Sunday, March 1, 2009

Campaign spreading XP Antivirus Police through Visual Social Engineering

Deception strategies based on visual social engineering, such as pages that simulate online video playback and try to get the visitor to download malware under the guise of a missing codec, have become rife and almost the rule. Users should keep this in mind in order to avoid a potential infection.

On another occasion I described how the scareware IE Defender used a similar campaign to spread its installer using the same strategy of deception. This time it is the turn of XP Police 2009 to exploit this technique.

All the domains involved in the campaign redirect to http://sexybabes18 .com/ video/ at the IP address 84.243.197.10. In this instance, a binary file called install.exe (MD5: 6ba25f5f8ed91db92305f92beef1fe84) is downloaded from the XP Police 2009 website.

By accessing the scareware's website, which uses the IP addresses 213.163.65.10, 213.163.65.10 and 206.125.44.28, we can verify that the downloaded file is the same.

The domains currently operated by XP Police 2009 are:


This attack technique is actively used by this scareware, one of the many that exist, so we are likely to see more fake security programs using this strategy.

Related Information
New strategy of social engineering to spread IE Defender - Spanish version


# Jorge Mieres
