Elevated RBN IP Range Activity

Currently, we are seeing user systems from all over the world being attacked by a series of rogueware and spyware components. The software is related to a web server at , whose IP address you can find among other Coolwebsearch/Gromozon/RBN addresses in the Russian Federation (still known as the “Russian Business Network”, even though much of the group moved operations to Panama and China). The authors continue to use many of the same simple filenames they started out with:
0.exe, 1.exe, 2.exe, 3.exe, 4.exe, 5.exe

Creative stuff, no?

The attack uses a variety of methods. One of the more effective techniques is simply bundling the software with “winpole2.exe” inside a setup file, which was available as another download at http://www.softportal2008-2008.com.

The dialog boxes are made to look like the Microsoft Security Center and claim that “Windows did not find Antivirus software on this computer”, even though the pages are not provided by “Windows” or Microsoft at all:

Clicking on one of the links provided by the Security Center lookalike takes you to “thespybot.com”, a knock-off of the legitimate antispyware product SpyBot S&D:

The other link in the Security Center lookalike takes the user to a page that reports phony scan results:

Now, instead of dropping the rogueware known as “Brave Sentry”, this new variant drops a variant of the phony antivirus software “vav.exe”, otherwise known as “Vista Antivirus 2008”.

If that is not enough to convince the user to pay for the misleading product, it falsely alerts the user to “Spyware.IEPass.Thief” on their system.

Antivirus coverage for many of the components is still very poor; in the scan results below, only four of the scanners detect much of the dropped components:
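As an added defensive example (not code from the original post), the following Python script flags web proxy log entries that match the indicators named above: the single-digit dropper filenames, the winpole2.exe and vav.exe binaries, and the two hosts mentioned. The log layout and the sample lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post above: single-digit dropper names (0.exe ... 5.exe),
# the bundled installer and rogue AV binary, and the two hosts it names.
DROPPER_NAME = re.compile(r"^\d\.exe$", re.IGNORECASE)
KNOWN_FILES = {"winpole2.exe", "vav.exe"}
KNOWN_HOSTS = {
    "softportal2008-2008.com", "www.softportal2008-2008.com",
    "thespybot.com", "www.thespybot.com",
}


def classify_request(url):
    """Return the list of indicator names a requested URL matches (empty if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    filename = parts.path.rsplit("/", 1)[-1].lower()
    reasons = []
    if host in KNOWN_HOSTS:
        reasons.append("known-host")
    if DROPPER_NAME.match(filename):
        reasons.append("single-digit-exe")
    if filename in KNOWN_FILES:
        reasons.append("known-filename")
    return reasons


# Constructed sample log in a Squid-like "timestamp client method url" layout (not real data).
SAMPLE_LOG = """\
1205000001.123 10.0.0.5 GET http://www.softportal2008-2008.com/setup.exe
1205000002.456 10.0.0.5 GET http://example-cdn.test/files/3.exe
1205000003.789 10.0.0.7 GET http://www.microsoft.com/security/
1205000004.012 10.0.0.9 GET http://download.test/vav.exe
"""


def scan_log(text):
    """Return (client, url, reasons) for every log line that matches at least one indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed or truncated lines
        _, client, _, url = fields[:4]
        reasons = classify_request(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} {url} -> {', '.join(reasons)}")
```

A single-digit .exe name on its own is a weak signal, so in practice the "single-digit-exe" hits are best treated as leads to correlate with the host and filename matches rather than as alerts by themselves.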

This entry was posted in Online Fraud.

One Response to Elevated RBN IP Range Activity

  1. Pablo Wahnon says:

    I think I’ve got this. But it doesn’t allow me to run Task Manager (on XP).
    What must I do?
