ThinkPoint FakeAV distributed using Banner Ads

Wednesday, October 27, 2010
Author: Richard S. Westmoreland
Permalink: fakeav-thinkpoint-banner-ads
General News


FakeAV has been around a while. Its infection success can be attributed to its use of social engineering: it typically mimics a security alert claiming you're infected and offers to clean the infection for you.

The latest variant is going mostly unnoticed because of the way it's spreading: through legitimate sites such as MSNBC.com. A banner advertisement served by msn redirects, and several redirects later we end up with content served by adshuffle1.com. The URLs vary, but this one seems the most suspicious:

/bdb/fullfrontalfation/728x90.swf

The chain doesn't stop there. Another redirect brings us to domains hosted on 91.213.217.35. So far I've seen:

conduceability DOT com /new/users/root/file/file.exe
which has been tracked by AMaDa: http://amada.abuse.ch/?search=c88c13514cebb65a76d0429ec3879f7d

fairysm DOT com /new/show.php?key=87c1a082278ace8fdf2f63b86db29d6f&u=root

fairysm DOT com /new/2fcf333c783/7909df6ac8d.jar

karolie DOT com /new/forum.php


At some point during the infection phase, you're presented with alarms. The text of one of the alerts reads:



Security software ThinkPoint(c) has detected the submitted suspicious file Trojan.Horse.Win32.PAV.64.a as a virus. A trial version of ThinkPoint(c) software is able to remove Trojan.Horse.Win32.PAV.64.a virus from your system.
It is installed on your computer.
Please click "Ok" to reboot and complete the installation.




What little information there is about this attack is limited to the blogging and forum communities. Some references include:

Microsoft Security Essentials is Fake
http://www.f-secure.com/weblog/archives/00002053.html

ThinkPoint Fake AV
http://www.podnutz.com/forums/viewtopic.php?f=26&p=20540

Security Alert: ThinkPoint or MSE FakeAV infection
http://www.geeksquad.com/intelligence/blog/security-alert-thinkpoint-or-mse-fakeav-infection/

How to remove ThinkPoint (Uninstall Guide)
http://deletemalware.blogspot.com/2010/10/how-to-remove-thinkpoint-uninstall.html

ThinkPoint rogue has functioning menu
http://sunbeltblog.blogspot.com/2010/10/thinkpoint-rogue-has-functioning-menu.html

If you're an administrator on your network, I suggest you just go ahead and block the IP 91.213.217.35 until the advertisers clean this up. Even if your antivirus manages to catch this, I'm afraid of what else it might not have caught in the process and could be sitting idle.
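Blocking the IP is the quick fix; the follow-up question is which workstations already went through the chain. The script below is an added example, not part of the original post, that runs the indicators listed above (the 91.213.217.35 peer, the three domains hosted there, and the paths from the redirect chain) over Squid-format proxy log lines. The log lines are constructed for the example; the client addresses, the peer addresses for msnbc.com and adshuffle1.com, and the generalized hex-named .jar path are assumptions, and only the ThinkPoint URLs and IP come from the post.

```python
"""Scan Squid native access.log lines for the ThinkPoint redirect chain."""
import re
from urllib.parse import urlsplit

# Indicators taken from the post (written there with "DOT" instead of ".").
BLOCKED_IP = "91.213.217.35"
IOC_DOMAINS = {"conduceability.com", "fairysm.com", "karolie.com"}
# Exact paths seen in the chain. show.php is matched without its query string,
# since the key= value changes per victim.
IOC_PATHS = {
    "/bdb/fullfrontalfation/728x90.swf",
    "/new/users/root/file/file.exe",
    "/new/show.php",
    "/new/forum.php",
}
# Assumption: the applet path keeps the shape of the one observed URL
# (/new/<11 hex>/<11 hex>.jar); this generalizes from a single sample.
JAR_PATH = re.compile(r"^/new/[0-9a-f]{11}/[0-9a-f]{11}\.jar$")

# Squid native format: ts elapsed client result/code bytes method url user hier/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample log: one client walks the whole chain, a second client
# reaches the blocked IP through a domain not on the list. Peer addresses for
# the legitimate sites are documentation-range placeholders.
SAMPLE_LOG = """\
1288131200.101 312 10.0.0.12 TCP_MISS/200 48120 GET http://www.msnbc.com/ - DIRECT/198.51.100.7 text/html
1288131201.455 140 10.0.0.12 TCP_MISS/200 20133 GET http://adshuffle1.com/bdb/fullfrontalfation/728x90.swf - DIRECT/203.0.113.5 application/x-shockwave-flash
1288131203.020 210 10.0.0.12 TCP_MISS/200 1522 GET http://fairysm.com/new/show.php?key=87c1a082278ace8fdf2f63b86db29d6f&u=root - DIRECT/91.213.217.35 text/html
1288131204.330 890 10.0.0.12 TCP_MISS/200 31204 GET http://fairysm.com/new/2fcf333c783/7909df6ac8d.jar - DIRECT/91.213.217.35 application/java-archive
1288131206.712 1520 10.0.0.12 TCP_MISS/200 402944 GET http://conduceability.com/new/users/root/file/file.exe - DIRECT/91.213.217.35 application/octet-stream
1288131210.005 95 10.0.0.33 TCP_MISS/200 880 GET http://some-new-domain.invalid/new/forum.php - DIRECT/91.213.217.35 text/html
1288131212.900 60 10.0.0.33 TCP_HIT/200 3120 GET http://www.example.com/index.html - NONE/- text/html
""".splitlines()


def classify(line):
    """Return (client, url, reasons) when a line matches an indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = m.group("url")
    # CONNECT entries log "host:port" with no scheme; urlsplit needs one.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    peer = m.group("hier").rsplit("/", 1)[-1]  # DIRECT/91.213.217.35 -> 91.213.217.35
    reasons = []
    if peer == BLOCKED_IP:
        reasons.append("served from " + BLOCKED_IP)
    if host in IOC_DOMAINS:
        reasons.append("known domain " + host)
    if parts.path in IOC_PATHS or JAR_PATH.match(parts.path):
        reasons.append("known path " + parts.path)
    return (m.group("client"), url, reasons) if reasons else None


def scan(lines):
    """Run classify over every line and keep only the hits."""
    return [hit for hit in (classify(line) for line in lines) if hit]


def clients_to_triage(lines):
    """Workstations that touched any indicator; each needs a look beyond the AV verdict."""
    return sorted({client for client, _url, _reasons in scan(lines)})


if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(client, url, "; ".join(reasons))
    print("triage:", clients_to_triage(SAMPLE_LOG))
```

The peer-IP check is the one that matters most: the last sample line with a domain not on the list is still caught because it was fetched from 91.213.217.35, which is exactly why blocking the address rather than chasing domain names is the right short-term move. Run it against a real access.log with `scan(open("/var/log/squid/access.log"))`.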