Author Topic: Fake Av "Fake Scanner" (Read 7649 times)


April 19, 2011, 08:22:39 pm

IDENEB1

A fake AV downloader scanner site

Code:
http://mri-antivirus.ce.ms/fast-scan/
MysteryFCM: URL wrapped in code tags

April 20, 2011, 03:04:52 am
Reply #1

lelenina

Code:
http://mc-antivirus.ce.ms/fast-scan/

May 20, 2011, 01:07:59 am
Reply #2

SHAGGIE

I came across this while looking through Google Images:

( hozelgen.ce.ms )

(Full link available upon request by admin. Sorry, I was being careful.)

Domain of infection:
http://hozelgen.ce.ms/index.php?Q2PhHtRybTBGMnrVM+tNsStmB3e7mWPwrfL++hAX57iCFCA5iL8+KgPj4ozs/Vjes4+luy68ERoyu5ymps7Mi1rxO2iMmuAWP19RAgyw6f4=

File name: InstallSecurityCenter_***.exe
Submission date: 2011-05-20 01:01:37 (UTC)
Current status: finished
Result: 6/40 (15.0%)
MD5: 8b78093a2cfbf06d69e30788db65ea8f

NOTES:
*Virustotal has this file.
*Each download is renamed with a different trailing number in the file name.
*Poses as a Chrome security message box, which appears to inform the user that a security scan has found malware on the system.
*Drive-By Downloads.

Reported to:
Google malware report
MalwareDomainLists/forums
BadwareBusters

**UPDATE: Site has been added to Google Chrome Malicious URL Database

May 20, 2011, 01:34:51 am
Reply #3

MysteryFCM

Do you have the full URL please?
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 20, 2011, 03:26:21 am
Reply #4

michajp

Actually, these change quite rapidly (at least every 10 minutes).
Here is another sample:

Code:
hxxp://sastole.ce.ms/index.php?QxfhCNQgbVdGR3r4M0xNXiuPBcW7kGOUrZ/+gBBY53iCuiCiiA0+LQMO4h3saFhTs/ul4C6ZEZQxoZxrpQ3KDFWGO1+MpeDoP09R9Qxf6dc

May 20, 2011, 04:25:35 am
Reply #5

MysteryFCM

Yep, been noticing that too :(
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 20, 2011, 05:04:23 am
Reply #6

SHAGGIE

Quote from: michajp on May 20, 2011, 03:26:21 am
Actually, these change quite rapidly (at least every 10 minutes).
Here is another sample:

Code:
hxxp://sastole.ce.ms/index.php?QxfhCNQgbVdGR3r4M0xNXiuPBcW7kGOUrZ/+gBBY53iCuiCiiA0+LQMO4h3saFhTs/ul4C6ZEZQxoZxrpQ3KDFWGO1+MpeDoP09R9Qxf6dc

I had just registered and posted one which was not detected as a malicious URL at the time.
I too have noticed several infected .ce.ms websites that have been reported and are listed in the notifications as hosting malware.

May 20, 2011, 05:22:34 am
Reply #7

michajp

Captured these since my last post:
Code:
hxxp://monn.ce.ms/index.php?Q8PhYNQHbWNG73pCMypNaStyBRG7E2OCrd3+yRD250iCCSBpiPY+ZQMI4gjstFjcs8Wlyi6tEVQxjpxHqBPD/FOaOziMGeB8P/pRPgzB6Wc=
hxxp://monn.ce.ms/index.php?Q8Lh29QRbZRGznrxM2pNByvrBQy7UmOLrXT+shBT54mCBSDriMo+pwNy4mjszFiGs02ldy78EXMxKZ/epHrMWVrHO2aMC+AgPylRcAxP6S4=
hxxp://monn.ce.ms/index.php?Qyzh39T4bWFGuXpPM6xNDCtiBUq7oWPPrXT+qRC8586CoiAJiL4+twMH4qjsEFhKs+KluC4EEYIxdZ4topHLFFI5O7uMoOBUP3NREwwV6d4=
hxxp://mohlo.ce.ms/index.php?Q7HhadQMbfZG9Hr2MylNiStfBQq7uWM9rYX+RhAJ59uCDyDbiEQ+rAMy4jjsKFjcs7WlNi4tEb4xU57ap53CUFo2O8OMHuCJP8FRxQxX6Sk=
hxxp://ekker.ce.ms/index.php?Q/Dhd9TAbRRGSXorM81NrCsxBVm7EWPMrWL+dxBl5/GCQCDMiBs+gQPR4j3sE1ibswClry7zEYsxKJkqo9vCtVpsO8mMn+DTP4JRIQz46Zo=
hxxp://logosso.ce.ms/index.php?Q4XhW9TfbbhGo3q4M9VNpCsbBYe7LGOrrfP+hxBE56OCUSD5iHE+vANR4iPsv1jVs/Clxy4FETwxBZlXqZXCP1XfO4aMjuCNP0FRGAw26WU=
hxxp://logosso.ce.ms/index.php?Q1Dh/dQAbYdGiHqNM91NJivFBTy782ObrY7+yRDH50KCwiAFiFA+8QNC4qzsgFg4s52lYi7YEXkxZJhEpbbCAVU0O5WM8eC6P1hR0wzF6RQ=
hxxp://mcetomoe.ce.ms/index.php?QxPh4tTdbbdGbXovMxxNCytdBfm7nWP6rTb+BhC/5+SC8SBJiOw+VQMX4vzs91ggs2WlUC4SEQMxmZtYoQ7COFoOOw6MieAWP09RWQxW6aE=
hxxp://mcetomoe.ce.ms/index.php?QwjhatT/betG53pjMz1NxyvxBYu7gGMqrcL+JRCp55GCoiBRiA0+zQMq4rXsVliEs5ildy4iEZoxbJtAp1PCIFqfO2OMzeAAP5xRfAyQ6UQ=
hxxp://londs.ce.ms/index.php?Q5vhTtQ+bQdGx3q0M6tNUyu2BVG7e2NSrZP+UxCL53uC6iCgiO8+/wNH4pvspFjqs/el9S4GEYAxaZqlo97CUVUGOzyMgODrP6hROAxL6Xk=
hxxp://folkerson.ce.ms/index.php?Q5fh7dSKbTNGh3qPM3FN+SvOBWS79GO7rfH+kBBW59GC7iDJiHM+CgPy4jrsz1jvszOl8S4XETkxrZrEqTjCiVqEO6GMneA2P05Riwxo6Rc=

Even if one blacklists these domains wild-carded, their lifetime won't exceed one hour, I guess. Quite a mess, and it's been going on like that for weeks :-/
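The two practical points raised in this thread are that the hosts all sit under one throwaway parent domain (so per-host blocking lags behind the attacker, while wild-carding the parent catches hosts not yet reported), and that the dropped file keeps the name InstallSecurityCenter_***.exe with only the trailing number changing. The script below is an added example, not code from this thread or from hpHosts: it parses defanged hxxp:// report lines into hostnames, derives wildcard rules per parent domain, checks candidate hosts against them, emits per-host hosts-file entries, and matches the installer filename pattern. The sample URL list is constructed from hostnames in the thread with shortened placeholder query strings, and the filename regex assumes the varying suffix is digits.

```python
"""Derive block rules from defanged fake-AV report URLs and match against them.

Added example for this thread; not hpHosts code. Sample inputs are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed sample: hostnames from the thread in its defanged hxxp:// notation;
# the query strings are shortened placeholders, not the real tokens.
SAMPLE_URLS = [
    "hxxp://monn.ce.ms/index.php?Q8PhYNQ",
    "hxxp://monn.ce.ms/index.php?Q8Lh29Q",
    "hxxp://mohlo.ce.ms/index.php?Q7HhadQ",
    "hxxp://kgecez.ce.ms/index.php?Q8Xh8tR",
    "http://ndidrsjt.cz.cc/fast-scan/",
]

# Assumption: the thread shows InstallSecurityCenter_***.exe with a varying
# trailing number, so the suffix is modelled as one or more digits.
FAKE_INSTALLER_RE = re.compile(r"^InstallSecurityCenter_\d+\.exe$", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn hxxp:// or hxxps:// defanging back into a scheme urlparse accepts."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def extract_host(url: str) -> str:
    """Lower-cased hostname of a (possibly defanged) URL, without port."""
    host = urlparse(refang(url)).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.lower()


def parent_domain(host: str, labels: int = 2) -> str:
    """Last `labels` DNS labels, e.g. monn.ce.ms -> ce.ms (the shared parent
    every reported host in the thread sits under)."""
    return ".".join(host.split(".")[-labels:])


def build_wildcard_rules(urls) -> set:
    """One '*.parent' rule per parent domain seen in the reports."""
    return {"*." + parent_domain(extract_host(u)) for u in urls}


def is_blocked(host: str, rules) -> bool:
    """True if host matches an exact rule or a '*.suffix' rule.
    A wildcard also covers the apex (ce.ms itself) but not 'notce.ms'."""
    host = host.lower().rstrip(".")
    for rule in rules:
        if rule.startswith("*."):
            suffix = rule[2:]
            if host == suffix or host.endswith("." + suffix):
                return True
        elif host == rule:
            return True
    return False


def hosts_file_lines(urls) -> list:
    """Per-host entries in hosts-file form. The hosts file has no wildcard
    syntax, so this only covers hosts already reported; wildcard rules need a
    DNS resolver or proxy that supports them."""
    hosts = sorted({extract_host(u) for u in urls})
    return [f"127.0.0.1 {h}" for h in hosts]


def looks_like_fake_installer(filename: str) -> bool:
    """Match the dropped installer's naming pattern regardless of the number."""
    return bool(FAKE_INSTALLER_RE.match(filename))


if __name__ == "__main__":
    rules = build_wildcard_rules(SAMPLE_URLS)
    print("wildcard rules:", sorted(rules))
    print("\n".join(hosts_file_lines(SAMPLE_URLS)))
    for probe in ("newhost.ce.ms", "ce.ms", "example.com"):
        print(probe, "->", "blocked" if is_blocked(probe, rules) else "allowed")
    print(looks_like_fake_installer("InstallSecurityCenter_12345.exe"))
```

The wildcard rule is deliberately coarse: it blocks every present and future subdomain of the parent, which is what the post argues for, at the cost of any legitimate site under the same parent. Whether that trade-off is acceptable depends on the parent domain; the hosts-file output shows the precise but always-behind alternative.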

May 20, 2011, 07:09:19 am
Reply #8

MysteryFCM

Cheers :)

/edit

These are all currently still active, so have been added.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 20, 2011, 10:12:04 am
Reply #9

michajp

Uhhm, some more...

Code:
hxxp://folkerson.ce.ms/index.php?Q+XhVdSCbRZG8nonM9tN2CuDBci71GOwrXT+exAC51GC5iBZiNA+dANC4uLsK1gJswelmy49EZkxM5VjpavCjVXEOweM5eDFPzxRzQy66fs=
hxxp://deceloce.ce.ms/index.php?Q+vhGdT8bVlGb3pLM5xNoCvxBWG7AGP6rRD+4xD053eCZiC7iKM+LwN/4lnsR1gws1Klni4LEZ8xk5QPoUzCK1pVO2CMVOA/P7VRNwzH6aw=
hxxp://crong.ce.ms/index.php?Q5LhrtRWbRBGznrZMzdNVCswBWm7FmMbrQf+GhDW59eCqCCLiDU+oANG4lDsfFids3ilDS7REaYxS5RAp3rCaFrDO6CMXeAkPxpRiQwd6QE=
hxxp://stoers.ce.ms/index.php?Q/zhDdTKbYJGYXorM3pNxSvjBVK7X2PWrUb+ChC85ymChyDViGk+FgPk4u3shVgBs6ylVC6xEVgwkZ3lozbCIFUHO+uMkuASP2xRmwyA6Wo=
hxxp://stoers.ce.ms/index.php?Q8Hh4dSQbcFGwXohM3BNSStQBeq7amOerTD+xBCl5wyCkSAdiL8+dwMe4hHs21gRs0Slly4AEfcwLJ0VqY/CWFXKO02MX+A+P/RRywwg6XM=
hxxp://saetto.ce.ms/index.php?Q7bhidTXbThGwXpLM91NvyvZBS67ZWMVrfz+mBBn50aC6CCjiI0+MQN34gPsolixs02lNy59Eckw95zGp//KMFViO6SMDOBWP3FRngxB6Xc=
hxxp://saetto.ce.ms/index.php?Q5/hV9Q0bZJGinr/M7JN3SsxBcO7Q2NvrUD+/BDM5/+CLSBZiP8+kAOw4srsWFjps8ilvC7NER0w8Z/aoy7KJVVcOzaMgeBlP1dRPgxX6U0=
hxxp://pres.ce.ms/index.php?Q9XhwNSybaFG6HrlM8pNgSsgBVW7hWNQrVz+lBDp5xGCFiDIiKM++wN64iTsgFj6s7ylmC64EUMwd58wqXTKkVoFOwKMZuCIP3FRvwxd6Z8=
hxxp://hgegeermon.ce.ms/index.php?Qx3hDtT/bf1GkXq7MwtNtys8BZC7d2NArQf+mBDg51yCkiACiGo+hwNf4ijsu1jusxqlzi4qEaowp576pVbKCVo1O2SM0uCxP2FRKgxQ6ao=
hxxp://woznocko.ce.ms/index.php?Q/Th3dSSbbNGBXrXM8ZNnytmBcW7qGM4rdL+/hCy5/mCeSCziDc+8QOn4h/swVjIsx6l0y5lERkwWZm6oY/K4FWqO0qMZeBSP3tRrgxm6ds=
hxxp://woznocko.ce.ms/index.php?QzXhVtSRbV9GX3o6M0NNqSsLBTS7S2OLrYn+YhDQ552CvSDHiMY+CQON4tvsKFj5s22ldi4KEdAwBZlTp5LKj1XUO0+MOuCOPxhRegwP6R4=
hxxp://sgete.ce.ms/index.php?Q5jhBdRvbeRGJnpKMyBNUSukBYC7GWPHrXv+OBA153iCjSAaiC8+8APg4q3sf1g7s8SldC6CESEwK5g5o+bKHlVzOyWMIuCcP/dREQya6YA=
hxxp://prochokmo.ce.ms/index.php?Q5Dha9S+bcxGFnrAMztN1Sv5BZi72mOxrbX+ABCY5+6C0SAoiBY+3QNv4rfsXlifsw2lVS45EfAwUpiMqSLKf1XKO7CMfeBnP+BR8gxd6eE=
hxxp://prochokmo.ce.ms/index.php?Q67hl9QRbUZGZno9M5pNkiv0BXC73mMyrRT+zBCq5yGCTiDBiIA+qQNc4tjsXVgesxWl6i6FEQcw05tpohXMNFoNO0SMq+AePxpRwAzU6cU=
hxxp://prochokmo.ce.ms/index.php?Q23hDtRRbbtGt3rVM7lNwStLBam7jGOjrar+pRBU5xyC2SAQiEM+KwP/4qLsYliks1elgC4mEQ4wo5v3qD7MhFUwO3qMGeBNP0lRTwxb6a0=
hxxp://monnoer.ce.ms/index.php?QxPhddTHbTdGTnoxM2xNdyvzBa+7WmNprQ/+PRA/55KC1CAwiL8+KgNk4uDs71j3s5el4y5fEZUwJpprpHzMhFqtOxaMiuCWPzlR7QxK6SY=
hxxp://kgecez.ce.ms/index.php?Q8Xh8tRKbRxGI3oZMzFNUys8BT+78mP0rfv+fBDg5xOCxCBUiBI+1APR4vrsIVjIs+6lzy6DER4ww5UuoB3MPVXsO4WMbOA6P+dR2gw66Sg=
hxxp://kgecez.ce.ms/index.php?QyXhk9SIbbNGUHonM9FNdysrBXO7imP+rdz+NRCz53SCSyCWiIs+HgOs4kTsnljps02lYS40EQcwzJVmpnzMpFUEO+SMIeBjP11R/Ay+6aE=
hxxp://kgecez.ce.ms/index.php?Q2zhpNSRbflGY3qaMzpNcyskBX+7tGMOrQL+nBBU55iCzSDwiA8+bgOv4pfsMVhvs3OluC6UEVcw6JR+oqDMyVUWOxGMluAEP+tRXAzA6SQ=
hxxp://kgecez.ce.ms/index.php?Q/bhA9SubQRGrHoLM2dNICvzBce71mOurcf+UBDm55qCdCC7iP4+vQON4gvspVjhs7KleC6FEWIw3JTmqMvMZ1UUO5qMXeC+P99RNgzH6Ys=
hxxp://kgecez.ce.ms/index.php?Q+DhIdSRbWJGs3rrM/pNkiuoBem7WWNKrX/+RRAV59uC5yBaiDk+UAMM4vbsa1h8symlIi7KEeg/X53spNDM6lrgO4CMCeCmP/VR/gxc6Ys=
hxxp://ezzo.ce.ms/index.php?Q9fhCNTlbT9Gq3p+M11NlStXBai7MmMrrbv+RxBN566CJSDfiLk+7gOO4jXssliCswClGy5BEWE/B5zEoDLMYlXhO/qMZ+CvPyBRyQxF6UI=
hxxp://tyger.ce.ms/index.php?Q1DhXtTwbYtGBXpIM21NzStxBYW7p2MLrZz+lRCm55KCcSDwiE0+SQND4vTsu1jyswql8y4TEUo/0ZxypjLMvFX9Ow6MceANPy5RIAxu6bY=
hxxp://tyger.ce.ms/index.php?Q4jhu9R0bbdG9noEM3hN5ytDBeS7YmMfrSz+iBBl58CCayCliC4+9wNH4mXsp1hIs3+lZC6DEf4/pZ/tonrMmFWVO8KMaeBpP5FRHAxZ6d0=
hxxp://tyger.ce.ms/index.php?Qz/hyNQ0bTBGdHrfM2lN4StbBbi7iWO7rRn+WhDk53GCxyA2iP4+wQPc4p/stli5s66lqy6xEZQ/8J+qqCTMhVWHOzCMg+CGP4hR9gzP6f4=
hxxp://khcelolo.ce.ms/index.php?Q+rhz9TMbS1GY3q6M2xNGysPBYi7HWMyrZf+yxDs5yWC9yBjiF4+CAP74hPsUFgOsyWlli7HEWA/N56JpNfMjFplO8mM7+DzPxNRjgyL6QQ=
hxxp://khcelolo.ce.ms/index.php?Q73hLtTHbeFGSXp9M15NYyveBRy7gGNyrVP+nxAk59aCFyAtiF8+1gMb4hDs2lj8s3ilzy4KEeg/8pm8oH7MAlXfOxWM0uCiPwhRdwyS6eI=
hxxp://khcelolo.ce.ms/index.php?Q/vhCtRDbTBGU3qHM65NJyscBee7LmOxrcb+IBD550iCfCA7iNE+pQO04t3stFi+s+Gl1i5pEew/uJnspnLMDlULO52MBuBhP1pRuAwR6W4=
hxxp://khcelolo.ce.ms/index.php?Q9vh/9RnbVFGYnrFMwNNnyvEBXa7KmO8rVr+2xDe5xWCcSC8iNU+zwM64m7sjlgSsx2l2S4lEQg/Y5gYo5LCilXqOxmMPeBzP5xROgyH6V8=
hxxp://hamshoofpti.ce.ms/index.php?Q6Xhh9RUbbdGvXqnM71NtSviBZ+762Pbrd3+bRDv57KCBCABiLI+SgOk4kjsV1gds0el4C6XEfo/UpjEqZDCqlV+Ow+MJ+AJP7RRqQyL6YI=

May 20, 2011, 11:39:45 am
Reply #10

MysteryFCM

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 22, 2011, 03:27:38 pm
Reply #11

john_

All are down or at least so they appear to me. I'm always too late.

Anyway, another one for you; this one is alive and kicking:

Code:
http://ndidrsjt.cz.cc/fast-scan/
A real nasty piece of code there, if you analyze it closely...

May 22, 2011, 04:13:02 pm
Reply #12

MysteryFCM

That one's dead at present too.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 22, 2011, 07:13:34 pm
Reply #13

john_

Quote from: MysteryFCM on May 22, 2011, 04:13:02 pm
That one's dead at present too.

Just checked, it's OK.

May 22, 2011, 07:38:15 pm
Reply #14

MysteryFCM

Weird, it's failing resolution at this end :(, lemme try again.

/edit

It's resolving now (95.64.48.130), but still failing to load (checked via proxy too, trying alternates as I write this and will get it added in the meantime).
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net