domplayer.com/) to play the file. Here's a screenshot of DomPlayer's webpage:

Obviously this player is a fake and demands user to purchase it during installation. It doesn't install if you don't transfer money to their accounts!

It is detected by few AVs as Adware.Lop.BJ, Busky.K and Virus.Trojan.Win32.Obfuscated.en, as shown in this VirusTotal scan result:

This player seems to be a descendant of 3wPlayer, which also used fake video files as a means to get installed in a PC. In addition to this, DomPlayer is published/promoted by Cash4Downloads. Cash4Downloads is also affiliated with Adware programs like WinZix, 3wPlayer and NetPumper.

Avoid DomPlayer at any cost ;)

Read More

Attack of the Google clones

So far, we have seen many fake pages of sites like PayPal, eBay etc. which were used for phishing purposes. Now, here are some Google-like sites - www.google-find-it.com and www.qooqqle.com - which offer fake/irrelevant search results.

Here's a screenshot of www.google-find-it.com:

The first two results in www.google-find-it.com always redirect to a dubious looking search engine called www.jacobsearch.com.

And, here's a screenshot of funnily named www.qooqqle.com, with a layout similar to that of Google:

The site qooqqle.com seems to be from the same gang which is behind the Spamdexing site www.klikvipsearch.com.

Read More

Nuwar/Storm Worm update!

The gang behind Storm Worm (a.k.a eCard worm) has once again changed their social engineering tactics and also file names. Now, we get a "Psycho Kitty Card" (whatever that means!) instead of plain old eCards:

When we click on the link, we are presented with a fake web page as usual. Along with this, it plays music too!

And in this iteration of Storm Worm, the drive-by-download is back. The PC will be infected with a variant of Tibs Rootkit just by visiting the page. No need to download or click on anything. Now rootkit files are named as noskrnl.exe, noskrnl.sys and noskrnl.config instead of spooldr.exe, spooldr.sys and spooldr.ini,which were prevalent in older versions. Here are some screenshots showing hidden process, SSDT hooks of the rootkit:


Detections for this Storm Worm variant are pretty good. However, to be on the safer side, delete any of the "Psycho Kitty Card" mails that you might have received!

Read More

www.pravingodkhindi.com hacked?!

Pages of www.pravingodkhindi.com – website of renowned Indian flute artist Pravin Godkhindi - have been injected with malicious Javascript. This script tries to load the page stelaartois.ru/index2.php. Here's a screenshot of Privoxy showing webpages that are requested when www.pravingodkhindi.com is opened in a browser:

Here's a screenshot of the injected Javascript:

More information about stelaartois.ru is available here. This hack is probably an old one as the domain stelaartois.ru is inactive now. It redirects to www.sedoparking.com search page, and doesn't drop any malware. However, webmasters at www.pravingodkhindi.com seems to be unaware of this, and the injected code is not yet cleaned!

Read More

More xvgaoke.cn!

In the previous post, we talked about hacked www.myphonegames.co.uk and the malicious site http://xvgaoke.cn. However, MyPhoneGames is not the only one that is hacked to load scripts from http://xvgaoke.cn. This simple Google search query shows more hacked sites, which load scripts and pages from http://xvgaoke.cn. Here's a snapshot of search results:

DShield.org has more information about this, here.

Read More

Myphonegames.co.uk hacked?!

It seems that some pages of a mobile-phone games website www.myphonegames.co.uk have been hacked to execute malicious looking Javascript. As seen from below screenshot, the script http://xvgaoke.cn/1.js is executed when certain links at Myphonegames are clicked:


This script makes use of iframe and loads an HTML page - http://xvgaoke.cn/1.htm:

This HTML page drops a file named Ntdetect.exe to the root drive:

However, Ntdetect.exe is not actually an executable but it's an HTML file:

This surely is a drive-by-download attempt to drop malware. Even though files that are dropped as of now are non-malicious, this can change at anytime and malicious files can be dropped without knowledge of the user! Finally, here's what Google says about http://xvgaoke.cn:

Read More

The netadv - fake toolbar from Zlob

Gang behind Zlob malware has come up with one more smart way to trick PC users into downloading rogue anti-spyware applications and to make (more) money!

This toolbar, known as The netadv, offers various (fake) features like pop-up blocking, system security test, spyware scan, spam protection etc. Here are some screenshots of this toolbar:


All these toolbar buttons point to various rogue sites which push rogue anti-spyware applications. You are guaranteed to get new applications on almost each click! This fake toolbar also warns us about "possible" adware and spyware infection whenever we visit some "suspicious" sites. Here's one such warning issued by toolbar for Microsoft website;)

So, what happens when we click on "Click Here" link? As you might have guessed, we are taken to some randomly named rogue anti-spyware application's website:

At the time of this writing, detections for The netadv toolbar files are poor. Some info about this malware can be found here. Hopefully detections for this malware will improve soon! If your PC is infected with this malware, you may go through the CastleCops Malware Removal And Prevention to get rid of this.

Read More

SystemErrorFixer and fake system shutdown warning

SystemErrorFixer (www(dot)systemerrorfixer(dot)com) is a relatively new addition to the huge family of rogue anti-spyware software. However, the website uses a little different technique to "force" a PC user to download their tool. When the rogue website is visited, we are greeted with a message box which initiates a 30 seconds countdown to shutdown the system. This is reminiscent of the system shutdown messages of Blaster worm. To avoid the shutdown, we are forced to download a "Prevention Tool". Here's a screenshot:

Nothing happens when the counter reaches zero ;)

Read More

Spot The Not!

Here's small comparison between fake and real PayPal login pages. Spot the phishers!

Read More

Hacked Indian university site serving malware

We have seen many cases wherein US University websites (.EDU) are hacked and made to serve malware and other junk (info here, here)! Now, gang behind those hacking incidents has targeted few Indian University websites too. One "fine" example is www(dot)mlncollegeynr(dot)ac(dot)in, which is the website of Mukand Lal National College, Yamunanagar, Haryana, India. Here's a screenshot of Google search results for this site:

Those entire dubious webpages link to various other rogue sites such as fake search engines, rogue antispyware pushers, Zlob malware installers etc. Here's one such rogue site, reached from links present in hacked college site:

It seems that, Klik gang (info here (pdf)) is responsible for this. But, sadly this seems to be the second time the college’s site is being hacked. First one happened around April 2007, as evident from this site:

Concerned college authorities have informed by email, however haven't heard anything from them yet. Let's hope they will clean up the mess!

Read More

Rogue application pretends as Microsoft Antispyware

So far, we have seen various rogue anti-spyware applications doing rounds of the Internet. However, here's one such rogue application that needs to be mentioned! Because, the website that pushes this rogue application calls itself as "Microsoft Antispyware Center"! Layout of this website is identical to old rogue applications like SpyShredder, MalwareMonitor etc. Here's a screenshot of the website:


Not to mention, the "Online Security Scanner" is fake too. The online scanner "detects" few "high" rated threats and urges to remove them all.


And, when a user clicks on "Remove All", a file named Setup.exe hosted at www(dot)liveupdatesnet(dot)com (do NOT visit this site), will be prompted for download.



And, the authors of this rogue application have paid attention to small details like setting the "Company" attribute in file properties to "Microsoft".


Fortunately, this piece of malware is detected pretty well by AVs. Here's a VirusTotal scan result:

Read More

SysProt AntiRootkit v1.0.0.5 Beta Released!

SysProt AntiRootkit v1.0.05 is out! This new version contains IRP Hooks detection feature and also various other improvements, bug fixes etc. IRP Hooks detection may come handy as some of the new Rootkits are utilizing this technique. One such example is Win32/Cutwail trojan, which hooks IRP_MJ_DEVICE_CONTROL of Tcpip.sys driver.

Here's an overview of SysProt AntiRootkit v1.0.0.5 features:
Hidden process detection and removal
Hidden drivers detection
SSDT Hooks detection and removal
Kernel Inline hooks detection and removal
IRP hooks detection
Sysenter Hook detection
TCP/UDP Ports Info
File System browser
Hidden Services Registry keys detection and removal

SysProt AntiRootkit can be downloaded from here.

Supported OS: Windows 2000/XP/2003

Here are some screen shots:
IRP Hooks:


SSDT Hooks:


Processes:


Hidden Services Registry keys:


Kernel Hooks:

Read More

Nuwar's new avatar!

The ecard worm – also known as Nuwar, Storm Worm, W32/Zhelatin – has changed its strategy again. Now, the gang behind ecard worm is trying to encash the NFL fever. Here's a screenshot of the latest ecard spam mail:



As we can see, the mail claims to provide details about NFL football games. And, when we visit the link given in mail, we are presented with a fake webpage that shows schedules of NFL games. Here's a screenshot of one such webpage:



Surprisingly, there's no drive-by-download this time! But ALL hyperlinks present in that page point to a file named tracker.exe.

The file tracker.exe seems to be slightly different from the old variants (ecard.exe, video.exe etc.) and detections are poor at the time of this writing. Only 9 out of 32 AVs at VirusTotal managed to detect this malware:

File tracker.exe received on 09.08.2007 22:46:16 (CET)
CAT-QuickHeal --- (Suspicious) - DNAScan
eSafe --- Suspicious Trojan/Worm
eTrust-Vet --- Win32/Sintun.AF
F-Secure --- Tibs.gen134
Microsoft --- TrojanDropper:Win32/Nuwar.gen!avkill
Norman --- Tibs.gen134
Sophos --- Mal/Dorf-D
Sunbelt --- VIPRE.Suspicious
Webwasher-Gateway --- Win32.Malware.gen (suspicious)

Additional information
File size: 140521 bytes
MD5: 814fe2cdd86e01a5369def9cd9a13458
SHA1: 4cb7ad77d79286911b1c82c548d7f9e0dcda88d1
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

Tracker.exe, on execution, drops spooldr.exe, spooldr.sys and also patches tcpip.sys in a similar way as mentioned in a previous post here.

Read More

ecard worm turns to YouTube

Ecard worm has changed its social engineering tactics again. Now, links in mails appear as a link to YouTube video. But, they actually point to infected systems. Here are some screenshots showing an example of such mail, and the fake website:


Also, the filename's changed from ecard.exe to sony.exe and/or video.exe.

Read More

Vivacodec - Zlob's new fake codec

Zlob gang has modified their fake codec malware once again! Now, it's vivacodec, hosted at www.vivacodec.com (do NOT visit that website). Similar to the old ones, this new fake codec drops a rootkit. This rootkit uses Winlogon\System subkey to load itself during system startup. Here are the screenshots of rootkit's Registry entry, and hidden file as detected by RootkitRevealer:


Anti-Rootkit tools like F-Secure BlackLight or AVG Anti-Rootkit can be used to automatically remove the rootkit.

Read More