Continuing the important and massive campaign scareware

During the past month, had written something on a major campaign of spreading malware type scareware, or rogue, using as a strategy of deception by pretending to be pages that Windows Explorer, in English and Spanish language.

A month later, the campaign continues to operate a mass number of important domains, the majority of Chinese origin.

However, its creators and disseminators channel all its efforts not only in domains quickly get through the registration hosting free or violated, but also to avoid detection by antivirus companies regardless of the life cycle of the installer, since it's changed almost daily.

Some of the binaries and domains involved are:

• install.exe. MD5 857fe3b30bc1f8a7ec4b73cb8dd38d3d
• install.exe. MD5 59d60912ff9d1a91fc9d75fcbede6c8d
• install.exe. MD5 16c601cf62a51250d2be81555172525a
• installer_1.exe. MD5 17354a6e1f2f8fb3ca507615060364bc
• setup.exe. MD5 20cfc5b10dae04aae02a16d6bf14d081

ia-scannerpro .com
scanplus4 .info newscan4 .info
anytoplikedsite .com
topsecurity4you .com
cleanyourpcspace .com
fullsecurityshield .com
xw.dayindigo.cn/in .cgi?9
onlinedetect.com/in .cgi?6
greatsecurityshield .com
easycheckpoisonpro .cn/?
examineillnesslive .cn
easydefenseonline .cn
bigdefense2u .cn
vlo.bookadorable.cn/in .cgi?9
davidkramm.net/core/admin/bald-pussy-photo/red-pepper-humus-recipe .html
1000league .com/in .cgi?9
goscanstep .com/?uid=12724
in4ck .com/cki.php?uid=12724
data6scan .com/?uid=12724
bwgm.schoolh .cn/in.cgi?6 designroots .cn/in.cgi?6
drawingstyle .cn/in.cgi?6
ed.worksean .cn/in.cgi?6
housevisual .cn/in.cgi?6
kvk.housevisual .cn/in.cgi?6
oceandealer .cn/in.cgi?6
pub.oceandealer .cn/in.cgi?6
peopleopera .cn/in.cgi?6
rainfinish .cn/in.cgi?6
schoolh .cn/in.cgi?6
vitamingood .cn/in.cgi?6
websiteflower .cn/in.cgi?6
worksean .cn/in.cgi?6
xfln.housevisual .cn/in.cgi?6
yz.worksean .cn/in.cgi?6
securedantivirusonlinescanner .com
thankyou4check .com
antivirusonlineproscan .com
antivirus-pro-live-scan .com antivirusonlineproscanner .com
allsoftwarepayments .com
powerdownloadserver .com
securitysoftwarecheck .com
wwwsafetyread .com
scan7live .com
traffbox .com/in.cgi?6
soft-traffic .com
rd-point .net/go.php?id=1188
ddors .info/in.cgi?10
truconv .com/?a=125&s=gen-asw
yourfriskviruspro .cn/?wm=70127&l=1
addedantivirusstore .com
myplusantiviruspro .com
realantivirusplus .com
yourguardstore .cn
addedantiviruslive .com
japanhostnet .com/in.cgi?mainy8com

While this list is quite generous, compared with the number of domains used in the campaign scareware represents only a small percentage.

Moreover, beyond the campaign itself, another factor of concern is the increasing effectiveness of this type of malicious code.

Related Information
Campaign scareware infection through false Windows Explorer - Spanish version
Malware infection through false Windows Security Center

# Jorge Mieres