Saturday, September 26, 2009

Investigating New Trends of Rogue Antiviruses - Part 2

Besides the randomly named sites that host the rogue antivirus pages, I have also noticed a huge amount of legitimate sites that have been compromised to direct traffic to the rogue antivirus domains.

Each compromised website contains a folder with a five-letter, randomly generated name. That folder in turn contains another randomly generated folder of the same length, which holds hundreds of computer-generated infected PHP web pages.

Examples of the folders found on compromised legitimate sites that I have discovered via Google are:

Examples of infected PHP pages taken from two of the above sites:
http://kingofthecageskennels.com/hoabe/sueno/survivors.php
http://trd3tv.net/qiqut/aejpc/pomegranate.php
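A site owner who wants to check a web root for the footprint described above (two nested five-letter random folders holding many generated PHP pages) can do so with a short walk of the tree. This is an added example, not code from the post; the sample tree, the folder names (borrowed from the post) and the threshold of 20 PHP files are constructed assumptions.

```python
import os
import re
import tempfile

# The post describes five-letter, lowercase, randomly generated folder names.
RANDOM_DIR = re.compile(r"^[a-z]{5}$")


def find_rogue_av_folders(webroot, min_php=20):
    """Return (relative_dir, php_count) for every directory whose last two
    path components are both five-letter names and that holds at least
    min_php PHP files. Threshold of 20 is an assumption, not from the post."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        parts = os.path.relpath(dirpath, webroot).split(os.sep)
        if len(parts) < 2:  # web root itself or a top-level folder
            continue
        if not (RANDOM_DIR.match(parts[-2]) and RANDOM_DIR.match(parts[-1])):
            continue
        php_count = sum(1 for f in filenames if f.lower().endswith(".php"))
        if php_count >= min_php:
            hits.append((os.path.relpath(dirpath, webroot), php_count))
    return sorted(hits)


def build_sample_webroot():
    """Constructed sample tree: a normal site plus one injected nested pair
    of five-letter folders filled with generated PHP pages."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "images"))
    os.makedirs(os.path.join(root, "blog", "posts"))  # legit, not flagged
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'home'; ?>")
    for name in ("entry1.php", "entry2.php"):
        with open(os.path.join(root, "blog", "posts", name), "w") as fh:
            fh.write("<?php /* real post */ ?>")
    injected = os.path.join(root, "hoabe", "sueno")  # names from the post
    os.makedirs(injected)
    for i in range(120):
        with open(os.path.join(injected, f"gen{i}.php"), "w") as fh:
            fh.write("<?php /* constructed generated page */ ?>")
    return root


if __name__ == "__main__":
    for rel_dir, count in find_rogue_av_folders(build_sample_webroot()):
        print(f"suspicious folder {rel_dir}: {count} PHP files")
```

Run it against a real document root by replacing the constructed tree with the site's path; hits deserve a manual look, since a legitimately named pair of five-letter folders can also match.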

The list of compromised sites continues to grow every hour.

Investigating New Trends of Rogue Antiviruses - Part 1

After being intrigued by the fact that my user name was being used as a keyword for generating malicious pages, I spent the past two weeks investigating the rogue antivirus pages further whenever I had some free time.

So far I have found the following main web pages to which a lot of infected web pages direct their traffic:

The following domains are likely bot-generated sites that redirect traffic to the above malware sites:

Sunday, September 6, 2009

New Smitfraud Variant

I was searching for my username on Google today and found a malicious site that uses my username as keywords. The malicious pages include the following URLs:

Each of the pages redirects you to the following rogue antivirus pages:
hxxp://best-virus-scanner4.com/scan1/?pid=111&engine=pHT3zjjyMjE2Mi4xMzEuMjQmdGltZT0xMjUuMIEMPAZO
hxxp://fast-virus-scan9.com/scan1/?pid=111&engine=pHT22jzyMjE2Mi4xMzEuMjQmdGltZT0xMjUuMkEMPAlO

The web page displays a classic fake Explorer page, giving the impression that your hard-disk partitions are being scanned and that malware was found on the computer.
Clicking anywhere on the page prompts you to download a new trojan named Antivirus_111.exe, which, at the time I write this blog entry, is not detected by any antivirus.

The file, when uploaded to VirusTotal, produced the following results: