Monday, September 22, 2008

Zlob fake codec updates

Here are some more Zlob domains:

soft-download-channel.com (66.232.126.193)
liveupdateservice.cn (91.203.92.47)


And, here's one more domain that offers fake MP3 files for download. The MP3 files are actually Zlob fake codecs hosted at mediamswares.com (info here):

mp3lized.com (78.157.143.200)

Sunday, September 21, 2008

Zlob fake codec updates

New Zlob fake codec domains:

theprivatetube.com (78.157.143.191)
softload2008jq.com (78.157.143.250)
91.203.93.26

Saturday, September 20, 2008

Zlob fake codec updates

More fake codec distributing domains:

http://xh-codec.net (78.157.142.111)
http://mediamswares.com (77.91.231.183)
http://movsdlls.com (77.91.231.201)

Saturday, September 13, 2008

Total Secure 2009 and Google search poisoning

Total Secure 2009 is one of the new batch rogue security applications. The installer of Total Secure 2009 generally masquerades itself as a fake codec (Zlob!) and gets registered as a BHO for Internet Explorer. Here's a HijackThis entry for one of such BHO:

O2 - BHO: Apaps - {EC748705-E0FD-4671-9AFF-890579E57450} - C:\WINDOWS\system32\gaspt.dll

This BHO poisons the Google search results, so that first few results are always redirected to Total Secure 2009 download links. Here's an example of search result poisoning by Total Secure 2009 dropper:



You can follow the steps given here to get rid of this malware.

Zlob fake codec updates

These are some new Zlob pushing domains:

free-download-basez.com (74.50.117.68)
wmmsupdate.com (77.91.231.201)
metavideotube.com (78.157.143.191)
codecdownload.trustedsoftportal07.net (74.50.117.89)
softload2008mx.com (78.157.143.250)
downloadtorun.com (91.203.93.25)


Stay away from them ;)

Thursday, September 11, 2008

More fake MP3 download sites

Few months ago I had blogged about fake MP3 download sites, which were pushing Zlob and other malware. Now, here are some more domains which are utilizing this same trick!

mp3lisious.com (78.108.177.112)
Name servers:
ns1.mp3lisious.com (78.108.177.112)
ns2.mp3lisious.com (78.108.177.118)
Registrar: RegTime.net Limited
Creation date: 2008-09-10
Expiration date: 2009-09-10
Registrant: Alex Bearns
Email: alex.bearns.domain.reg@gmail.com
Organization: Private person
Address: PO Box 92
City: Prague
State: CZ
ZIP: 4729
Country: CZ
Phone: 420.221700111


highratedmp3.com (78.108.177.113)
Registration Service Provided By: ESTDOMAINS INC
Website: http://www.estdomains.com
Domain Name: HIGHRATEDMP3.COM
Registrant: Evgenij Dobrolubov clip@neverseenclips.com
ul Sovetskaja 89
Toljati
Not Applicable 445000
RU
Tel. 7.8482485109
Creation Date: 30-Jun-2008
Expiration Date: 30-Jun-2009
Domain servers in listed order:
ns2.highratedmp3.com
ns1.highratedmp3.com
Status: ACTIVE




The MP3s offered for download are actually Zlob fake codecs hosted at wplayerware.com.

Zlob fake codec updates

Here are some of the latest Zlob distributing domains:

favoritetube.net
trustedware.com
wplayerware.com
codecdownload.trustedsoftportal2009.net

Tuesday, September 09, 2008

Zlob fake codec updates

Here are some more new Zlob pushing websites:

http://gothotvidtosee.com
http://imagesaccess.com
http://myveryprivatevid.com
http://watchmovie2009.com
http://softload2009.com
http://www.pwrware.com
http://yebanulisohuenno.com
http://u-software-online.com


And, VirusTotal scan results of malware pushed by above-mentioned sites, can be found here, here and here.

AntiVirus 2009 updates

Here's one more site pushing AntiVirus 2009 rogue security software:

http://googlescanners-360.com/



AntiVirus 2009 replaces the actual Windows Security Center applet in Control Panel with a fake version, which contains links to dubious websites. This Control Panel applet is named as scui.cpl, whereas the original applet is named wscui.cpl. See if you can spot the not in the below screenshots ;)



Antispyware Pro XP

One more rogue application, called Antispyware Pro XP, is out in the wild. The fake online scanner at http://scan.antispyware-free-scanner.com/ looks like this:



It pushes an installer that is hosted at http://files.as-pro-xp-download.com/. This installer downloads the actual rogue application executable.



And, finally the rogue application looks like this!



Detections for the installer and rogue executable are not very good at this moment. VirusTotal scan results of the installer and rogue application executable can be found here and here respectively.

Monday, September 08, 2008

Zlob fake codec updates

Here are some new Zlob peddling sites:
http://soft-upgrade-network.com
http://tube-911.com


The fake codec is named as LcodecPlus and detections are not good at this point of time:

File LcodecPlus.v.1.0.exe
Avast - Win32:Agent-ABHP
GData - Win32:Agent-ABHP
Microsoft - TrojanDownloader:Win32/Renos.Y


Complete VirusTotal scan report can be found here.

Sunday, September 07, 2008

PrivateContent and fake Google Toolbar BHO

The gang behind rogue security software has taken new approach to peddle malware. Instead of fake codecs, now they are offering some kind of "Access Code Generator" called PrivateContent, using which one can supposedly access online videos. Obviously, this access code generator is a fake!



PrivateContent.exe is hosted at http://teens.niche-planet.com and is not very well detected as of now. Here's the VirusTotal scan result (complete scan results can be found here):

File PrivateContent.exe
AntiVir 7.8.1.28 - TR/Drop.Agent.vsu
Prevx1 V2 - Malicious Software
Webwasher-Gateway - Trojan.Drop.Agent.vsu


PrivateContent.exe drops a DLL named googletoolbar1.dll in %ProgramFiles%\Google\ directory. This DLL is registered as an Internet Explorer BHO. HijackThis entry for this BHO is as shown below:

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4D91-8333-CF10577473F7} - C:\Program Files\Google\googletoolbar1.dll

Surprisingly, this fake googletoolbar1.dll is not detected by any of the AVs at VirusTotal (scan results can be found here).

Googletoolbar1.dll generates popups/ads and tries to install rogue security software. Check out below screenshots which show fake googletoolbar1.dll in action!



Saturday, September 06, 2008

Fake Windows Media Player!

Here's a rogue website which fakes Windows Media Player. This time, gang behind these websites has given good amount of attention-to-detail for their fake Windows Media Player. This fake player initially tries to "search" for codecs in update.microsoft.com and then offers a codec (fake, obviously!) for download. Here are some of the screenshots of fake player:







The codec is named as Megazcodec and is hosted at http://megazcodec.com. Megazcodec is yet another Zlob/DNSChanger variant; however it is not well detected as of now. The VirusTotal report is as shown:

File megazcodec.v3.104.exe
AntiVir 7.8.1.28 - TR/Dropper.Gen
BitDefender - Trojan.DNSChanger.VD
Ikarus - Win32.SuspectCrc
Sunbelt 3.1.1610.1 - Media Code, Inc (v)
Webwasher-Gateway - Trojan.Dropper.Gen


Complete VirusTotal scan result can be found here.

Zlob fake codec updates

Here are some of the new Zlob pushing websites:
http://getqtysoftware.com
http://softwareportal2008.com
http://www.favoredmovie.com
http://megazcodec.com
http://www.plupdate.com

Stay away from these sites...

Thursday, September 04, 2008

Windows Filtering Platform (WFP) user mode examples

So far, in Windows 2000/XP/2003 operating systems the packet filtering APIs (PfXxx APIs) were used to implement TCP/IP packet filtering applications and firewalls. However, these PfXxx APIs are discontinued in Windows Vista/2008! But, Vista contains a completely new filtering engine called Windows Filtering Platform (WFP). The WFP gives various APIs using which packet filtering can be achieved. I thought of writing a simple class which encapsulates these APIs. It might help if you are planning to use WFP APIs. The article can be found here. That article is just a starting point, and you can do much more things with WFP. These are some of the pages which give information about WFP:
WFP Management API Reference
WFP structures Reference
Windows SDK 2008
Visual Studio 2008