sudosecure.net


Comment Spam leads to rogue Security Applications/Scanners

Posted by jeremy on August 24th, 2008

I recently wrote some PHP code to start tracking comment spam bots, which has led to some interesting findings and statistics. The major goal for this script was to identify the most active comment spam bots by IP, but today I decided to follow some of the URLs in the comment spam postings to see if any badness was waiting for me. The very first URL I followed led to the rogue antivirus application that has been blogged about and documented heavily all over the net for about a month now and is known by numerous aliases: “Antivirus 2009, Windows XP Antivirus 2009, Antivirus 2008, Antivir64, and XP Antivirus”. In the write-ups I read regarding this rogue antivirus software I have not really seen anything on comment spam leading to it. Most of the write-ups cover email spam being sent out with catchy subject lines like “Prince Harry Proposes to Paris Hilton, Paris Hilton finds God: God issues denial, Britney Spears Sex Tape, Britney Spears Admits: My Vagina made me shave my head, and Hilton, Lohan, Spears, Duff star in Where The Boys Are remake”.

The instance of comment spam I investigated was posted by IP “189.73.10.64”, a host in Brazil with a reverse lookup name of “189-73-10-64.dsl.ctame700.brasiltelecom.net.br”. The comment spam was very simple, with a message of “Nice site, Thanks” and a URL entry of “hxxp://best-savings-accounts.expectgroup.net/best-high-interest-savings-accounts.html”. I would not recommend following this URL as it leads to malicious content. Doing a simple nslookup of best-savings-accounts.expectgroup.net returns the IP “84.16.255.84”, and doing an IP search on Malware Domain List shows this IP has been known to serve up badness: Malware Domain List search results. Both of the sites listed in the search results were linked to the Zlob Trojan.

The really interesting thing about this URL was that it was only a redirect to hxxp://virtualblog5.com. Doing an nslookup for virtualblog5.com returned the IP address “84.16.252.138”, and searching this IP address on Malware Domain List showed this IP has also been known to serve up badness: Malware Domain List search results. All four search results are classified as “rogue”, and given the dates this IP was reported I would have to assume this is nothing new. Virtualblog5.com was also a redirect to a virtual host on the same server, hxxp://scanner-prot.com, where the real badness surfaced. I was greeted with some simple JavaScript that identified my browser by looking at the User-Agent and then rendered a pop-up and a redirection to hxxp://scanner.antivir-64.com. Doing an nslookup for antivir-64.com returned two IPs: “78.157.142.7” and “91.203.92.64”. Doing the same simple searches at Malware Domain List (78.157.142.7 and 91.203.92.64) showed these IPs have already been identified as rogue application servers, so again nothing new here.

Since this was my final destination in the crafty redirects, I did some passive DNS investigations to see what other domains were being seen on these two IP addresses:

  • antivirus2008pro-download1.com A 78.157.142.7
  • antivirus2008pro-download2.com A 78.157.142.7
  • antivir-64.com A 78.157.142.7
  • scanner.antivir-64.com A 78.157.142.7
  • antivir64.com A 78.157.142.7
  • scanner.antivir64.com A 78.157.142.7
  • antivirus-2008a-pro.com A 78.157.142.7
  • antivirus2008t-pro.com A 78.157.142.7
  • antivirus-2008y-pro.com A 78.157.142.7
  • 2008pro-download1.com A 91.203.92.64
  • antivirus2008pro-download2.com A 91.203.92.64
  • antivir-64.com A 91.203.92.64
  • scanner.antivir-64.com A 91.203.92.64
  • antivir64.com A 91.203.92.64
  • scanner.antivir64.com A 91.203.92.64
  • antivirus-2008a-pro.com A 91.203.92.64
  • antivirus2008t-pro.com A 91.203.92.64
  • antivirus-2008y-pro.com A 91.203.92.64
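The redirect chain above was followed by hand in a browser. As an added example (my code, not the author's PHP script), here is a small tracer that follows HTTP-level redirects only, never executing any JavaScript, resolves each hop, and flags hops whose IP shows up in the passive DNS pivot from this post. The fetch and resolve stand-ins are constructed so it runs offline; that the hops were 302 redirects is an assumption, since the post only says each host "was only a redirect".

```python
from urllib.parse import urljoin, urlsplit

# Known-bad IPs from the passive DNS pivot in the post; a local stand-in for the
# Malware Domain List lookups the author did by hand.
KNOWN_BAD_IPS = {"84.16.255.84", "84.16.252.138", "78.157.142.7", "91.203.92.64"}

def refang(url):
    """Turn a defanged hxxp:// URL back into one that can be parsed."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://")

def trace_redirects(start_url, fetch, resolve, max_hops=10):
    """Follow HTTP-level redirects only; no JavaScript is ever executed.
    fetch(url) -> (status, headers); resolve(host) -> list of IP strings.
    Returns one dict per hop and stops at the first non-3xx response,
    on a redirect loop, or after max_hops."""
    url, seen, hops = refang(start_url), set(), []
    while url not in seen and len(hops) < max_hops:
        seen.add(url)
        host = urlsplit(url).hostname or ""
        ips = resolve(host)
        hops.append({"url": url, "host": host, "ips": ips,
                     "known_bad": any(ip in KNOWN_BAD_IPS for ip in ips)})
        status, headers = fetch(url)
        location = headers.get("Location")
        if not (300 <= status < 400 and location):
            break
        url = urljoin(url, location)  # Location may be relative
    return hops

# Constructed offline stand-ins modelled on the chain in the post. The 302s are
# an assumption: the post says each host "was only a redirect", not how.
FAKE_DNS = {
    "best-savings-accounts.expectgroup.net": ["84.16.255.84"],
    "virtualblog5.com": ["84.16.252.138"],
    "scanner-prot.com": ["84.16.252.138"],  # virtual host on the same server
}
FAKE_HTTP = {
    "http://best-savings-accounts.expectgroup.net/best-high-interest-savings-accounts.html":
        (302, {"Location": "http://virtualblog5.com/"}),
    "http://virtualblog5.com/": (302, {"Location": "http://scanner-prot.com/"}),
    # The last hop redirected via JavaScript in the post, so HTTP tracing ends here.
    "http://scanner-prot.com/": (200, {"Content-Type": "text/html"}),
}

def sample_trace():
    return trace_redirects(
        "hxxp://best-savings-accounts.expectgroup.net/best-high-interest-savings-accounts.html",
        fetch=lambda u: FAKE_HTTP.get(u, (404, {})),
        resolve=lambda h: FAKE_DNS.get(h, []))
```

Because the tracer stops at scanner-prot.com, the JavaScript hop to scanner.antivir-64.com is exactly the kind of step that has to be inspected in a sandbox rather than followed automatically.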

Looking at the domain names associated with these two IPs definitely shows that the comment spam I was investigating is linked to the rogue antivirus spam everyone is discussing. Getting back to the URL tracing, here is a snapshot of the pop-up window I received when redirected to this server:

Clicking “OK” will download the rogue antivirus software, which I would not recommend doing. Interestingly enough, this rogue antivirus software is very persistent in trying to get the user to install it, as clicking “Cancel” will redirect you to a fake online virus scanner, shown here:

Taking a look at the source code for this page shows that the list of files being shown as scanned is stored in a file called “fileslist.js”. In this file you will find a JavaScript array containing 443 bogus file names used in the scanning animation. Also, if any type of click is performed inside the browser window, it will cause another pop-up window, shown here:

Following the instructions presented in these pop-up windows will install the rogue antivirus software, but interestingly enough, clicking “Cancel” and trying to close the windows will kick off yet another pop-up window, shown here:

So as you can tell, the rogue antivirus application web page is very persistent in trying to get the visitor to download and install it. This persistence is most likely the reason this campaign has been so widely documented, as one mistake from a visitor and the badness is installed.

Now let's take a look at what a visitor would see if they were to install this rogue security application. I went ahead and downloaded the binary and ran it in my sandbox. The very first installation pop-up window looks very professional and presents a license agreement, which even includes a limited warranty. Here is a screenshot of this license agreement pop-up:

Once the “Continue” button is clicked, the rogue security software is installed and the following scan window pops up:

Once the scan is completed, the results are presented in another pop-up window telling the user that multiple files have been found to be infected in some way or another. Here is a snapshot of the results window:

For my investigation I went ahead and chose the “protect this files now” button. Again a pop-up window was presented to me, showing the different license packages sold for this rogue security software, seen here:

Clicking any one of the “subscribe now” buttons presents you with the following ordering form:

Well, as you can see from reading this post, the comment spam I followed was definitely related to the rogue antivirus software everyone seems to be writing about, or worse yet, experiencing its badness firsthand. I haven't tried to remove this infection as I did this on a sandboxed computer, but I have read that many users have had success getting rid of this rogue software application by following these instructions: Bleeping Computers removal instructions.

I also ran the downloaded binary in several online sandboxes, which you can check out here: VirusTotal Results 16/36 (44.45%), ThreatExpert Results, and Anubis Results.

One last thing to keep in mind about this rogue security software is that all of this is just one very large and elaborate phishing scam, so if anyone you know comes into contact with this rogue application, make sure to advise them to contact their bank and/or credit card companies if they entered their personal information into the purchase form.

2 Responses to “Comment Spam leads to rogue Security Applications/Scanners”

  1. Spelling Nazi Says:

    Really interesting stuff!
    Just FYI, I think that you meant “rogue” not “rouge.” The latter means “red.”

  2. jeremy Says:

    Thanks, not sure how I missed something so obvious, but you are correct, I meant “rogue”… Thanks again, and it has been corrected.
