It all started with a fake Firefox installer from: firefox.dl-networks.in/firefox_4.0.1.exe
This is a server located in Ukraine, running Apache/2.2.17.
Firefox 4 is indeed the latest version of the browser:
Upon installation the malware connects to:
This time we are off to the Republic of Moldova:
We all know where this is going, right?
Rogue AV FTW!
Let’s go back to the IP where the remote connection was made to: 220.127.116.11
Here is some background information:
43289 | 18.104.22.168/20 | TRABIA | MD | STATIC-HOST.NET | I.C.S. TRABIA-NETWORK S.R.L.
Trabia Network is a hosting company from Moldova. They have their own Facebook page:
But what is more interesting is the connection with the recent wave of Mac malware. There is a very long forum thread going on about people saying they were infected with “Apple Security Center”:
Let’s zoom in on the URL:
That’s right, it looks like the same IP range.
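To make that range check repeatable against other indicators, here is an added Python example (not from the original post) that parses the pipe-delimited ASN lookup line shown above and reports which IPs fall inside its prefix; the sample IPs are constructed.

```python
import ipaddress

# Constructed sample in the same pipe-delimited style as the lookup line above
# (ASN | prefix | AS name | country | registry | org). The prefix is the one
# quoted in the post; the surrounding values are illustrative.
WHOIS_LINE = "43289 | 18.104.22.168/20 | TRABIA | MD | STATIC-HOST.NET | I.C.S. TRABIA-NETWORK S.R.L."


def parse_whois_line(line):
    """Split a pipe-delimited ASN lookup line into a dict.

    The prefix is normalised to its network address (a /20 written as
    x.y.22.168/20 becomes x.y.16.0/20) so membership tests work directly.
    """
    fields = [f.strip() for f in line.split("|")]
    if len(fields) < 2:
        raise ValueError("unexpected lookup line: %r" % line)
    return {
        "asn": int(fields[0]),
        "prefix": ipaddress.ip_network(fields[1], strict=False),
        "as_name": fields[2] if len(fields) > 2 else "",
        "country": fields[3] if len(fields) > 3 else "",
    }


def ips_in_prefix(ips, prefix):
    """Return the subset of ips that fall inside prefix; unparsable values are skipped."""
    hits = []
    for ip in ips:
        try:
            if ipaddress.ip_address(ip) in prefix:
                hits.append(ip)
        except ValueError:
            # not an IP literal (e.g. a hostname); ignore it
            continue
    return hits


if __name__ == "__main__":
    info = parse_whois_line(WHOIS_LINE)
    sample = ["18.104.25.7", "18.104.40.1", "not-an-ip"]  # constructed test values
    print(info["asn"], info["prefix"], ips_in_prefix(sample, info["prefix"]))
```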
Conclusion: the same guys who serve fake AV for the PC are also doing it for the Mac.