Swatkat's rants

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Monday, 26 January 2009

New rogue: IE-Security

Posted on 06:29 by Unknown
IE-Security is new rogue software that belongs to IEDefender family. The IE-Security installer, ie.exe, is hosted at 216.240.151.112 and http://ie-security.com (216.240.151.135). The user-interface of IE-Security is a rip-off of Microsoft Windows Defender.


VirusTotal scan result of IE-Security installer can be found here. By the way, people at IE-Security provide 27x7 support ;)


Files dropped by IE-Security installer:
%PROGRAMFILES%\IE-Security\ies.s1
%PROGRAMFILES%\IE-Security\ies.s2
%PROGRAMFILES%\IE-Security\ies.s3
%PROGRAMFILES%\IE-Security\ies.s4
%PROGRAMFILES%\IE-Security\iescan.exe
%PROGRAMFILES%\IE-Security\uninstall.exe
%USERPROFILE%\Desktop\IE-Security.lnk
%USERPROFILE%\Start Menu\Programs\IE-Security.lnk

where,
%PROGRAMFILES% is \Program Files\ directory in root-drive,
%USERPROFILE% is \Documents and Settings\UserName\ directory in root-drive.

Registry keys created by IE-Security installer:
HKEY_CURRENT_USER\Software\IE-Security
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "IE-Security"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE-Security

Read More
Posted in | No comments

AntiSpyware 2009 and AntiSpywareBOT: Neighbours in crime!

Posted on 02:38 by Unknown
Well, 590-B Schillinger Rd. South, Mobile, Al, 36695 seems to be the John Doe of addresses. Recently ParetoLogic blog posted about the address of the makers of rogueware AntiSpyware 2009. It seems that the headquarters of 2Squared, makers of rogueware AntiSpywareBOT, is also located in the same street. Even these guys have got a high-tech, high-profile CGI office ;)

Read More
Posted in | No comments

Saturday, 17 January 2009

Fake Obama websites spreading malware

Posted on 10:53 by Unknown
Similar to eCard spam mails, we are now seeing US president-elect Barack Obama themed mails which contain links to fake websites. These sites host a malicious executable and this malware belongs to the same old Storm/Waledac family. One such mail and a fake website (http://donate.superobamadirect.com) are shown in following screenshots:




These fake sites are hosted using fast flux DNS technique - a typical method used by Storm botnet. It can be seen from the following screenshot that the IP address keeps changing frequently:


VirusTotal scan result of the malware can be found here. An automated analysis by ThreatExpert can be found here.
Read More
Posted in | No comments

Wednesday, 7 January 2009

Fake eCard updates

Posted on 11:50 by Unknown
Fake eCard spam mails continue to circulate even after the new-year excitement is settled down. As usual, these mails contain links to downloadable fake greeting cards that are generally named "card.exe" or "postcard.exe".


When executed, these malicious executables turn your PC into a zombie machine that becomes a part of Storm/Waledac botnet (more information can be found here and here).


Newer variants of fake eCard executables (hosted at http://topgreetingsite.com - do NOT visit that site! ) are not detected by many AVs as of now (as seen in VirusTotal scan here). An automated analysis of this file is available at ThreatExpert here.
Read More
Posted in | No comments

Tuesday, 6 January 2009

SysProt AntiRootkit v1.0.0.8 released

Posted on 09:49 by Unknown
A few key improvements were made in driver detection and disabling mechanisms, and hence here's the latest version of SysProt AntiRootkit :) The SysProt AntiRootkit v1.0.0.8 successfully detects and removes Zlob rootkits (TDSServ or Alureon family).

Similar to the steps followed in the case of GMER (as mentioned in the previous post), SysProt AntiRootkit requires two reboots to completely remove rootkit driver and its Registry entry. Following screenshots show SysProt AntiRootkit detecting Zlob rootkit driver and injected DLL:



Steps to remove Zlob rootkit driver:
  • Run SysProt AntiRootkit v1.0.0.8 and click "Kernel Modules" tab.
  • SysProt AntiRootkit shows rootkit/hidden drivers in red color. Click on the rootkit driver's entry and the click "Disable"
  • Reboot the PC
  • Repeat steps 1 to 3 (SysProt AntiRootkit will detect the same rootkit driver again)
Now, all the malicious files dropped by Zlob should be unrooted and hence "visible" to standard anti-malware scanners.

More information, changelog and download link for SysProt AntiRootkit v1.0.0.8 can be found at following locations:
MajorGeeks
Softpedia
SysProt AntiRootkit primary download page

Feedbacks are welcome :)
Read More
Posted in SysProt AntiRootkit, TDSServ rootkit removal, Zlob rootkit | No comments
Newer Posts Older Posts Home
Subscribe to: Posts (Atom)

Popular Posts

  • Ax Video Plugin
    Ax Video Plugin is one of the latest fake codec/plugin in the block. The site http://axvideodownload.com/ uses the same old fake "Vide...
  • Spyware Guard 2008
    Spyware Guard 2008 is a new rogue application. Does that name sound familiar? Well, yes, there is a legitimate application named SpywareGuar...
  • Javacool EULAlyzer!
    Have you ever read those ultra-long EULA (End User License Agreement) pages while you are installing any software? I think no one will read ...
  • Zlob brings back fake MP3s!
    Last August, I had blogged about Zlob gang using fake MP3 download sites to push their malware (link here ). Afterwards, we started to see m...
  • Myphonegames.co.uk hacked?!
    It seems that some pages of a mobile-phone games website www.myphonegames.co.uk have been hacked to execute malicious looking Javascript. A...
  • twitcurl - C++ twitter API library
    twitcurl is an open-source pure C++ library for twitter REST APIs. Currently, it has support for most of the twitter APIs and it will be upd...
  • DomPlayer - Rogue Multimedia Player
    DomPlayer is a new rogue multimedia player on the loose. The gang behind DomPlayer is making use of fake video files (available as torrents)...
  • Some new malware - a.exe, gop.exe etc
    We have some "new" malware this time, ranging from trojans to rootkits. One of them is a trojan which detected by some of the AVs ...
  • ThinkPoint rogue antivirus
    ThinkPoint is a new addition to the long list of rogue antivirus programs. ThinkPoint uses fake codec download tricks for its distribution. ...
  • Removing Mailbot.AZ (aka Rustok.A) Rootkit
    Mailbot.AZ (also known as PE386 or Rustock.A) is a kernel mode rootkit backdoor virus. It contains only one file-its driver-and it is stored...

Categories

  • a.exe
  • Autohotkey
  • C++
  • fake mp3 downloads
  • gop.exe
  • NewMediaCodec
  • OAuth
  • Orkut hating virus
  • Privacy Protector
  • rootkit
  • SysProt AntiRootkit
  • TDSServ rootkit removal
  • twitCurl
  • twitter
  • Udefender
  • Ultimate Cleaner
  • vdo_
  • Zlob
  • Zlob rootkit

Blog Archive

  • ►  2013 (1)
    • ►  June (1)
  • ►  2010 (6)
    • ►  October (2)
    • ►  September (2)
    • ►  July (1)
    • ►  April (1)
  • ▼  2009 (12)
    • ►  September (1)
    • ►  May (1)
    • ►  April (1)
    • ►  March (4)
    • ▼  January (5)
      • New rogue: IE-Security
      • AntiSpyware 2009 and AntiSpywareBOT: Neighbours in...
      • Fake Obama websites spreading malware
      • Fake eCard updates
      • SysProt AntiRootkit v1.0.0.8 released
  • ►  2008 (44)
    • ►  December (6)
    • ►  November (6)
    • ►  October (4)
    • ►  September (15)
    • ►  August (2)
    • ►  June (2)
    • ►  May (1)
    • ►  April (1)
    • ►  March (6)
    • ►  January (1)
  • ►  2007 (38)
    • ►  December (1)
    • ►  November (2)
    • ►  October (9)
    • ►  September (2)
    • ►  August (8)
    • ►  July (11)
    • ►  June (3)
    • ►  March (2)
  • ►  2006 (6)
    • ►  September (1)
    • ►  August (2)
    • ►  May (1)
    • ►  February (2)
  • ►  2005 (30)
    • ►  December (2)
    • ►  November (2)
    • ►  October (4)
    • ►  September (5)
    • ►  August (11)
    • ►  July (6)
Powered by Blogger.

About Me

Unknown
View my complete profile