From: "Lil' Abner" <blvstk@dogpatch.com>
| This may appear as kind of a rant. As far as I'm concerned, it's the best
| thing that has come along yet. I have probably cleaned up 100 instances of
| the AntivirusXP2008(2009) variants. MalwareBytes and Smitfraudfix are my
| top two tools.
| I installed XP in a virtual machine and have tried every which way to
| infect it with one of those variants. So I went to the warez groups and
| looked for obvious stuff. They all have different names, of course, but the
| last one, for instance, is Wise Disk Cleaner Pro v3 61 Keygen.zip. It
| unzips into an .exe file of the same name and is 130kb. This file gets 12
| hits at Virus Total. Malwarebytes doesn't detect anything.
| So I ran the exe file. It didn't do anything visible but I noticed in task
| manager that Wise Disk Cleaner and another file called file.exe were
| running. I didn't stop them but then ran MalwareBytes on the VM and it
| found 10 objects. 5 files (3 were dll's) and 2 were file.exe. The other 5
| were in the registry. It cleaned them perfect and on reboot there was no
| evidence left except.... Wise Disk Cleaner Pro v3 61 Keygen.exe, the one
| that installed it. I use an ISP provided antivirus and antispyware app
| called Secureit. It doesn't identify it. I have another machine with Norton
| on it and it didn't tag it either. According to VirusTotal, this file has
| been scanned before. So that means it's been around a while. What takes the
| antivirus companies and the antispyware people so long to get them on their
| lists?
| Oh yeah... how do I infect myself with AntivirusXP? :-)
The file, file.exe, is a downloader trojan that will download and install the Zlob trojan, which
will subsequently download and install rogue anti-malware such as Antivirus 2008.
The file, file.exe, is 15 to 15.5 KB.
Most of the software associated with the Zlob and rogue anti-malware is supplied through
Atrivo and its accomplices. There has been much in the way of writeups on how Atrivo and
its pals like ESTDomains, Intercage, Hostfresh and Inhoster host the malware for the
RBN.
http://voices.washingtonpost.com/sec..._as_major.html
Read the HostExploits white paper...
http://hostexploit.com/index.php?opt...d=12&Itemid=15
and...
http://voices.washingtonpost.com/sec...stdomains.html
http://www.spamhaus.org/news.lasso?article=636
Now that they are being exposed, uplink feeds have been cut off to Atrivo and many of the
sites hosting the malware are now hosed. However, expect the RBN to find new
hosts for their malicious actions.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp