![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqjghHqgqmbmPbOPXJmPbQMeom1bemrgfQkYQN9Y6lLtr6Z0SCc2AMop3V_ud4TRocA7Hhb-BndZtWnZwqF5mQzsCAuQNDKrvBa2WGhn88StcQCgiKs5zvBr7TvdZV6gpVlnKU/s200-r/rogue_security_software_portfolio_november.png)
premium-pc-scan .com (78.159.118.217; 89.149.253.215; 91.203.92.47)
antivirus-pc-scan .com (208.72.169.100)
securityfullscan .com (84.243.197.184)
antivirus-live-scan .com (84.243.196.136; 89.149.227.196)
windefender-2009 .com (200.63.45.55)
windefender2009 .com
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZWweASUdr7tzK3Y0jPHmoQLyogO7rVLK935XY_LlgBR4RarhNCuADpBcZ2HDIE0W4hydtU8rJi-cDQSF_vBExJRelkwdWgxfdKHL92djgRpCVMlE7wpV81relJdX5YrYbsT7a/s200-r/rogue_security_software_portfolio_november_1.png)
"Not Found. The requested URL /2009/download/trial/A9installer_.exe was not found on this server."
Registrant:
Vladimir Polilov
Email: gpdomains@yahoo.com
Organization: Private person
Address: ul. Bauma 13-76
City: Moskva
State: Moskovskaya oblast
ZIP: 112621
Country: RU
Phone: +7.9031609536
DNS servers used - ns1.freefastdns.com; ns2.freefastdns.com
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh81XjWo4NDVdMdTRBDC7qJgTTvMtbdR4muvXy0mMgvn8L1Ff3Ir__QMwEBcLHi2Wd8ysM_MJyLs4WFH99nBIt6Xqc_fQbE6c3a6rXm-5fjTcPJ1nFN3fLS6gEHIjOo-1GeVGN3/s200-r/rogue_security_software_portfolio_november_2.png)
Registrant:
Shestakov Yuriy
Email: alexey@cocainmail.com; alexeyvas@safe-mail.net
Phone: +7.9218839910
Address: Lenina 21 16
City: Mirniy, MSK, RU 102422
The sampled WinDefender binaries phone back to megauplinkbindinstaller .com/cfg1.php (91.203.92.99); the entire netblock is clearly a bad neighborhood. Here are some sample command and control locations:
91.203.92.101 /admin/cd.php?userid=19102008_184429_260953
91.203.92.25 /dmn/domen.txt
91.203.92.135 /alligator/cfg.bin
91.203.92.132 /c.bin
This operation is being monitored, results will be posted as they emerge.
Related posts:
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software