Malwarebytes Anti-Malware 2011 - New crap in the wild?

Discussion in 'malware problems & news' started by m00nbl00d, Jan 19, 2011.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    In a research I was doing, I came across this domain -malwarebytes.software-2011.net-

    Since I'm not able to play with virtual machines, I just took the liberty of entering the website; not worries, nothing could come through the web browser - nothing is able to start any download, period.

    I also checked url source code, and what called my attention - before entering the website - was the mention to "Malwarebytes Anti-Malware 2011" and not any known version to us, from the real Malwarebytes Anti-Malware.

    I did a search and nothing seems to come out, except for other dubious urls as well. I'm guessing this is something new?

    Here's a screenshot of the url

    LinkScanner also flagged this as being a bad domain -http://linkscanner.explabs.com/linkscanner/checksite.aspx?NS=ChkOnly&SRC=apps.explabs.com&CS=malwarebytes.software-2011.net

    If someone wouldn't mind to check what the thing is all about o_O :D
     

    Attached Files:

  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    My LinkScanner says it's safe..
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    That service doesn't verify URL contents in real-time; it gets the data from LinkScanner. It may have happened that nothing was wrong before o_O

    But, if you do check with http://linkscanner.explabs.com it will flag it.
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    The download link seems to redirect to here -https://secure.cardtransaction.com/icc-rs/order1.asp?ban=127&TargetSite=FDZ&dn=malwarebytes.software-2011.net&s=Malwarebytes

    That clearly is suspicious in the very least, because it should provide a link to both free and paid versions, no? That would be the proper thing to do. Something, IMO, definitely seems off.
     
  5. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Hey m00nbl00d, I submitted the url to Anubis, and it will do real-time analysis, but I can't believe the queue... 128 jobs ahead of me and a 17 hour wait! Whoa. Maybe it will go faster than that. If/when something turns up, I'll post back. :)
     

    Attached Files:

  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    OK. I actually forgot all about Anubis, but I must confess the waiting times sometimes are boring. lol

    A little update. The domain -secure.cardtransaction.com is flagged http://www.urlvoid.com/scan/secure.cardtransaction.com

    This all sounds just like a damn phishing scam. People pay for something believing it's Malwarebytes Anti-Malware and end up either with nothing... or maybe with "a lot".
     
  7. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    Without having looked at it closer my guess is that this is a referrer promotion. If you look at the part dn=malwarebytes.software-2011.net in the above URL that is the referrer string, meaning the people behind the site get paid whenever someone buys Malwarebytes after clicking their link. As to whether you actually get a license when buying through this site is anyones guess.
     
  8. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Time Remaining: 15 hours, 49 minutes and 54 seconds (119 jobs in queue) :doubt:
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    What you say makes sense, but what seems off are the name "Malwarebytes Anti-Malware 2011", when there is no such version, at all, as there never was a version 2010, etc., and the fact that the domain -secure.cardtransaction.com seems to be involved in phishing.

    A bit more on this service:

    -http://hphosts.blogspot.com/2009/11/if-ya-want-my-money-ya-think-im.html

    This all looks like one big scam, IMO.
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You should get yourself a decent cup of coffee. :D
     
  11. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    I just PMd RubbeR DuckY and nosirrah and asked them to take a look at this thread... hopefully they can shed some light. :)
     
  12. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Look what happens when I try to go to the malwarebytes.software-2011.net site, m00nbl00d...
     

    Attached Files:

  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    It figures!

    One more thing that REALLY makes this all thing seem off... better yet 100% off is that at http://www.malwarebytes.org/ there is no mention of whatsoever to affiliations. I believe this is what would allow some third-party person to resell their product? If this was a real deal.
     
  14. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    I told MBAM to ignore the IP block so I could visit the site.
    I went there, but I'll be honest, I don't have the nerve to download that file, even into Sandboxie. I'm chicken. Or, to put it another way, I don't have the skills to play with malware, nor the interest to learn. :cool:
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    As I mentioned, I can't play with virtual machines at the moment, because I'm lacking available hard disk for them, but as far as my little research allowed to go, you're led to an URL where you'll have to enter personal info like credit card number.

    Example:

    http://4.bp.blogspot.com/_gtpf1L0KR...om_-_secure.cardtransaction.com2_-_phishy.gif

    Only afterwards you'd be getting some file... whatever it would be... or nothing, at all.
     
  16. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Just take a quick look at the icons on the IE browser tabs for the suspected rogue site and then the legit MBAM site.
    mbam logo with rogue.jpg
    They didn't do a very good job of copying it, did they?
    Also note the difference in MalwareBytes versus Malwarebytes.
     
  17. malexous

    malexous Registered Member

    Joined:
    Jun 18, 2010
    Posts:
    828
    Location:
    Ireland
  18. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    619
    Location:
    Sydney Australia
    This really looks legitimate :rolleyes:

    [​IMG]
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    It does, doesn't it? ;) So does -freedownloadzone.com :D

    -http://hosts-file.net/?s=freedownloadzone.com

    The sad thing is, wouldn't it look legitimate to many people o_O This is the reason why phishing keeps existing - it works.

    Let's face it, they even placed the real UI in the banner/top part of the website.
     
  21. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Look even closer on the front page at the bottom and the following is disclosed.

    yyyy.jpg
     
  22. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    What are you saying with that? That this is a legitimate business? The download link will take to -secure.cardtransaction.com , which apparently is involved in phishing activities, and in the image provided by stackz, you'll see they mention they're affiliated with -freedownloadzone.com , which is also involved in phishing activities.

    Not to mention what they offer has extra stuff, when applying to buy this suppose Malwarebytes Anti-Malware 2011.

    Or, did I misinterpret you?

    -edit-

    OK. I do think I misinterpreted you. For other businesses to be able to resell your product, they MUST be your affiliates. They state they aren't, but they are reselling this suppose Malwarebytes Anti-Malware 2011 product. This clearly invokes for a suspicion.

    I'm guessing that's what you meant? Or, again, misinterpreting you? :D
     
  23. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    795
    This usually happens if you do not use the captcha screen at the bottom:

    Get a priority boost

    Enter the code that you see in the image on the left and your submission will be analyzed before all automatic submissions.

    Al
     
  24. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Thanks Al. I knew something must be wrong with that sort of wait time! :)
     
  25. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Unless the nice folks at MBAM were not aware, they now are.

    @ Mods, Please de-link any URL's pointing to this site while this is being investigated.

    Thanks.
     
Loading...
Thread Status:
Not open for further replies.