ThinkPoint FakeAV distributed using Banner Ads

Wednesday, October 27, 2010
Author: Webmaster

FakeAV has been around a while. Its infection success can be attributed to its use of social engineering: it typically mimics a security alert indicating that you're infected and offers a way to clean it.

The latest variant is going mostly unnoticed because of the way it's spreading... through legitimate sites such as MSNBC.com. A banner advertisement served by MSN redirects, and several redirects later we end up with content served by adshuffle1.com. The URLs vary, but this one seems the most suspicious:

/bdb/fullfrontalfation/728x90.swf

But we don't stop here. Another redirect brings us to domains hosted on 91.213.217.35. So far I've seen:

conduceability DOT com /new/users/root/file/file.exe
(tracked by AMaDa: http://amada.abuse.ch/?search=c88c13514cebb65a76d0429ec3879f7d)

fairysm DOT com /new/show.php?key=87c1a082278ace8fdf2f63b86db29d6f&u=root

fairysm DOT com /new/2fcf333c783/7909df6ac8d.jar

karolie DOT com /new/forum.php

At some point during the infection phase, you're presented with some alarms. Just a couple of screenshots of what you'll see:

[Screenshot: fake ThinkPoint alert, text as shown]

Security software ThinkPoint(c) has detected the submitted suspicious file Trojan.Horse.Win32.PAV.64.a as a virus. A trial version of ThinkPoint(c) software is able to remove Trojan.Horse.Win32.PAV.64.a virus from your system.
It is installed on your computer.
Please click "Ok" to reboot and complete the installation.

What little information there is about this attack is limited to the blogging and forum communities. Some references include:

Microsoft Security Essentials is Fake
http://www.f-secure.com/weblog/archives/00002053.html

ThinkPoint Fake AV
http://www.podnutz.com/forums/viewtopic.php?f=26&p=20540

Security Alert: ThinkPoint or MSE FakeAV infection
http://www.geeksquad.com/intelligence/blog/security-alert-thinkpoint-or-mse-fakeav-infection/

How to remove ThinkPoint (Uninstall Guide)
http://deletemalware.blogspot.com/2010/10/how-to-remove-thinkpoint-uninstall.html

ThinkPoint rogue has functioning menu
http://sunbeltblog.blogspot.com/2010/10/thinkpoint-rogue-has-functioning-menu.html

If you're an administrator on your network, I suggest you just go ahead and block the IP 91.213.217.35 until the advertisers clean this up. Even if your antivirus manages to catch this, I'm afraid of what else it might not have caught in the process that could be sitting idle.
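Blocking the IP is the quick fix; the other thing an administrator wants is to know which internal hosts already walked the redirect chain listed above, and which of those only loaded the ad creative versus actually reached the payload host. The script below is an added example, not code from the post, that runs the indicators given above (the IP, the three domains with "DOT" expanded to ".", the 728x90.swf path, the file.exe/show.php/forum.php paths, and the AMaDa MD5) over proxy log lines. The log format is a hypothetical simplified one (timestamp, client IP, destination IP, Host header, request path, HTTP status) and every sample line is constructed; the non-indicator destination IPs are documentation-range addresses, not real servers.

```python
import hashlib

# --- Indicators taken from the post (defanged "DOT" expanded to ".") ----------
IOC_IP = "91.213.217.35"
IOC_DOMAINS = {"conduceability.com", "fairysm.com", "karolie.com"}
IOC_PATHS = (
    "/bdb/fullfrontalfation/728x90.swf",   # ad creative served via adshuffle1.com
    "/new/users/root/file/file.exe",       # dropper on conduceability.com
    "/new/show.php",                       # landing script on fairysm.com
    "/new/forum.php",                      # karolie.com
)
IOC_MD5 = "c88c13514cebb65a76d0429ec3879f7d"  # file.exe sample tracked by AMaDa

# --- Constructed sample log (hypothetical format, see lead-in) ---------------
# Fields: unix_ts client_ip dest_ip host path status
SAMPLE_LOG = """\
1288166400 10.0.0.12 203.0.113.10 www.msnbc.msn.com /id/3032072/ 200
1288166401 10.0.0.12 198.51.100.7 adshuffle1.com /bdb/fullfrontalfation/728x90.swf 200
1288166403 10.0.0.12 91.213.217.35 fairysm.com /new/show.php?key=87c1a082278ace8fdf2f63b86db29d6f&u=root 200
1288166404 10.0.0.12 91.213.217.35 fairysm.com /new/2fcf333c783/7909df6ac8d.jar 200
1288166405 10.0.0.12 91.213.217.35 conduceability.com /new/users/root/file/file.exe 200
1288166410 10.0.0.45 203.0.113.20 example.org /index.html 200
1288166415 10.0.0.77 91.213.217.35 karolie.com /new/forum.php 200
1288166420 10.0.0.90 198.51.100.7 adshuffle1.com /bdb/fullfrontalfation/728x90.swf 200
this line is malformed and must be skipped
"""


def parse_line(line):
    """Split one log line into a dict, or return None if it is malformed."""
    parts = line.split(None, 5)
    if len(parts) != 6 or not parts[0].isdigit():
        return None
    ts, client, dest_ip, host, path, status = parts
    return {"ts": int(ts), "client": client, "dest_ip": dest_ip,
            "host": host.lower(), "path": path, "status": status}


def match_indicators(rec):
    """Return a list of 'kind:value' strings for every indicator the record touches."""
    hits = []
    if rec["dest_ip"] == IOC_IP:
        hits.append("ip:" + IOC_IP)
    for domain in sorted(IOC_DOMAINS):
        # exact match or any subdomain of a listed domain
        if rec["host"] == domain or rec["host"].endswith("." + domain):
            hits.append("domain:" + domain)
    path_only = rec["path"].split("?", 1)[0]  # compare without the query string
    for path in IOC_PATHS:
        if path_only == path:
            hits.append("path:" + path)
    return hits


def scan_log(text):
    """Map client IP -> list of (ts, host, path, hits) for lines touching any indicator."""
    findings = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = match_indicators(rec)
        if hits:
            findings.setdefault(rec["client"], []).append(
                (rec["ts"], rec["host"], rec["path"], hits))
    return findings


def triage_clients(findings):
    """Separate hosts that reached the payload IP from hosts that only loaded the ad."""
    verdicts = {}
    for client, events in findings.items():
        reached_payload_host = any("ip:" + IOC_IP in hits for _, _, _, hits in events)
        verdicts[client] = "reached payload host" if reached_payload_host else "ad creative only"
    return verdicts


def bytes_match_sample(data):
    """True if the given file contents hash to the MD5 the post cites from AMaDa."""
    return hashlib.md5(data).hexdigest() == IOC_MD5


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for client, verdict in sorted(triage_clients(results).items()):
        print(client, "->", verdict)
        for ts, host, path, hits in results[client]:
            print("   ", ts, host, path, ", ".join(hits))
```

Hosts in the "reached payload host" bucket are the ones to pull off the network and image, since, as noted above, the antivirus catching file.exe says nothing about the .jar or whatever show.php handed back. Hosts in the "ad creative only" bucket saw the rogue banner but the chain did not complete; they still tell you which sites and ad networks were serving it.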


http://www.antisource.com/article.php/fakeav-thinkpoint-banner-ads