Tuesday, June 9, 2009

Malware, Malicious and Spam Site Reports: search-and-destroy, antimalware-live-scanv3 [Updated]

Last week I researched some malware distribution sites including search-and-destroy dot com and antimalware-live-scanv3 dot com.

For more detailed reports for search-and-destroy dot com and its malicious payload, see:
File details courtesy of VirusTotal:
File name: SearchAndDestroy.exe
File size: 15403586 bytes
MD5 : 8fb526b68a826cd3c87f0bf39a22c8df
SHA1 : 2175cbb71d63f667a460d776361225d7195748d0
SHA256: 896e81b6d01cf13e91105de296607ef8f457116d36870ad2cc717a14657b8374
Variously identified as: Riskware.FraudTool.Win32.SearchAndDestroy!IK, DR/Fraud.SearchAndDestroy.A.2, Fake_AntiSpyware.AMR, Application.Generic.27393, Win32.FraudTool.Sear, FraudTool.Win32.SearchAndDestroy.a, Trojan.Dropper.Fraud.SearchAndDestroy.A.2, Win32/Adware.AntiVirusPro, FakeAV.VU, Adware/SearchAndDestroy, etc.
This deceptively named, fraudulent malware is advertised by spamming anti-virus forums or article comments. This malware and the associated site have no relation whatsoever to the legitimate anti-spyware utility Spybot-Search & Destroy; the malware authors are seeking to piggyback on Spybot-S&D's good reputation by giving their malware a similar name. Only 16 out of 40 antivirus products currently detect this payload as malware. NOTE: I tried to submit this sample to multiple anti-virus vendors for analysis, but unfortunately most companies seem to have limitations on the sample file sizes that they accept. Since this sample is larger than usual (about 15 MB), it is apparent that the malware author made it very difficult to submit the sample to most anti-virus/anti-malware companies. This reveals a major flaw in the sample submission systems of many AV vendors; if their dropboxes only accept small files, a malware creator can prevent detection by simply making their payloads a bit too large for independent security researchers to upload to these vendors.

Another site and malware file that I researched recently is antimalware-live-scanv3 dot com. For more detailed reports for this domain and its malicious payload, see:
File details courtesy of VirusTotal:
File name: Install_2009-1541.exe, Install_2007.exe or Install_0000.exe
File size: 147456 bytes
MD5 : a5ca6016e61a916470af3dfa3092653e
SHA1 : 308c1c10a0d0b4e4fa809dca28c09a795030b9a8
SHA256: 4bc080e77782f27ab2f0578086b37d185a5ef22708d0a55435c6ef1d2bc8bb95

Variously identified as: Win-Trojan/Fraudpack.147456.B, TR/BurnInHell.D, W32/FakeAV.KS, Win32:Rootkit-gen, Generic13.BDHW, Trojan.FraudPack.onq, Win32.Banker, Trojan.Win32.FraudPack.onq, W32/FraudPack.ONQ!tr, Trojan.BurnInHell.D, Trojan:Win32/FakeXPA, Win32/Adware.PersonalAntivirus, TROJ_FAKEAV.BIM, Spyware.FraudPack.147456.A, etc.
As of last Wednesday, only 1 major antivirus product (Prevx) detected the payload as malware. I submitted the sample to multiple vendors and two have replied so far (Kaspersky and McAfee) stating that they have added the file's signature to their definitions as Trojan.Win32.FraudPack.onq and FakeAlert-di respectively. I have not rescanned the file since then, but other vendors may have added this signature to their detection libraries by now. UPDATE: As of 9 June, rescanning the file with VirusTotal shows that 24 out of 39 virus/malware scanning engines now detect this threat (see the report). I have added an additional file name and several detection names above.
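Since signature coverage for both payloads lagged behind the published hashes, the practical use of the file details above is to check files against them directly. The following script is an added example (not code from the original post or from any vendor named here): it streams each file through MD5, SHA1 and SHA256 in fixed-size chunks so that a sample as large as the 15 MB one above never has to be loaded into memory, and reports any file whose digests match the two VirusTotal entries quoted in the post. The `KNOWN_BAD` table holds only the hashes and sizes listed above; the function names, the chunk size and the directory-walk helper are this example's own choices.

```python
import hashlib
import io
import os
import sys

# Hashes and sizes copied from the two VirusTotal reports quoted in the post.
KNOWN_BAD = {
    "SearchAndDestroy.exe": {
        "size": 15403586,
        "md5": "8fb526b68a826cd3c87f0bf39a22c8df",
        "sha1": "2175cbb71d63f667a460d776361225d7195748d0",
        "sha256": "896e81b6d01cf13e91105de296607ef8f457116d36870ad2cc717a14657b8374",
    },
    "Install_2009-1541.exe": {  # also seen as Install_2007.exe / Install_0000.exe
        "size": 147456,
        "md5": "a5ca6016e61a916470af3dfa3092653e",
        "sha1": "308c1c10a0d0b4e4fa809dca28c09a795030b9a8",
        "sha256": "4bc080e77782f27ab2f0578086b37d185a5ef22708d0a55435c6ef1d2bc8bb95",
    },
}

CHUNK_SIZE = 1 << 20  # 1 MiB per read; assumption of this example, not a page value


def hash_stream(fh, chunk_size=CHUNK_SIZE):
    """Return (size, md5, sha1, sha256) for a binary file-like object.

    All three digests are updated from the same chunk so the file is read
    once, regardless of how large it is.
    """
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    size = 0
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        size += len(chunk)
        md5.update(chunk)
        sha1.update(chunk)
        sha256.update(chunk)
    return size, md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def hash_bytes(data):
    """Hash an in-memory byte string (handy for tests and captured samples)."""
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    """Hash a file on disk without loading it whole into memory."""
    with open(path, "rb") as fh:
        return hash_stream(fh)


def match_hashes(digests, iocs=KNOWN_BAD):
    """Return the names of IoC entries whose hashes match the given digests.

    `digests` is the (size, md5, sha1, sha256) tuple from hash_file/hash_bytes.
    Any one matching digest is reported; SHA256 is the one to treat as
    authoritative, since MD5 collisions are practical and SHA1 is weakening.
    """
    size, md5, sha1, sha256 = digests
    hits = []
    for name, ioc in iocs.items():
        if (sha256 == ioc.get("sha256")
                or sha1 == ioc.get("sha1")
                or md5 == ioc.get("md5")):
            hits.append(name)
    return hits


def scan_tree(root, iocs=KNOWN_BAD):
    """Walk a directory tree; return {path: [matched IoC names]} for hits only.

    Unreadable files are skipped rather than aborting the whole scan.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hits = match_hashes(hash_file(path), iocs)
            except OSError:
                continue
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    # Usage: python check_iocs.py <directory>
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in scan_tree(root).items():
        print(f"MATCH {path}: {', '.join(hits)}")
```

Size is kept in the table but not used as a match criterion: it is a useful sanity check on a transcribed hash (a 147456-byte file cannot be the 15 MB sample), but a size match on its own proves nothing. Run the script against a download directory or a quarantine folder to confirm whether either of the two samples is present, independent of which scanner signatures have caught up.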

Following are some other malware-associated domains that I've recently reported. The links go to my McAfee SiteAdvisor report for each domain:
Following are some spam sites I've reported recently. I've limited this list to those that don't show many results in a Google search. Again, the links go to my McAfee SiteAdvisor report for each domain:
Please stay tuned for more updates to the JoshMeister on Security by subscribing to the RSS feed, or follow me on Twitter.