ThreatFire Research Blog
Blog from the threat research team at Threatfire about computer security.
Recent Posts Tagged With 'fakealert'
Past the Second Half of 2009
Just before we pop corks at the arrival of 2010 and the passing of 2009, let’s take a quick look at the second half of 2009. Across the U.S. the ThreatFire community saw huge numbers of FakeAv variants disappointingly being run on systems, the ...
Malware Attacks on Windows 7
Yesterday's release of Windows 7 brings with it a different playground for malware. If reviewer predictions are realized, the platform will overtake Windows XP as the Windows OS of choice in high volume, which provides a whole new platform of interest...
NY Times FakeAv Banner Ads Certainly not New
The banner ads allegedly rotating through the NY Times website over the weekend delivered FakeAv/Rogueware from servers that have been delivering the same stuff since around July 19th. The current URL over the weekend was protection-check07. com, but...
Total Security and pav.exe
Previous posts showed spam-based scams attempting to deliver a payload named "pav.exe" onto your system. The scam is continuing with the title "Total Security" for the familiar scareware messages. Be aware that there is a legitimate security suite th...
Downloader Updates
Around the 17th of this month, the relentless malware distribution gang serving up malicious downloaders in a variety of scams and "headline malware" schemes moved their wares from 95.211.8.20, as described in a previous post, to their newest locatio...
Pav.exe is not a Personal Touch You're Looking For
Rogueware of the week: Personal Anti-Virus. The distributors of this scareware, FakeAv, Rogueware, Fakealert (whatever you want to refer to it) software recently have chased headline events as we posted here. As the distributors repack the binaries for...
Cutwail/Pandex reader_s.exe Continues to Deliver Spambots and mmx Evasions throughout Shutdowns
Cutwail (also known as Pandex) malware is not a new family name on the bot scene. However, the Cutwail/Pandex botnet is described as one of the largest and most active botnets currently known. This resilient botnet managed to bounce back after both t...
When Is Flash-Plugin not a Flash Plugin?
When it's a FakeAv/Rogueware downloader, of course. An interesting note about the malware served from the ongoing malware operation recently moved to 95.211.8.20 and is covered in many previous posts...since August 1st, the group now serves up execut...
Shameless SEO Based on Jakarta Bombing Incident
John Bambenek over at the Handler's diary posted on this morning's shameless SEO attempts to redirect news seekers to exploit pages. The end result on a successfully compromised system is a download of FakeAv (or "scareware"). Currently, its name is ...
Ongoing Downloader Activity, Now at 64.20.38.172
The gang distributing FakeAv downloaders and more have moved their goods and scheme to yet another server and adult theme. In addition to downloader filenames like streamviewer.45043.exe, tubeviewer.ver.6.21586.exe, onlinemovies.45023.exe, the group ...
itsecure.microsoft.com?
Your browser could be redirected to antivir-systempro.com, and you could be fooled into buying something from a spoofed website, following a drive-by attack on your system. Or, a piece of malware could edit your hosts file and open a window to a legit...
Streamviewer.exe, Tubeviewer.exe, Tubeplayer.exe, now Onlinemovies.exe!
The gang serving up malicious downloaders from a couple of servers just spiced things up, adding "onlinemovies.40008.exe" alongside streamviewer and softwarefortubeview on the list of obnoxious files served from 64.20.38.172. AV detection is very low. It...
FakeAv Settlement
The FTC recently settled against a FakeAv purveyor. While this settlement won't remove all of the variants out there, it is welcome news nonetheless, with ongoing progress and the case list here. The fewer distributors of XP Antivirus the better: "The ...
Wanna See Harry Potter and the Half-Blood Prince?
You're going to have to wait for it to come out. And if you don't, you may be sorry you didn't wait. The group pushing blackhat SEO tactics to abuse the most popular networks, including digg.com, blogspot.com and others, continues to prey on those int...
Warning! The media system on your computer is corrupt.
No, probably not. This fake alert most likely has to do with the streamviewer exe that you downloaded and ran. We've been monitoring a FakeAv/Koobface/spyware delivery scheme, and today the group dropped their standard FakeAv moneymaker and added a se...
Softwarefortubeview Moves to a New Home at 65.110.50.141
We posted a couple of weeks ago on the continued success of a group in distributing FakeAv/Rogueware/Scareware. Please note that their downloaders have been moved to a new home at 65.110.50.141. There are multiple domains currently resolving to that i...
Undetected Autorun/Injector Variant on the Loose
A new variant of an Autorun worm is on the loose, probably created by another childish and angry ex-lover. The little multithreaded beast injects into Windows Explorer and attempts to communicate with one of several IRC servers at June.IRCdevils.ne...
Brunga.at Facebook Phish
While no product protects against absolutely everything, a couple of technical support people here had links sent from their friends to their Facebook account, telling them to check out "Brunga. at". (Do not visit this site right now to fill out logi...
SoftwareForTubeview Codec Scheme's Continued Success
A rogueware distribution gang known for their use of well-known RBN services and phishing scams continues to maintain a couple of the busiest servers in our daily prevented malware lists. Starting on May 6th, the group moved their downloaders and mal...
Windows Security Center and Virus (I-Worm.Trojan.b)
What is a virus i-worm trojan anyway? Well, it's not a legitimate detection with a valid CARO name; it's gibberish to lead a user to "Click 'Ok' to Install System Security Antivirus", either on XP or with a sleeker look on Vista. The distributors ...
LuckySploit Links Sent over Gaming Collaboration Clients
Links to LuckySploit exploit pages are being sent over gaming collaboration tools with the end goal of installing the rogueware/scareware Spyware Protect 2009, still being hosted at antiwareprotect.com (Name: antiwareprotect.com, Address: 91.212.65.122) i...
Hosts File Modifications Lead to Phony AntiVirus 2010 Reviews
The distributors of the rogueware bundle Antivirus 2010, replacing last year's scam AntiVirus 2009, are brazenly re-using another HOSTS file modification, adding another twist to their scheme. ThreatFire currently is preventing an installer in fairly hig...
browser-security.microsoft.com Hosts File Modification
The ThreatFire community is preventing an unusual hosts file modification in higher prevalence than usual that seems to be related to "Spyware Protect 2009". On unprotected systems, the end result can be that your browser appears to be visiting "brow...
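The posts above describe the same trick twice: the rogueware installer rewrites the HOSTS file so that a name under a trusted domain (browser-security.microsoft.com, itsecure.microsoft.com) resolves to an address the scammers control, and the browser then shows a convincing URL over a spoofed page. The checker below is an added example, not code from the ThreatFire blog or product: it parses a HOSTS file and reports any name under a protected domain that is pinned to a non-loopback address, and, as a related tactic the posts do not cover, any non-localhost name blackholed to loopback (a way to block security-vendor updates). The protected-domain list and the sample file contents are constructed for the example; the IP used in the sample is the one this page gives for antiwareprotect.com.

```python
"""Flag HOSTS-file entries that hijack trusted names (added example)."""
import ipaddress
import re

# Assumption: a defender-chosen list of domains whose names should never be
# pinned in HOSTS. Only microsoft.com is taken from the posts above.
PROTECTED_DOMAINS = ("microsoft.com",)

# Constructed sample imitating the modification described in the posts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# lines added by a rogueware installer (constructed)
91.212.65.122   browser-security.microsoft.com
91.212.65.122   itsecure.microsoft.com
127.0.0.1       www.avast.com
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs; comments and blank lines are skipped,
    and a line with several hostnames yields one pair per name."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        if len(fields) < 2:
            continue  # malformed line: address without a hostname
        for name in fields[1:]:
            yield fields[0], name.lower()


def is_protected(name, protected=PROTECTED_DOMAINS):
    """True if name is a protected domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in protected)


def suspicious_entries(text, protected=PROTECTED_DOMAINS):
    """Return a list of (address, hostname, reason) for entries that look
    like a hijack: a protected name pointed off-host, a non-localhost name
    blackholed to loopback, or an address that does not parse."""
    findings = []
    for addr_text, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            findings.append((addr_text, name, "unparseable address"))
            continue
        if is_protected(name, protected) and not addr.is_loopback:
            findings.append((addr_text, name, "protected name pinned to " + addr_text))
        elif addr.is_loopback and name not in ("localhost", "localhost.localdomain"):
            findings.append((addr_text, name, "name blackholed to loopback"))
    return findings


if __name__ == "__main__":
    for addr_text, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print("%-16s %-35s %s" % (addr_text, name, reason))
```

On a live system, read `%SystemRoot%\System32\drivers\etc\hosts` and pass its text to `suspicious_entries`; an empty result means no entry matched either pattern, not that the file is untouched, so comparing the file's hash against a known-good copy is the better baseline check.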
Tubeplayer.ver.6.exe -- Fakealert Downloader Sites
We've been watching a long list of domains that serve up whatever filename you give them, but they provide nothing but a good old fashioned Rogueware downloader, which sometimes goes by the family name Trojan-Downloader.Renos, or Trojan.Fakealert. It...
Who Gave These Guys a Cert?
Xxx41.exe is a filename commonly associated with a trojan-downloader family that we've seen prevented all over the community for the past couple of weeks. It sometimes is dropped and run by phony video codecs with names like "moviecodec.278.exe", "k-...
Microsoft Files Complaints Against Scareware (Rogueware) Makers
While we've been calling it Rogueware for years around here, Microsoft and the state of Washington Attorney General's office are filing a set of complaints against "scareware" makers. It's interesting that lawsuits can be filed against "John Doe" acto...
Fakealert Droppers
A high number of Fakealert droppers are showing up on the radar today and yesterday. A crack under the name "crack_ver1.454.0.exe" in a "zebradesigner pro.zip" package is being distributed from a fairly popular crack site. The standard phony codec di...
MultyCodecUpgr.7.exe Is Not What You Think It Is
If you download and plan on running what you think is a codec named "multycodecupgr.7.exe", you should be aware that users have been affected by this phony codec over the weekend and today in surprisingly high numbers. The file drops a couple of exe...
Spyware Detected on Your Computer!
Not really. See previous post. This scheme has been ongoing this year.Unfortunately, if this one has run on your system, System Restore points have been deleted from the system and a new restore point created post infection. Cleanup will be a bit mor...
You Have a Security Problem
If you see the above message popping up on your system, you most certainly do. The creators of Antivirus 2008 have updated their system of delivering fraudulent and inaccurate alerts to users around the world, following up their 2008 money maker with...
