Tuesday, May 13, 2008

AdultFriendFinder account suspended



Some spyware pushed AdultFriendFinder... but apparently they got blocked ;-)

Buffer overflow attempt?

Thursday, May 01, 2008

BraveSentry joke



What? You must be kidding!

Monday, April 07, 2008

Spot the mistake courtesy of TrustedAntivirus





Hint: achtung!

Tuesday, April 01, 2008

Winsoftware localisations

Having fun with different versions of WinAntivirusPro... French, German, Italian.... you name it.



Monday, March 31, 2008

TrustedAntivirus Scam




Ah... it will never change...

Scam again




Don't buy this rogue stuff. It's a S.C.A.M.!!!!

Wednesday, March 19, 2008

Malware tampers with verclsid

Verclsid.exe is the shell extension verifier: Windows Explorer uses it to check a COM object (a shell extension) before instantiating it.
This threat attempts to delete verclsid.exe. I guess the idea is to execute an unverified nasty COM object regardless ;-)

Monday, March 03, 2008

AVSystemcare, 5 star rating?

My PC gets infected with a Trojan which pushes the famous AVSystemCare rogue:



Very nice install screen!



Lots of happy customers:




It's MY DECISION!!!





Verdict:
A very good looking product with very bad intentions (your money).

Thursday, February 28, 2008

When a picture hides an executable

A GIF file is harmless, right?

Wait, maybe not!



It turns out it's an EXE renamed just for the fun of it.



VirusTotal sneak preview:
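The check I would script for this, as an added example (not the blog's own code): compare a file's leading bytes with the type its extension claims, so a PE image saved as .gif stands out before anything opens it. The samples are constructed inline (a real GIF header, and a stub PE header named funny.gif to stand in for the renamed EXE from this post); none of them is the actual sample.

```python
"""Check whether a file's bytes match the type its extension claims.

Added example for this post, not code from the blog. SAMPLES is constructed
(a real GIF header, a stub PE header renamed .gif); feed scan_mismatches()
bytes read from disk to use it for real.
"""
import os
import struct
from typing import Dict, List, Optional, Tuple

# Extensions that are just other spellings of the same type. A .scr, .dll or
# .cpl is expected to contain a PE image, so those map to "exe".
CANONICAL = {"jpeg": "jpg", "scr": "exe", "dll": "exe", "cpl": "exe"}

# Leading magic numbers for the image formats this check understands.
IMAGE_MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def detected_type(data: bytes) -> Optional[str]:
    """Type inferred from content, or None if no known signature matches."""
    if looks_like_pe(data):
        return "exe"
    for kind, magics in IMAGE_MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def check(name: str, data: bytes) -> Tuple[str, Optional[str], bool]:
    """Return (claimed type from the extension, detected type, mismatch flag)."""
    claimed = os.path.splitext(name)[1].lstrip(".").lower()
    claimed = CANONICAL.get(claimed, claimed)
    actual = detected_type(data)
    return claimed, actual, actual is not None and actual != claimed


def scan_mismatches(samples: Dict[str, bytes]) -> List[Tuple[str, str, str]]:
    """Names whose content disagrees with their extension, with both types."""
    out = []
    for name, data in samples.items():
        claimed, actual, bad = check(name, data)
        if bad:
            out.append((name, claimed, actual))
    return out


def build_stub_pe() -> bytes:
    """Constructed stand-in for the renamed EXE: MZ stub with e_lfanew = 0x40,
    then the PE signature and an i386 Machine field. Not a runnable program."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x4c\x01"


# Constructed samples: a real GIF header, the "picture" that is really an EXE,
# and an honestly named executable.
SAMPLES = {
    "holiday.gif": b"GIF89a" + bytes(10),
    "funny.gif": build_stub_pe(),
    "setup.exe": build_stub_pe(),
}

if __name__ == "__main__":
    for name, claimed, actual in scan_mismatches(SAMPLES):
        print(f"{name}: extension says {claimed}, content is {actual}")
```

The PE check reads e_lfanew rather than stopping at "MZ", so a file that merely starts with those two letters is not reported as an executable; an unknown extension with PE content (notes.txt holding an MZ image) is still flagged.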

Fake Zlob Trojan codec site down? or not....



Apparently a goner....



Hmm.... maybe not:

Wednesday, February 27, 2008

Trojans from China: exposed!

A nice collection of Trojans being pushed massively, stored at:
down[hidden].china-s0ft.cn/downlist.txt




and more from another domain:

Monday, February 25, 2008

Zlob Trojan: fake error, real infection

I found a fake video codec while doing some Google searches. It is very well crafted, with a bit of social engineering. At first I thought this one was VMware aware because of the error message. However, some deeper analysis revealed it was not. Some interesting things came up. Below is a summary.

Upon executing the sample, the following message shows up:



However, in the background things are taking place:




An Internet Explorer toolbar is created:


Only the following security vendors are detecting this threat at the time of posting:

Thursday, February 21, 2008

Porn YouTube impersonation leads to malware



"Show Yourself"?

Once you pick a video, you are prompted to download a codec.


The site is totally bogus and the comments posted are fake (of course). Though kudos to whoever wrote them.



Installs a rogue app (VirusHeat) as well as a bunch of other bad stuff.

Wednesday, February 20, 2008

RogueFest

Stay away from those scams!

Malware Crush:


Filter Program:


Advanced Cleaner

Monday, February 18, 2008

Search2Find installs rogue SystemDefender





Rogue infestation

A VM image infected with several rogue anti-spyware apps. Note the antivirus.exe process (in Process Explorer). Although you see the process, the file is invisible to the system. Rootkit technique....
Also, one of the rogues is VM-aware....











Friday, February 15, 2008

Rootkit + Rbot Worm

I found something interesting while analyzing a malware sample.
A process called "taskmaneger.exe" was running (I can see it in Process Explorer). However, it was not visible on the hard disk under its location, System32.
I therefore rebooted under Linux (dual-boot drive) and mounted the XP disk. I browsed it from Linux and this time I found the culprit, classified as the Rbot Worm.




It is using rootkit techniques to hide itself from Explorer; however, the process is still visible....

Tuesday, February 05, 2008

Most hacked AppInit_DLLs ever



Monday, January 21, 2008

Storm Worm: Love Edition




Thursday, January 17, 2008

Malware AutoIt error

AutoIt is a scripting language for automating Windows. This malware author didn't smoke-test it well enough... it crashed on my machine as it was trying to run its payload.

Thursday, January 10, 2008

MSN Worm

The worm propagates from system to system by downloading an infected ZIP file and sending it to all your MSN contacts.


Stay away from pictures sent to you in a zip file!

Friday, January 04, 2008

A Happy New Year from Storm Worm

Email from Storm Botnet:



Infected page with obfuscated JavaScript:



Installs a rootkit on the PC

Facebook Phishing Scam

This domain is hosted in China and pretends to be the Facebook login page.



Fiddler transcript below. It captures your email address and password and sends them over. After that, it redirects you to the legitimate Facebook page, where you are prompted again to enter your credentials.
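The pattern in that transcript, a credential POST to a lookalike host followed by a redirect to the real site, is easy to pick out of a proxy capture automatically. The script below is an added example, not part of the post: the sessions are constructed to mirror what the post describes, the lookalike host is a placeholder under the reserved .invalid TLD rather than the Chinese-hosted domain from the post, and real Fiddler sessions would be transcribed into the same (method, url, status, response headers, body) shape.

```python
"""Spot the credential-theft-then-redirect pattern in a proxy transcript.

Added example, not part of the original post. SESSIONS is constructed; the
lookalike host is a placeholder (.invalid), not the domain from the post.
"""
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Form field names that usually carry a login identifier or secret.
CREDENTIAL_FIELDS = {"email", "user", "username", "pass", "passwd", "password"}


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def same_site(host: str, legit_domain: str) -> bool:
    """True for the domain itself or any of its subdomains (never a lookalike
    such as facebook.com.evil.invalid)."""
    return host == legit_domain or host.endswith("." + legit_domain)


def find_credential_exfil(sessions: List[Dict], legit_domain: str) -> List[Dict]:
    """Flag credential POSTs that go anywhere but legit_domain, noting whether
    the response then bounces the victim to the real site."""
    findings = []
    for s in sessions:
        if s["method"] != "POST":
            continue
        # keep_blank_values so an empty "pass=" still counts as a credential field
        creds = set(parse_qs(s["body"], keep_blank_values=True)) & CREDENTIAL_FIELDS
        if not creds:
            continue
        host = host_of(s["url"])
        if same_site(host, legit_domain):
            continue  # credentials went to the real site: expected
        headers = {k.lower(): v for k, v in s["response_headers"].items()}
        location = headers.get("location", "")
        findings.append({
            "host": host,
            "fields": sorted(creds),
            "redirects_to_legit": (300 <= s["status"] < 400
                                   and same_site(host_of(location), legit_domain)),
        })
    return findings


# Constructed transcript: lookalike page, credential POST, 302 to the real
# login, then the victim logs in again for real.
SESSIONS = [
    {"method": "GET", "url": "http://facebook-login-example.invalid/login.php",
     "status": 200, "response_headers": {"Content-Type": "text/html"}, "body": ""},
    {"method": "POST", "url": "http://facebook-login-example.invalid/login.php",
     "status": 302, "response_headers": {"Location": "http://www.facebook.com/login.php"},
     "body": "email=victim%40example.com&pass=hunter2"},
    {"method": "GET", "url": "http://www.facebook.com/login.php",
     "status": 200, "response_headers": {"Content-Type": "text/html"}, "body": ""},
    {"method": "POST", "url": "http://www.facebook.com/login.php",
     "status": 302, "response_headers": {"Location": "http://www.facebook.com/home.php"},
     "body": "email=victim%40example.com&pass=hunter2"},
]

if __name__ == "__main__":
    for finding in find_credential_exfil(SESSIONS, "facebook.com"):
        print(finding)
```

Only the first POST is reported: the second one carries the same credentials but goes to facebook.com itself, which is what a legitimate login looks like. The redirect flag is what separates "phishing kit that hands you off to the real site" from a plain credential sink.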

Tuesday, December 11, 2007

DioCleaner Rogue





Typical Rogue infection.

Wednesday, November 28, 2007

IE Defender infection + hijacked search results


Friday, November 09, 2007

Broken exploit


Nice little function... but it is broken now. Too bad.

Monday, November 05, 2007

Rogue uses System Shutdown ploy



If you let the timer go all the way, nothing happens.. of course...

Friday, November 02, 2007

Fake 404 contains an iframe


YES!!!!!!!

Monday, October 29, 2007

My Google homepage hacked


Weird Error Message

Friday, October 26, 2007

Rogue with Knowledge base: are you serious?

Thursday, October 18, 2007

Oh, a security toolbar?


Welcome back to AVSystemCare's deceptive security toolbar.

PrivacyProtector's provocative ad

How far are rogue programs going to go to convince you?

This is shocking: it shows you real porn pictures that you may have on your computer.

Monday, October 15, 2007

PestTrap goes X

Their new domain: xpesttrap.com

AVSystemCare: from fake alert to rogue

Fake alert #1:



Fake alert#2:



Webpage:



Rogue:

Friday, October 12, 2007

Storm Worm rootkit

I know this is kind of old news but here is a little sample of what it does.
Upon execution, ecard.exe runs its payload, which installs a rootkit and then forcibly reboots the machine.
The RootkitRevealer scan in the screenshot below shows the file hidden from Windows, but still very active.
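The comparison RootkitRevealer automates here, and that the "Rootkit + Rbot Worm" and "Rogue infestation" posts above did by hand (Process Explorer on the live box, then a Linux mount of the same disk), is a cross-view diff. Below is an added example of that logic, not the blog's code and not RootkitRevealer: it takes the directory listing the live Windows API returns (which a rootkit can filter), the listing taken outside the rootkit's reach (the volume mounted from Linux), and the image paths of running processes, and reports the discrepancies. All three inputs are constructed; the file names are the ones the posts mention, in placeholder locations.

```python
"""Cross-view rootkit check: what the live OS reports versus what is on disk.

Added example, not the blog's code and not RootkitRevealer. LIVE_VIEW,
OFFLINE_VIEW and PROCESSES are constructed sample data; on a real case,
LIVE_VIEW comes from os.listdir() on the running Windows box, OFFLINE_VIEW
from the same directories on the volume mounted under Linux, and PROCESSES
from Process Explorer's image paths.
"""
from typing import Dict, Iterable, List, Tuple


def _norm(paths: Iterable[str]) -> set:
    # NTFS paths are case-insensitive; compare them lower-cased.
    return {p.lower() for p in paths}


def hidden_files(live: Iterable[str], offline: Iterable[str]) -> List[str]:
    """On disk in the offline view but absent from the live view: the classic
    file-hiding symptom."""
    return sorted(_norm(offline) - _norm(live))


def phantom_files(live: Iterable[str], offline: Iterable[str]) -> List[str]:
    """Shown by the live API but not on disk: a stale listing, or something
    faking a file's presence. Worth a look either way."""
    return sorted(_norm(live) - _norm(offline))


def orphan_processes(processes: Iterable[Tuple[str, str]],
                     live: Iterable[str]) -> List[Tuple[str, str]]:
    """Running processes whose image file the live view cannot see: the
    taskmaneger.exe situation from the Rbot post."""
    visible = _norm(live)
    return [(name, path) for name, path in processes if path.lower() not in visible]


def cross_view_report(live, offline, processes) -> Dict[str, list]:
    return {
        "hidden_files": hidden_files(live, offline),
        "phantom_files": phantom_files(live, offline),
        "orphan_processes": orphan_processes(processes, live),
    }


# Constructed listings of C:\WINDOWS and C:\WINDOWS\system32 on an infected
# XP box. The live view is what the (rootkitted) API shows; the offline view
# is the same directories read from a Linux mount.
LIVE_VIEW = [
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\system32\verclsid.exe",
]
OFFLINE_VIEW = LIVE_VIEW + [
    r"C:\WINDOWS\system32\taskmaneger.exe",   # hidden Rbot dropper
    r"C:\WINDOWS\system32\antivirus.exe",     # hidden rogue
]
PROCESSES = [
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("taskmaneger.exe", r"C:\WINDOWS\system32\taskmaneger.exe"),
]

if __name__ == "__main__":
    for key, items in cross_view_report(LIVE_VIEW, OFFLINE_VIEW, PROCESSES).items():
        print(key, items)
```

The orphan-process check is the cheap one you can run without rebooting: a process whose own image path returns "file not found" from the live API is already a strong hint. The hidden-files diff needs the offline listing, which is why the Rbot post ends up booting Linux.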

Tuesday, September 25, 2007

Part of a Botnet

After running a Trojan, I checked the network traffic for communications with the outside.

The Trojan was reporting the name of my computer and other info to a web server... The kind of stats a bot herder might use...


Live Messenger infection

Running Live Messenger with a lot of (unknown) contacts can be a dangerous thing:

First a window pops up. It's not a good sign when I haven't touched my browser:



A quick glance at Process Explorer confirms the infection:


Thursday, September 20, 2007

RogueFest in the UK

behappysyst.com hosts a large number of rogues. It is hosted in the UK.




Tuesday, September 18, 2007

Fake gaming site installs Trojan

This site installs a variant of the Newar Trojan.

Worm tries to propagate using MySpace posts

Dangerous URL posted on a MySpace web page.



Wednesday, September 05, 2007

PornTube... dangerous fake codec

Watch out for this YouTube imitation... Nasty Trojan when you download a video.

New Zlob fake codec site: hxxp://zero-codec.com

Scam or not?



It may work... but come on, 100% legal???? What's the point in having a license plate then?

Tuesday, September 04, 2007

Porn pop up leads to Zango's website

Ran a Trojan that created a pop-up designed to resemble YouTube videos. On click, you are redirected to Zango's website.

Thursday, August 30, 2007

Well crafted IM Worm

I came across an interesting IM Worm today:

First, I get this IM with a link to follow:



It brings me to this website, that, for some reason ;-), needs me to install the Flash player:



Surprisingly, this "Flash Player" is infected!!!


In case I didn't download the file, the webpage itself has malicious, obfuscated code that pushes the installer down my throat:



And to finish the loop, it sends out Instant Messages in my name to all the people on my contact list (to spread the word I suppose).




The culprits:

Wednesday, August 29, 2007

Fake Google site

A drive-by exploit launches when you visit this site. If you use Firefox, they trick you into downloading an add-on.

Another point of interest, clicking on the Sign in link will open the AdultFriendFinder website. Oops..

To avoid this, check the URL in the address bar: it is not Google's. Also, Google will never ask you to download additional software to do a search. At least, not right now.
Also, hover over the links on the page: IE's status bar shows that they point to a totally different site.
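Both of those manual checks (is the address-bar host really the brand's, and do the links go where their text suggests) can be scripted over the page source. The example below is added here and is not the blog's code: the page URL and HTML are constructed placeholders under reserved .invalid names standing in for the lookalike site, and "google.com" is the brand the page claims to be.

```python
"""Audit a page for two lookalike-site tells: the host in the address bar is
not the claimed brand's, and link text points somewhere other than the href.

Added example, not from the blog. PAGE_URL and PAGE_HTML are constructed
placeholders; no real lookalike domain is named.
"""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Something that reads as a hostname or URL inside visible link text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def same_site(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


class LinkCollector(HTMLParser):
    """Gathers (href, visible text) for every <a> on the page."""

    def __init__(self):
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_page(page_url: str, html: str, claimed_domain: str) -> List[Tuple[str, str, str]]:
    """Return (finding, detail, target host) triples, address bar first."""
    findings = []
    page_host = host_of(page_url)
    if not same_site(page_host, claimed_domain):
        findings.append(("address_bar_not_" + claimed_domain, page_url, page_host))
    parser = LinkCollector()
    parser.feed(html)
    for href, text in parser.links:
        target = host_of(urljoin(page_url, href))
        m = DOMAIN_IN_TEXT.search(text)
        if m and not same_site(target, m.group(1).lower()):
            # what hovering and reading the status bar would reveal
            findings.append(("text_says_other_host", text, target))
        elif not same_site(target, page_host):
            findings.append(("link_leaves_site", text, target))
    return findings


# Constructed lookalike page: a "Google" front on a non-Google host whose
# Sign in link goes somewhere else entirely.
PAGE_URL = "http://search-lookalike.invalid/"
PAGE_HTML = """
<html><head><title>Google</title></head><body>
<a href="/search?q=">Web</a>
<a href="http://search-lookalike.invalid/go">www.google.com</a>
<a href="http://dating-offer.invalid/landing">Sign in</a>
<form action="/search"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_page(PAGE_URL, PAGE_HTML, "google.com"):
        print(finding)
```

Relative links resolve against the page URL, so a plain "/search" on the lookalike host is not reported; the text-versus-href check fires only when the visible text itself names a host, which is exactly the case where a user would be misled.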



Wednesday, August 22, 2007

Rogue program makes spelling mistake

Malware - not "Malaware". TrustedAntivirus is a rogue anti-spyware program.




Monday, August 20, 2007

New file name for fake ecard






Interesting MSN stuff

This user's display name is "DO NOT ACCEPT FILES FROM ME".... Well, it makes sense since it is trying to send me some infected files... But still, rather odd.




This one likes to send pictures and other stuff... even after the first No, they continued... Of course, these files are dangerous to open.