We are currently seeing user systems all over the world being attacked by a series of rogueware and spyware components. The software is associated with a web server at http://18.104.22.168, an IP address that sits among other CoolWebSearch/Gromozon/RBN addresses in the Russian Federation (the group is still known as the “Russian Business Network”, even though much of its operation has moved to Panama and China). The authors continue to use many of the same simple filenames they started out with:
0.exe, 1.exe, 2.exe, 3.exe, 4.exe, 5.exe
Creative stuff, no?
The attack uses a variety of methods. One of the more effective is simply bundling the software with “winpole2.exe” inside a setup file, which was available as another download from http://www.softportal2008-2008.com.
The dialog boxes are made to look like the Windows Security Center and claim that “Windows did not find Antivirus software on this computer”, although the pages are not provided by “Windows” or Microsoft at all:
Clicking on one of the links provided by the Security Center lookalike takes you to “thespybot.com”, a knock-off of the legitimate antispyware product SpyBot S&D:
The other link in the Security Center lookalike takes the user to a page that reports phony scan results:
Instead of dropping the rogueware known as “Brave Sentry”, as earlier versions did, this new variant drops the phony antivirus program “vav.exe”, otherwise known as “Vista Antivirus 2008”.
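As an added example that is not part of the original post, the following Python script turns the indicators named above (the server at 18.104.22.168, the softportal2008-2008.com bundle site, the thespybot.com lookalike, winpole2.exe, vav.exe, and the 0.exe through 5.exe names) into a simple check over web proxy logs. The log format and the log lines themselves are constructed for the example and will need adapting to a real proxy's format; the single-digit filenames are treated as a weak indicator unless they come from one of the named hosts, since a name like 1.exe on its own is not worth acting on.

```python
"""Added example (not from the original post): check proxy log lines against
the indicators the post names.

Indicators taken from the post: the download host 18.104.22.168, the bundle
site softportal2008-2008.com, the lookalike domain thespybot.com, the bundled
dropper winpole2.exe, the rogue AV vav.exe, and the filenames 0.exe .. 5.exe.
The log format and SAMPLE_LOG are constructed for this example.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

KNOWN_HOSTS = {
    "18.104.22.168",                # web server the components are associated with
    "www.softportal2008-2008.com",  # site offering the bundled setup file
    "thespybot.com",                # SpyBot S&D lookalike
}

KNOWN_FILES = {"winpole2.exe", "vav.exe"}

# Weak indicator on its own: single-digit names such as 0.exe .. 5.exe.
DIGIT_EXE = re.compile(r"^[0-9]\.exe$", re.IGNORECASE)

# Constructed log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample log: one infected client, one client fetching an
# unrelated 1.exe, and one malformed line.
SAMPLE_LOG = """\
2008-06-12T10:01:02Z 10.0.0.5 GET http://www.softportal2008-2008.com/setup.exe 200
2008-06-12T10:01:40Z 10.0.0.5 GET http://18.104.22.168/1.exe 200
2008-06-12T10:01:41Z 10.0.0.5 GET http://18.104.22.168/2.exe 200
2008-06-12T10:02:10Z 10.0.0.5 GET http://thespybot.com/download/vav.exe 200
2008-06-12T10:03:00Z 10.0.0.7 GET http://www.example.com/index.html 200
2008-06-12T10:03:05Z 10.0.0.7 GET http://cdn.example.com/1.exe 404
malformed line that should be skipped
"""


def classify(url):
    """Return the indicator labels matching this URL (empty list = no hit)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    filename = parts.path.rsplit("/", 1)[-1].lower()
    hits = []
    if host in KNOWN_HOSTS:
        hits.append("known-host:" + host)
    if filename in KNOWN_FILES:
        hits.append("known-file:" + filename)
    elif DIGIT_EXE.match(filename):
        # A numbered filename only counts as a real hit from a known host;
        # from anywhere else it is too generic and is labelled weak.
        label = "digit-exe:" if host in KNOWN_HOSTS else "digit-exe-weak:"
        hits.append(label + filename)
    return hits


def scan_log(text):
    """Parse log text; return {client_ip: [(url, labels), ...]} for matching lines."""
    findings = defaultdict(list)
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        labels = classify(m.group("url"))
        if labels:
            findings[m.group("client")].append((m.group("url"), labels))
    return dict(findings)


def strong_hits(findings):
    """Clients with at least one indicator stronger than a lone numbered .exe."""
    return sorted(
        client
        for client, entries in findings.items()
        if any(not label.startswith("digit-exe-weak:")
               for _, labels in entries for label in labels)
    )


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    for client, entries in sorted(result.items()):
        for url, labels in entries:
            print(client, url, ", ".join(labels))
    print("clients needing follow-up:", strong_hits(result))
```

Run against the constructed log, the script reports 10.0.0.5 for the bundle download, the two numbered executables from the named server and the vav.exe fetch, while 10.0.0.7's unrelated 1.exe is only flagged as weak and does not make the follow-up list.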