It all started with a fake Firefox installer from: firefox.dl-networks.in/firefox_4.0.1.exe
This is a server located in Ukraine, running Apache/2.2.17.
Firefox 4 is indeed the latest version of the browser:
Except the bad guys got the icon wrong… this one is for CCleaner. Here is the VirusTotal report (8/43).
Upon installation the malware connects to:
178.17.164.6/i.php?affid=41221&data=…..
This time we are off to the Republic of Moldova:
We all know where this is going, right?
Rogue AV FTW!
Let’s go back to the IP the malware connected to: 178.17.164.6
Here is some background information:
43289 | 178.17.160.0/20 | TRABIA | MD | STATIC-HOST.NET | I.C.S. TRABIA-NETWORK S.R.L.
Trabia Network is a hosting company from Moldova. They have their own Facebook page:
But what is more interesting is the connection with the recent wave of Mac malware. There is a very long forum thread going on in which people say they were infected with “Apple Security Center”:
Let’s zoom in on the URL:
That’s right, it looks like the same IP range.
Conclusion: the same guys who serve fake AV for the PC are also doing it for the Mac.
Jerome Segura