Rogue ... antivirus 2009

Discussion in 'malware problems & news' started by Chuck57, Jul 31, 2008.

  1. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419

    I don't think this behaves like an AV. It only shows a "progress bar" and says it's scanning, but when you hit the button, it downloads a file. No actual scanning.
    BTW, has anyone opened the executable that gets downloaded? I only get exes that won't open, they crash on execution. At first I thought it was my super restrictive sandboxie testbox settings, but I tried on a default settings sandbox and the exe still crashes...
    I'm about to run this thing unsandboxed....
     
    Last edited: Aug 8, 2008
  2. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,243
    Location:
    Pennsylvania.
    Ummm, that might be dangerous. If you have a program that can give you a virtual partition, try running it on that.
     
  3. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Of course, Returnil is always enabled... But don't worry, I was half kidding...
     
  4. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Hey, has anyone checked the link? It says Nod32 Free download 100 Webspaces. Sorry, no link, it's a direct to it. Warning: second page, 7th link down.

    Just tested with Spyware Terminator. A HIPS warning popped up and I blocked it. I then tried the executable again and it terminated automatically. Passed (clean).
     


    Last edited: Aug 8, 2008
  5. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I tested with Avira Free. Not a word from the Guard, heuristics set to high. :eek: I did not scan on demand. Note: I just uploaded the files to VirusTotal; all 36 scanners say nada (clean).
     
    Last edited: Aug 8, 2008
  6. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Hey djohn, are you able to execute the file that gets downloaded?
     
  7. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I downloaded it and it was running and updating in the tray. Today, the first time with UAC on, it prompted for admin and password; I declined that and closed out that window. The second time, with the UAC prompt, it was allowed to execute without the ask for admin or password and it downloaded. Some confusion there, I have no clue what that was all about.
     
    Last edited: Aug 8, 2008
  8. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Now I got a working exe. Finally.
    Testing it sandboxed. It flags firefox.exe as a Trojan and MBAM.exe as spyware LOL.
    Offer to buy "full protection" doesn't work, since SBIE forbids internet access. SBIE kicking some butts!
    Ok, I got bored with this. Time to terminate running process and delete sandbox.
    Maybe later I'll try it in a less restricted sandbox...
     
  9. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    @Hurst, I am curious though: what does this rogue do, what harmful things are in it, or is it just a seed, so to speak, to open the door for the worst to come? If it contains any real critters, why do AV scanners get blinded by it?
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    This is because of the "onclick" parameter in the code:

    Code:
    <body onload="init();" onunload='return destroy();'
    onclick="return SuggestDownload();">
    
    The procedure used to be to use Ctrl F4 to close the window, but I've seen some that won't even close at all - no matter what you do, you are in a continuous loop.

    This exploit is tame compared to some from a few years back. Here, you have a Download Prompt window.

    Back in 2006, for example, several exploits downloaded the malware in the background by remote code execution as soon as the person accessed the page.

    Today's exploits use an animated image to fake a scan in progress. That is an "improvement" on those from past years such as this one:

    [screenshot: regcleaner1.gif]

    Immediately a download began in the background, even if the user later clicked to close the page.

    Using screenshots that many have taken here is a good way to teach others about this type of exploit.

    I have a collection of different screenshots I show people. To some, I actually used my laptop to access the page to watch the attempted drive-by download being blocked.

    If you build up a collection of screenshots to show people how these various exploits work, this will reinforce just giving them a rule, Not to respond to anything on a web site that purports to inform you that your computer is infected, or _________________ (fill in the blank). This also covers banner ads which do the same thing.

    This can be a part of your training when you have a chance to work with people. In this way, they will avoid being fooled by these exploits.

    ----
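    A small static check for the pattern Rmus describes above, where the download and close handlers hang off the `<body>` element itself so that any click or close attempt fires them. This is an added example, not code from the thread; the function names and the sample HTML are constructed for illustration.

```javascript
// Added example (not from the thread): flag pages whose <body> tag carries
// page-wide event handlers, the trap described in the post above.
// Function names and the sample pages are constructed for illustration.

// Handler attributes that, placed on <body>, fire for the whole document.
const BODY_TRAP_EVENTS = ["onclick", "onunload", "onbeforeunload", "onload"];

// Return the attribute text of the first <body ...> tag, or null if absent.
function bodyTagAttributes(html) {
  const m = /<body\b([^>]*)>/i.exec(html);
  return m ? m[1] : null;
}

// Parse name="value" / name='value' / name=value pairs from a tag's attributes.
function parseAttributes(attrText) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Report body-level handlers. "closeLoop" is set when a page-wide click
// handler is paired with an unload handler: every attempt to dismiss the
// page then runs more script, which is what makes the prompt loop.
function findBodyHandlerTraps(html) {
  const attrText = bodyTagAttributes(html);
  if (attrText === null) return { handlers: {}, closeLoop: false };
  const attrs = parseAttributes(attrText);
  const handlers = {};
  for (const ev of BODY_TRAP_EVENTS) {
    if (ev in attrs) handlers[ev] = attrs[ev];
  }
  const closeLoop =
    "onclick" in handlers && ("onunload" in handlers || "onbeforeunload" in handlers);
  return { handlers, closeLoop };
}

// Constructed sample: the tag quoted in the thread, completed with its closing '>'.
const ROGUE_PAGE = `<html><body onload="init();" onunload='return destroy();'
onclick="return SuggestDownload();"><p>Scanning...</p></body></html>`;
// Constructed benign page: an onload handler alone is not a close loop.
const BENIGN_PAGE = `<html><body onload="setup()"><p>Hello</p></body></html>`;

console.log(findBodyHandlerTraps(ROGUE_PAGE));
console.log(findBodyHandlerTraps(BENIGN_PAGE));
```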
     
  11. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Thanks Rmus, as always very informative. I did read about the Ctrl 4. I have to admit it's very neat and clever how these exploits are done. I just wish I was that smart; I would put it to good use. When I first got my very own PC around 98/99 my nephew warned me about porn site dangers. Well, that was like putting a candy bar in front of me and telling me not to eat it. Off I went to the porn sites; talk about an endless loop, I had so many popup windows open that when I closed one ten more opened. o_O Lesson learned.
     
  12. wat0114

    wat0114 Guest

    As usual, nice post Rmus. Thanks for the info and advice. BTW, correct me if I'm wrong, but this exploit likely does not harm the PC, per se. Rather, it is a type of extortionist program to fleece the misinformed of their hard-earned cash?
     
  13. True Orient

    True Orient Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    88
    Actually, you can download the freeware RogueRemover from here: http://www.malwarebytes.org/rogueremover.php This utility is very effective against 469 rogue applications. I am not sure though if it works against Antivirus 2009, but it should...!

    smitfraudfix found here is another possibility.
     
  14. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Why remove it? It is very colorful, and did you see the detections it found. :D
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    You are welcome. Yes, they are very clever. Well, there is a lot of money to be made from unsuspecting victims.

    I thought it is considered a money-stealing scam, but wasn't aware that it is an extortionist program. Do you mean in the sense of blackmail?

    No matter how persistent the prompts, the user can still just disconnect from the internet and close the browser to get rid of it.

    Unless you have something else in mind...

    As far as not harming the computer, there seem to be several variants of this exploit.
    Here, some changes are made to the computer:

    Antivirus 2009 Hijacks The Google Web Site
    http://www.bleepingcomputer.com/forums/topic154973.html


    ---
     
    Last edited: Aug 9, 2008
  16. wat0114

    wat0114 Guest

    Maybe a poor choice of wording on my part :) Your description is correct.

    Okay, so it could do some other harm as well. Thanks for the info!
     
  17. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    I have read on another forum about a user who actually paid the "ransom". :ouch:
    Ended up with no improvement to the computer, the browser was still hijacked, the control panel still wouldn't open, a few other things not right, but the nag screen stopped.
    Doesn't sound like a very good deal.
     
  18. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    It doesn't seem like this thing does any critical damage or downloads any more malware (although I'll test it in a few hours, this time granting internet access).

    I noticed one thing: when I terminate the executable and after the sandbox gets deleted, that colorful tray icon was still there, until I placed the mouse over it. Then it disappeared. It was like what happens sometimes when applications crash. Can anyone confirm this?
     
  19. PiCo

    PiCo Registered Member

    Joined:
    Apr 9, 2008
    Posts:
    352
    Location:
    Athens, Greece
    I think this is a Vista issue or Windows in general.

    A lot of times - Windows Live Messenger for example - I exit, I close it and the tray icon is still there. When I place the mouse over it, it is gone.
     
  20. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    This has been happening a lot to me since SP3 on legit apps, most notably with instant messengers. Might just be the case for AV2009 as well, even if it has already been terminated.
     
  21. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    Happens here on XP SP2 too. Maybe it's about slow computers.
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Tried on XP SP2.

    It's colorful.
     

  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    CFP blocks its install as there is a rule to deny any execution from temp internet files.

    If I allow it, then there are too many pop ups.

     
    Last edited: Aug 9, 2008
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Tried in GW. Installed fine. MBAM scan detected multiple infected items.

    Killed the isolated process via GW console and deleted its files manually via GW isolated file scanner.

    I ran a scan with MBAM and it was clean.
     

  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    TF - no detection on a behavior basis (I did not use the blacklist).

    SBIE - no problems deleting it fully.
     