Sunday, May 3, 2009

MalwareRemovalBot scareware propagation campaign

Registering multiple domains on a single IP address is one of the methods used to propagate scareware programs: it lets the operators keep a consistent, if unethical, web presence and widens the range of sites a desperate user may land on, sites that promise a magical fix through a fake product, or a so-called security layer that protects the computer from potential infections.

Obviously, scareware (or rogue software), like any other malicious code, serves the criminal organizations behind it, which are active and constantly looking for economic gain; it is often distributed as part of crimeware packages such as Unique Sploits Pack, which incorporates a module for spreading scareware.

In this case the scareware is MalwareRemovalBot. Although it isn't anything new, it is now appearing under different domain names hosted on the same IP address (174.132.250.194), most likely on virtual servers.

Some of the domains involved in this campaign are (shown defanged, with a space before the top-level domain):

antivirus360remover .com
av360removaltool .com
malwarebot .org
malwaree .com
malwaree .org
remove-a360 .com
remove-antivirus-360 .com
remove-av360 .com
remove-ie-security .com
remove-malware-defender .com
remove-personal-defender .com
remove-spyware-guard .com
remove-spyware-protect-2009 .com
remove-spyware-protect .com
remove-system-guard .com
remove-total-security .com
remove-ultra-antivir-2009 .com
remove-ultra-antivirus-2009 .com
remove-virus-alarm .com
remove-virus-melt .com
remove-winpc-defender .com
smitfraudfixtool .com
vundofixtool .com
www.antivirus360remover .com
www.av360removaltool .com
www.malwarebot .org
www.malwaree .com
www.malwaree .org
www.remove-a360 .com
www.remove-antivirus-360 .com
www.remove-av360 .com
www.remove-ie-security .com
www.remove-ms-antispyware .com
www.remove-personal-defender .com
www.remove-spyware-guard .com
www.remove-spyware-protect-2009 .com
www.remove-spyware-protect .com
www.remove-system-guard .com
www.remove-total-security .com
www.remove-ultra-antivir-2009 .com
www.remove-ultra-antivirus-2009 .com
www.remove-virus-alarm .com
www.remove-virus-melt .com
www.remove-winpc-defender .com
www.vundofixtool .com

The threat's executable file is named setupxv.exe (MD5: 08a0b7b100567eb5a1373eb4607d5b24) and has a low detection rate: only 11 of 39 antivirus engines detect it :(

This binary is only a container for the other pieces of malware, including executables for 32-bit and 64-bit Microsoft platforms, whichever the case requires. Among the files are:

  • MalwareRemovalBot64.msi - 0/40 (0.0%) (MD5: 708149179e0f18304413edd56d16fa48)
  • MalwareRemovalBot.msi - 0/40 (0.0%) (MD5: e1a1c6175d65ab6be8d5f5cbc85a4ca6)
  • MSIStart.exe - 7/40 (17.5%) (MD5: 3de82388a6e799446bada69b6a08dc9e)
  • zlib.dll - 2/40 (5.0%) (MD5: 81ac3f43a5b07d202b5723145d3d88f9)
  • TCL.dll - 5/40 (12.5%) (MD5: 2a4a0083d63d44374a64a27974eea789)
  • SpyCleaner.dll - 13/40 (32.5%) (MD5: 1ca00d4ef4319c9cd454397e5659600b)
  • MalwareRemovalBot.srv.exe - 3/40 (7.5%) (MD5: 852f708466a5b74556b69c536d3add7e)
  • MalwareRemovalBot.exe - (MD5: 25166bb5d2629cb6dfb9ac6143b88f00)

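The domain list above is published defanged, and the dropped-file list mixes detection rates with MD5 hashes. The following script is an added example for this post, not the blog's own code: it refangs the domain entries, collapses the www./bare pairs into unique base names, parses the file lines into structured indicators with a validated MD5, and emits a DNS Response Policy Zone (RPZ) that returns NXDOMAIN for the names, their subdomains, and any answer resolving to the shared hosting address. The embedded indicator lines are an excerpt copied from the post; the zone name rpz.local and the SOA values are assumptions.

```python
"""Normalize the post's defanged indicators and emit a DNS RPZ blocklist.

Added example, not the blog's own code. The indicator lines below are an
excerpt copied from the post; rpz.local and the SOA values are assumed.
"""
import re

# Excerpt of the post's domain list, kept in its defanged form ("name .tld").
DEFANGED_DOMAINS = """
antivirus360remover .com
remove-malware-defender .com
www.antivirus360remover .com
www.malwarebot .org
www.remove-ms-antispyware .com
"""

SHARED_IP = "174.132.250.194"  # the shared hosting address named in the post

# Excerpt of the dropped-file list, "name - hits/total (pct) (MD5: hash)";
# the last entry has no detection rate in the post.
SAMPLE_LINES = """
MSIStart.exe - 7/40 (17.50%) (MD5: 3de82388a6e799446bada69b6a08dc9e)
SpyCleaner.dll - 13/40 (32.5%) (MD5: 1ca00d4ef4319c9cd454397e5659600b)
MalwareRemovalBot.exe - (MD5: 25166bb5d2629cb6dfb9ac6143b88f00)
"""

HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")
SAMPLE_RE = re.compile(
    r"^(?P<name>\S+)\s+-\s+"
    r"(?:(?P<hits>\d+)/(?P<total>\d+)\s+\([^)]*\)\s+)?"
    r"\(MD5:\s*(?P<md5>[0-9a-fA-F]{32})\)$"
)


def refang(token: str) -> str:
    """Undo common defanging: 'a .com', 'a[.]com', 'hxxp://a.com/x' -> 'a.com'."""
    t = re.sub(r"^hxxps?://", "", token.strip().lower())
    t = t.replace("[.]", ".").replace(" .", ".")
    return t.split("/", 1)[0]  # drop any path component


def parse_domains(text: str) -> list:
    """Refang each line, strip a leading 'www.' and keep unique base names in order.
    Stripping only 'www.' is a simplification of eTLD+1 handling that is
    sufficient for the flat second-level names the post lists."""
    seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host = refang(line)
        if not HOST_RE.match(host):
            raise ValueError(f"not a hostname after refanging: {line!r}")
        seen.setdefault(host[4:] if host.startswith("www.") else host, True)
    return list(seen)


def parse_samples(text: str) -> list:
    """Parse the dropped-file lines into dicts; the MD5 must be exactly 32 hex digits."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SAMPLE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised sample line: {line!r}")
        hits = int(m["hits"]) if m["hits"] else None
        total = int(m["total"]) if m["total"] else None
        out.append({"name": m["name"], "md5": m["md5"].lower(), "hits": hits,
                    "total": total, "ratio": hits / total if total else None})
    return out


def rpz_ip_owner(ip: str, prefix: int = 32) -> str:
    """RPZ-IP trigger owner name: prefix length, then the octets reversed."""
    return f"{prefix}." + ".".join(reversed(ip.split("."))) + ".rpz-ip"


def build_rpz(domains, ips, zone: str = "rpz.local") -> str:
    """RPZ zone text: 'CNAME .' means NXDOMAIN for the name, its subdomains,
    and (via the rpz-ip trigger) any answer that resolves to the listed IPs."""
    lines = [f"$ORIGIN {zone}.", "$TTL 300",
             f"@ SOA localhost. hostmaster.{zone}. 1 3600 600 86400 300",
             "@ NS localhost."]
    for d in domains:
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    for ip in ips:
        lines.append(f"{rpz_ip_owner(ip)} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_rpz(parse_domains(DEFANGED_DOMAINS), [SHARED_IP]))
    for s in parse_samples(SAMPLE_LINES):
        rate = "n/a" if s["ratio"] is None else f"{s['ratio']:.1%}"
        print(f"{s['md5']}  {s['name']:24s} detection {rate}")
```

The rpz-ip trigger is what makes the shared-IP observation actionable: once the resolver answers NXDOMAIN for anything that resolves to 174.132.250.194, newly registered names on the same host are covered before they ever reach a domain list.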
In many other cases, scareware spreads through other deceptive techniques that never go out of fashion: the strategies inherent to any current malware and, increasingly, Black Hat SEO techniques, to name just a couple.

Related Information
Continuing the important and massive campaign scareware - Spanish version
Campaign scareware infection through false Windows Explorer - Spanish version
Campaign spreading XP Antivirus Police through Visual Social Engineering - Spanish version


# Jorge Mieres
