ATTENTION! Dangerous (BOGUS)AntiVirus Site

Hello. Just an Alert I want to bring to Members Attention, and this may quite innocently happen to anyone looking for AntiVirus Reviews.

Just a few moments ago I searched for "TOP RATED ANTIVIRUS" by using Windows Live Search, and a link to BEST RATED ANTIVIRUS SOFTWARE appears on one of the first links. This link has a preview stating Kaspersky Anti-Virus is the best, and a web address claiming to be pandacomputer, easily mistaken for pandasoftware (Panda AntiVirus) but its not!

DO NOT UNDER ANY CIRCUMSTANCES ATTEMPT TO CLICK THIS LINK! This will tell you the page cannot be viewd without the windows media plugin. This is BULLSHIT! Immediately you will be swamped by Trojans galore trying if not succeeding in installing **** on your PC I clicked on it to look what it said, and Avira Security Suite and Spy Sweeper went Psycho Blocking dozens of attempts of Trojan installations.

I thought it most important to point this out, as anyone could hit this site thinking it would give some reviews, if they are looking for such This has got to be one of the worst Phishing sites around, Unprotected users could have a real mess on their hands if they hit this Site

 

LOL. Posting this here is the same as to put a sign on a button that says "DO NOT PUSH THE BUTTON!"I must try it to see how a restricted account handles this

 

Go on then sukarof, I'll see you in a week or so after your computer melts

 

I ran this test on Vista32. UAC on. Mamutu running in the background. I ran IE7 and Firefox in sandboxie.

Assuming I was on the right site, here is my findings.

First I took IE7 for the ride. I got to the page where it warns me that the page can not be viewed without the windows media plugin. I choose cancel but then it gives the popups again. So I clicked ok. IE7 asks me if I want to download "Setup.exe" I download it.
But nothing else happens.
Nothing executes. no new processes are started (unless it is a very stealth rootkit that doesnt show the process in Processexplorer and that eleveates priviliges without the UAC prompt so the Setup.exe can execute.
No network activity (of course, since no process were started that could initiate it)
I guess you have to run the steup.exe manually to infect your computer?
Did you run IE6 or earlier or another browser? I mean since it executed the setup.exe without your consent?
When I close IE7 it gives me a prompt saying "Watch the full movie" and opens up a window to some porn site.

Then I tried it with Firefox and noscript plugin. I just see the movie window. Nothing els happens. If I click on the movie windows then the setup.exe is downloaded to my hard drive. But nothing more. I tell noscript to allow scripts to run, then I get the same messages as in IE7. Once again I chose to download the setup.exe, but after that nothing more happens.
I then close Firefox. And thats it.

I then did a online scan with the real Kaspersky. I chose the option to scan critical areas. After the very long scan it showed nothing. I then told Kaspersky to scan the sandboxed folder where the setup.exe files where. Still nothing.
After that I did upload the setup.exe to Jottis and virus total. Some AV´s found malware some didnt. Maybe I was on the wrong site?

~Screenshots removed per Policy. - Ron~

 

I ran the setup.exe in a sandbox. It wanted to install a "Multimedia Software" and tried to connect to 85.255.119.242 TCP Port 80

I didnt allow the connection then the installer said it couldnt connect and terminated the install.

 

Anyone actually contacted anyone behind that domain? Just in case it is something they did not do themselves.. ? At least the Whois info smells legit http://whois.domaintools.com/pandacomputer.com

 

Hi

Tried the OP search query and can't see any site/links that resemble what is described

 

I´ve sent them an email that their site might been compromized. With the link you get on the search page you get redirected to a site (in Africa) which tells me that it has found spyware on my computer and pops up a window that wants you to install "AntivirusProInstaller_126.exe"

Now this redirection only happens if I am on "medium high security" in the options for IE7. If I put it on High then it loads the actual adress (which seems to be some sort of advertising site) that might be some sort of scam too
Intrestengly the path says: http://............./online/images/pics/l.....html
But it isnt pics, it´s .html files. I am no expert but it seems like tha bad guys put the .html files into pandacomputer´s.. image folder. There are hundreds of .htlm files named with random letters in that pics folder and all of them are some sort of adverts for stuff. All the links in those pages seems to go to some other of the .htlm files in that folder. Which is kind of strange.

 

I´ve PM´d you with the link if you want to look at it your self.

 

Got it. Thanks.

 

I have had this IP range blocked by my firewall ever since it was mentioned on this thread:

https://www.wilderssecurity.com/showthread.php?t=136452&highlight=gromozon

exerpts from this thread:

https://www.wilderssecurity.com/search.php?searchid=2059857

 

Yep, they're known bogus IPs used to host malware.

@sukarof,
Submit that setup.exe to ThreatExpert if you want to see what it does.

 

Thanks for the link Lucas1985. I have now restored back to a clean snapshot and deleted the one I did the tests on.
But I will keep the link, I didnt know about that one.

 

If you want to grab that sample again, reset your modem/router to get a new IP. Usually, the malware sample doesn't get delivered twice to the same PC (to thwart researching)

 

It's a wordpress Blog page

I cant find any links to executables on this page all are .html + about a few .jpg

I have extracted the primary script...

 

Thank you for the site name. I added it to the Web Security Guard data base as a malware website.

 

Does NOD's IMON module block these sites automatically I wonder?
I'm behind a router (with firewall) and WinXP firewall. Can these sites be added to WinXP firewall as well?

 

Mine did not react to this site at all...
Your firewall cant do anything about cross server scripts or about browser based exploits... Yer on yer own!

 

Hi Hermes, what do you mean by 'Mine did no react to this site at all'?
I use the NoScript plugin in FF, that provides some protection against CSS, right?
What can you suggest as a complementary means of protection against this kind of thing?

 

Hello Stijnson,

NOD32 v.3.0 is my AV and it did not "React" to the content of this site...

Well, Firefox w/NoScript is a good start (Probably the Only Truly effective defense actually), you could use Linkscanner Pro as it would do a pre emptive scan of the url's content and potentially block the hack. I say potentially as I see it fail to detect or block over 60 % of the hostile sites I visit on purpose. (I scan every one of them first using the latest linkscanner Pro) This product would benefit greatly if it had a means for users to report hostiles.

The same could be said of McAfee site advisor, except users in this case at the very least get an opportunity to "Mark" the site and post a warning for others. However as a preemptive mechanism it is not so effective. (Meaning it only detects and block few of the hostiles)

Another "potential" tool to use against these (as manual Pre scan before/after going to the site) is Browser defender or Dr Web URL Scan... I see them both as weak and relatively useless for my own use as one is under development and the other never did impress me much with it's detection.

 

Thanks Hermes.

It's a pity that NOD didn't react to that site. I always thought (and hoped) that IMON (in 2.7) would prevent users from opening/surfing to these kinds of sites. I don't know how the IMON module has been integrated in v3.0 though.

Perhaps I'll try out Linkscanner. NoScript has proven to be quite useful so I'll definitely stick to that.

 

I don't know if you realize this but your Avatar is probably forcing a rush for prozac with many of the peeps here! Ha ha!

As for NoScript... well yes it does work but the only way of knowing what is going on "in the scripts" located on the site is to "Pre View" them in Firebug...

That way you can "Block" the scripts but you are still able to "View" it's content.. Very powerful research tool as you can study it's structure and understand what the SOB's are trying to do to you...

Here is where you can get Firebug!

Have Fun!

 

They can all calm down...it's a very slow loading virus

Thanks for the tip on Firebug! I don't know a lot about code myself, but it's interesting enough to take a look at. Perhaps I'll learn something along the way.