Are malware authors and the rest of the participants in fact willing to violate their OPSEC (operational security) for the sake of increasing the probability of successful malware infection by on purposely lowering down the security settings of Internet Explorer, by adding their malicious netblocks and domains into "Trusted Sites"? You bet.The infamous Smitfraud or PSGuard Desktop Hijacker, has been cooperating with known malicious parties for over an year now, a cooperation which exposes interesting relatinships between the usual suspects. Starting from the basic fact that a malware infected host is infected with many other totally unrelated to one another pieces of malware, Smitfraud's "pre-infection foreplay" demonstrates that they are willing to sacrifice operational security in order to increaes the probabilty of future infections on the same host.
Rogue software added as trusted sites upon Smitfraud infection :
about-adult .net
antivirus-scanner .com
best-porncollection .com
getadultaccess .com
getavideonow .com
ieantivirus .com
malwarebell .com
mega-soft-2008 .com
mooncodec .com
movsonline .com
ruler-cash .com
s-freeware .com
sexysoftwaredom .com
supersoft21freeware .com
the-programsportal .com
vwwredtube .com
wetsoftwares .com
youpornztube .com
securewebinfo .com
safetyincludes .com
securemanaging .com
myflydirect .com
onlinevideosoftex .com
scanner.malwscan .com
scanner.shredderscan .com
sex18tube2008 .com
spywareisolator .com
virus-scanner-online .com
security-scanner-online .com
virus-scanonline .com
antivirus-scanonline .com
topantivirus-scan .com
topvirusscan .com
virus-detection-scanner .com
antivirus-scanner .com
infectionscanner .com
internet-security-antivirus .com
hotvid44 .com
opaadownload .com
somenudefuck .com
Rogue netblocks and IPs added as trusted IP ranges upon Smitfraud infection :
"69.50.*.*"
"69.31.*.*"
"66.235.*.*"
"66.230.*.*"
"216.239.*.*"
"205.188.*.*"
"205.177.*.*"
"195.225.*.*"
"216.195.*.*"
"82.179.*.*"
"81.95.*.*"
"70.84.*.*"
"195.95.*.*"
"194.187.*.*"
"78.129.158.*"
"78.129.166.*"
"89.149.226.*"
"195.93.218.*"
"72.21.53.*
"81.9.3.*"
"213.189.27.*"
"88.255.74.*"
"79.143.178.*"
"202.71.102.*"
"64.202.189.170"
"217.170.77.150"
The second hardcoded trusted IP is also responding to :
virusisolator .comvirus-isolator .org
virus-isolator .net
soft-collections .com
viruswebprotect .com
virus-isolator .us
codecvideo2008-18 .com
sextubecodec55 .com
sextubecodec67 .com
soft-archives .com
soft-collections .com
codecreviews .com
codecvideo2008-18 .com
Such practices leave a great deal of malicious creativity, for instance, once rented a botnet's already infected malware PCs could start trusting the majority of sites in their scammy ecosystem. What's great is that by doing this they expose their affiliations with these affiliate based rogue security software programs, next to their infrastructure on which they may be that easily claiming ownership.
No comments:
Post a Comment