WARNING: Malware, scams and RedStation ....

[MysteryFCM]

WARNING: Malware, scams and RedStation (AS35662, 81.94.192.0/20)

Remember the SMS fraud housed on the RapidSwitch range? Well, now we've got yet another network involved.

This time, it's the turn of RedStation, AS35662. I've already dropped them an e-mail, but the notice on their contact page suggests this is going to have been a completely pointless exercise.

http://hphosts.blogspot.com/2010/05/warning-malware-scams-and-redstation.html

[SysAdMini]

Someone reported similar sites.

Rogue Malwarebytes websites

Code: [Select]

http://malwarebytes-2010.com
http://malwarre.2010-fr.net/
http://malwarebytes-2010fr.com/

the person who reported those sites claims that those sites direct
to download pages here:

Code: [Select]

http://www.allbrowsers.net/fr/install_malware.exe?a=
http://www.uenti.net/fr/install_malware_2.exe?a=
http://www.allbrowsers.net/fr/install_malwarre2010.exe?a=

I wasn't able to confirm this. Maybe download works for specific countries only.

[MysteryFCM]

I've already had uenti.net taken down (was housed by Leaseweb), so that one should no longer work. The others still work though.

/edit

Interesting ... the allbrowsers.net "Malwarebytes" download URLs aren't working anymore

[MysteryFCM]

Haven't looked at the file yet (too tired), but this one is still live;

Code: [Select]

http://www.allbrowsers.net/fr/exe/mbam-setup.exe
File is > 4MB. Properties suggest it's actually a non-modified installer for MBAM v1.44.

Source codes for all of the sites referenced in the blog, is attached in case they go down.

/edit

Struckout the above as I've just noticed I'm a little late in discovering the MBAM setup file.

[CkreM]

the file MD5 is :e6111e6d0b99286f99c35b09835db9ba
which is   Malwarebytes Anti-Malware 1.44
http://www.filehippo.com/download_malwarebytes_anti_malware/tech/6839/
http://www.techpowerup.com/downloads/1733/Malwarebytes_Anti-Malware_1.44.html
http://www.acmefiles.com/download/malwarebytesantimalware/1.44

[MysteryFCM]

Yep, they are/were using it as part of an SMS fraud (kudos to S!RI

[MysteryFCM]

http://hphosts.blogspot.com/2010/06/update-malware-scams-and-redstation.html

[MysteryFCM]

http://hphosts.blogspot.com/2010/06/update-2-malware-scams-and-redstation.html

[MysteryFCM]

Update 3: Malware, scams and RedStation (AS35662, 81.94.192.0/20)
http://hphosts.blogspot.com/2010/06/update-3-malware-scams-and-redstation.html