Sunday, April 19, 2009

The large-scale scareware campaign continues

Last month I wrote about a major campaign spreading scareware (rogue security software) whose deception strategy is to present fake pages that imitate Windows Explorer, in both English and Spanish.

A month later, the campaign is still operating through a large number of domains, most of them Chinese (.cn).

Its creators and distributors put their effort not only into acquiring domains quickly, through free hosting registrations or compromised hosts, but also into evading antivirus detection: the life cycle of any one installer hardly matters to them, because the binary is changed almost daily.

Some of the domains and URLs involved are:
ia-scannerpro .com
scanplus4 .info
newscan4 .info
anytoplikedsite .com
topsecurity4you .com
cleanyourpcspace .com
fullsecurityshield .com .cgi?9 .cgi?6
greatsecurityshield .com
easycheckpoisonpro .cn/?
examineillnesslive .cn
easydefenseonline .cn
bigdefense2u .cn .cgi?9 .html
1000league .com/in .cgi?9
goscanstep .com/?uid=12724
in4ck .com/cki.php?uid=12724
data6scan .com/?uid=12724
bwgm.schoolh .cn/in.cgi?6
designroots .cn/in.cgi?6
drawingstyle .cn/in.cgi?6
ed.worksean .cn/in.cgi?6
housevisual .cn/in.cgi?6
kvk.housevisual .cn/in.cgi?6
oceandealer .cn/in.cgi?6
pub.oceandealer .cn/in.cgi?6
peopleopera .cn/in.cgi?6
rainfinish .cn/in.cgi?6
schoolh .cn/in.cgi?6
vitamingood .cn/in.cgi?6
websiteflower .cn/in.cgi?6
worksean .cn/in.cgi?6
xfln.housevisual .cn/in.cgi?6
yz.worksean .cn/in.cgi?6
securedantivirusonlinescanner .com
thankyou4check .com
antivirusonlineproscan .com
antivirus-pro-live-scan .com
antivirusonlineproscanner .com
allsoftwarepayments .com
powerdownloadserver .com
securitysoftwarecheck .com
wwwsafetyread .com
scan7live .com
traffbox .com/in.cgi?6
soft-traffic .com
rd-point .net/go.php?id=1188
ddors .info/in.cgi?10
truconv .com/?a=125&s=gen-asw
yourfriskviruspro .cn/?wm=70127&l=1
addedantivirusstore .com
myplusantiviruspro .com
realantivirusplus .com
yourguardstore .cn
addedantiviruslive .com
japanhostnet .com/in.cgi?mainy8com

Although this list is fairly long, it represents only a small percentage of the domains used by the scareware campaign.
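The list above is defanged (a space inserted before the TLD dot) and mixes bare landing hosts with redirector URLs. The following Python is an example added here, not code from the original post: it refangs a constructed subset of those entries, rejects lines that extraction mangled (more than one defang marker in the host part), groups hosts by the redirector signature they share, and emits a deduplicated host blocklist. The grouping rule (an affiliate `uid` parameter ties domains together regardless of path; otherwise the redirector script name plus its raw query, such as `in.cgi?6`, does) is an assumption of this example, not something the post states.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a subset of the defanged entries listed in the post,
# copied as they appear there (space before the TLD dot). One deliberately
# mangled line is included to exercise the rejection path.
SAMPLE = """
ia-scannerpro .com
bigdefense2u .cn .cgi?9 .html
goscanstep .com/?uid=12724
in4ck .com/cki.php?uid=12724
data6scan .com/?uid=12724
bwgm.schoolh .cn/in.cgi?6
designroots .cn/in.cgi?6
traffbox .com/in.cgi?6
ddors .info/in.cgi?10
1000league .com/in .cgi?9
truconv .com/?a=125&s=gen-asw
"""

# Conservative hostname check: dotted labels, letters-only TLD.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$"
)


def refang(entry: str) -> str:
    """Undo the post's defanging: drop whitespace placed before a dot."""
    return re.sub(r"\s+\.", ".", entry.strip())


def parse_indicator(entry: str) -> Optional[Dict]:
    """Split one list entry into host, path and query.

    Returns None for lines that cannot be trusted: the host part of a
    well-formed entry carries exactly one ' .' marker (or none, if the line
    was never defanged); more than one means the extraction mangled it.
    """
    entry = entry.strip()
    if not entry:
        return None
    head = re.split(r"[/?]", entry, 1)[0]  # host part, before path/query
    if head.count(" .") > 1:
        return None
    parts = urlsplit("http://" + refang(entry))
    host = parts.hostname or ""
    if not HOST_RE.match(host):
        return None
    return {
        "host": host,
        "path": parts.path or "/",
        "raw_query": parts.query,
        "query": parse_qs(parts.query, keep_blank_values=True),
    }


def signature(ind: Dict) -> str:
    """Heuristic campaign key (assumption of this example, not from the post)."""
    if "uid" in ind["query"]:
        return "uid=" + ind["query"]["uid"][0]
    script = ind["path"].rsplit("/", 1)[-1] or "/"
    return script + ("?" + ind["raw_query"] if ind["raw_query"] else "")


def triage(text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return (signature -> sorted hosts, rejected raw lines)."""
    groups = defaultdict(set)
    rejected = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ind = parse_indicator(line)
        if ind is None:
            rejected.append(line.strip())
            continue
        groups[signature(ind)].add(ind["host"])
    return {k: sorted(v) for k, v in groups.items()}, rejected


def blocklist(text: str) -> List[str]:
    """Unique refanged hosts, suitable for a DNS sinkhole or proxy deny list."""
    groups, _ = triage(text)
    return sorted({h for hosts in groups.values() for h in hosts})


if __name__ == "__main__":
    groups, rejected = triage(SAMPLE)
    for key, hosts in sorted(groups.items()):
        print(f"{key:22} {', '.join(hosts)}")
    print("rejected:", rejected)
    print("blocklist:", blocklist(SAMPLE))
```

Running it shows the three `?uid=12724` hosts and the `in.cgi?6` redirectors collapsing into single groups, while the mangled `bigdefense2u` line is reported rather than silently turned into a bogus host. Review the rejected lines by hand before publishing a blocklist built this way.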

Beyond the campaign itself, another cause for concern is the growing effectiveness of this type of malicious code.

# Jorge Mieres

