SpywareGuide powered by FaceTime Security Labs

Rogue Security Applications Being Pushed On Myspace

If you happened to open up certain profiles on Myspace these past few days, you'd have the misfortune of seeing the following appear in the middle of your screen:

http://blog.spywareguide.com/upload/2007/06/myspaceremove1-thumb.jpg

That's a vaguely scary thing to have appear on a Myspace profile, because you just know it's going to be pressed a ridiculous number of times. If the user downloads and runs the file, they'll see some of the sights below when using Internet Explorer:

http://blog.spywareguide.com/upload/2007/06/myspaceremove2-thumb.jpg
http://blog.spywareguide.com/upload/2007/06/myspaceremove3-thumb.jpg

Of course, no hijack like this would be complete without some fake Taskbar warnings, right?

myspaceremove4.jpg


myspaceremove5.jpg

If you click on either the popups or the hijacked IE banner you're taken to a site called Antispysolutions.com:

http://blog.spywareguide.com/upload/2007/06/myspaceremove6-thumb.jpg

Time for a quick detour. Here's some coverage of one of the programs, Spy Away, from March of this year. Have a look at the fake "detection" in the detections box - note that it simply says "Sistray.exe". Apparently the application and/or site vanished for a while. Well, fast forward to the present day and if you download and run the executable, you'll see a very interesting difference:

http://blog.spywareguide.com/upload/2007/06/myspaceremove7-thumb.jpg

...the application claims to "detect" 180 Solutions (Zango), along with a few other items. This is done by downloading some "dummy" files that the scanner then magically finds. As far as we can tell, the files themselves don't do anything apart from sit there and feed the scanner's results - of course, they aren't legitimate Zango executables. Here's a screenshot of some of the files deposited onto the PC:

http://blog.spywareguide.com/upload/2007/06/myspaceremove8-thumb.jpg

Myspace users would do well to give these so-called security applications a miss. This particular install works best on Windows 2000 - if the user is on XP, there's a good chance nothing will happen. Thanks to LoLo for the tipoff.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Peter Jayaraj, FSL Threat Researcher
