NoVirusThanks Blog » Rogue Software

Massive number of blogs hacked for Blackhat SEO

admin — Tue, 08 Jun 2010 00:24:29 +0000

We noticed a new high number of blogs (more than 60) hacked for massive blackhat SEO strategies used to redirect users to fake scanner pages that will prompt the users to download a rogue security software named Security Master AV. This is a small list of hacked websites we have found that host malicious scripts used to capture keywords and redirect users to dangerous websites:

URLVoid Report gubserfarms. com
URLVoid Report buenapetito. net
URLVoid Report renurestoration. com
URLVoid Report robertsawards. biz
URLVoid Report practicumgroup. com
URLVoid Report renedaalder. com
URLVoid Report niteczka.com. pl
URLVoid Report deliciouz. com
URLVoid Report calicompras. com
URLVoid Report fonet.co. za
URLVoid Report rocahosting. com
URLVoid Report hillarynan. com

When the user search a specific keyword in a search engine, on the first pages we can see websites that contain .php scripts in the /images/ folder … this looks like a bit suspicious:

1 2	/images/trend.php?page=keyword Host: www.gubserfarms. com

As response we get a HTTP/1.1 200 OK and there is a redirection in the META HTTP-EQUIV that points to another dangerous link:

1	URL=hxxp://ghostroadpress. com/xredir.php?uid=2033">

Most of the hacked websites point to ghostroadpress. com (URLVoid Report) and we noticed that it contains always a link to another suspicious website that looks like to be used for statistics:

1	ctrash.byethost4. com/tick.php?sub=1&r=

URLVoid Report ctrash.byethost4. com

Now we get redirected again to another URL:

1 2	HTTP/1.1 302 Moved Temporarily Location: hxxp://www3.smartbestav4. co.cc/?p=p52dc

URLVoid Report www3.smartbestav4. co.cc

It is not over! We get again a redirect to another URL:

1 2	HTTP/1.1 302 Moved Temporarily Location: hxxp://www1.avscaner-34pr. co.cc/?p=xxx

URLVoid Report www1.avscaner-34pr. co.cc

And finally we get the fake scanner page:

A common action of these fake scanner page is that it is always loaded a .js script that as filename it has an hash:

1	GET /107aee58f4ea1267e6735c8fb0c51431bd8c3010411.js HTTP/1.1

When we click in any place of the fake scanner page we get again redirected to a new page that will prompt the download of the setup file of the rogue security software named Security Master AV.

1 2	HTTP/1.1 302 Moved Temporarily Location: hxxp://www2.zonecleaner-87pd. co.cc/zsnd107_2033.php?p=

URLVoid Report www2.zonecleaner-87pd. co.cc

Here we can see a screenshot of the setup file that is trying to download and install the rogue security software in our system:

This is an image of the installed Security Master AV:

And these are the files created during the installation process:

After the installation finished to install the rogue security software, the program established various connections with these VERY dangerous websites:

URLVoid Report update1.free-guard. com/index.php?def387=
URLVoid Report update1.free-guard. com/xp_2b2ff.exe
URLVoid Report www1.detector11-pr. co.cc/hch107_2033.php?p=
URLVoid Report www5.securitymasterav. com
URLVoid Report secure2.protectzone. net/?abbr=SMAV&pid=3
URLVoid Report report.zoneguardland. com
URLVoid Report report.goodguardz. com
URLVoid Report secure1.protect-zone. com/?abbr=SMAV&pid=3
URLVoid Report report.myfairland. com
URLVoid Report report1.stat-mx.xorg. pl
URLVoid Report report.land-protection. com

Be always careful while searching for any kind of keywords in Search Engines!

Privacy Commander – Rogue software

admin — Thu, 04 Dec 2008 22:13:53 +0000

Privacy Commander is another software that look like a security tool, but it will show you only false virus detections only to puch you into buy the full version. In my case, the malicious software showed me also files that where not present in my system and there was frequently popups that showed me always false virus detections that the software claimed to found in my system.

The installer file was named install.exe and below there is the report of the scanner:

Report Generated 4.12.2008 at 23.04.10 (GMT 1)
Time for scan: 47 seconds
Filename: install.exe
File size: 1693 KB
MD5 Hash: ADEA5D67CF489ED35E968B28A5EE422E
SHA1 Hash: 6D46083580558C81233CD5EB34A0543751F56316
CRC32: 756827256
Application Type: Executable (EXE) 32bit
Packer detected: Nullsoft PiMP Stub [Nullsoft PiMP SFX] *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 2 on 23

Antivirus Result
a-squared Nothing found!
Avira AntiVir Nothing found!
Avast Nothing found!
AVG Nothing found!
BitDefender Nothing found!
ClamAV Nothing found!
Comodo Nothing found!
Dr.Web Nothing found!
Ewido Nothing found!
F-PROT 6 Nothing found!
G DATA Nothing found!
IkarusT3 Nothing found!
Kaspersky Nothing found!
McAfee Nothing found!
MHR (Malware Hash Registry) Nothing found!
NOD32 v3 probably unknown NewHeur_PE virus
Panda Nothing found!
QuickHeal Nothing found!
Solo Antivirus Nothing found!
Sophos Sus/Behav-269
TrendMicro Nothing found!
VBA32 Nothing found!
VirusBuster Nothing found!

Some images of the installed software:

If you are infected by this malicious software and you need to remove it I suggest you to try this remover:

How to remove Spy Protector

admin — Fri, 07 Nov 2008 22:29:57 +0000

Spy Protector is a rogue security software, it is a false anti-spyware application that is generally installed in the user’s computer by dangerous trojans (such as Zlob and false video codecs), but it can also be installed manually by the victim.

Once your computer is infected with this parasite, it will immediately displays security warnings, alerts and system scans stating that your computer is heavily infected. These warnings are all false and are only displayed to make you think your computer is truly infected and that it is necessary to buy the full version of the software to remove the so-called infections.

Make sure to not fall in this scam, if your computer is infected with Spy Protector, it is recommended to remove it immediately and to scan your system with a real security software.

Symptoms of infection

The process srcss.exe is running in your system
Slow computer performance
Repeated security warnings, alerts and system scans
Web sites that suddenly are shown on your desktop

Malicious web sites and urls:

1	spy-protector.org

When the program is executed, it creates the following files:

%ProgramFiles%\Spy Protector
%UserProfile%\Application Data\install.exe
%UserProfile%\Application Data\shellex.dll
%UserProfile%\Application Data\srcss.exe
%UserProfile%\Application Data\SpyProtector
%UserProfile%\Application Data\SpyProtector\SC_Base_new.dat
%UserProfile%\Application Data\SpyProtector\SC_Config.ini
%UserProfile%\Desktop\Spy Protector.lnk
%UserProfile%\Start Menu\Programs\Spy Protector
%UserProfile%\Start Menu\Programs\Spy Protector\Purchase License.url
%UserProfile%\Start Menu\Programs\Spy Protector\Spy Protector.lnk
%UserProfile%\Start Menu\Programs\Spy Protector\Support Page.url

The program creates the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\SpyProtector
HKCR\*\shellex\ContextMenuHandlers\Spy Protector
HKCR\Directory\shellex\ContextMenuHandlers\Spy Protector
HKCR\Drive\shellex\ContextMenuHandlers\Spy Protector
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spy Protector

How to remove XPShield (manual removal) ?

Kill all the Spy Protector processes
Unregister all the Spy Protector DLLs
Delete all the Spy Protector files
Delete all the Spy Protector registry entries

How to remove Spy Protector (automatic removal) ?

Download and Install NoVirusThanks Malware Remover
Update the database
Click the button Scan
Delete infected files