Tuesday, September 29, 2009

AntivirusPlus ** Rogue Antivirus



IP address: 80.179.147.241

Domains sharing same IP address:

aclepsa-review.com
acnezinereview.net
allinmafia.com
avatrimreview.net
betsforfree.net
blogiver.com
bm-pharmacy.net
budget-medicine.net
budgetmedicines-review.com
buy-generic-viagra-online.net
buy-soma-online.net
buylevitraonlineviagra.com
buyonlinezocor.com
buysibutramine.net
buysildenafil.net
buyzolpidem.net
buyzolpidemtartrate.net
cheaptadalafil.net
clearporesreview.net
extenzepills.net
ez-forum.net
forumaker.com
freebetsonline.net
gamez4free.net
generic4u.net
genf20.net
himurim.net
home-b.net
jewelry-reviews.net
jewelry-store4u.com
levitrasoftabs.com
lotensin.net
mail.acnezinereview.net
mail.avatrimreview.net
mail.bm-pharmacy.net
mail.budget-medicine.net
mail.buy-generic-viagra-online.net
mail.buy-soma-online.net
mail.buysibutramine.net
mail.buysildenafil.net
mail.buyzolpidem.net
mail.buyzolpidemtartrate.net
mail.cheaptadalafil.net
mail.clearporesreview.net
mail.extenzepills.net
mail.ez-forum.net
mail.gamez4free.net
mail.generic4u.net
mail.genf20.net
mail.himurim.net
mail.home-b.net
mail.jewelry-reviews.net
mail.lotensin.net
mail.maleenhancementpatch.net
mail.maxodermreview.net
mail.medicationsinformation.net
mail.nicocurereview.net
mail.noprescriptionzocor.net
mail.orderacomplia.net
mail.orderlevitraonline.net
mail.ordertramadolonline.net
mail.overseas-pharmacy.net
mail.pharmacy-medicine.net
mail.phenterminewithoutprescription.net
mail.provillusreview.net
mail.semenaxreview.net
mail.sizepropills.net
mail.sodiumhyaluronate.net
mail.treatbaldness.net
mail.uploads4free.net
mail.vimaxpills.net
mail.voltaren.net
mail.winnerp.net
mail.zolpidem-tartrate.net
maleenhancementpatch.net
maxodermreview.net
medicationsdictionary.com
medicationsinformation.net
meridiawithoutprescription.com
nicocurereview.net
noprescriptionzocor.net
norvascnoprescription.com
orderacomplia.net
ordergenericxanaxonlinewithnoprescription.com
orderlevitraonline.net
orderphentermineonlinenoprescription.com
orderphenterminewithoutaprescription.com
ordertramadolonline.net
orderxanaxnoprescription.com
overseas-pharmacy.net
pharmacy-medicine.net
pharmacynoprescriptionnorvasc.com
phenterminenopriorprescription.com
phenterminepurchasewithoutaprescription.com
phenterminewithoutprescription.net
pheterminenoprescription.com
propecianoprescription.com
prosolutionpill.net
provillusreview.net
proxyvibe.com
prozacnoprescription.com
prozacwithoutprescription.com
purchasephenterminewithoutaprescription.com
rimonabantnoprescription.com
semenaxreview.net
sizepropills.net
sodiumhyaluronate.net
somanoprescription.com
somawithoutaprescription.com
treatbaldness.net
uploads4free.net
viagaranoprescription.com
viagranoprescription.com
vimaxpills.net
voltaren.net
winnerp.net
xanaxonlinewithoutprescription.com
xanaxwithoutpriorprescription.com
zoloftnoprescription.com
zoloftwithoutprescription.com
zolpidem-tartrate.net



IP address: 206.217.201.136

Domains sharing same IP Address:

50firstdates.cn
6cleanspyware.com
8removespyware.com
astro-boy.cn
baconguide.cn
beastiy-boys.cn
delete-all-virus05.com
greece-tours.cn
hellogoodby.cn
james-taylor.cn
jeremy-kyle-now.cn
johnlennon2009.cn
playing-sports.cn
soccercron.cn
teacherslounge.cn
the-eagles.cn
www.baconguide.cn


IP Address: 195.95.151.185

Domains sharing same IP address:

scan.prescansecurepc.com
scan.thehyperpcsecurity2.com
scan.howtosecyourpcsnow.com

Access America CardMember Leads to Rogue Antivirus

America Bank Card Member:

Access America Bank Cardmember Access america bank cardmember Bank of america no annual fee es credit cards - compare bank of america access to special cardmember offers from american express to save on shopping, dining, travel.

When you type "Access America CardMember" into Google search, the results come up with red (mywot) icons. :)



Below are a few sites rated "red" by mywot:

hxxp://ckxaq.myip.hu/access-af5/undof.html
hxxp://1st-bank.vubujoj.345.pl/rsutharene.html
hxxp://banking-and.podomab.osa.pl/dowald.html
hxxp://bank-commercial.hegupah.osa.pl/jonfonghord.html
hxxp://swift-code.jepogop.bij.pl/ithexign.html



Well... those are the contents. In fact, a script runs in the background when browsing to these websites and redirects to rogue antivirus pop-up messages warning the user that their system has been infected with malware and must be cleaned. Users are then prompted to download fake antivirus software.
"installer.90001.exe" md5: edf88a11fd44f1955180f34be24c5dd9




Virustotal Result:

Detection for the Rogue Antivirus is very low.


Virustotal result

IP address: 91.213.29.250

Domains sharing same IP address:

golary.cn
gombely.cn
gopawu.cn
gopiby.cn
goqfap.cn
gortuwe.cn
gotceyr.cn
gotuqjy.cn
govaqip.cn
gowyti.cn
goxweyc.cn
gubcyil.cn
gubywef.cn
gudxyv.cn
gugema.cn
gugkyaf.cn
gujdywa.cn
gurqyak.cn
gutciko.cn
guxryac.cn
gybukop.cn
gybwuv.cn
hagnuor.cn
haronpi.cn
idoafy.cn
idyzok.cn
ifypeod.cn
igayzde.cn
igivor.cn
igouhxe.cn
iguyzmo.cn
ihaegup.cn
ihagoin.cn
ihogedi.cn
ihuqoyr.cn
ijakony.cn
ijepiyq.cn
ijobuaw.cn
ijuoxe.cn
ikoiwe.cn
ikuaxge.cn
ikylami.cn
ileufby.cn
iloefe.cn
iluefot.cn
imyadoc.cn
ipoxyid.cn
iqaotfy.cn
iqevun.cn
iqidoh.cn
iqoyxab.cn
iraqicu.cn
iwyhuda.cn
mail.golary.cn
mail.gombely.cn
mail.gopawu.cn
mail.gopiby.cn
mail.goqfap.cn
mail.gortuwe.cn
mail.gotceyr.cn
mail.gotuqjy.cn
mail.govaqip.cn
mail.goxweyc.cn
mail.gubcyil.cn
mail.gudxyv.cn
mail.gugema.cn
mail.gujdywa.cn
mail.gurqyak.cn
mail.gutciko.cn
mail.guxryac.cn
mail.gybukop.cn
mail.gybwuv.cn
mail.hagnuor.cn
mail.haronpi.cn
mail.idyise.cn
mail.idyzok.cn
mail.ifypeod.cn
mail.igayzde.cn
mail.igivor.cn
mail.igouhxe.cn
mail.ihaegup.cn
mail.ihagoin.cn
mail.ihogedi.cn
mail.ihuqoyr.cn
mail.ijakony.cn
mail.ijepiyq.cn
mail.ijobuaw.cn
mail.ijuoxe.cn
mail.ikoiwe.cn
mail.ikuaxge.cn
mail.ikylami.cn
mail.ileufby.cn
mail.iloefe.cn
mail.iluefot.cn
mail.imyadoc.cn
mail.ipemuw.cn
mail.ipoxyid.cn
mail.iqaotfy.cn
mail.iqevun.cn
mail.iqidoh.cn
mail.iraqicu.cn
mail.ns-free-acc7.com
ns-free-acc7.com
ns1.ns-free-acc7.com
ns2.ns-free-acc7.com
www.goqfap.cn
www.gortuwe.cn
www.gotceyr.cn
www.gotuqjy.cn
www.govaqip.cn
www.gowyti.cn
www.goxweyc.cn
www.gubcyil.cn
www.gugema.cn
www.gybwuv.cn
www.hagnuor.cn
www.idoafy.cn
www.igouhxe.cn
www.ihogedi.cn
www.ijuoxe.cn
www.iloefe.cn
www.ipemuw.cn

Saturday, September 26, 2009

Against PDF Exploit /ASCIIHexDecode /FlateDecode

PDF exploit files crafted with malicious code obfuscated with /ASCII85Decode and /FlateDecode are common nowadays, used to escape detection by routine analysis. More recently, however, encoding with the /ASCIIHexDecode filter is gaining popularity.

The /ASCIIHexDecode


The stream decoded with Didier Stevens' "pdf-parser.py" is pasted into Malzilla's decoder. The resulting code looks like the figure below.

The eval() result ends up looking like the figure below.


After decoding with the UCS2 decoder, the shellcode downloads three malware files with different names.
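The two analysis steps above, decoding the stream filter chain and turning the %u-escaped (UCS2) strings in the recovered JavaScript into bytes, as an added example that is not part of the original post and not code from pdf-parser.py or Malzilla. It builds its own constructed sample PDF (a Flate-compressed, hex-encoded JavaScript action with a harmless app.alert) and decodes it; the filter abbreviations /AHx, /A85 and /Fl are the ones the PDF specification allows, and a real sample would be passed to extract_streams() in place of build_sample_pdf().

```python
"""Decode the stream filter chains (/ASCIIHexDecode, /ASCII85Decode,
/FlateDecode) that obfuscated PDF exploits use, and turn the %u-escaped
strings found in the recovered JavaScript into raw bytes for analysis."""
import base64
import re
import zlib


def ascii_hex_decode(data: bytes) -> bytes:
    # Hex digits up to the '>' end-of-data marker; whitespace is ignored and
    # an odd trailing digit is padded with 0, as the PDF spec requires.
    body = re.sub(rb"\s+", b"", data.split(b">", 1)[0])
    if len(body) % 2:
        body += b"0"
    return bytes.fromhex(body.decode("ascii"))


def ascii85_decode(data: bytes) -> bytes:
    # Strip the optional '<~' start marker and the '~>' end marker, then let
    # the standard library handle the base-85 groups ('z' included).
    body = re.sub(rb"\s+", b"", data)
    end = body.find(b"~>")
    if end != -1:
        body = body[:end]
    if body.startswith(b"<~"):
        body = body[2:]
    return base64.a85decode(body)


def flate_decode(data: bytes) -> bytes:
    # A decompressobj returns whatever was recoverable from a truncated or
    # junk-padded stream instead of raising, which crafted files often need.
    return zlib.decompressobj().decompress(data)


# Standard filter names plus the abbreviated forms the spec allows.
FILTERS = {
    b"/ASCIIHexDecode": ascii_hex_decode, b"/AHx": ascii_hex_decode,
    b"/ASCII85Decode": ascii85_decode, b"/A85": ascii85_decode,
    b"/FlateDecode": flate_decode, b"/Fl": flate_decode,
}


def filter_chain(stream_dict: bytes) -> list:
    """Filter names from a stream dictionary, in the order they must be applied."""
    m = re.search(rb"/Filter\s*(\[[^\]]*\]|/[A-Za-z0-9]+)", stream_dict)
    return re.findall(rb"/[A-Za-z0-9]+", m.group(1)) if m else []


def decode_stream(stream_dict: bytes, raw: bytes) -> bytes:
    """Apply the dictionary's filters, first to last, to the raw stream bytes."""
    for name in filter_chain(stream_dict):
        if name not in FILTERS:
            raise ValueError("unsupported filter %r" % name)
        raw = FILTERS[name](raw)
    return raw


def extract_streams(pdf: bytes):
    """Yield (object number, dictionary, raw stream bytes) for each stream object."""
    pat = re.compile(
        rb"(\d+)\s+\d+\s+obj\s*(<<(?:[^<>]|<<[^<>]*>>)*>>)\s*stream\r?\n(.*?)\r?\nendstream",
        re.S)
    for m in pat.finditer(pdf):
        yield int(m.group(1)), m.group(2), m.group(3)


def unescape_to_bytes(escaped: str) -> bytes:
    """JavaScript unescape() semantics: %uXXXX is a UTF-16 code unit, stored
    little-endian, so '%u4241' becomes b'AB'; %XX is a single byte."""
    out = bytearray()
    for m in re.finditer(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", escaped):
        if m.group(1):
            out += int(m.group(1), 16).to_bytes(2, "little")
        else:
            out.append(int(m.group(2), 16))
    return bytes(out)


def build_sample_pdf() -> bytes:
    """Constructed sample: a JavaScript action whose code is Flate-compressed
    and then hex-encoded, i.e. /Filter [/ASCIIHexDecode /FlateDecode]."""
    js = b"var sc = unescape('%u4141%u4242'); app.alert('constructed sample');"
    hexed = base64.b16encode(zlib.compress(js))
    body = b"\n".join(hexed[i:i + 64] for i in range(0, len(hexed), 64)) + b">"
    return (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /Action /S /JavaScript /JS 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Length " + str(len(body)).encode() +
            b" /Filter [ /ASCIIHexDecode /FlateDecode ] >>\nstream\n" +
            body + b"\nendstream\nendobj\n")


def decode_sample() -> dict:
    """Decode every stream in the constructed sample, keyed by object number."""
    return {num: decode_stream(d, raw)
            for num, d, raw in extract_streams(build_sample_pdf())}


if __name__ == "__main__":
    for num, code in decode_sample().items():
        text = code.decode("ascii", "replace")
        print("object %d:" % num, text)
        for esc in re.findall(r"unescape\('([^']*)'\)", text):
            print("  unescape ->", unescape_to_bytes(esc))
```

The filter order matters: the names in /Filter are listed in decoding order, so the hex layer is removed before the Flate layer, the reverse of how the file was built. The little-endian byte order in unescape_to_bytes() is why %u-encoded shellcode reads "backwards" when viewed as text.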

Links to download malicious files:
trombocit.com/fr2/bksv3.exe
trombocit.com/fr2/ahkmpswy3.exe
trombocit.com/fr2/cmrv3.exe




trombocit.com = 211.95.78.119

Domains sharing same IP address:

abbcp.cn
bobunium.com
byblegum.biz
hubbabybba.biz
netvisao.biz
poppka.net
ppp3ppp.biz
soft-nintend.biz
trombocit.com


Thursday, September 24, 2009

How to Maximize Malware Protection for Removable Drives

Reference: http://blog.trendmicro.com/how-to-maximize-the-malware-protection-of-your-removable-drives/

Removable drives are one of the most common infection vectors for malware today. Worms propagate via these vectors to proliferate their payload and ultimately, infect more users.

Users need to take some countermeasures to secure their systems. One of them is to protect removable drives against worms that abuse the Autorun feature.

One popular way of protecting removable drives is to create a folder or file in the drive root named AUTORUN.INF. A malicious AUTORUN.INF placed there could otherwise enable malware to run automatically on the system without the user executing it. By creating this file beforehand, ideally, worms are no longer able to run in this way.

However, this method is not perfect. Worms can delete the existing AUTORUN.INF file or folder, and then replace it with a malicious version. This would negate any protection placed by the user on the said file. However, by using file permissions to restrict changes, the AUTORUN.INF file can be protected more effectively.

Note: Make sure that your external drive is formatted using NTFS, as this procedure uses a specific feature of NTFS. If your removable drive is formatted using either FAT or FAT32, back up any data on the said drive first and reformat using NTFS. This may require Windows Vista or Windows 7.

1. Create a new folder in the root directory of the removable disk and rename it “AUTORUN.INF.”

2. Create four more folders in the same location and name them “recycle,” “recycler,” “recycled,” and “setup” respectively.

Note: The folders recycle, recycler, recycled and setup are optional, but it is recommended that users create them, as malware often uses these names.

3. Open a command prompt (cmd.exe) and go to the root directory of your removable drive.

4. Set the folder attributes using the following DOS command:
attrib autorun.inf /s /d -a +s +r
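The procedure above as an added example (not code from Trend Micro or from the original post): a script that first audits a drive root, reporting whether AUTORUN.INF is absent, already a protecting folder, or a real file, and in the latter case which [autorun] launch keys (open=, shellexecute=, shell\open\command=) it carries, then applies steps 1 to 4. It refuses to overwrite a real autorun.inf file so that a possibly worm-dropped file is inspected rather than silently replaced. The attrib invocation is the page's own command; the folder names and the demo's worm-style autorun.inf content are constructed for the example. It is generic across drives: pass any drive root to audit_drive_root() or protect_drive_root().

```python
"""Audit the root of a removable drive for AUTORUN.INF abuse and apply the
folder-based protection described above (steps 1 to 4)."""
import os
import subprocess
import tempfile

DECOY_FOLDERS = ("recycle", "recycler", "recycled", "setup")
# [autorun] keys that make Windows launch a program from the drive.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def find_autorun(root: str):
    """Path of AUTORUN.INF in root in any casing (Windows names are
    case-insensitive), or None if there is no such entry."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            return os.path.join(root, name)
    return None


def parse_autorun_inf(path: str) -> dict:
    """Launch-related key/value pairs from the [autorun] section of an
    INI-style autorun.inf file."""
    found, section = {}, None
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith(";"):
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1].lower()
            elif section == "autorun" and "=" in line:
                key, value = (s.strip() for s in line.split("=", 1))
                if key.lower() in LAUNCH_KEYS:
                    found[key.lower()] = value
    return found


def audit_drive_root(root: str) -> dict:
    """Classify the drive root: no autorun.inf, a protecting folder, or a
    real file (and what that file would launch); list missing decoy folders."""
    path = find_autorun(root)
    if path is None:
        state = "absent"
    elif os.path.isdir(path):
        state = "protected_dir"
    else:
        state = "file"
    present = {name.lower() for name in os.listdir(root)}
    return {
        "state": state,
        "launch": parse_autorun_inf(path) if state == "file" else {},
        "missing_decoys": [d for d in DECOY_FOLDERS if d not in present],
    }


def protect_drive_root(root: str, set_attributes: bool = None) -> bool:
    """Create the AUTORUN.INF folder and the decoy folders, then set the
    attributes with the page's attrib command (Windows only). Returns False,
    changing nothing, if a real autorun.inf file is present."""
    existing = find_autorun(root)
    if existing is not None and not os.path.isdir(existing):
        return False  # inspect the file first rather than replacing it blindly
    if existing is None:
        os.mkdir(os.path.join(root, "AUTORUN.INF"))
    for name in DECOY_FOLDERS:
        os.makedirs(os.path.join(root, name), exist_ok=True)
    if set_attributes is None:
        set_attributes = os.name == "nt"  # attrib only exists on Windows
    if set_attributes:
        subprocess.run(["attrib", "autorun.inf", "/s", "/d", "-a", "+s", "+r"],
                       cwd=root, check=True)
    return True


def demo() -> dict:
    """Run both paths against constructed drive roots in temporary directories."""
    results = {}
    with tempfile.TemporaryDirectory() as infected:
        # Constructed sample of a worm-style autorun.inf (no real malware involved).
        with open(os.path.join(infected, "autorun.inf"), "w") as fh:
            fh.write("[autorun]\nopen=setup.exe\nicon=drive.ico\n")
        results["infected"] = audit_drive_root(infected)
        results["infected_protect_refused"] = not protect_drive_root(
            infected, set_attributes=False)
    with tempfile.TemporaryDirectory() as clean:
        protect_drive_root(clean, set_attributes=False)
        results["clean_after_protect"] = audit_drive_root(clean)
    return results


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, value)
```

On a real drive, run protect_drive_root("E:\\") from a Windows prompt so that attrib is actually applied; the +s +r attributes make the folder harder for a worm to remove with a plain delete, which is the point of step 4.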

Fake Twitter

IP Address: 220.164.144.202


*.ccmaria.com
*.freespinningwheel.com
*.isent.info
*.luckygames365.net
*.nicolepage.com
*.secure-logins01.com
2earnforever.com
apomanie.com
autoemailsystem48.com
ecomm24.info
freespinningwheel.com
informationgalore.net
isent.info
lbuzznet.com
lovachick.com
luckygames365.net
mail.2earnforever.com
mail.apomanie.com
mail.hostbp.com
mail.luckygames365.net
mail.lucycams.com
mail.mailingtonicltd.com
mail.meineapo.info
mail.meineapo.net
mail.nicolepage.com
mail.secure-logins01.com
mailingtonicltd.com
meineapo.info
nannyaupairservices.net
nicolepage.com
nonstopeblast.com
ns1.sxsx.info
ns2.sxsx.info
ppin.biz
profit-in-falling-markets.com
promoflyers.info
receptionist100.com
secure-logins01.com
sitenpromo.net
teletipp.org
texasclaimconsulting.net
tophit-cd.org
ucommand.info
usent.info
woodstockrealisations.net
www.ccmaria.com
www.freebietelegraph.com
www.grassrootsrd.com
www.informationgalore.net
www.luckygames365.net
www.teletipp.org
videos.twitter.secure-logins01.com

RegTool - Fix PC Error Spamming




IP Address: 174.133.196.162
www.regtool.com
*.errorfix.com
antimalwarevalidate.com
errorfix.com
mail.antimalwarevalidate.com
regtool.com
www.antimal om
www.errorfix.com
www.regtool.com

Wednesday, September 23, 2009

Tammy's Weight Loss Story & Dr Maxman Spamming





93.113.27.106
www.shopherenow.cn
*.amazing-resultz.com
*.colon-activia.com
*.online-shopperz.com
*.tammyslim.com
*.twostepsbuy.com
2business-store.com
4lifeshopnow.com
active-powershop.com
amazing-resultz.com
buynowspecial.com
colon-activia.com
combinationplus.com
extra-foood.com
getinside-acai.com
getreadyacai.com
happyshopnow.com
healthstorehere.com
inside-colon.com
mistique-acai.com
online-shopperz.com
online-shoptop.com
shopmagiaplus.com
special2steps.com
specialinside.com
superfood-buy.com
tammyslim.com
twostepsbuy.com
veryextraclean.com
www.amazing-resultz.com
www.colon-activia.com
www.online-shopperz.com
www.tammyslim.com
www.twostepsbuy.com
www.combinationplus.com


218.75.144.5
seikyecx.cn
*.maxgentlemanfreetrials.com
*.online-usmeds.com
*.roadhostdns.com
*.sizetrials.com
*.triallenght.com
*.virility-estore.com
maxgentlemanfreetrials.com
ns1.maxgentlemanfreetrials.com
ns1.online-usmeds.com
ns1.prestige-quality-replicas.com
ns1.serverraw.com
ns1.sizetrials.com
ns1.trialextra.com
ns1.triallenght.com
ns1.virility-estore.com
ns2.fastracedns.com
ns2.maxgentlemanfreetrials.com
ns2.online-usmeds.com
ns2.sizetrials.com
ns2.trialextra.com
ns2.triallenght.com
ns2.virility-estore.com
ns2.worlddnsforum.com
online-usmeds.com
prestige-quality-replicas.com
prevred.com
roadhostdns.com
sizetrials.com
trialextra.com
triallenght.com
virility-estore.com

Spam ** 23-Sep

IP Address: 211.95.78.84

Domains sharing same IP address:
*.aicgifgo.cn
*.aiiecupo.cn
*.aiivugko.cn
*.ailmwexo.cn
*.aimmjtlo.cn
*.aisgxxoo.cn
*.aiuvzhbo.cn
*.aixnyewo.cn
*.cruisestrong.com
*.cupdow.com
*.gullygrowly.com
*.ioahbkie.cn
*.iorsxwue.cn
*.nicecome.com
*.nicejack.com
*.superserverpro.com
acai-online-store.com
acaiberrybloom-onlinestore.com
acaielite-store.com
accessstrong.com
aiasfsro.cn
aicgifgo.cn
aicjhcto.cn
aidlydfo.cn
aifzzoko.cn
aiiecupo.cn
aiitgbmo.cn
aiivugko.cn
aijmwino.cn
aiksrppo.cn
ailmwexo.cn
ailvujko.cn
aimmjtlo.cn
aiomuqmo.cn
aiqgwhuo.cn
aiqpuylo.cn
aisgxxoo.cn
aithoulo.cn
aiuvzhbo.cn
aivvipgo.cn
aiwcetno.cn
aixnyewo.cn
catlike.nicejack.com
coloncleanse-store.com
cruisehear.com
cruisestrong.com
cupdow.com
dr-maxman-special.com
drmaxxx.com
free-edstore.com
gif44.ioahbkie.cn
greentea-onlinestore.com
guarana-onlinestore.com
gullygrowly.com
gullyzulu.com
iojxpvue.cn
iorsxwue.cn
maxgen-onlinestore.com
namegrain.com
ns1.5-2005-search.com
ns1.acaielite-store.com
ns1.aicjhcto.cn
ns1.aiiecupo.cn
ns1.aiivugko.cn
ns1.aijmwino.cn
ns1.aiksrppo.cn
ns1.ailmwexo.cn
ns1.aimmjtlo.cn
ns1.aiomuqmo.cn
ns1.aisgxxoo.cn
ns1.aithoulo.cn
ns1.aiuvzhbo.cn
ns1.aivvipgo.cn
ns1.aixnyewo.cn
ns1.cupdow.com
ns1.dr-maxman-special.com
ns1.gullygrowly.com
ns1.gullyzulu.com
ns1.iojxpvue.cn
ns1.superserverpro.com
ns2.acaielite-store.com
ns2.accessstrong.com
ns2.aicjhcto.cn
ns2.aiiecupo.cn
ns2.aiivugko.cn
ns2.aijmwino.cn
ns2.aiksrppo.cn
ns2.ailmwexo.cn
ns2.aimmjtlo.cn
ns2.aiomuqmo.cn
ns2.aiqgwhuo.cn
ns2.aisgxxoo.cn
ns2.aithoulo.cn
ns2.aiuvzhbo.cn
ns2.aixnyewo.cn
ns2.cupdow.com
ns2.dnsoffsite.com
ns2.dr-maxman-special.com
ns2.gullygrowly.com
ns2.gullyzulu.com
onlinehealthcare-meds.com
packground.com
permanent.cruisestrong.com
powercleanse-onlinestore.com
powerplusman.com
prestige-shoestore.com
pureacai-onlinestore.com
purport.nicecome.com
qualitystrong.com
rankine.nicejack.com
replicadiamondstore.com
superserverpro.com
thehealthcare-onlineshop.com
usa-onlinemedstore.com
www.aicgifgo.cn
www.aiivugko.cn
www.ailmwexo.cn
www.aimmjtlo.cn
www.aisgxxoo.cn
www.aiuvzhbo.cn
www.aixnyewo.cn
www.ueywhdea.cn
www.ixxyarea.cn
www.ivwtmxea.cn
www.uytrssea.cn
www.urbgoyea.cn
www.odnlmlea.cn
www.utuwaeea.cn

IP Address:
211.95.79.70
220.196.59.35
91.213.33.11
203.93.208.86

*.bvanafiz.cn
*.cvupuqal.cn
*.gkavovom.cn
*.jxaqivuy.cn
*.rpafacuj.cn
*.trazawib.cn
08075.pquqeter.cn
0c1007.twelagip.cn
4245cb.qnahatep.cn
eb9bfb.vmuculub.cn
humblenew.com
ns1.cornreal.com
ns1.coursedo.com
ns1.dependorder.com
ns1.sailcalm.com
ns1.sisterspend.com
ns2.classmover.com
ns2.strongmouth.com
ns2321.lamedelegation.ripn.net
ns3.ba43.com
ns3.cu28.com
ns3.da39.com
ns3.decidesit.com
ns3.dimplechaste.com
ns3.groundbed.com
ns3.haveover.com
ns3.hitstead.com
ns3.inventcross.com
ns3.linehumor.com
ns3.med22.org
ns3.mu77.net
ns3.northmy.com
ns3.nu23.com
ns3.replytwenty.com
ns3.skinglad.com
ns3.staymoral.com
ns3.tubeold.com
ns3.via11.net
ns3.via22.net
ns3.via99.org
ns3.worthyfound.com
ns4.advocacycoast.com
ns4.amresolution.com
ns4.majormoral.com
ns4.stoodsail.com
ns4.valuedflower.com
ns5.0g7.ru
ns5.6ph.ru
ns5.appeartry.com
ns5.coateach.com
ns5.fellcause.com
ns5.putflower.com
ns6.0ck.ru
www.csaduxil.cn
ynakefir.cn
www.wslifip.cn
www.sguxaher.cn
www.ycasoxeh.cn
www.hleyicol.cn
*.jxaqivuy.cn
08075.pquqeter.cn
www.csaduxil.cn
www.tbvbzzd.cn
www.fsusikib.cn
www.cwasixoj.cn
146ab9.gfiyawit.cn
8dc1.skujevaz.cn
cae9.lwigugup.cn
61d.vdipecaz.cn
a39f.xsiviqun.cn
05da8.kwizugip.cn
f352.fcetujuc.cn
39c631.drukilis.cn
ae44b.bhulaken.cn

IP Address: 208.69.100.160
optin.fanbox.com

IP Address: 93.113.27.101

www.activemalee.cn
admkoet.cn
eliminate-stress.cn
www.admkoet.cn

SaveArmor Rogue Antivirus



IP Address: 83.233.30.66

Domains sharing same IP address:

*.adeliouotre.com
*.kfredukilo.com
*.lderuzwe.com
*.sasihuing.com
*.securewarrior.com
*.securitysoldier.com
*.trust-cop.com
*.vrekupotre.com
*.vremukapo.com
*.vuderinopared.com
adeliouotre.com
fregukredu.com
fucheristok.com
kredurakus.com
mail.savearmor.com
mail.savekeeper.com
mail.secureveteran.com
mail.securityfighter.com
mail.securitysoldier.com
mail.softsafeness.com
mail.trustwarrior.com
ns1.savearmor.com
ns1.savekeeper.com
ns1.secureveteran.com
ns1.securewarrior.com
ns1.securityfighter.com
ns1.securitysoldier.com
ns1.softsafeness.com
ns1.trust-cop.com
ns2.adeliouotre.com
ns2.blockscan.com
ns2.bterkulas.com
ns2.cremuklip.com
ns2.ctreputilo.com
ns2.cuturanger.com
ns2.durenugser.com
ns2.fagustord.com
ns2.fregukredu.com
ns2.fukcerdas.com
ns2.gamezprumz.com
ns2.guredatizer.com
ns2.gutedscare.com
ns2.hubinkuld.com
ns2.kelmareem.com
ns2.kfredukilo.com
ns2.kiladrure.com
ns2.kredurakus.com
ns2.kregumus.com
ns2.lderuzwe.com
ns2.mitrokili.com
ns2.mlitreduk.com
ns2.mtredurak.com
ns2.nitromraz.com
ns2.nkitrupa.com
ns2.nukoperstubz.com
ns2.ofcilamed.com
ns2.operatunol.com
ns2.plitrekums.com
ns2.popkilams.com
ns2.poredutret.com
ns2.potufadcom.com
ns2.propinutrek.com
ns2.ptinusap.com
ns2.reastunolk.com
ns2.resteriot.com
ns2.sasihuing.com
ns2.sawerteemz.com
ns2.saxireward.com
ns2.sdrukap.com
ns2.selicaguru.com
ns2.vderikupa.com
ns2.vderuwerol.com
ns2.vredkutrei.com
ns2.vredupotre.com
ns2.vregukitre.com
ns2.vrekupotre.com
ns2.vremukapo.com
ns2.vretupak.com
ns2.vtrekilop.com
ns2.vtromik.com
ns2.vuderinopared.com
ns2.vxerkutpo.com
ns2.yohohamarulz.com
ns2.zrewderuk.com
pudurustur.com
saxireward.com
securewarrior.com
securityfighter.com
securitysoldier.com
softsafeness.com
vderikupa.com
vregukitre.com
vxerkutpo.com
www.savearmor.com
www.securitysoldier.com
www.softsafeness.com
www.trust-cop.com

Updated: 12-Oct-09

Monday, September 21, 2009

VirusTotal Top-10 24 Hours (22-Sep)

Reference: www.virustotal.com

Bogus Windows-Virusscan

64.86.17.29

fastscan-protection.net
go-scanandprotect.com
mail.naturallynewzealand.com
mysystemsafety.com
newscan-andprotect.com
ptotect-mysystem.com
search-out.net
softdialog.com
systemscan-secure.net
trust-systemguard.com
windows-virusscan.com


64.86.16.10

abrakadasbra.cn
bestlocatehomes.com
go-scanandsecure.com
locatedin.com
online-systemscan.com
protected-pay.com
searchscan-online.net
secure-systemguard.net
thelocatelost.com
thelocatemissing.com
tryclubcar.cn
trysmartbank.cn
windows-protectonline.com
www.timefreet.cn
www.tryclubcar.cn

Rogue Windows System Suite



64.213.140.68

go-searchandscan.net
gosearchsecurity.net
mail.foryousite.net
mail.protectedsky.info
mail.sheltercloud.info
mail.thesafeguard.info
pay1.fastantivirpro.com
pay2.prestotuneup.com
pay2.windowspcsuite.com
pay2.windowssystemsuite.com
relevantwebsearches.com
shieldcaskad.info
smart-virus-eliminator.com
update2.malwaresdestructor.com
update2.prestotuneup.com
windowsguardpro.com
windowspcdefender.com
windowsprotection-suite.net
www.fast-antivirus.com
www.foryousite.net
www.virusshield-scan.net
www.windowspcsuite.com
ybaezot.cn

64.213.140.69

*.malwarecatcher.net
ajyiqop.cn
awulyna.cn
fastsystem-guard.com
goryhe.cn
lylbaov.cn
mail.windowsprotectionsuite.com
mail.windowssystemsuite.com
malwarecatcher.net
mykeepplace.net
myprotected-system.net
pay2.malwarecatcher.net
pay2.malwaresdestructor.com
shieldsystem.net
update2.virusshieldpro.com
update2.windowsprotectionsuite.com
update2.windowssystemsuite.com
update2.winprotection-suite.com
windowsguardsuite.com
windowssystemsuite.com
winsecuritysuite-pro.com
www.malwarecatcher.net
www.prestotuneup.com
www.virussweeper-scan.net
www.windowssystemsuite.com

64.213.140.70

gotomyprotectedzone.com
ironshield.info
linesecurity.net
mail.ironshield.info
mail.protectionurl.info
mail.realurlsearch.com
mail.searchallinfo.net
mail.securityearth.info
myprotected-zone.com
pay1.prestotuneup.com
realurlsearch.com
securitysun.cn
www.antivirus09.net
www.ironshield.info
www.mainsecurity.info
www.pay-virusshield.cn
www.protectionurl.info
www.realurlsearch.com

64.213.140.71

goprotection.net
mail.myglobalsecurity.info
mail.myselfsecurity.info
mail.prowebstability.com
mail.safemanagment.com
mail.securitysun.info
mail.tommyshield.info
myglobalsecurity.info
myselfsecurity.info
prowebstability.com
safemanagment.com
virus-catcher.net
windows-virusscan.net
www.prowebstability.com
www.safemanagment.com
www.searchav.net
www.security4all.info
www.virus-catcher.net

Rogue Adware Professional 2010

Surprisingly, you will notice that rogue and bogus security solutions are certified by "McAfee Secure". Will Internet shoppers fall into the rogue-activity trap just because the site is "protected" by "McAfee Secure"? Did McAfee really certify this suspicious rogue website? The quality of "McAfee Secure" really needs to be reconsidered... what is your opinion?



What is "McAfee Secure" ?
When you display the McAfee Secure certification mark, you not only increase sales by increasing shopper confidence, you build your brand with the security seal seen on more top sites than any other.
  • Powered by the world's largest dedicated security company
  • More protection for you and your customers than any other certification available
  • Automatic listing in the McAfee Secure Sites directory
  • McAfee certifies the security of over 80,000 web sites worldwide


67.211.161.43
adware-2009.com
adware-2009.org
www.adware-2009.com

67.211.161.44
spy-destroyer.com

67.211.161.45
spyware-mechanic.com

67.211.161.46
noadware-pro.com
www.noadware-pro.com

67.211.161.47
registryfix-pro.com

67.211.161.48
winclear-pro.com

67.211.161.49
adware-2010.com
adware2010.com
www.adware-2010.com

Saturday, September 19, 2009

Spam ** 20 Sep

Suspicious IP Address: 8.15.231.97

Domains sharing same IP address:

4gmcarparts.com
79th.com
87551-app6.topwebsites.com
africaoil.com
athletedirect.com
automatedattendant.com
babysupplies.com
bakkarat.com
bankruptcylitigation.com
bannergraphics.com
baybears.com
befamousonline.com
bermudainsurance.com
birthdaycardsfree.com
buildequity.com
cerealcoupon.com
chickenalfredo.com
childrensbooksonline.com
cityofcarmelvalley.com
clearlaketx.com
clubhorror.com
competitivequotes.com
computerphone.com
confidentialreports.com
copydvd.com
corporaterates.com
countrywidevacation.com
countrywidevacations.com
creditassociates.com
cubiczirconiajewelry.com
damespiel.com
db4.metrocenter.com
dedicated-servers.uk.com
digestivetract.com
dolls.com
downloadvideogames.com
ehealthappeals.com
emergencybackup.com
engstrom.se.com
exoticadventure.com
factoryshowroom.com
fingerpainting.com
fingerprintsecurity.com
floridaseaplanes.com
fourthdown.com
golfing-guides.com
greenenterprises.com
greenportal.com
hamsalad.com
heatingair.com
hodhasharon.com
horseracingtournament.com
interracialdatingservices.com
iowahawkeye.com
ipomedia.com
jaialaitournament.com
jericho.com
jewelryconventions.com
jugetes.com
lemonsquares.com
ltcadvisors.com
lyris.metrocenter.com
mail.dedicated-servers.uk.com
mdadvisor.com
michiganzipcodes.com
mileageawards.com
mobster.com
moneyloans.com
monsterdogs.com
mtbs.eu.com
nosebleeding.com
nutrition.com
oryehuda.com
outofafrica.com
oysterstew.com
packingservices.com
paidinternship.com
paintballtournament.com
pallabase.com
pallovale.com
pariant.com
pcsoftwareinventory.com
pineapplecake.com
ppp45.parser.es
premiumhotels.com
premiumsales.com
preownedcoaches.com
quickprofits.com
reducewrinkles.com
rentalsavailable.com
rounderstournament.com
rvandboatsale.com
rvspecials.com
scottsdaleaviation.com
secretlyexposed.com
session.auctions.com
smokingsupport.com
softwareratings.com
solarkit.com
strategicplanners.com
sureloans.com
theatre.net
tilefloors.com
usedcarbuyers.com
vanrebates.com
vcinvestors.com
vegasaccomodation.com
volunteertrip.com
volunteertrips.com
warehousecondo.com
webdevelopmentsoftware.com
whatever.com
wizardtattoos.com
wolftattoos.com
woodcabinets.com
workingpapers.com
workplacesecurity.com
x-raysources.com
xmasparties.com
zemirot.com
zirconiajewelry.com

VirusTotal Top-10 24 Hours (20-Sep)

Reference: www.virustotal.com

Bogus, Rogue Advanced Virus Remover


92.241.177.207

1-vscodec-pro.com
10-open-davinci.com
advanced-virus-remover-2009.com
advanced-virus-remover2009.com
advanced-virusremover2009.com
advancedvirus-remover-2009.com
antivirus-2009-ppro.com
antivirus-scan-2009.com
best-scanpc.com
bestscanpc.com
bestscanpc.info
bestscanpc.net
blue-xxx-tube.com
downloadavr2.com
downloadavr3.com
downloadavr4.com
ns1.megahostname.biz
ns2.megahostname.biz
onlinescanxppro.com
testavrdown.com
trucountme.com
vscodec-pro.com
www.advanced-virus-remover-2009.com
www.advanced-virus-remover2009.com
www.advanced-virusremover2009.com
www.antivirus-scan-2009.com
www.bestscanpc.biz
www.bestscanpc.info
www.bestscanpc.net
www.vscodec-pro.com

64.86.17.37

fast-searchprotection.com
new-systemprotection.com
search-systemshield.com
trustsystem-guard.net
trustsystem-protection.com


89.248.174.61

businesslikesurf.com
delete-all-virus05.com
nationaltreasure.cn
suresurfpro.com
win-protection1.com

64.86.16.117

scanonline-protect.com
system-guard.net

64.86.16.118

fastscan-secure.net
my-protectionzone.com
new-systemguard.com
windows-systemguard.com

64.86.16.119

online-scanandsecure.net
fastscansecure.com

88.198.81.153

005threats-scanner.com
005yourprivatescanner.com
09riskscanner.com
6cleanspyware.com
6malwarescan.com
advancedvirscanner3.com
antivirus-scannerv17.com
antivirusquickscan2.com
best-security-scanv8.com
best-spyware-scan01.com
bestantispywarescanv4.com
bestantivirusscanv8.com
live-antivirus-scan03.com
professionalspywarescanv8.com
professionalvirusscanv3.com
reliable-scanner06.com
static.88-198-81-153.clients.your-server.de
superb-virus-scan03.com

78.46.251.41

005threats-scanner.com
005yourprivatescanner.com
09riskscanner.com
6cleanspyware.com
6malwarescan.com
antivirusscannerv9.com
firstspywarescannerv1.com
live-antivirus-scan03.com
onlineantispywarescanv6.com
personalfolderscanv2.com
personalonlinescanv3.com
private-antivirus-scannerv2.com
securefolderscannerv6.com
totalsecurityscannerv3.com

78.46.251.43

advancedpcscanner3.com
static.43.251.46.78.clients.your-server.de

MalwareHelp - Find And Remove Zeus Banking Trojan


According to Trusteer, a security company, “Zeus is the #1 botnet, with 3.6 million PCs infected in the US alone (i.e. approximately 1% of the PCs in the US)…Zeus is a financial malware. It infects consumer PCs, waits for them to log onto a list of targeted banks and financial institutions, and then steals their credentials and sends them to a remote server in real time.”

The report further states that on a sample size of 10000 machines, ” installing an anti-virus product and maintaining it up to date reduces the probability to get infected by Zeus by 23%, compared to running without an anti-virus altogether. The effectiveness of an up to date anti virus against Zeus is thus not 100%, not 90%, not even 50% – it’s just 23%.”

The detailed study can be obtained from Zeus_and_Antivirus (PDF).

Image: Trusteer

Friday, September 18, 2009

Secure Electronic Payment System Leads to Rogue Antivirus Protection

A secure payment system is a system used to settle financial transactions in Automated teller machine networks, Stored-value card networks, bond markets, currency markets, and futures, derivatives, or options markets, or to transfer funds between financial institutions. Due to the backing of modern fiat currencies with government bonds, payment systems are a core part of modern monetary systems.

However, malware authors are manipulating or enticing users into purchasing rogue antivirus when they visit suspicious "Secure Electronic Payment System" (SEPS) pages.

Below are example malicious links that lead users to rogue antivirus.

secure-electronic-payment-system.mogzixv.cc (93.170.225.54)

and

secure-electronic-payment-system.rfowqofjr.cc (93.170.217.116)

**************************************

IP Address: 64.86.16.5

guardsearch.net
onlinescansystem.com
quintetsperandeiensemble.com
searchsafetyprotection.net
www.street-level.net

nameservers
ns1.guardsearch.net
ns2.guardsearch.net

************************************
IP Address: 64.213.140.70

gotomyprotectedzone.com
linesecurity.net
mail.protectionurl.info
mail.realurlsearch.com
mail.searchallinfo.net
mail.securityearth.info
myprotected-zone.com
pay1.prestotuneup.com
realurlsearch.com
securitysun.cn
onlinesearch-protect.net
www.ironshield.info
www.mainsecurity.info
www.pay-virusshield.cn
www.protectionurl.info
www.realurlsearch.com

nameserver:
ns1.onlinesearch-protect.net
ns2.onlinesearch-protect.net

PC Antispyware 2010 -Rogue Antivirus


209.31.180.230
pcantispyware-2010.com
www.pcantispyware-2010.com

209.31.180.231
pc-antispyware-2010.com

209.31.180.232
mail.pc-anti-spyware2010.com
ns3.pc-anti-spyware2010.com
pc-anti-spyware2010.com
www.pc-anti-spyware2010.com

209.31.180.233
mail.pc-antispy2010.com
ns3.pc-antispy2010.com
pc-antispy2010.com
www.pc-antispy2010.com

209.31.180.234
mail.p-c-anti-spyware-2010.com
p-c-anti-spyware-2010.com

209.31.180.235
mail.pc-anti-spyware-2010.com
pc-anti-spyware-2010.com
www.pc-anti-spyware-2010.com

209.31.180.236
pcanti-spyware-2010.com

209.31.180.237
ns3.pcantispyware20-10.com
pcantispyware20-10.com
www.pcantispyware20-10.com

209.31.180.238
pc-antispyware20-10.com

209.31.180.239
mail.pcantispyware-20-10.com
ns3.pcantispyware-20-10.com
pcantispyware-20-10.com

209.31.180.240
mail.pc-antispyware-20-10.com
ns3.pc-antispyware-20-10.com
pc-antispyware-20-10.com
www.pc-antispyware-20-10.com



Thursday, September 17, 2009

Extend Your Battery Life with the Right Browser

Reference: lifehacker



It's tough to get things done on your laptop when your battery's gone dead. We previously showed you 15 ways to score more battery juice, but as it turns out, using the right browser can also help.

Tech analysis web site AnandTech ran a "browser face-off" to see which browser, among those tested, fared better in the battery preservation department. Specifically, they continually loaded three web sites (AnandTech and two unnamed sites) on three laptops (a Gateway NV52 and NV58, and an ASUS Eee PC 1005HA), testing each computer's battery life using Safari (version 4.0.3), Chrome (version 2.0.172.43), Firefox (version 3.5.2), Internet Explorer (version 8.0.6001.18813), and Opera (versions 9.6.4 and 10 Beta 3) browsers.

The results? The inevitable margin of error (e.g., network issues, notebook brands, and so on) aside, their tests showed that in some cases, there was a 30% difference between the worst browser, Safari, and the best one, (um) Internet Explorer 8. In fact, IE8 even beat out Firefox with AdBlock installed.

This battery test isn't the ultimate measure of a browser, but if you're really desperate to get the most from your laptop battery, it offers some interesting insights. (For our part, we can't imagine using IE8 just for the battery boost.) If you want to see how the various browsers match up on more substantive tests, check out our most recent browser performance tests.

Browse the full post for all the relevant details. If you're looking for more ways to extend your battery life, check out previously mentioned system monitoring software BatteryCare for more detailed battery information and one-click battery savers.

Microsoft released the MS09-047 update

Microsoft has released an update that fixes vulnerabilities in Windows Media Format that could allow remote code execution (MS09-047).

Affected software includes Windows Media Format Runtime, Windows Media Services, and Media Foundation.

Windows Server 2008 R2 for Itanium-based systems, Windows Server 2008 R2 (x64) and Windows 7 (x86 and x64) are not affected.

Details can be obtained from Microsoft Security Bulletin.

Wednesday, September 16, 2009

Spam Speculating Patrick Swayze's Death

Patrick Swayze has been dead for a few days already, and there is still a lot of news about his death. Spam related to his death was seen bearing the subject "Patrick Swayze" in Google Search.

No surprise that cybercriminals take advantage of a sad death to earn dollars from fake anti-virus software. Use common sense to secure your networks; using the Firefox browser with the NoScript add-on (tight security setting) will reduce the risks. :)



Clicking on the suspicious link will leads to website, where prompt up message ask for installing Rouge Antivirus. Luckily I am not fall to this trick since I am using Linux systems. :)

The downloaded file called "setup_build7_201.exe" was sent to VT, which have very low detection rate (1/41) or (2.44%). The VT result can be get from here.




***********************************
IP Address: 64.86.17.25



nameserver:
ns1.safety-systemguard.com
ns2.safety-systemguard.com

***********************************
IP Address: 64.86.16.118

new-systemguard.com
windows-systemguard.com
my-protectionzone.com


nameserver:
ns1.my-protectionzone.com
ns2.my-protectionzone.com

**********************************

IP Address: 64.86.16.49


nameserver:
ns1.protect-andsecure.net
ns2.protect-andsecure.net

********************************

IP Address: 64.86.16.9


nameserver:
ns1.searchscan-online.com
ns2.searchscan-online.com

*********************************

IP Address: 64.86.16.11


nameserver:
ns1.online-systemscan.net
ns2.online-systemscan.net

*********************************

IP Address: 94.102.48.29


nameserver:
ns1.freedns.ws
ns2.freedns.ws
ns3.freedns.ws
ns4.freedns.ws

*********************************
Potential malicious domains:





Websense Security Labs Q1-Q2 2009 Report

Today, Websense released its biannual “State of the Internet” report, a deep dive into the most significant threats on the Internet during the first half of 2009.

Today, most threats to information security lead to the Web -- either using the Internet as the attack vector, or simply as the route through which stolen, confidential data is transmitted. Key findings from the Websense report include:

* Websense Security Labs identified a 233 percent growth in the number of malicious sites in the last six months and a 671 percent growth over the last year.

* In the first half of 2009, 77 percent of Web sites with malicious code were legitimate sites that have been compromised. This high percentage was maintained over the past six months in part due to widespread attacks including Gumblar, Beladen and Nine Ball which aimed at compromising trusted Web properties with massive injection campaigns.
* Web 2.0 sites allowing user-generated content are a top target for cybercriminals and spammers. Websense Security Labs found that 95 percent of comments to blogs, chat rooms and message boards are spam or malicious.
* The “Dirty” Web is getting dirtier: 69 percent of all Web pages with content classified as objectionable (e.g. Sex, Adult Content, Gambling, Drugs) also had at least one malicious link. This is becoming even more pervasive, as 78 percent of new Web pages discovered in the first half of 2009 with objectionable content had at least one malicious link.
* Websense Security Labs found that 37 percent of malicious Web attacks included data-stealing code, demonstrating that attackers are after essential information and data.
* The Web continues to be the most popular vector for data-stealing attacks. In the second half of 2008, Websense Security Labs found that 57 percent of data-stealing attacks were conducted over the Web.
* The convergence of blended Web and email threats continues to increase. Websense Security Labs reports that 85.6 percent of all unwanted emails in circulation during the first half of 2009 contained links to spam sites or malicious Web sites.
* In June alone, the total number of emails detected as containing viruses increased 600 percent over the previous month.

You may find the full report and a video summary of the findings at: http://www.websense.com/threatreport

Virustotal Top-10 24 hours (16-Sep)

Reference: www.virustotal.com


Tuesday, September 15, 2009

Spam ** 15-Sep

IP Address: 91.213.33.32
Domains: www.phikilon.cn

IP Address: 77.74.120.6
Domains: www.who-remembers-me.com


IP Address:
91.213.33.11
203.93.208.86
211.95.79.70
220.196.59.35

Domains:


IP Address: 61.61.61.61

Domains sharing same IP address:



IP Address: 64.86.16.28

Domains using it as nameserver:


Nameservers on the same IP address: 64.86.16.28



Potential spam domains without IP address:

http://antiage-wonder.com
http://www.grow-penis.cn
http://www.biggerplus.cn

Multiple Smartphones MMS Notification Sender Obfuscation


[Security Advisory] Multiple Smartphones MMS Notification Sender Obfuscation


Discovered by: Michael Mueller a.k.a. c0rnholio
Contact: c0rnholio on domain netcologne.de
Advisory Homepage: http://www.silentservices.de/adv04-2009.html
Vendor Status: not contacted
Fixes / Workarounds: none known
Discovery Date: June, 2008
Public Disclosure: 11.09.2009

Description:

An MMS notification is part of the MMS communication flow. Usually an originator sends an
MMS via a service provider (SP). After uploading the message to the SP, the recipient gets an
MMS notification from the SP with information like originator, subject and URL of the content.
In some mobile carrier networks it is allowed to send MMS notifications directly from one mobile
unit to another.

Some Smartphones fail to properly display the originator of this kind of message which leads
to a sender obfuscation.

Impact:

This attack can be used in combination with social engineering to mislead the recipient into
accessing the resource specified in the content URL of the MMS notification message. If the
receiving device's MMS client is configured improperly, this could lead to automatically downloading
whatever content is specified in the content URL. MMS clients which do not allow access to
content URLs other than the provider's MMS proxy should be safe from the content, but are still
vulnerable to the sender obfuscation.

In addition this attack can be used to send spam and hate SMS.

Monday, September 14, 2009

Spam #2 ** 14-Sep

IP Address: 212.117.166.69

Domains sharing same IP address:

harlingens.com
tradenton.com


IP Address: 94.102.48.29

Domains sharing same IP address:



IP Address: 88.198.107.25

Domains sharing same IP address:

antispywarescanner07.com
best-spyware-scan09.com
protection-check07.com
static.88-198-107-25.clients.your-server.de

Spam ** 14-Sep

IP Address: 91.213.29.250

Domains sharing same IP address:




IP Address: 195.95.151.174

Domains sharing same IP address:



IP Address: 94.198.51.140

Domains sharing same IP address:

mail.windowsliveupdate.cn
windowsliveupdate.cn
www.windowsliveupdate.cn

Malware ads on NYTimes.com

Reference: http://troy.yort.com/anatomy-of-a-malware-ad-on-nytimes-com

Anatomy of a Malware Ad on NYTimes.com

On Saturday evening, Avast displayed a malware warning as I loaded a nytimes.com article. After some digging, here’s the malware I found.

Ad Delivery


nytimes.com article pages include an ad placement with the HTML DOM ID adxBigAd. From loading a few articles, it seems to rotate between a banner and an iframe.

On this article, a 300×250 iframe was inlining this URL: tradenton.com slash ?id=21610438

(note: I don’t recommend visiting it, and URLs are not linked where possible)

A comment gave the campaign ID asVonage01_1163613_nyt12, though it was obviously unrelated to Vonage. tradenton.com was registered Sept. 2, 2009, so it may have had a previous owner.

Injection


tradenton.com serves a 15-line HTML snippet containing this JavaScript:


As anyone who has looked at phishing links knows, this is nasty on a couple of levels. It’s eval()’ing escaped code, which is almost never needed to serve an ad. Note that the variable action_URL is defined but never used. After unescaping the code, this is what’s being run:

What’s served by harlingens.com slash includes02.js? Aha! The eval’ed JavaScript is requesting a second Javascript, which hits action_URL:

Malware


Now we’re talking. Requesting that action_URL on sex-and-the-city.cn actually serves an HTTP 302 Redirect to protection-check07.com slash 1/?sess=%3DGQx3jzwMi02MyZpcD0yMDguNzUuNTcuMTIxJnRpbWU9MTI1NjgwMI0MaQ%3DN. And we hit pay dirt. It’s a fake page for a non-existent antivirus app, which is actually malware. Titled “My computer Online Scan“, this page displays this JS alert:
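As an added example that is not part of the original analysis, the following Python reproduces the unescaping step an analyst performs on such an ad: it pulls the string passed to eval(unescape('...')) out of a page, decodes the JavaScript %XX and %uXXXX escapes, and lists the script URLs the decoded code injects. The HTML snippet it runs on is constructed here with placeholder hostnames (example.invalid), since the post does not reproduce the real snippet.

```python
"""Undo the eval(unescape('...')) wrapper an ad snippet uses to hide the code it runs.
Added analysis helper; the HTML below is constructed with placeholder hosts."""
import re

# JavaScript unescape(): %uXXXX is a UTF-16 code unit, %XX a single byte;
# anything that is not a valid escape is left untouched.
_ESC_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(s: str) -> str:
    return _ESC_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


# eval( unescape( '...' ) ) with either quote style, whitespace tolerated.
_EVAL_RE = re.compile(
    r"eval\s*\(\s*unescape\s*\(\s*(['\"])(.*?)\1\s*\)\s*\)", re.DOTALL)


def extract_eval_payloads(html: str) -> list:
    """Decoded strings that the page hands to eval() through unescape()."""
    return [js_unescape(m.group(2)) for m in _EVAL_RE.finditer(html)]


def external_scripts(js: str) -> list:
    """src= URLs of <script> tags the decoded code writes into the document."""
    return re.findall(r"""<script[^>]+src=['"\\]*([^'"\\ >]+)""", js)


def build_sample(inner_js: str) -> str:
    """Constructed ad snippet in the shape the post describes: an unused
    action_URL variable, then eval() of a fully %XX-escaped string (ASCII only)."""
    escaped = "".join("%%%02X" % ord(c) for c in inner_js)
    return ("<html><body><script>\n"
            "var action_URL = 'http://ads.example.invalid/click?id=1';\n"
            "eval(unescape('" + escaped + "'));\n"
            "</script></body></html>\n")


# Constructed payload: the decoded code pulls in a second script, as in the post.
SAMPLE_INNER = ("document.write('<script src=\"http://second.example.invalid/"
                "includes02.js\"><\\/script>');")
SAMPLE_HTML = build_sample(SAMPLE_INNER)


def analyse(html: str) -> dict:
    """Summarise what an eval/unescape wrapper would execute and load."""
    payloads = extract_eval_payloads(html)
    return {"payloads": payloads,
            "scripts": [u for p in payloads for u in external_scripts(p)]}


if __name__ == "__main__":
    print(analyse(SAMPLE_HTML))
```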

Rogue, Bogus Antivirus Spam ** 14-Sep

IP Address: 206.53.61.72

Domains sharing same IP Address:



IP Address: 64.86.16.127


Domains sharing same IP Address:



IP Address: 64.86.16.28

Domains using same IP Address:


Sunday, September 13, 2009

http://menarakl.com.my hacked by Brainwash

Hi, one of my readers sent an email to mention that a website from his country, menarakl.com.my, was defaced by a hacker claiming to be "Brainwash". This incident happened a few days ago; however, the defaced main page still exists. "Brainwash" is nothing new; this hacker has a track record on a few education websites.

Thursday, September 10, 2009

7 Reasons Websites Are No Longer Safe

Reference: 7 Reasons Websites Are No Longer Safe

Reason 1: Polluted Ads
Reason 2: SQL Injection attacks
Reason 3: User-provided content
Reason 4: Stolen site credentials
Reason 5: Compromised hosting service
Reason 6: Local malware
Reason 7: Hacker engineered fakes


Many of the sites you visit regularly and think are secure are laden with data-stealing malware. Here are seven reasons why, and advice on how to protect your systems.
by Bill Brenner, Senior Editor, CSO
September 09, 2009

Conventional wisdom is that Web wanderers are safe as long as they avoid sites that serve up pornography, stock tips, games and the like. But according to recently gathered research from Boston-based IT security and control firm Sophos, sites we take for granted are not as secure as they appear.

Among the findings in Sophos' threat report for the first six months of this year, 23,500 new infected Web pages -- one every 3.6 seconds -- were detected each day during that period. That's four times worse than the same period last year, said Richard Wang, who manages the Boston lab. Many such infections were found on legitimate websites.


HSBC Phishing website becomes Porn Site ** 10-Sep

HSBC phishing domains now serving adult content:


Against PDF Exploit using /ASCII85Decode /FlateDecode

A common malicious PDF (Portable Document Format) file crafted with malicious JavaScript can be compressed or obfuscated using the /FlateDecode filter to hide from routine analysis. However, recent discoveries show that the encoding of the malicious code has become more complex, combining /FlateDecode and /ASCII85Decode in the malicious PDF.

A stream using the ASCII85Decode filter looks like the following:

<< /Length 5982 /Filter [/ASCII85Decode /FlateDecode] >>
stream
Gb"/+99SDH%D7Q/TEY@k_Vp\<]U4Zh0FON1!g"N*;Qm*44Pob*U:Nun&r8b-anMFbIfJ0;J,emXs%Mss ;SK>ZLF\)Xr/Oj9p%`l^Vs")f>]HS&s7s5!r&rsc5Q>ZJha?K)a728>d=(9Tqt%9:T"i[Z`YE"Dch"a]


To decode the ASCII85Decode data, I am using the "pdf-parser.py" Python script contributed by Didier Stevens. The latest "pdf-parser.py" supports the ASCII85Decode and ASCIIHexDecode filters.
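As an added example (not the post's code, and not pdf-parser.py or Malzilla), the following Python decodes a stream whose /Filter array chains /ASCII85Decode and /FlateDecode, applying the filters in the order the dictionary lists them, and then flags the JavaScript markers the post names. The stream it decodes is constructed inline with a harmless stand-in for the obfuscated script.

```python
"""Decode a PDF stream whose /Filter chains /ASCII85Decode and /FlateDecode,
then flag JavaScript markers in the output (analysis helper, not an exploit)."""
import base64
import re
import zlib

# A stream object: dictionary, 'stream', body, 'endstream' (CRLF or LF).
STREAM_RE = re.compile(
    rb"<<(?P<dict>.*?)>>\s*stream\r?\n(?P<body>.*?)\r?\nendstream", re.DOTALL)
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/\w+)")

# Markers of the Reader bugs named in the post plus the usual obfuscation calls.
JS_MARKERS = [b"Collab", b"util.printf", b"getIcon", b"eval(", b"unescape("]


def parse_filters(stream_dict: bytes) -> list:
    """Filter names in application order; a lone /Name or an array [/A /B]."""
    m = FILTER_RE.search(stream_dict)
    if not m:
        return []
    return [n.decode() for n in re.findall(rb"/(\w+)", m.group(1))]


def ascii85_decode(data: bytes) -> bytes:
    """PDF ASCII85: whitespace ignored, '~>' ends the data, '<~' is optional."""
    data = re.sub(rb"\s+", b"", data)
    if data.startswith(b"<~"):
        data = data[2:]
    end = data.find(b"~>")
    if end != -1:
        data = data[:end]
    return base64.a85decode(data)


def asciihex_decode(data: bytes) -> bytes:
    """PDF ASCIIHex: whitespace ignored, '>' ends the data, odd digit padded."""
    data = re.sub(rb"\s+", b"", data).split(b">", 1)[0]
    if len(data) % 2:
        data += b"0"
    return bytes.fromhex(data.decode("ascii"))


DECODERS = {
    "ASCII85Decode": ascii85_decode,
    "ASCIIHexDecode": asciihex_decode,
    "FlateDecode": zlib.decompress,
}


def decode_stream(pdf_fragment: bytes) -> bytes:
    """Find the first stream object and apply its filters in the listed order."""
    m = STREAM_RE.search(pdf_fragment)
    if not m:
        raise ValueError("no stream object found")
    data = m.group("body")
    for name in parse_filters(m.group("dict")):
        if name not in DECODERS:
            raise ValueError("unsupported filter " + name)
        data = DECODERS[name](data)
    return data


def find_js_markers(decoded: bytes) -> list:
    """Which of the known JavaScript markers occur in the decoded stream."""
    return [mk.decode() for mk in JS_MARKERS if mk in decoded]


def build_sample(payload: bytes) -> bytes:
    """Constructed stream in the post's layout: Flate applied first, ASCII85 on top."""
    encoded = base64.a85encode(zlib.compress(payload)) + b"~>"
    header = b"<< /Length %d /Filter [/ASCII85Decode /FlateDecode] >>\nstream\n" % len(encoded)
    return header + encoded + b"\nendstream"


# Constructed stand-in for the obfuscated script: harmless, but it branches on
# the viewer version the way the post says the real one does.
SAMPLE_JS = (b"var v = app.viewerVersion;"
             b" if (v < 8) { util.printf('%s', 'x'); } else { this.getIcon('y'); }")
SAMPLE_STREAM = build_sample(SAMPLE_JS)

if __name__ == "__main__":
    out = decode_stream(SAMPLE_STREAM)
    print(out.decode())
    print("markers:", find_js_markers(out))
```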




Besides that, the JavaScript decode function of the Malzilla hunting tool was used to de-obfuscate the JavaScript extracted with "pdf-parser.py".





This crafted malicious PDF file combines several Adobe Acrobat/Reader vulnerabilities and selects one depending on the Adobe version:

- Adobe Collab overflow
- Adobe util.printf overflow
- Adobe getIcon



The shellcode inside the PDF file downloads three malware files from the Internet after decoding with a UCS-2 decoder. However, those three files could not be downloaded due to HTTP 404 errors.

http://geroyvoin.cn/1/cfhnps3.exe
http://geroyvoin.cn/1/ortx3.exe
http://geroyvoin.cn/1/dqy3.exe







This malicious PDF (md5 = e9a51c87186fe86ffe411d9c64c565a7) was submitted to VirusTotal and received only minor detection from the security vendors (7/41 = 17.07%).




geroyvoin.cn IP Address: 213.163.84.28

Domains sharing same IP Address:


Wednesday, September 9, 2009

Rogue Antivirus ** 9 Sep

IP Address: 93.158.114.132

Domains sharing same IP Address:
securedlivescan.com
www.sciencehd.net


IP Address: 82.98.193.102

Domains sharing same IP Address:



IP Address: 64.86.16.101

Domains sharing same IP Address:

go-checkvirus.net
systemguard-zone.net


IP Address: 83.133.126.201

Domains sharing same IP Address:


IP Address: 91.213.126.100

Domains sharing same IP Address:

fast-virus-scan2.com
fast-virus-scan9.com
fast-virus-scan7.com

IP Address: 78.47.91.153

Domains sharing same IP Address:


IP Address: 213.163.64.81

Domains sharing same IP Address:
