Don't. Continuing previous posts on three different portfolios of fake security software, and on Zlob malware variants posing as video codecs, the rogue security application XP Shield is the latest addition to the never-ending list, with the following domains participating in the campaign:
The detection rates for the time being:
XPShieldSetup.exe
Scanners result : 1/32 (3.13%)
File size: 517632 bytes
MD5...: 99c7271ac88edc56e1d89c9f738f889c
SHA1..: 3347564017d289ffd116f70faa712e05883358f4
XPantivirus2008_v880381.exe
Scanners result : 4/32 (12.5%)
File size: 65024 bytes
MD5...: ef9024963b1d08653dcc8d8b0d992998
SHA1..: 436bf47403e0840d423765cf35cf9dea76d289a5
How would the end user reach these domains in the first place, from a malicious attacker's perspective? By being redirected to them through a legitimate site that has already been SQL injected or had an iFrame embedded in it, with evidence of the practice seen in the majority of massive iFrame, SEO poisoning and SQL injection campaigns from the last couple of months.
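For a site owner checking their own pages for the kind of embedded iFrame described above, the following is an added example and not part of the original post. It lists every iframe whose source host is off an allowlist and marks the ones hidden from the visitor; the allowlist, host names and sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site legitimately frames; an assumption for this example.
ALLOWED_HOSTS = {"www.shop.example", "player.video.example"}

def _is_hidden(attrs):
    """True when the iframe is sized or styled so a visitor never sees it."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    # A width or height of 0 or 1 pixel is a common injected-iframe footprint.
    return any(re.fullmatch(r"[01](px)?", (attrs.get(k) or "").strip().lower())
               for k in ("width", "height"))

class IframeAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (host, hidden) for every off-allowlist iframe

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # the parser lowercases tag and attribute names
            return
        a = dict(attrs)
        host = (urlparse(a.get("src") or "").hostname or "").lower()
        if host and host not in ALLOWED_HOSTS:
            self.findings.append((host, _is_hidden(a)))

def audit(html):
    parser = IframeAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: one expected embed, two injected frames.
SAMPLE = """
<html><body>
<iframe src="https://player.video.example/embed/1" width="640" height="360"></iframe>
<p>Product list</p>
<IFRAME SRC="http://scanner.rogue-av.example/?id=7" WIDTH=1 HEIGHT=1></IFRAME>
<iframe src="//cdn.rogue-av.example/x" style="Display: None"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for host, hidden in audit(SAMPLE):
        print(f"off-site iframe -> {host} (hidden={hidden})")
```

Relative `src` values have no host and are skipped, so only frames that load content from another site are reported.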
Thursday, May 15, 2008
Got Your XPShield up and Running?