[Scam] Hijacked browser - Fake Virus Scan
Hello.
Last time this happened I searched in vain to find a site to report it. Glad I found it at last.
This is one of those elaborate scripts that use MS-Winblows look-alike legal malware (MS, that is) to present a fake alert and animated scan. The annoying thing is, if you are not stupid enough to believe that a Winsucks My Computer window will suddenly appear on your Ubuntu Linux distro's desktop, then you can't just turn a blind eye. It doesn't just cut its losses and slink away hoping to avoid any further contempt. The complete refusal of the dialog to stop re-spawning is enough to drive a fella to despair. It sits there refusing to let you click on and direct focus back to the main browser.
I eventually opened up a new instance of Firefox, which did allow me to use the main GUI, and so I turned Java & JavaScript off, then returned to the original window. I clicked the dialog away, and had it buggered. 'Course then I could also give the page a good examination too. Gotcha!
How could Firefox be so negligent as to allow any process to open a dialog from a remote server, or a runtime script? If it is anything but an application installed locally it should never have permissions to spawn modal boxes. For that matter a web browser should have no need to spawn a modal dialogue, so this is unnecessary drama. Here's a zip of the report files.
www.box.net/shared/837zclm9t7
The actual URL is: h ttp://scanner.just-protect-pc.info/scan.php?campaign=mmb_815609071&landid=6
The whois report reads thus:
Result for just-protect-pc.info
--> /usr/local/bin/fwhois just-protect-pc.info@whois.afilias.info [whois.afilias.info]
Domain ID:D30427886-LRMS
Domain Name:JUST-PROTECT-PC.INFO
Created On:17-Nov-2009 09:48:57 UTC
Last Updated On:16-Jan-2010 20:34:52 UTC
Expiration Date:17-Nov-2010 09:48:57 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:51457cec910ea920
Registrant Name:Pavel Medved
Registrant Organization:Harkov-Pribor
Registrant Street1:25/27 primerovskaya str.
Registrant City:Harkov
Registrant State/Province:Harkov
Registrant Postal Code:61050
Registrant Country:UA
Registrant Phone:+380.7321838
Registrant Email:chainadmin@gmail.com
Admin ID:51457cec910ea920
Admin Name:Pavel Medved
Admin Organization:Harkov-Pribor
Admin Street1:25/27 primerovskaya str.
Admin City:Harkov
Admin State/Province:Harkov
Admin Postal Code:61050
Admin Country:UA
Admin Phone:+380.7321838
Admin Email:chainadmin@gmail.com
Billing ID:51457cec910ea920
Billing Name:Pavel Medved
Billing Organization:Harkov-Pribor
Billing Street1:25/27 primerovskaya str.
Billing City:Harkov
Billing State/Province:Harkov
Billing Postal Code:61050
Billing Country:UA
Billing Phone:+380.7321838
Billing Email:chainadmin@gmail.com
Tech ID:51457cec910ea920
Tech Name:Pavel Medved
Tech Organization:Harkov-Pribor
Tech Street1:25/27 primerovskaya str.
Tech City:Harkov
Tech State/Province:Harkov
Tech Postal Code:61050
Tech Country:UA
Tech Phone:+380.7321838
Tech Email:chainadmin@gmail.com
Name Server:NS1.GLOBDNS.ORG
Name Server:NS2.GLOBDNS.ORG
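As an added example (not from the thread or from any poster), a small Python parser for the Afilias "Key:Value" whois record quoted above, fed the one-line form the forum flattened it into, plus the defender-side triage a responder would run on it: domain age at sighting, registration term, and scanner-style wording in the name. The sighting date of 3 Feb 2010 and the SCARE_WORDS list are assumptions.

```python
import re
from datetime import datetime

# Field labels of the Afilias .INFO whois record quoted above (the four contact blocks share one suffix set).
_CONTACT = ["ID", "Name", "Organization", "Street1", "Street2", "Street3", "City",
            "State/Province", "Postal Code", "Country", "Phone", "Phone Ext.",
            "FAX", "FAX Ext.", "Email"]
_KEYS = ["Domain ID", "Domain Name", "Created On", "Last Updated On", "Expiration Date",
         "Sponsoring Registrar", "Status", "Name Server"]
_KEYS += [f"{r} {f}" for r in ("Registrant", "Admin", "Billing", "Tech") for f in _CONTACT]
_KEY_RE = re.compile(r"(?<!\S)(" + "|".join(map(re.escape, _KEYS)) + "):")
_TS_FMT = "%d-%b-%Y %H:%M:%S %Z"
# Assumed word list: what the rogue-AV domains in this thread are built from (just-protect-pc, do-cleanand-scanzone).
SCARE_WORDS = ("protect", "scan", "clean", "secure", "antivirus", "defend", "guard")
SEEN_ON = datetime(2010, 2, 3)  # assumed sighting date: the week this thread was posted

def parse_afilias_record(text):
    """Split the flattened 'Key:Value Key:Value ...' dump into a dict; repeated
    'Name Server' entries collect into a list and empty fields are dropped."""
    record, hits = {}, list(_KEY_RE.finditer(text))
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        key, value = m.group(1), text[m.end():end].strip()
        if not value:
            continue
        if key == "Name Server":
            record.setdefault(key, []).append(value)
        else:
            record[key] = value
    return record

def triage(record, seen_on):
    """Defender-side heuristics: domain age at sighting, registration term
    (one year is the minimum), and scanner-style wording in the name."""
    created = datetime.strptime(record["Created On"], _TS_FMT)
    expires = datetime.strptime(record["Expiration Date"], _TS_FMT)
    name = record["Domain Name"].lower()
    return {"age_days": (seen_on - created).days,
            "term_days": (expires - created).days,
            "scare_words": [w for w in SCARE_WORDS if w in name],
            "name_servers": record.get("Name Server", [])}

# Trimmed copy of the record quoted above (contact blocks cut down to a few fields).
SAMPLE = ("Domain ID:D30427886-LRMS Domain Name:JUST-PROTECT-PC.INFO Created On:17-Nov-2009 09:48:57 UTC "
          "Expiration Date:17-Nov-2010 09:48:57 UTC Sponsoring Registrar:eNom, Inc. (R126-LRMS) "
          "Status:CLIENT TRANSFER PROHIBITED Registrant Country:UA Registrant Phone Ext.: "
          "Registrant FAX: Name Server:NS1.GLOBDNS.ORG Name Server:NS2.GLOBDNS.ORG Name Server:")

if __name__ == "__main__":
    print(triage(parse_afilias_record(SAMPLE), SEEN_ON))
```

For the record above this gives a domain 77 days old at sighting, bought for a single year, with "protect" in its name; each of those alone is weak, together they are the usual shape of a throwaway scareware domain.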
dandelion
Not clicking on your link. It is not a good idea to post a link to a malware site; try posting it without the http in front. As far as Firefox is concerned, I use no-script as an add-on, which should stop those kinds of scripts; however, not being a security expert, I will leave that up to others.
StevoDevo
"Not clicking on your link, it is not a good idea to post a link to a malware site, try posting it without the http in front."
Yeah, point taken. But I figured that the kind of folks in here have the good sense to understand that I am not posting the link as an open invitation to click indiscriminately; besides which, I reckoned that there would be a number who could quarantine the little bastard on a virtualized machine or a live Linux distro etc. I assumed a reasonably interested party would want to check it out and find out WTF is going on and see that it is genuine fraud.
"As far as firefox is concerned, I use no-script as an add-on which should stop those kinds of scripts however not being a security expert I will leave that up to others."
Hmmm. Well, that's one approach. On the other hand, hunting the little f***ers down and putting them in hospital would be more effective. I am so f**king sick of the complacency. The attitude seems to be that we all just need to adapt to the situation. F**K that for a joke. This is bullshit and I want to see some blood. F**K those little C**TS screwing people's lives up. At least they need to be hunted down and dealt with legally. I first saw that shit like 8 months ago; this scam is probably like a couple of years old by now.
Regards, StevoDevo
reply to StevoDevo
Re: [Scam] Hijacked browser - Fake Virus Scan
Stevo, I am glad you posted the malicious link. I like it when people report the malicious stuff that they run across. I see that the malicious URL that you posted is disabled now, by putting a space in "http". That is the way to do it. As long as the malicious link is disabled somehow, that is OK.
I usually just substitute "hxxp" for "http" to disable a malicious link.
reply to StevoDevo
The dropper is AntivirusInstaller.exe. Fourteen hits at VirusTotal: www.virustotal.com/analisis/ac6c···65652413
It hangs Firefox, Process Explorer, Buster, Task Manager and Application Process Terminator. I never could get it to install. The only way out was to crash the VM.
reply to StevoDevo
There are boatloads of these foul things - new ones pop up every day... Here's another flavour of the day, blogged about at Sophos: www.sophos.com/blogs/sophoslabs/post/8564
Edited to add: Oh look, there's another: www.sophos.com/blogs/gc/g/2010/0···-attack/
Doctor Four | reply to StevoDevo
Some of the scareware families are known to release new clones as often as once a day - Winiguard is notorious for doing that.
One of the newest ones mimics the Automatic Updates window that pops up when Microsoft updates are ready to install. There's also one that seems to change its name depending on the OS it has been installed on.
And they are getting more and more sophisticated with their attempts at defeating tried and true removal methods, such as preventing any executable from running, blocking the installation or running of Malwarebytes, disabling the Task Manager, and more.
And now, in addition to the usual vectors, such as SEO poisoning, malvertisements, spam, and being dropped by other malware, the scareware operators have even taken to Skype: [Phish] not even skype is safe..... -- "The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
ashrc4 | reply to StevoDevo
said by StevoDevo:
"As far as firefox is concerned, I use no-script as an add-on which should stop those kinds of scripts however not being a security expert I will leave that up to others."
Using Sandboxie + NoScript the exploit fails. Temporarily allowing the site with NoScript, it attempts to download an .exe. Just to clarify. -- Paradigm Shift beta test pilot. So far nothing to report. Now is not the right time to stop folding.
Doctor Four | reply to StevoDevo
Just now I had one of these rogues try to load a fake/scare scan page after I went looking for information on General Beauregard Lee, the Southern groundhog who lives on the Yellow River Game Ranch just outside of Atlanta, GA.
The 6th hit on a Google search for this landed me on what appeared to be a fake security scan page. The page had a URL that was based out of India, part of which was www1.do-cleanand-scanzone.in followed by what appeared to be a bunch of obfuscated JavaScript. The page was titled Security Threat Analysis, and in the center was a circular animated icon with the words "Initializing Internal Security System...". This was not what was in the Google results - looks like another referrer hack. Since I visited the fake scanner page with Firefox and NoScript with no scripts allowed, it could not do anything.
General Beauregard Lee did not see his shadow, BTW. -- "The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
n1zuk | reply to StevoDevo
Just spent a good chunk of yesterday cleaning one of these antivirus malware from my son's computer. He's 11, and is savvy enough to recognize when they hit, and knows to (try to) use the Task Manager to bail out of what he is doing.
This sucker was strong -- locked down the Task Manager, turned off the (real) AV and Microsoft Update, partially disabled Explorer's ability to open CD/DVD drives. It would allow MalwareBytes to be installed, except for actually installing mban.exe. All of this, even in safe mode as Administrator.
I eventually was able to get MB installed using the random name installer, and cleaning enough to start the cleaning process all over again.
These things are really becoming a PITA... -- New to Forum Life? Click here and learn.
Doctor Four | reply to StevoDevo
Evasive little bugger, that fake scanner page is - I tried the original URL from the Firefox history, and it was now a dead link. Going back to the original hacked webpage redirected me to a different fake scanner page, with the same title and animated image in the center. Again it was hosted from the same country domain (.in).
Looks like a deliberate tactic to evade detection by anti-malware researchers, or programs like Malwarebytes. And the redirection chain, which shows up in the history, has some obfuscated characters in the URLs. -- "The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)