Discussion in 'malware problems & news' started by m00nbl00d, Jan 19, 2011.
Oh yeah, I almost forgot... here is the Anubis Analysis Report for malwarebytes.software-2011.net.
Yeah, what a shame it would be waiting all those hours and then forgetting to post the analysis. Thanks!
But not much in the way of feed back is forthcoming from them, is it?
Perhaps this is simply one case out of a great many, and it's really no big deal.
There are a "few" (just a nice word, isn't it?) more cases, just like using the avast! brand, etc.
These folks really are into it. All paths will lead to Rome: -freedownloadzone.com and -securecardtransaction.com
It's interesting, and I'll be going just a bit off-topic, but I'm just trying to make my point seen the best way possible.
Companies like record companies, etc. are trying, and achieving I'd say, at least here in the European Union, to force ISPs into spying on their customers and breaking/slowing down their Internet speed due to illegal downloads.
If they can force ISPs into this, why don't governments force ISPs not to host this kind of crap phishing services, malware hosting domains, etc.? If they do, punish them severely. If a country's ISP outside the European Union, U.S. and others is hosting this kind of scam, then FORCE that country's government to take action with the threat of closing the market with them. Simple.
Some people would be surprised by the amount of hosted proof domains. Why doesn't anyone do a thing about it, in the first place? Not in their best interest? This makes me wonder, honestly.
The more I dig and the more I try to understand, that's the conclusion I reach. Anyone else is free to reach theirs.
But, aren't you all just tired of this crap? I'm 99% confident that, if it weren't for me, some of my relatives would fall for this crap, because they simply do not know any better.
Unfortunately, not everyone has someone like "me" in the family, do they? No, and what happens? They'll fall for these scams. ;(
The problem is not just ONE phishing scam; the problem is that there are so many, and it shows one thing: people fall for them, otherwise they wouldn't keep making these schemes to trick people.
The other problem is that there seems to be little interest in ending such schemes.
Threaten the source: ISPs. (As I previously mentioned.)
I didn't get a chance to read this whole thread, but, as I am sure you are already aware -- THIS IS A SCAM.
Yes, it's a scam. Yes, we do know. Yes, most of us - here, at Wilders - would investigate it further, if facing such a situation.
But, what about the rest? What about someone looking to buy Malwarebytes, because they heard about it now or sometime ago, and would be faced with such a scam, without knowing it's a scam?
Please, note that I'm not targeting Malwarebytes here; this is just one SMALL example. The scenario is way worse than this.
But, I'm wondering if there aren't any legal procedures the antimalware industry, perhaps in coordination with governments, could take to force ISPs to end such scams? After all, those fake services are using your brands.
After all, if other types of companies (like record companies) can force ISPs to do things, I want to believe they would feel compelled to bring these services down as well. This is a way more serious problem than downloading illegal stuff. Yeah, unfortunately, end-users don't have the POWER one of those big record companies has.
There's no real point to try to bring down just one service; one other will appear in its place, that's for sure. It needs to go beyond that, at the ISP level.
According to WOT: bad reputation. Both web pages.
"Used for the distribution of "rogue" security or other such applications."
So, don't use the links.
I hope not to sound rude, but I don't see why that really matters.
First, everyone has to be aware of such scams; which is not a real scenario. And, by not being a real scenario, how would most people know they should avoid such links? Please note that not everyone is aware of applications like WOT that rate websites. And even the people behind such security services need to be aware of such scam services. So, these applications, for all the hard work the people behind them put in, will always be way behind the bad people.
I do applaud the work and effort these people put into their work, but the reality is that the schemes exist and prevail and many people are falling for such scams.
Sorry if I sound like a broken record, but the solution is not security applications. The solution, when awareness/education lacks, is to fight these scams at the ISP level.
As I already mentioned, I know better - I found it suspicious - and I wasn't even looking into buying Malwarebytes Anti-Malware. I was just doing some research.
I'm sure you wouldn't fall for it. The same way I'm 99.99% confident some people I know would, if they didn't ask me first about it.
This one really is a great laugh!!!
avast! time -avast.software-2011.net
Now, it seems that it was avast!... wait a moment... AVAST 2011... is the original antimalware application to include LinkScanner. AVG stole it, I guess.
LinkScanner is real, and so was Exploit Prevention Labs, which was bought by AVG.
Damn AVG, stealing others ideas and concepts! Shame on you!
I guess it would be confusing to name it AVG 2011, considering the real one is AVG 2011.
The list goes on. I didn't check all security vendors, but my very wild guess is that, at least, the well-known ones are having their brands stolen to trick people.
The site should now be terminated.
Yes, the domain software-2011.net no longer resolves.
Wtg, m00nbl00d. It was your "investigative reporting" that resulted in the death of that PITA site.
Unfortunately, there are so many out there.
I wonder why the domain -secure.cardtransaction.com could not be taken down?
Legal issues? This phishing domain alone is interconnected with so many other websites serving as decoys for their phishing activity.
Thank you for your contributions -- to my knowledge Steven from Malwarebytes had the domain taken down. If you ever see another one, do not hesitate to contact us and we will do anything we can to get it taken down.
Would you like to bite a bit more?
I was... well... once more researching some stuff, and was like: What the heck, let me "mistakenly" type malwarebites instead of malwarebytes.
Note: By the way, I use -https://eu.ixquick.com as my search engine.
As one of the displayed sponsored ads, there was something for Malwarebites.
OK. Could it be just a typo? We're all humans, why not? Right? OK. Then again, this is a sponsored ad; is this really just a typo or something more?
Proceeding, all I did was investigate the URLs and what they actually contain; basically I dissected them.
As I previously mentioned, I don't have any working virtual machines, so I couldn't download the executable and see what would come up.
By first verifying the domain against any known blacklists, this is what I came up with: -http://www.urlvoid.com/scan/anti-malware-2011.com
Only TrendMicro Web Reputation flags it so far. Well, further research seemed to be the best bet to see if it was something malicious.
After I started to analyze the website source code, I got this URL, which I analyzed with Wepawet.
It labels it as being suspicious. OK, this was enough to make me go ahead, plus the source coming from a sponsored ad made it 2x suspicious for me.
OK. Time to analyze the other URL in the section Additional (potential) malware:, which brought this up.
Again suspicious! More wish to go ahead! This then led me to the Anubis report.
Considering I cannot testify whether or not this is in fact a rogue pretending to be Malwarebytes, would someone be capable of doing it? I do find that the fact the name Malwarebites is used somewhat points in that direction, though.
Thanks a lot, and sorry for this sort of testament!
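The post above walks through the same brand-abuse patterns one at a time (malwarebytes.software-2011.net, malwarebites, avast.software-2011.net). As an added example that is not code from the thread or from any vendor, here is a small Python checker that flags hostnames trading on a security brand by three rules: the brand appearing as a whole label or hyphen token under a domain the vendor does not own, the brand embedded inside a longer label, and a label within one edit (including an adjacent swap) of the brand. The brand list, the allowlist of vendor-owned domains, the "last two labels" approximation of a registrable domain, and the sample hostnames are all assumptions constructed for the example; no DNS or reputation lookups are made.

```python
"""Flag hostnames that borrow a security vendor's brand.

Added example for the investigation in this thread; not code from the
thread or from any vendor. Assumptions: BRANDS and ALLOWED are a
hand-picked list, the "registrable domain" is approximated as the last
two labels (no public-suffix list), and the hostnames in SAMPLE are
constructed to mirror the patterns discussed, not a live feed.
"""

BRANDS = ["malwarebytes", "avast", "avg", "symantec", "mcafee"]

# Registrable domains assumed to be owned by the vendors themselves.
ALLOWED = {"malwarebytes.org", "avast.com", "avg.com",
           "symantec.com", "mcafee.com"}

# Brands shorter than this are only matched as a whole label or token;
# substring and edit-distance checks on a name like "avg" would flag
# far too many unrelated hosts.
MIN_FUZZY_LEN = 5


def edit_distance(a, b):
    """Optimal string alignment distance: an insert, delete, substitute
    or swap of two adjacent characters each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,
                          d[i][j - 1] + 1,
                          d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(hostname, brands=BRANDS, allowed=ALLOWED, max_dist=1):
    """Return (brand, reason) when the hostname trades on a brand, else None.

    reason is one of:
      brand-as-label  - brand is a whole label or hyphen-separated token
                        under a domain the vendor does not own
                        (malwarebytes.software-2011.net)
      brand-embedded  - brand sits inside a longer label
                        (malwarebytesdownload.com)
      typo            - a label within max_dist edits of the brand
                        (malwarebites.com)
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    # Naive registrable domain: last two labels (assumption, see docstring).
    if ".".join(labels[-2:]) in allowed:
        return None
    for label in labels[:-1]:  # the TLD itself is never a brand
        tokens = label.split("-")
        for brand in brands:
            if brand in tokens:
                return (brand, "brand-as-label")
            if len(brand) < MIN_FUZZY_LEN:
                continue
            if brand in label:
                return (brand, "brand-embedded")
            if (abs(len(label) - len(brand)) <= max_dist
                    and edit_distance(label, brand) <= max_dist):
                return (brand, "typo")
    return None


def scan(hostnames):
    """Map each flagged hostname to its (brand, reason) verdict."""
    results = {}
    for host in hostnames:
        verdict = classify(host)
        if verdict:
            results[host] = verdict
    return results


# Constructed sample input echoing the thread's patterns (not live data).
SAMPLE = [
    "malwarebytes.software-2011.net",
    "avast.software-2011.net",
    "malwarebites.com",
    "www.malwarebytes.org",
    "anti-malware-2011.com",
    "avg-2011-setup.net",
]

if __name__ == "__main__":
    for host, (brand, reason) in scan(SAMPLE).items():
        print(f"{host:32} {brand:12} {reason}")
```

Note what the name check does not catch: a hostname like anti-malware-2011.com, the one the post actually found behind the sponsored ad, shares no brand label at all, which is exactly why the poster had to fall back on blacklist lookups and a sandbox report. Whether a flagged domain still resolves is a separate live check and is deliberately left out here.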
Re: Would you like to bite a bit more?
I tried it out in my Win7x64 VM, the results of which are in the screenshots... It installed okay but it won't run in a VM; could this mean it's VM-aware malware? Note the Verified Publisher (signed using Authenticode, so it is trusted by the local computer) UAC prompt.
Researching for SecureSoft + antimalware pro 04, I came to this old COMODO forum thread: -http://forums.comodo.com/news-announcements-feedback-cis/another-bypass-t66490.0.html
Have you uploaded it to VirusTotal? I "uploaded" the URL and only 3 detect something. I wonder how many do detect the installer?
Searching for the executable brings this:
-http://forums.malwarebytes.org/index.php?showtopic=45833 (someone who needed to clean the system. )
Did not upload it, but MBAM detects the installer as a rogue. Pretty clever with its EULA and the UAC verified publisher prompt it generates. I did not notice any grammar or syntax errors either when installing it, although I didn't check too thoroughly.
Yeah... But, take a close look at both the UAC alert and at the EULA. You'll find something that would indicate something would be most definitely wrong, IMO.
The UAC alert shows the publisher as SecureSoft, but the EULA mentions Gisnet Corp.
I don't believe it's normal for the publisher to be one company, and then for the EULA to give a different name for the company.
Yes, I saw that difference and thought it odd, but I doubt the average person "willing" to install this stuff would notice, because very few read the EULA. I couldn't find any info on Gisnet that's antivirus-related.
Yes, indeed... the mister and miss "happy clickers".
In spite of the clever "marketing" schemes these rogue producers employ, I still can't help but feel they're not at all a threat if one uses even a modicum of common sense when seeking an anti-malware product: visit and download the products from legit websites such as Symantec.com or McAfee.com, don't take the bait when it suddenly appears uninitiated on the screen and starts scanning on its own, seek advice from computer-savvy family members or friends, etc. It's incredible that so many, it seems, are getting duped by these scams, but I guess the odds are still in the favor of the scammers, because through the Internet it's so incredibly easy to target thousands of people in a very short time, and out of those thousands, if they can scam a hundred people (a very small percentage of the target base), they're making pretty good coin.