MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, criminology computing and information security in general, always from a perspective closely related to the field of intelligence.

30.8.10

FakeAV via new strategy of deception from BKCNET "SIA" IZZI

Generally cheating strategies designed for the dissemination of false antivirus (AV Rogue) consist of online simulation of a scan for malware, showing an interface that mimics Windows Explorer and which always face the same threats, including when using operating systems other than Windows.

Conventional strategy of deception
This is one of the many templates. It shows a supposed scan to verify the integrity of the computer with an interface that simulates being under the Windows Explorer

However, recently launched a new strategy with similar features but using a different maneuver is to show a real video when it occurs, the event scanning. This is shown under the caption "Scan in progress. Please wait".

New strategy of deception
It shows a real video while the traffic is routed to a false report with the detection of a threat

While playing the video, traffic is routed to another page which displays information about alleged threats found after the scan. In this instance, presumably the information is provided by several antivirus engines listed in a strategic way to display information related to detection.

False report
As the scan has detected malware on your system. This seeks to give notice to the users through the false report with information from multiple antivirus engines

Coincidentally, each of the "products" to detect alleged antivirus malware activity provides the opportunity to download the application that will solve the problem:
Both the beginning and the end of the video shows the words "Protect your privacy! Use only licensed software!". It contains a high psychological impact of action on the user who "entertains" watching a video about the theft of data and then read the "recommendation".

Protect your privacy!
Psychological action strategy seeks to provoke a persuasive effect on users who then buy the rogue

This strategy is being channeled through the AS6851, better known as BKCNET "SIA" IZZI or SAGADE. BKCNET "SIA" IZZI serves as a "repository" to promote various criminal activities and provide cover for housing botnets and other crimeware as Koobface, ZeuS, Phoenix Exploit's Kit, BOMBA, among others, as well as some affiliated business type Pay-per-Install. In this case, solving from IP address. 85.234.191.173.

The team is completed by installing a rogue called AntiSpy Safeguard that the duration of their initial scan blocks access to operating system resources. The ultimate goal of rogue is, as usually happens, get stuck buying the application is malicious.

Purchase rogue
These pages are usually under the guise of legal services, and is whereby the offender obtained money from the sale of rogue data and credit card

With this maneuver, the offender, or affiliate program, make sure the one hand a percentage of money for the cost of the rogue, and on the other, to feed its database with information on the credit card which is then sold on the black market variable costs directly proportional to the type of credit card.

Related information

Pay-per-Install through VIVA INSTALLS / HAPPY INSTALLS in BKCNET “SIA” IZZI
Campaign infection through Phoenix Exploit's Pack
Circuit Koobface from 91.188.59.10 (BKCNET "SIA" IZZI)
BOMBA Botnet. New alternative crimeware fuel the economy criminalPhoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus

0 comentarios:

Post a Comment