Malekal's forum

de **Malekal_morte** » 21 Déc 2008 20:01

Pour supprimer System Security, veuillez suivre ce lien : http://www.malekal.com/SystemSecurity.php

System Security est un rogue (faux anti-spyware) qui s'installe sans permission, le malware affiche de fausses alertes vous indiquant que vous êtes infecté par un spyware et vous recommande d'acheter ce faux anti-spyware pour soit disant désinfecter votre ordinateur.

System Security est le rogue remplaçant Winweb Security

Quelques exemples de captures des Fausses pages de scan/alerte de sécurité

de **Malekal_morte** » 21 Déc 2008 20:06

Code: Tout sélectionner: 1229881997.655 310 192.168.1.63 TCP_MISS/200 15906 GET http://netdigitalsecurity.com/ws/index.php?affid=01701 - DIRECT/94.75.210.40 text/html

Domain Name: NETDIGITALSECURITY.COM
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Whois Server: whois.PublicDomainRegistry.com
Referral URL: http://www.PublicDomainRegistry.com
Name Server: NS1.NETDIGITALSECURITY.COM
Name Server: NS2.NETDIGITALSECURITY.COM
Status: clientTransferProhibited
Updated Date: 16-dec-2008
Creation Date: 16-dec-2008
Expiration Date: 16-dec-2009

Registrant:
PrivacyProtect.org
Domain Admin (protected e-mail)
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Creation Date: 16-Dec-2008
Expiration Date: 16-Dec-2009

Domain servers in listed order:
ns2.netdigitalsecurity.com
ns1.netdigitalsecurity.com

Code: Tout sélectionner: 1229882005.734 641 192.168.1.63 TCP_MISS/200 62900 GET http://securesoftwareretrieve.com/downloadsetupws.php?affid=01701 - DIRECT/94.247.2.217 application/octet-stream 1229882038.297 2995 192.168.1.63 TCP_MISS/200 1279736 GET http://thesafedownload.com/install/ws.zip - DIRECT/209.67.220.178 application/zip

Domain Name: SECURESOFTWARERETRIEVE.COM
Registrar: REGTIME LTD.
Whois Server: whois.regtime.net
Referral URL: http://www.webnames.ru
Name Server: NS1.SECURESOFTWARERETRIEVE.COM
Name Server: NS2.SECURESOFTWARERETRIEVE.COM
Status: ok
Updated Date: 19-dec-2008
Creation Date: 17-dec-2008
Expiration Date: 17-dec-2009

Domain name: securesoftwareretrieve.com

Name servers:
ns1.securesoftwareretrieve.com
ns2.securesoftwareretrieve.com

Registrar: Regtime Ltd.
Creation date: 2008-12-17
Expiration date: 2009-12-17

Registrant:
Robert Ward
Email: robertmwards@gmail.com
Organization: Private person
Address: 1595 Stoney Lane
City: Carrollton
State: TX
ZIP: 75006
Country: US
Phone: +1.9729044211
Administrative Contact:
Robert Ward
Email: robertmwards@gmail.com
Organization: Private person
Address: 1595 Stoney Lane
City: Carrollton
State: TX
ZIP: 75006
Country: US
Phone: +1.9729044211
Technical Contact:
Robert Ward
Email: robertmwards@gmail.com
Organization: Private person
Address: 1595 Stoney Lane
City: Carrollton
State: TX
ZIP: 75006
Country: US
Phone: +1.9729044211
Billing Contact:
Robert Ward
Email: robertmwards@gmail.com
Organization: Private person
Address: 1595 Stoney Lane
City: Carrollton
State: TX
ZIP: 75006
Country: US
Phone: +1.9729044211

de **Malekal_morte** » 22 Déc 2008 20:05

Beaucoup de SPAM et Google Posening pour le forum hxxp://www.rruu.org/forum/ (209.151.99.26).

Ce dernier propose des tutoriaux via des vidéos Youtube.
Ces vidéos met en avont le site htxp://antiviruson.com (89.111.176.21) qui effectue des redirections pour le rogue System Security.

Code: Tout sélectionner: 1229968695.849 559 192.168.1.25 TCP_MISS/200 718 GET http://antiviruson.com/ - DIRECT/89.111.176.21 text/html 1229968696.447 320 192.168.1.25 TCP_MISS/302 310 GET http://internettraffictrade.com/in.php?land=20&affid=01400 - DIRECT/94.247.2.217 text/html 1229968698.079 1483 192.168.1.25 TCP_MISS/200 15906 GET http://netisecurity.com/ws/index.php?affid=01400 - DIRECT/94.75.210.40 text/html

de **Malekal_morte** » 28 Déc 2008 02:21

Code: Tout sélectionner: 1230423253.783 479 192.168.1.120 TCP_MISS/200 63417 GET http://websafetyguide.com/downloadsetupws.php?affid=05800 - DIRECT/91.211.64.31 application/octet-stream

Domain Name: WEBSAFETYGUIDE.COM
Registrar: REGTIME LTD.
Whois Server: whois.regtime.net
Referral URL: http://www.webnames.ru
Name Server: NS1.WEBSAFETYGUIDE.COM
Name Server: NS2.WEBSAFETYGUIDE.COM
Status: ok
Updated Date: 27-dec-2008
Creation Date: 27-dec-2008
Expiration Date: 27-dec-2009

Name servers:
ns1.websafetyguide.com
ns2.websafetyguide.com

Registrar: Regtime Ltd.
Creation date: 2008-12-27
Expiration date: 2009-12-27

Registrant:
Jeane Hoppe
Email: jeanejhoppe@gmail.com
Organization: Private person
Address: 2267 Lawman Avenue
City: Fairfax
State: VA
ZIP: 22030
Country: US
Phone: +1.7032736758

de **Malekal_morte** » 05 Jan 2009 19:59

Code: Tout sélectionner: 1231185599.762 304 192.168.1.25 TCP_MISS/302 316 GET http://clicksredirect.com/in.php?land=20&affid=04800 - DIRECT/91.211.64.31 text/html

Code: Tout sélectionner: 1231185754.524 978 192.168.1.25 TCP_MISS/200 15891 GET http://watchnetprotection.com/scan/index.php?affid=04800 - DIRECT/91.211.64.31 text/html

de **Malekal_morte** » 12 Mai 2009 10:24

Trojan.FakeAlert : Windows has detected spyware infection! faisant la promotion de System Security.

de **Malekal_morte** » 18 Juin 2009 12:33

Les descriptions des menaces imaginaires détectés par le rogue.

A Trojan Downloader that masquerades as a legitimate system file.

A backdoor Trojan that is remotely controlled via Internet Relay Chat (IRC). It exploits Sony Digital Rights Management (DRM) software to hide its presence.
Win32.Outsbot.u
Trojan downloader that is spread as an attachment to a spam email and tries to download a password stealer.
Trojan.Win32.Agent.ado

This dangerous worm will destroy certain data files on an infected user's machine on February 3, 2008.
Win32.BlackMail.xx

This is a "Bagle" mass-mailer which demonstrates typical "Bagle" behavior.Worm.Bagle.CP

Win32.Clagger.C This is small Trojan downloader that downloads files and lowers security settings. It is spreading as an email attachment.

Trojan.Dropper.MSWord.j A Microsoft Word macro virus that drops a trojan onto the infected host.

Trojan.IRCBot.dA worm that opens an IRC back door on the infected host. It spreads by exploiting the Windows Remote Buffer Overflow Vulnerability.

Win32.Spamta.KG.wormA multi-component mass-mailing worm that downloads and executes files from the Internet.

Win32.Peacomm.dam A Trojan Downloader that is spread as an attachment to emails with news headlines as the subject lines which downloads additional security threats.

Trojan-Downloader.VBS.Small.dc This Trojan downloads other files via the FTP protocol and launches them for execution on the victim machine without the users knowledge.

Win32.Miewer.a A Trojan Downloader that masquerades as a legitimate system file. Associated processes connect to the Internet to download additional malicious files.

Trojan-Dropper.Win32.Agent.bot is designed to retrieve and install files when executed. Win32.PerFiler is configured to download from either a designated web or FTP site.

Trojan-Dropper.Win32.Agent.bot This Trojan is designed to install and launch other malicious programs on the victim machine without the knowledge or consent of the user.

Win32.Sdbot.ADN A worm and IRC backdoor that exploits system and software vulnerabilities in order to provide unmitigated remote access to the host machine.

Win32.Delbot.AI A worm and IRC backdoor that exploits system and software vulnerabilities in order to provide unmitigated remote access to the host machine.

Adware.eXact.BargainBuddy A browser helper object that monitors internet browsing sessions in an attempt to redirect search queries and distribute unsolicited advertisements.

Trojan.Poison.J is a key-logging Trojan for the Windows platform.

Dialer.Trafficjam.a is a premium-rate phone dialer that automatically invokes paid access to various porn-related Web sites.

Trojan.Clicker.EC is an information stealing Trojan that masquerades as a legitimate system file so as to avoid detection and subsequent removal.

Spyware.007SpySoftware Program designed to monitor user activity. May be used with or without consent.

Trojan.BAT.Adduser.t This Trojan has a malicious payload. It is a BAT file. It is 1129 bytes in size.

SecurePCCleaner - C:/Program Files/SecurePCCleaner Rogue Security Software: fake Security software that uses deceptive means for installation and purpose.

TrustedAntivirus - C:/Program Files/TrustedAntivirus A corrupt and misleading anti-virus program that may be usually installed with the help of malcous Trojans and other malware

Trojan.Alg.t C:/windows/system32/alg.exe Trojan program that can compromise your private information stored on the hard drive.

Trojan horse that gets access to e-mail accounts on the infected computer.
Trojan.MailGrabber.s C:/windows/system32/explorer.exe

Trojan.Tooso is a trojan which attempts to terminate and delete security related applications.

Spyware.KnownBadSites Uses the Windows hosts file to redirect your browser to a malicious site when you try to access a valid site.

A Dialer that loads pornographic material. The url information shows Hardcore Pornographic pages.
Dialer.Xpehbam.biz_dialer C:/windows/system32/cmdial32.dll

Infostealer.Banker.E Steals sensitive information from the infected computer (e.g. logins and passwords from online banking sessions).

An IRC controlled backdoor that can be used to gain unauthorized access to a victim's machine.
Win32.Rbot.fm C:/windows/system32/svchost.exe

Spyware.IMMonitor Program that can be used to monitor and record conversations in popular instant messaging applications.

Zlob.PornAdvertiser.ba Adware that displays pop-up/pop-under advertisements of pornographic or online gambling Web sites.