After being intrigued by the fact that my user name was being used as a keyword for developing malicious pages, I started investigating the rogue antivirus pages further over the past two weeks whenever I had some free time.
So far I have found the following main web pages to which a lot of infected web pages direct their traffic:
hxxp://fast-virus-scan7.com
hxxp://myzonesecure.com
hxxp://winfixscanner1.com
hxxp://7removespyware.com
hxxp://onlinesearch-protect.net
hxxp://compurerthreats2.com
hxxp://mytotalscanner.com
hxxp://mytotalscanner17.com
hxxp://mytotalscanner17.com/scan2/video2.php?pid=111
hxxp://protectyourpc-now1.com/pr.cgi?id=2739
hxxp://best-scanpc.net/disk/?code=934
hxxp://check-threats-online.com
The following domains are likely bot-generated sites that redirect traffic to the above malware sites:
jntscxwv.cc
hibqeidh.cc
gmfcmdt.cc
ppsjucknp.cc
cqmilpkl.cc
fymhizm.cc
ockdtsahp.cc
srpantlq.cc
(Most of these links are now expired.)
Another variant of rogue antivirus, called Antivirus Plus, is hosted on the following domains:
ihaerxi.cn
ikaocy.cn
iqevun.cn
ijobuaw.cn
iqoysab.cn
iniegox.cn
inejayf.cn
ihouvi.cn
ilipyw.cn
ikyadeh.cn
ilyocij.cn
ikorate.cn
ijuoxe.cn
idoafy.cn
ikuaxge.cn
ifueme.cn
gowyti.cn
Beware: most of these links are still active.
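As an added example (not part of the original post), the Python below applies a simple lexical heuristic, vowel ratio plus longest consonant run, of the kind used to triage algorithmically generated hostnames, to the two domain lists above and to a few well-known benign names I added for contrast. The thresholds are my own choices for this demonstration, not tuned values.

```python
"""Lexical triage of the hostnames listed in the post.

Added example, not code from the original post: a vowel-ratio /
consonant-run heuristic for spotting "bot generated" second-level labels.
"""
from typing import Dict, Iterable, List

# Constructed inputs: copied from the two lists in the post.
REDIRECTOR_DOMAINS = [
    "jntscxwv.cc", "hibqeidh.cc", "gmfcmdt.cc", "ppsjucknp.cc",
    "cqmilpkl.cc", "fymhizm.cc", "ockdtsahp.cc", "srpantlq.cc",
]
ANTIVIRUS_PLUS_DOMAINS = [
    "ihaerxi.cn", "ikaocy.cn", "iqevun.cn", "ijobuaw.cn", "iqoysab.cn",
    "iniegox.cn", "inejayf.cn", "ihouvi.cn", "ilipyw.cn", "ikyadeh.cn",
    "ilyocij.cn", "ikorate.cn", "ijuoxe.cn", "idoafy.cn", "ikuaxge.cn",
    "ifueme.cn", "gowyti.cn",
]
# Benign names added here for contrast (assumed clean; not from the post).
BENIGN_DOMAINS = ["microsoft.com", "google.com", "wikipedia.org", "example.net"]

VOWELS = frozenset("aeiou")  # 'y' is counted as a consonant here


def second_level_label(host: str) -> str:
    """'mytotalscanner17.com' -> 'mytotalscanner17'; tolerates a trailing dot."""
    labels = host.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def vowel_ratio(label: str) -> float:
    """Fraction of alphabetic characters that are vowels (0.0 for no letters)."""
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in VOWELS for c in letters) / len(letters)


def longest_consonant_run(label: str) -> int:
    """Length of the longest run of consecutive consonant letters."""
    best = run = 0
    for c in label:
        if c.isalpha() and c not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_generated(host: str, min_vowel_ratio: float = 0.2,
                    max_consonant_run: int = 4) -> bool:
    """True when the second-level label fails either pronounceability test.
    Threshold values are assumptions chosen for this example."""
    label = second_level_label(host)
    return (vowel_ratio(label) < min_vowel_ratio
            or longest_consonant_run(label) >= max_consonant_run)


def triage(hosts: Iterable[str]) -> Dict[str, List[str]]:
    """Split hosts into 'flagged' and 'passed', keeping order, dropping repeats."""
    seen, flagged, passed = set(), [], []
    for host in hosts:
        if host in seen:
            continue
        seen.add(host)
        (flagged if looks_generated(host) else passed).append(host)
    return {"flagged": flagged, "passed": passed}


if __name__ == "__main__":
    for name, hosts in [("redirectors (.cc)", REDIRECTOR_DOMAINS),
                        ("Antivirus Plus (.cn)", ANTIVIRUS_PLUS_DOMAINS),
                        ("benign", BENIGN_DOMAINS)]:
        result = triage(hosts)
        print(f"{name}: {len(result['flagged'])} flagged, "
              f"{len(result['passed'])} passed")
        for host in result["flagged"]:
            label = second_level_label(host)
            print(f"  {host:16} vowel_ratio={vowel_ratio(label):.2f} "
                  f"consonant_run={longest_consonant_run(label)}")
```

Run as a script, this flags 7 of the 8 .cc redirectors (hibqeidh.cc passes both tests), none of the .cn Antivirus Plus names, and none of the benign names. The .cn set alternates consonants and vowels and nearly every name begins with "i", so it is a pronounceable generator that a pattern of that shape would catch while a pronounceability score cannot. Lexical scoring is a triage aid only; confirm with registration age, shared hosting, or the redirect behaviour itself before blocking.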
The malicious executable files hosted on these websites have already been reported to the Microsoft Malware Protection Center. I would like to thank MS for their quick response and for creating definitions for all of the submitted samples.
Information about the malware hosted on these sites is documented here:
TrojanDownloader:Win32/Renos
Trojan:Win32/FakeXPA
Trojan:Win32/Yektel.A