Rogueware Distribution Changes for Cyber Security
The relentless rogueware distribution groups that we've been monitoring have changed their gig yet again, in their efforts to evade the typical AV solutions. And by the numbers this month, it seems that they are having a successful go at it.
The installer drops cs.exe to c:\program files\cs\cs.exe on your system and runs it, which prompts the user with nagging popups. If you are seeing "Cyber Protection Center reports that 'Cyber Security' is inactive" on your system, do not activate it:
Standard set of phony detections to scare the victim into paying for the software:
The "Cyber Protection Center" GUI has become the "usual" Microsoft security center spoof:
The naming has changed a bit. The typical download URL will look like a variant on this scheme:
91.212.107. 5/download/Soft_40s5.exe
91.212.107. 5/download/Soft_257.exe (starting 10/13)
91.212.107. 5/download/scanner-323_2007.exe
91.212.107. 5/download/scanner-323_2007.exe (starting 9/8)
91.212.107. 5/download/antivirus-8D5D21_2015-5.exe
91.212.107. 5/download/antivirus-32CED34_2007.exe (starting 8/12)
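One way to hunt for this naming scheme in web proxy logs, as an added example that is not part of the original post. The regular expression is a generalization from the six sample URLs above, and the log layout, client addresses and hosts are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Filename shapes generalized from the sample URLs in the post (an assumption,
# not a vendor signature): Soft_<id>.exe, scanner-<hex>_<year>.exe and
# antivirus-<hex>_<year>[-<n>].exe, all served from /download/.
INSTALLER_PATH = re.compile(
    r"^/download/(?:"
    r"Soft_[0-9A-Za-z]{2,8}"
    r"|(?:scanner|antivirus)-[0-9A-F]{3,8}_\d{4}(?:-\d+)?"
    r")\.exe$"
)
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def classify(url):
    """Return None for no match, 'high' for a raw-IP host, 'medium' for a named host."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    if not INSTALLER_PATH.match(parts.path):
        return None
    return "high" if IPV4_HOST.match(parts.hostname or "") else "medium"


def scan_proxy_log(lines):
    """Return (client, url, severity) per hit; assumed layout '<time> <client> <method> <url>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed or truncated lines
        severity = classify(fields[3])
        if severity:
            hits.append((fields[1], fields[3], severity))
    return hits


# Constructed sample lines: hosts are documentation addresses, filenames follow the post.
SAMPLE_LOG = [
    "2009-10-13T09:14:02Z 10.0.0.21 GET http://198.51.100.7/download/Soft_257.exe",
    "2009-10-13T09:15:40Z 10.0.0.35 GET http://scan.example.com/download/antivirus-8D5D21_2015-5.exe",
    "2009-10-13T09:16:11Z 10.0.0.21 GET http://downloads.example.org/download/setup.exe",
    "2009-10-13T09:17:55Z 10.0.0.48 GET 198.51.100.7/download/scanner-323_2007.exe",
    "truncated line",
]

if __name__ == "__main__":
    for client, url, severity in scan_proxy_log(SAMPLE_LOG):
        print(f"{severity:6} {client} {url}")
```

A hit on the path pattern alone is a lead to triage, not a verdict; pairing it with the presence of c:\program files\cs\cs.exe on the client confirms an install.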
This month's moves include IP and domain changes.
Do not activate the product:
What will the group have in store in November? We'll wait and see. In the meantime, PC Tools ThreatFire users and the recently award-winning Spyware Doctor with AntiVirus 2010 (with Behaviorguard) are well protected from this round of scareware.
Source: http://blog.threatfire.com/2009/10/rogueware-distribution-changes-for.html
October 21st, 2009
