Malwarebytes

Here comes the new wave



#1
nosirrah
I have not reverse DNSed these yet, so more are likely.

http://antiworm2008.com

http://goldenantispy.com

http://menacerescue.com

http://antispywaresuite.com

http://trojansfilter.com
Bruce Harrison
Vice President of Research
#2
JeanInMontana
2008, nice to see they are looking ahead. :)

#3
nosirrah
So are we, to spread the word against them.
I am going to see if all of these are live.

#4
nosirrah
Same family as here: http://www.malwarebytes.org/forums/index.php?showtopic=1391

On a hunch I tried adding the same suffix to trigger a download; it works.

/data/?450801071357510a5501&mpt=1181125634&gai=swg_av&gli=3948&gff=pp_1084837492&ax=4&wqbp=7484-46197-7784-0

#5
nosirrah
http://content.onerateld.com/antiworm2008.com/AntiWorm2008/install_en.exe

http://content.onerateld.com/goldenantispy.com/GoldenAntiSpy/install_en.exe

http://content.onerateld.com/menacerescue.com/MenaceRescue/install_en.exe

http://content.onerateld.com/antispywaresuite.com/AntiSpywareSuite/install_en.exe

http://content.onerateld.com/trojansfilter.com/TrojansFilter/install_en.exe

#6
nosirrah
Faking the install with those links does not work; you need to use the suffix I posted above to get different infections.

#7
nosirrah
I think these work by automatically rebranding a core installer based on temp info. I was able to get all variants installed by grabbing the 14 meg unbranded (AVSystemcare) installer, interrupting the install process of each variation, and then dropping the 14 meg file into the temp folder. I had to clear my temp folders each time to get this to work.

#8
SwampDiner
Wow, that took a lot of effort; every one of these clones will be added 138.