Category Archives: Rogue Security Products

Software which attempts to convince a victim to pay for it through deceptive displays of information and technical trickery, most often by masquerading as antivirus or some other form of security software.

Fake Microsoft Security Scam

Posted on by

By Roy Tobin

Recently we have seen an increase in fake Microsoft scams, which function by tricking people into thinking that their PC is infected.  With these types of scams there are a number of things to remember.

1.       Microsoft will never call you telling you that your PC is infected
2.       Never allow strangers to connect to your PC
3.       Do not give any credit card info to somebody claiming to be from Microsoft
4.       If in doubt, shut down your PC and call Webroot

The current scam will display a webpage that is very similar to the one in Figure 1. There are a number of ways to figure out that this is a false alert. The first is that it’s a website message and not a program; the second is that location of the web site will be a random string of letters.

More details: Continue reading

Webroot’s Threat Blog Most Popular Posts for 2012

Posted on by

By Dancho Danchev

It’s that time of the year! The moment when we look back, and reflect on Webroot’s Threat Blog most popular content for 2012.

Which are this year’s most popular posts? What distinguished them from the rest of the analyses published on a daily basis, throughout the entire year?

Let’s find out.

Continue reading

FakeAV for Android! There you are!

Posted on by

By Nathan Collier

Every super hero has an arch nemesis. For a lot of Threat Researchers, including myself, Rogue Security Products, or better known as FakeAV, is theirs. Back in the day when I was primarily a PC malware fighter, FakeAV was a prevalent threat that was always coming up with new ways to infect users nearly every other day. I knew it was only a matter of time that the same malware authors would turn mobile. I am afraid those days are upon us. How could I ever forget such an identifiable logo:

“Android Security Suite Premium”… yeah, right!  This spy which is being called Android.FakeSecSuit   retrieves incoming sms messages, extracts the phone number and message, and then sends the stolen info off:

As you can see in the GET command from the PCAP, highlighted in blue is the phone number and message I sent to my test phone now being sent off to a site.

Now that the developers of the popular FakeAV malware have entered into the mobile world expect to to see a lot more variations of this… and if they follow the same pattern as they did in the PC world, I mean A LOT! We are seeing it in Torrents and/or alternative markets. Remember, when downloading Android apps choose them wisely and download  from a trusted source. Check reviews, research the developer and verify  permissions requested before downloading. And of course, scan with Webroot SecureAnywhere Mobile.

Spamvertised LinkedIn notifications serving client-side exploits and malware

Posted on by

By Dancho Danchev

Cybercriminals are currently spamvertising LinkedIn themed messages, in an attempt to trick end and corporate users into clicking on the malicious links embedded in the emails.

The campaign is using real names of LinkedIn users in an attempt to increase the authenticity of the spamvertised campaign.

More details:

Continue reading

Researchers intercept malvertising campaign using Yahoo’s ad network

Posted on by

By Dancho Danchev

Security researchers from StopMalvertising.com have intercepted a malvertising campaign using Yahoo’s ad network, that ultimately leads to a malicious payload in the form of fake security software known as scareware.

More details:

Continue reading

How malware authors evade antivirus detection

Posted on by

By Dancho Danchev

Aiming to ensure that their malware doesn’t end up in the hands of vendors and researchers, cybercriminals are actively experimenting with different quality assurance processes whose objective is to increase the probability of their campaigns successfully propagating in the wild without detection.

Some of these techniques include multiple offline antivirus scanning interfaces offering the cybercriminal a guarantee that their malicious program would remain undetected, before they launch their malicious campaign in the wild.

In the wild since 2006, Kim’s Multiple Antivirus Scanner is still actively used among cybercriminals wanting to ensure that their malicious software is pre-scanned against the signature-based scanning techniques offered by multile antivirus vendors.

Let’s review Kim’s Multiple Antivirus Scanner, and discuss when it’s an important tool in the arsenal of the malicious cybercriminal spreading malware for profit.

Continue reading

Criminals Abuse Amazon Hosting with Rogues, Ransomware

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

The criminals who push rogues at the world don’t really care about the reputations of the ISPs or Web hosting services they abuse. They leap from free service to free service until they’ve thoroughly worn out their welcome and, in some cases, destroyed the reputation of the service they abused. But they have behaved in one predictable way over the years: They’re stingy, and won’t pay for anything unless it’s absolutely necessary, despite the fact that they’re raking in cash by the boatload.

But that seemed to change this week when we saw a number of Web sites pop up on the radar. The sites employ the now well-worn scam of pretending to be some sort of video streaming service. In this case, they pretended to be a porn site, but the most surprising part was not what was hosted, but where: Amazon’s Cloudfront hosting service ended up, temporarily for a few hours, serving up malicious Web pages. Amazingly, it seems they actually paid for hosting instead of just stealing it.

Amazon shut the sites down quickly, but before they did, we visited one site called xrvid-porno.com. The page isn’t exactly family friendly, but the gist of the scam is that that page eventually redirected the browser to a server inside of Amazon’s cloud hosting service, and that’s where the trouble began.

Continue reading

Fake UPS Document Installs Fake Microsoft Patch Payload

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

As if we didn’t have enough to deal with this week — after a Microsoft patch Tuesday that brought with it a boatload of security updates for Windows, Office, Silverlight, Visual Studio, and other programs — some enterprising malware distributor is emailing around bogus tracking number malware dressed up in the icon of a PDF document, and that malware is downloading payloads named after the updaters that Windows Update retrieves during an update.

The malware arrived into one of our spam collection points with an attachment named UPS_document.zip. Way to be original there, criminals. Inside the Zip file was an executable downloader named UPS_Document.exe. Upon execution, it retrieves at least three payloads, including a copy of SpyEye (a password stealing Trojan), a tiny agent sending profiling information about the infected system, and a fraudulent “rogue system utility” called (on my XP testbed) Windows XP Restore.

The rogue takes on much of the appearance of a previous Rogue of the Week, named Windows Recovery. In fact, Windows XP Restore looks to be a very slightly modified duplicate of that software. If you’ve been hit with either rogue, there are some cool free tools for you to download that will repair some of the damage; Read on for details.

Continue reading