ATTENTION! Dangerous (BOGUS)AntiVirus Site

Discussion in 'other security issues & news' started by DVD+R, Feb 4, 2008.

Thread Status:
Not open for further replies.
  1. DVD+R

    DVD+R Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    1,979
    Location:
    The Antipodes
    Hello. Just an Alert I want to bring to Members' Attention, and this may quite innocently happen to anyone looking for AntiVirus Reviews.

    Just a few moments ago I searched for "TOP RATED ANTIVIRUS" by using Windows Live Search, and a link to BEST RATED ANTIVIRUS SOFTWARE appears on one of the first links. This link has a preview stating Kaspersky Anti-Virus is the best, and a web address claiming to be pandacomputer, easily mistaken for pandasoftware (Panda AntiVirus), but it's not!

    DO NOT UNDER ANY CIRCUMSTANCES ATTEMPT TO CLICK THIS LINK! This will tell you the page cannot be viewed without the Windows Media plugin. This is BULLSHIT! Immediately you will be swamped by Trojans galore trying, if not succeeding, in installing **** on your PC. I clicked on it to look at what it said, and :eek: :eek: Avira Security Suite and Spy Sweeper went Psycho :blink: blocking dozens of attempts at Trojan installations.

    I thought it most important to point this out, as anyone could hit this site thinking it would give some reviews, if they are looking for such :ninja: This has got to be one of the worst Phishing sites around. Unprotected users could have a real mess on their hands if they hit this Site :eek:
     
  2. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    LOL. Posting this here is the same as putting a sign on a button that says "DO NOT PUSH THE BUTTON!" I must try it to see how a restricted account handles this :ninja:
     
  3. DVD+R

    DVD+R Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    1,979
    Location:
    The Antipodes
    Go on then sukarof, I'll see you in a week or so after your computer melts :ninja:
     
  4. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    I ran this test on Vista32. UAC on. Mamutu running in the background. I ran IE7 and Firefox in Sandboxie.

    Assuming I was on the right site, here are my findings.

    First I took IE7 for the ride. I got to the page where it warns me that the page cannot be viewed without the Windows Media plugin. I chose cancel, but then it gives the popups again. So I clicked OK. IE7 asks me if I want to download "Setup.exe". I download it.
    But nothing else happens.
    Nothing executes. No new processes are started (unless it is a very stealthy rootkit that doesn't show the process in Process Explorer and that elevates privileges without the UAC prompt so the Setup.exe can execute).
    No network activity (of course, since no process was started that could initiate it).
    I guess you have to run the setup.exe manually to infect your computer?
    Did you run IE6 or earlier or another browser? I mean, since it executed the setup.exe without your consent?
    When I close IE7 it gives me a prompt saying "Watch the full movie" and opens up a window to some porn site.

    Then I tried it with Firefox and the NoScript plugin. I just see the movie window. Nothing else happens. If I click on the movie window then the setup.exe is downloaded to my hard drive. But nothing more. I tell NoScript to allow scripts to run, then I get the same messages as in IE7. Once again I chose to download the setup.exe, but after that nothing more happens.
    I then close Firefox. And that's it.

    I then did an online scan with the real Kaspersky. I chose the option to scan critical areas. After the very long scan it showed nothing. I then told Kaspersky to scan the sandboxed folder where the setup.exe files were. Still nothing.
    After that I uploaded the setup.exe to Jotti's and VirusTotal. Some AVs found malware, some didn't. Maybe I was on the wrong site?

    ~Screenshots removed per Policy. - Ron~
     
    Last edited by a moderator: Feb 4, 2008
  5. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    I ran the setup.exe in a sandbox. It wanted to install a "Multimedia Software" and tried to connect to 85.255.119.242 TCP Port 80.
    I didn't allow the connection; then the installer said it couldn't connect and terminated the install.
     
  6. lordpake

    lordpake Registered Member

    Joined:
    Aug 7, 2004
    Posts:
    563
    Location:
    Helsinki ~ European Union
  7. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Hi

    Tried the OP search query and can't see any site/links that resemble what is described o_O
     
  8. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    I've sent them an email that their site might have been compromised. With the link you get on the search page you get redirected to a site (in Africa) which tells me that it has found spyware on my computer and pops up a window that wants you to install "AntivirusProInstaller_126.exe".

    Now this redirection only happens if I am on "medium high security" in the options for IE7. If I put it on High then it loads the actual address (which seems to be some sort of advertising site) that might be some sort of scam too.
    Interestingly, the path says: http://............./online/images/pics/l.....html
    But it isn't pics, it's .html files. I am no expert, but it seems like the bad guys put the .html files into pandacomputer's image folder. There are hundreds of .html files named with random letters in that pics folder and all of them are some sort of adverts for stuff. All the links in those pages seem to go to some other of the .html files in that folder. Which is kind of strange.
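An added example (not code from any poster in this thread) showing the defender's side of what sukarof describes above: a script that walks a web root, flags HTML files sitting inside image directories, and counts how many of them have random-looking names. The directory names, the name heuristic, and the constructed temp-folder layout it scans are all assumptions made for this example.

```python
import os
import re
import tempfile

# Directory names that should hold only images (assumed list for this example)
IMAGE_DIR_NAMES = {"images", "img", "pics", "pictures", "thumbs"}
HTML_EXTS = {".html", ".htm"}
# Heuristic: a long lowercase alphanumeric stem with few vowels, e.g. "lkqzrtw"
_RANDOM_STEM = re.compile(r"^[a-z0-9]{6,}$")


def looks_random(stem):
    """True if the filename stem resembles a randomly generated name."""
    if not _RANDOM_STEM.match(stem):
        return False
    vowels = sum(c in "aeiou" for c in stem)
    return vowels / len(stem) < 0.25


def scan_webroot(root):
    """Map each image directory (relative, '/'-separated) to the HTML files in it."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath).lower() not in IMAGE_DIR_NAMES:
            continue
        html = sorted(f for f in files if os.path.splitext(f)[1].lower() in HTML_EXTS)
        if html:
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            findings[rel] = html
    return findings


def summarize(findings):
    """Per directory: number of HTML files and how many have random-looking names."""
    out = {}
    for d, files in findings.items():
        rand = sum(looks_random(os.path.splitext(f)[0].lower()) for f in files)
        out[d] = {"html_files": len(files), "random_names": rand}
    return out


def build_fixture():
    """Constructed web root mimicking the thread's description; returns its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    pics = os.path.join(root, "online", "images", "pics")
    os.makedirs(pics)
    for name in ["logo.jpg", "banner.gif", "lkqzrtw.html", "xpvtmqd.html", "readme.html"]:
        open(os.path.join(pics, name), "w").close()
    os.makedirs(os.path.join(root, "blog"))
    open(os.path.join(root, "blog", "index.html"), "w").close()  # legitimate, not flagged
    return root


if __name__ == "__main__":
    for d, s in summarize(scan_webroot(build_fixture())).items():
        print(d, s)
```

On a real server, run scan_webroot against the document root and compare the result against a known-good listing; a directory that should only hold images but reports dozens of random-named HTML files is the pattern described in the post.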
     
  9. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    I've PM'd you with the link if you want to look at it yourself.
     
  10. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Got it. Thanks.
     
  11. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    351
  12. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
  13. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    Thanks for the link Lucas1985. I have now restored back to a clean snapshot and deleted the one I did the tests on.
    But I will keep the link; I didn't know about that one.
     
  14. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    If you want to grab that sample again, reset your modem/router to get a new IP. Usually, the malware sample doesn't get delivered twice to the same PC (to thwart researching).
     
  15. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    It's a WordPress Blog page.

    I can't find any links to executables on this page; all are .html plus a few .jpg.

    I have extracted the primary script...
     
  16. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    Thank you for the site name. I added it to the Web Security Guard database as a malware website.
     
  17. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Does NOD's IMON module block these sites automatically I wonder?
    I'm behind a router (with firewall) and WinXP firewall. Can these sites be added to WinXP firewall as well?
     
    Last edited: Feb 5, 2008
  18. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?

    Mine did not react to this site at all...
    Your firewall can't do anything about cross-server scripts or about browser-based exploits... Yer on yer own!
     
  19. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Hi Hermes, what do you mean by 'Mine did not react to this site at all'?
    I use the NoScript plugin in FF, that provides some protection against CSS, right?
    What can you suggest as a complementary means of protection against this kind of thing?
     
  20. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Hello Stijnson,

    NOD32 v.3.0 is my AV and it did not "React" to the content of this site...

    Well, Firefox w/NoScript is a good start (probably the only truly effective defense, actually). You could use LinkScanner Pro as it would do a pre-emptive scan of the URL's content and potentially block the hack. I say potentially as I see it fail to detect or block over 60% of the hostile sites I visit on purpose. (I scan every one of them first using the latest LinkScanner Pro.) This product would benefit greatly if it had a means for users to report hostiles.

    The same could be said of McAfee SiteAdvisor, except users in this case at the very least get an opportunity to "Mark" the site and post a warning for others. However, as a preemptive mechanism it is not so effective. (Meaning it only detects and blocks few of the hostiles.)

    Another "potential" tool to use against these (as a manual pre-scan before/after going to the site) is Browser Defender or Dr.Web URL Scan... I see them both as weak and relatively useless for my own use, as one is under development and the other never did impress me much with its detection.
     
    Last edited: Feb 5, 2008
  21. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Thanks Hermes.

    It's a pity that NOD didn't react to that site. I always thought (and hoped) that IMON (in 2.7) would prevent users from opening/surfing to these kinds of sites. I don't know how the IMON module has been integrated in v3.0 though.

    Perhaps I'll try out Linkscanner. NoScript has proven to be quite useful so I'll definitely stick to that.:thumb:
     
  22. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?

    I don't know if you realize this but your Avatar is probably forcing a rush for prozac with many of the peeps here! Ha ha! :D

    As for NoScript... well yes, it does work, but the only way of knowing what is going on "in the scripts" located on the site is to "Pre View" them in Firebug...

    That way you can "Block" the scripts but you are still able to "View" their content.. Very powerful research tool, as you can study their structure and understand what the SOB's are trying to do to you...

    Here is where you can get Firebug!

    Have Fun!
     
  23. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    They can all calm down...it's a very slow loading virus :D

    Thanks for the tip on Firebug! I don't know a lot about code myself, but it's interesting enough to take a look at. Perhaps I'll learn something along the way.;)
     