Rogue - Fake AV

[Malware-Web-Threats]

64.146.2.92

Code: [Select]

hxxp://scanplus4.info/download/install.php
hxxp://newscan4.info/download/install.php
VirusTotal: TDSS - InternetAntivirus 5/40 (12.5%)

Second payload (Anubis)

Code: [Select]

hxxp://in4tk.com/download/file.exe
hxxp://in4tk.com/download/InternetAntivirusPro.exe

file.exe VirusTotal: Trojan Hiloti 7/38 (18.43%)

InternetAntivirusPro.exe VirusTotal: Fake AV 2/39 (5.13%)

Redirector: gosidescan.com

[Malware-Web-Threats]

209.44.126.14 - Fake Antivirus

Code: [Select]

hxxp://anytoplikedsite.com/download.php
hxxp://anytoplikedsite.com/installpv.exe
hxxp://topsecurity4you.com/download.php
hxxp://topsecurity4you.com/installpv.exe
hxxp://cleanyourpcspace.com/download.php
hxxp://cleanyourpcspace.com/installpv.exe
hxxp://fullsecurityshield.com/download.php
hxxp://fullsecurityshield.com/installpv.exe

VirusTotal 13/40 (32.50%)
VirusTotal 6/40 (15%)
VirusTotal 5/40 (12.5%)
VirusTotal 6/40 (15%)
installpv.exe - VirusTotal 6/40 (15%)

[MysteryFCM]

Cheers

[Malware-Web-Threats]

66.197.154.199

Code: [Select]

hxxp://log6scan.info/download/install.php
hxxp://scan6log.info/download/install.php
hxxp://mainscan6.info/download/xp/install.php


VirusTotal: Trojan TDSS 7/40 (17.5%)
VirusTotal: Trojan TDSS 7/40 (17.5%)
VirusTotal: Trojan TDSS 4/40 (10%)

63.146.2.92

Code: [Select]

hxxp://newscan4.info/download/install.php
hxxp://scansafe4.info/download/install.php

VirusTotal: Trojan TDSS 7/40 (17.5%)
VirusTotal: Trojan TDSS 7/40 (17.5%)

209.44.126.14

Code: [Select]

hxxp://trustsecurityshield.com/download.php
hxxp://trustsecurityshield.com/install/ws.zip
hxxp://trustsecurityshield.com/install/installpv.exe

VirusTotal: Trojan 7/40 (17.5%)
VirusTotal: Fake AV 11/40 (27.5%)
VirusTotal: Trojan 3/40 (7.5%)

[Malware-Web-Threats]

66.197.154.199

Code: [Select]

hxxp://gen6in.com/download/file.exe
hxxp://gen6in.com/download/InternetAntivirusPro.exe
hxxp://Gen6iz.com/download/file.exe
hxxp://Gen6iz.com/download/InternetAntivirusPro.exe

VirusTotal: Trojan TDSS 4/40 (10%)
VirusTotal: FakeAV 2/40 (5%)
VirusTotal: Trojan TDSS 4/40 (10%)
VirusTotal: FakeAV 2/40 (5%)

[Malware-Web-Threats]

66.197.154.199

Code: [Select]

hxxp://main6scan.info/download/install.php
hxxp://scanlog6.info/download/install.php

VirusTotal: Trojan TDSS 6/40 (15%)

Same file

File size: 40960 bytes
MD5: b1467bfa3a5bd8a50d95ca543e296799

[Malware-Web-Threats]

redirection

209.200.124.200

Code: [Select]

hxxp://bikervoice.com/index.php?option=com_content&view=category&id=1&Itemid=50

redirection

212.24.54.3

Code: [Select]

hxxp://traf.ws/?p=fattaft

91.212.65.10 (fake scan page)

Code: [Select]

hxxp://free-web-scaners.info/disk/?code=170
hxxp://free-web-scaners.info/scan/?

91.212.65.10 (fake av)

Code: [Select]

hxxp://trucount3000.com/cgi-bin/install.pl?adv=170
install.exe VirusTotal: Trojan 5/40 (12.5%)

file renamed to frmwrk32.exe after infection (Anubis Analysis)

Redirection Analysis

[Malware-Web-Threats]

91.212.41.96

Redirect to rogue - Wepawet Analysis

Code: [Select]

http://xh.kaktotak.net/in.cgi?9&tsk=id778-29mar09-r35
63.146.2.92

Code: [Select]

hxxp://scantool4.info/download/install.php
VirusTotal: Trojan TDSS - 8/40 (20%)

66.197.154.199

Code: [Select]

hxxp://scan6step.com/download/install.php
hxxp://scanlite6.com/download/install.php

VirusTotal: Trojan TDSS - 8/40 (20%)
VirusTotal: Trojan TDSS - 8/40 (20%)

91.212.41.110

Another redirection: Wepawet Analysys

Code: [Select]

hxxp://ysh.soulmosp.cn/in.cgi?9&tsk=id775-27mar09-r35

[Malware-Web-Threats]

63.146.2.92

Redirectors to rogue

Code: [Select]

hxxp://gomindscan.com

66.197.154.199

Code: [Select]

hxxp://goluxscan.com

Redirection Analysis
Redirection Analysis

[Malware-Web-Threats]

84.16.227.223

Code: [Select]

hxxp://theonlinesecurityscan.com/download.php
hxxp://theonlinesecurityscan.com/download/ws.zip
hxxp://theonlinesecurityscan.com/download/installpv.exe

VirusTotal: Trojan 10/40 (25%)
VirusTotal: Trojan 13/40 (32.5%)
VirusTotal: Trojan 8/40 (20.00%)

Redirectors

Code: [Select]

hxxp://theonlinesecurityscan.com/hitin.php

195.88.81.93 - Fake Scanner Page

Code: [Select]

hxxp://msscanner-top-av.com/200109/scan/

78.26.179.137

Code: [Select]

hxxp://files.ms-loads-av.com/exe/setup_1_2_1.exe

VirusTotal: Fake AV 5/40 (12.5%)

[Malware-Web-Threats]

209.44.26.14 - Rogue Fake Antivirus

Code: [Select]

hxxp://securityscan4you.com/download.php
hxxp://securityscan4you.com/install/installpv.exe
hxxp://securityscan4you.com/install/ws.zip

VirusTotal: Trojan 12/37 (32.44%)
VirusTotal: Trojan 9/36 (25%)
VirusTotal: Trojan 15/37 (40.55%)

[Malware-Web-Threats]

66.197.154.199 - Redirectors

Code: [Select]

hxxp://gotipscan.com
hxxp://goscanlux.com

66.197.154.199 - Payload

Code: [Select]

hxxp://scan6lite.com/download/install.php

VirusTotal: Trojan TDSS 13/39 (33.34%)

66.206.17.28 - Payload

Code: [Select]

hxxp://scan6user.com/download/install.php

VirusTotal: Trojan TDSS 27/40 (67.5%)

[Malware-Web-Threats]

63.146.2.92 (Fake Antivirus)

Code: [Select]

hxxp://tool4scan.info/download/install.php
VirusTotal: Trojan TDSS / InternetAntivirusPro 8/40 (20.00%)

[Malware-Web-Threats]

63.146.2.92 - Rogue Fake AV

Code: [Select]

hxxp://scan4mini.com/download/install.php
hxxp://scan4star.com/download/install.php

Same file

File Name: install.exe
MD5: d6d929af1d4e28b43122a820f87d85dc

1) Anubis
2) Anubis

VirusTotal: Trojan TDSS 10/39 (25.65%)

[Malware-Web-Threats]

209.44.126.14

Redirector:

Code: [Select]

hxxp://firstscansecurity.com/hitin.php
hxxp://firstscansecurity.com/in.php
hxxp://firstscansecurity.com/page.php

Trojan:

Code: [Select]

hxxp://firstscansecurity.com/download.php
hxxp://firstscansecurity.com/install/installpv.exe
hxxp://firstscansecurity.com/install/ws.zip

VirusTotal - 28/40 (70%)
VirusTotal - 2/39 (5.13%)
VirusTotal: - 4/40 (10%)

Redirector:

Code: [Select]

hxxp://myfirstsecurityscan.com/hitin.php
hxxp://myfirstsecurityscan.com/in.php
hxxp://myfirstsecurityscan.com/page.php

Trojan:

Code: [Select]

hxxp://myfirstsecurityscan.com/download.php
hxxp://myfirstsecurityscan.com/install/installpv.exe
hxxp://myfirstsecurityscan.com/install/ws.zip

VirusTotal - 17/40 (42.5%)
VirusTotal - 2/10 (5%)
VirusTotal - 13/40 (32.5%)

Redirector:

Code: [Select]

hxxp://mytopvirusscan.com/hitin.php
hxxp://mytopvirusscan.com/in.php
hxxp://mytopvirusscan.com/page.php

Trojan:

Code: [Select]

hxxp://mytopvirusscan.com/download.php
hxxp://mytopvirusscan.com/install/installpv.exe
hxxp://mytopvirusscan.com/install/ws.zip

VirusTotal - 19/40 (47.5%)
VirusTotal - 2/40 (5%)
VirusTotal - 14/40 (35%)

84.16.227.223

Code: [Select]

hxxp://theonlinesecurityscan.com/download.php
hxxp://theonlinesecurityscan.com/install/installpv.exe
hxxp://theonlinesecurityscan.com/install/ws.zip

VirusTotal - 26/40 (65%)
VirusTotal - 2/40 (5%)
VirusTotal - 1/40 (2.5%)

194.165.4.41

Code: [Select]

hxxp://scanbest6.com/download/install.php

VirusTotal - 16/40 (40%)

63.146.2.92

Code: [Select]

hxxp://scanmix4.com/download/install.php

VirusTotal - 13/40 (32.50%)

66.197.154.199 - Redirect to rogue

Code: [Select]

hxxp://gofanscan.com

91.212.41.110 - Redirect to rogue

Code: [Select]

hxxp://goldrushclub.cn/in?cgi?6
hxxp://anti.greenhistory.cn/in.cgi?6

91.212.41.111 - Redirect to rogue

Code: [Select]

hxxp://a.goldrushclub.cn/in?cgi?6