Eastern Europe malware trip to connect PC and Mac fake AV

04 Jun 2011

It all started with a fake Firefox installer from: firefox.dl-networks.in/firefox_4.0.1.exe

This is a server located in Ukraine, running Apache/2.2.17.

Firefox 4 is indeed the latest version of the browser:

Except the bad guys got the icon wrong… this one is for CCleaner. Here is the VirusTotal report (8/43).

Upon installation the malware connects to:

178.17.164.6/i.php?affid=41221&data=…..

This time we are off to the Republic of Moldova:

We all know where this is going, right ;-)

Rogue AV FTW!

Let’s go back to the IP that the remote connection was made to: 178.17.164.6

Here is some background information:

43289 | 178.17.160.0/20 | TRABIA | MD | STATIC-HOST.NET | I.C.S. TRABIA-NETWORK S.R.L.

Trabia Network is a hosting company from Moldova. They have their own Facebook page:

What is more interesting is the connection with the recent wave of Mac malware. There is a very long forum thread in which people say they were infected with “Apple Security Center”:

Let’s zoom in on the URL:

That’s right, it looks like the same IP range.
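The range check above (does an observed address fall inside the 178.17.160.0/20 prefix that the ASN lookup returned?) is easy to script so it can be rerun against any new URL. Here is an added example, not code from the original post, that parses the pipe-delimited lookup line quoted above and classifies a list of observed URLs; the 203.0.113.7 control address is a constructed documentation-range value, and the affiliate URL is truncated where the post elides the data parameter.

```python
import ipaddress
from urllib.parse import urlsplit

# ASN lookup line exactly as quoted in the post ("ASN | prefix | name | CC | registry | description").
LOOKUP_LINES = [
    "43289 | 178.17.160.0/20 | TRABIA | MD | STATIC-HOST.NET | I.C.S. TRABIA-NETWORK S.R.L.",
]

# Observed URLs: the two from the post (data= parameter elided there, so truncated here)
# plus a constructed out-of-range control using an RFC 5737 documentation address.
OBSERVED_URLS = [
    "firefox.dl-networks.in/firefox_4.0.1.exe",
    "178.17.164.6/i.php?affid=41221",
    "http://203.0.113.7/i.php?affid=1",  # constructed control, should not match
]


def parse_lookup(lines):
    """Turn pipe-delimited lookup lines into (network, asn, description) tuples."""
    prefixes = []
    for line in lines:
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 2:
            continue
        try:
            net = ipaddress.ip_network(fields[1], strict=False)
        except ValueError:
            continue  # not a prefix, skip the line
        prefixes.append((net, fields[0], fields[-1]))
    return prefixes


def host_of(url):
    """Extract the host part; the post writes URLs without a scheme, so add one."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname


def classify(urls, prefixes):
    """Map each URL to (asn, prefix) when its literal IP is inside a known prefix.

    Hostnames are flagged rather than resolved, so this runs offline; resolve
    them separately and feed the resulting addresses back in."""
    report = {}
    for url in urls:
        host = host_of(url)
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            report[url] = "hostname (resolve first)"
            continue
        report[url] = next(((asn, str(net)) for net, asn, _ in prefixes if addr in net), None)
    return report


if __name__ == "__main__":
    for url, verdict in classify(OBSERVED_URLS, parse_lookup(LOOKUP_LINES)).items():
        print(f"{url}: {verdict}")
```

Any new Mac or PC sample whose callback address lands in the same prefix will show up with the same ASN tag, which is the correlation the post draws by eye.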

Conclusion: the same guys who serve fake AV for the PC are also doing it for the Mac.

Jerome Segura
