Saturday, September 26, 2009

Investigating New Trends of Rogue Antiviruses - Part 1

After being intrigued by the fact that my user name was being used as a keyword for developing malicious pages, I spent the past two weeks, whenever I had some free time, investigating the rogue antivirus pages further.

So far I have found the following main web pages, to which a lot of infected web pages direct their traffic:
hxxp://fast-virus-scan7.com
hxxp://myzonesecure.com
hxxp://winfixscanner1.com
hxxp://7removespyware.com
hxxp://onlinesearch-protect.net
hxxp://compurerthreats2.com
hxxp://mytotalscanner.com
hxxp://mytotalscanner17.com
hxxp://mytotalscanner17.com/scan2/video2.php?pid=111
hxxp://protectyourpc-now1.com/pr.cgi?id=2739
hxxp://best-scanpc.net/disk/?code=934
hxxp://check-threats-online.com

The following domains are likely bot-generated sites that redirect traffic to the malware sites above:
jntscxwv.cc
hibqeidh.cc
gmfcmdt.cc
ppsjucknp.cc
cqmilpkl.cc
fymhizm.cc
ockdtsahp.cc
srpantlq.cc
(Most links are now expired)

Another variant of rogue antivirus, called Antivirus Plus, is hosted on the following domains:
ihaerxi.cn
ikaocy.cn
iqevun.cn
ijobuaw.cn
iqoysab.cn
iniegox.cn
inejayf.cn
ihouvi.cn
ilipyw.cn
ikyadeh.cn
ilyocij.cn
ikorate.cn
ijobuaw.cn
ijuoxe.cn
idoafy.cn
ikuaxge.cn
ifueme.cn
gowyti.cn

Beware, most of these links are still active.
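As an added example (not code from the original post), the script below turns the three host lists above into a blocklist and runs it over a few constructed web-proxy log lines, with a second, lexical check for the kind of random-looking second-level label seen in the .cc redirector list. The log format, the sample lines, the host qwxzkfrp.cc and the thresholds are all assumptions made for the example; the blocklist entries are the hostnames from the post with hxxp:// and paths stripped. Running it shows why both layers are needed: the consonant-run heuristic catches seven of the eight .cc redirectors but none of the pronounceable .cn Antivirus Plus domains, which only the blocklist finds.

```python
"""Blocklist plus lexical heuristic over constructed proxy log lines."""
import re

# Hostnames from the post, hxxp:// and paths stripped.
LANDING_HOSTS = {
    "fast-virus-scan7.com", "myzonesecure.com", "winfixscanner1.com",
    "7removespyware.com", "onlinesearch-protect.net", "compurerthreats2.com",
    "mytotalscanner.com", "mytotalscanner17.com", "protectyourpc-now1.com",
    "best-scanpc.net", "check-threats-online.com",
}
REDIRECTOR_HOSTS = {
    "jntscxwv.cc", "hibqeidh.cc", "gmfcmdt.cc", "ppsjucknp.cc",
    "cqmilpkl.cc", "fymhizm.cc", "ockdtsahp.cc", "srpantlq.cc",
}
ANTIVIRUS_PLUS_HOSTS = {
    "ihaerxi.cn", "ikaocy.cn", "iqevun.cn", "ijobuaw.cn", "iqoysab.cn",
    "iniegox.cn", "inejayf.cn", "ihouvi.cn", "ilipyw.cn", "ikyadeh.cn",
    "ilyocij.cn", "ikorate.cn", "ijuoxe.cn", "idoafy.cn", "ikuaxge.cn",
    "ifueme.cn", "gowyti.cn",
}
BLOCKLIST = {
    **{h: "rogue AV landing page" for h in LANDING_HOSTS},
    **{h: "redirector" for h in REDIRECTOR_HOSTS},
    **{h: "Antivirus Plus host" for h in ANTIVIRUS_PLUS_HOSTS},
}

VOWELS = set("aeiou")  # 'y' is counted as a consonant here


def second_level_label(hostname):
    """'www.example.com' -> 'example'; the label most DGA-style names randomize."""
    parts = hostname.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def longest_consonant_run(label):
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0  # vowels, digits and hyphens break the run
    return best


def vowel_ratio(label):
    letters = [c for c in label if c.isalpha()]
    return sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0


def looks_generated(hostname, max_run=5, min_vowel_ratio=0.2):
    """Crude heuristic (thresholds are assumptions): very long consonant runs
    or almost no vowels in a label of 6+ characters."""
    label = second_level_label(hostname)
    if len(label) < 6:
        return False
    return longest_consonant_run(label) >= max_run or vowel_ratio(label) < min_vowel_ratio


def heuristic_hits(hosts):
    """Which of the given hosts the heuristic alone would flag."""
    return {h for h in hosts if looks_generated(h)}


# Constructed sample log: "<date> <time> <client> <method> <url>" (assumed format).
SAMPLE_PROXY_LOG = """\
2009-09-26 10:01:02 10.0.0.15 GET http://www.example.com/index.html
2009-09-26 10:01:09 10.0.0.15 GET http://jntscxwv.cc/
2009-09-26 10:01:10 10.0.0.15 GET http://mytotalscanner17.com/scan2/video2.php?pid=111
2009-09-26 10:02:44 10.0.0.22 GET http://qwxzkfrp.cc/
2009-09-26 10:03:01 10.0.0.22 GET http://ihaerxi.cn/
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")


def hostname_from_url(url):
    m = re.match(r"^[a-z]+://([^/:?#]+)", url.lower())
    return m.group(1) if m else None


def scan_proxy_log(text):
    """Return one finding per log line whose host is blocklisted or looks generated."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        host = hostname_from_url(m.group("url"))
        if host is None:
            continue
        reason = BLOCKLIST.get(host)
        if reason is None and looks_generated(host):
            reason = "heuristic: random-looking label"
        if reason:
            findings.append({"client": m.group("client"), "host": host, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{f['client']:<12} {f['host']:<28} {f['reason']}")
    print("heuristic misses among redirectors:", REDIRECTOR_HOSTS - heuristic_hits(REDIRECTOR_HOSTS))
```

The heuristic is deliberately simple; it is there to show that a lexical check complements an IoC list rather than replacing it, since short, vowel-rich names like the .cn domains sail straight past it.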

The malicious executable files that are hosted on these websites have already been reported to the Microsoft Malware Protection Center. I would like to thank MS for their quick response and creating definitions for all of the submitted samples.

Information about the malware hosted on these sites is documented here:
TrojanDownloader:Win32.Renos
Trojan:Win32/FakeXPA
Trojan:Win32/Yektel.A
