The ThreatFire community is preventing an unusual hosts file modification in higher prevalence than usual that seems to be related to “Spyware Protect 2009″. On unprotected systems, the end result can be that your browser appears to be visiting “browser-security.microsoft.com” when it’s really not the legitimate microsoft.com site, alerting you to a familiar browser warning “visiting this site may harm your computer!”. You can see the spoofed microsoft.com url circled in red in the image:
So far, getting the user to run an executable (or exploiting a system running vulnerable third party pdf reader plugins) that modifies the hosts file with “browser-security.microsoft.com” to redirect to 220.127.116.11 and launch a browser to a page on that domain seems to be a fairly prevalent tactic. The links on the page direct the user to pay for another piece of rogueware called “Spyware Protect 2009″. In no way is this site associated with the real microsoft.com web presence.
Other domains shared by the group right now are sys-protection.com, sysguard2009.com, os-protection.com, swp2009.com, spy-protect-2009.com, spywprotect.com and some adult entertainment links. Avoid these domains and rogueware.
Update: The “Malware Analysis and Diagnostic” blog posted some additional information on the rogueware. Looks like an interesting blog, and for english readers, Google translate is your friend.
Update: More of the same technique found here.
Update: Michael Hale Ligh posted details of his investigation into a related incident here. In an update, he comments that the user’s system had an outdated version of Adobe Acrobat Reader, which was most likely the targeted vulnerable application. It’s excellent work and a great read for those interested in technical details.