Fake AV: .ru sites used for redirections

Prorootect

Level 69
Thread author
Verified
Nov 5, 2011
5,855
Fake AV: .ru sites used for redirections topic here ..

Fake AV: .ru sites used for redirections : on zscaler.com : http://research.zscaler.com/2012/02/fake-av-ru-sites-used-for-redirections.html

QUOTE:
'This past month, I've seen an increase in hijacked sites redirecting to a Fake AV page. These attacks typically involve three separate phases:

1. The hijacked website redirects users coming from a Google search to an external domain.
2. A website redirects users to the Fake AV page or to a harmless site (mostly bing.com and google.com) depending upon the referer in step #1. This page adds a cookie using JavaScript, and reads it immediately, to make sure the page was accessed by a real browser that supports both JavaScript and cookies.
3. The fake AV page is delivered.' ..
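The three phases quoted above are each observable from outside: the hijacked page answers differently depending on the Referer header, and the intermediate page contains a set-then-read of document.cookie before it forwards the browser. The script below is an added example (not code from the zscaler post or from this thread) showing how a crawler or proxy replay could flag both behaviours. It fetches nothing itself; it works over records of the same URL requested with different Referer headers, and every URL, hostname and page body in it is constructed sample data.

```python
"""Flag referer-conditional redirects and JavaScript cookie gates.

Added example, not from the zscaler post or the thread. Operates on
constructed records of one URL fetched with different Referer headers,
as a crawler replaying a suspicious page would collect them."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}
DECOY_HOSTS = {"www.google.com", "www.bing.com"}   # harmless sites used as decoys


@dataclass
class Fetch:
    url: str
    referer: Optional[str]
    status: int
    location: Optional[str]    # Location header on a 3xx response
    body: str                  # response body


# Ways a page can bounce the browser without an HTTP redirect.
META_REFRESH = re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)
JS_LOCATION = re.compile(r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']')
# An assignment to document.cookie, and any later use of it that is not an assignment.
COOKIE_SET = re.compile(r'document\.cookie\s*=(?!=)')
COOKIE_READ = re.compile(r'document\.cookie(?!\s*=[^=])')


def redirect_target(f: Fetch) -> Optional[str]:
    """Hostname the response sends the browser to, or None if it stays put."""
    if 300 <= f.status < 400 and f.location:
        return urlparse(f.location).hostname
    for rx in (META_REFRESH, JS_LOCATION):
        m = rx.search(f.body)
        if m:
            return urlparse(m.group(1)).hostname
    return None


def referer_host(f: Fetch) -> Optional[str]:
    return urlparse(f.referer).hostname if f.referer else None


def conditional_redirect(fetches, qualifying) -> set:
    """Phase 1 check: off-site hosts that only visitors with a qualifying
    Referer are sent to. Empty when direct and qualifying visits agree."""
    own = urlparse(fetches[0].url).hostname
    with_ref = {redirect_target(f) for f in fetches if qualifying(f)}
    without = {redirect_target(f) for f in fetches if not qualifying(f)}
    offsite = {h for h in with_ref if h and h != own}
    return offsite - without


def has_js_cookie_gate(body: str) -> bool:
    """Phase 2 check: the page writes document.cookie and reads it back in the
    same response, a test that the client runs JavaScript and keeps cookies."""
    m = COOKIE_SET.search(body)
    return bool(m) and COOKIE_READ.search(body, m.end()) is not None


def decoy_targets(fetches, qualifying) -> set:
    """Phase 2 check: non-qualifying visitors bounced to a harmless decoy site."""
    return {redirect_target(f) for f in fetches if not qualifying(f)} & DECOY_HOSTS


# Constructed sample: a hijacked blog page fetched directly and via a Google search.
HIJACKED = "http://blog.example.org/2012/02/post.html"
HIJACKED_FETCHES = [
    Fetch(HIJACKED, None, 200, None, "<html><body>Ordinary blog post</body></html>"),
    Fetch(HIJACKED, "http://www.google.com/search?q=free+antivirus", 200, None,
          '<html><script>window.location="http://redir.example.ru/in.cgi?3";</script></html>'),
]
# Constructed sample: the intermediate gate page, with and without the expected referer.
GATE = "http://redir.example.ru/in.cgi?3"
GATE_FETCHES = [
    Fetch(GATE, HIJACKED, 200, None,
          '<script>document.cookie="chk=1";'
          'if(document.cookie.indexOf("chk=1")!=-1){location.href="http://scan.example.ru/scan/";}'
          '</script>'),
    Fetch(GATE, None, 302, "http://www.bing.com/", ""),
]


def from_search(f: Fetch) -> bool:
    return referer_host(f) in SEARCH_HOSTS


def from_hijacked(f: Fetch) -> bool:
    return referer_host(f) == urlparse(HIJACKED).hostname


def analyse() -> list:
    """Run all three checks over the sample records and return the findings."""
    findings = []
    hosts = conditional_redirect(HIJACKED_FETCHES, from_search)
    if hosts:
        findings.append("phase 1: search visitors redirected to " + ", ".join(sorted(hosts)))
    if any(has_js_cookie_gate(f.body) for f in GATE_FETCHES):
        findings.append("phase 2: JavaScript cookie gate on " + GATE)
    decoys = decoy_targets(GATE_FETCHES, from_hijacked)
    if decoys:
        findings.append("phase 2: other visitors bounced to decoy " + ", ".join(sorted(decoys)))
    return findings


if __name__ == "__main__":
    for line in analyse():
        print(line)
```

The useful property for a defender is that none of the checks depend on knowing the final Fake AV domain: a page that behaves differently for search-engine traffic, or that tests for cookies and JavaScript before forwarding, is suspicious on its own, which is how the chain can be caught before the payload page changes again.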
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
The guys from Websense reported that almost 200,000 web pages are compromised to serve rogue software.
Browser add-ons like NoScript could help if your AV can't detect the fake AV.

Softpedia said:
200,000 Webpages Compromised to Lead Visitors to Fake AV Sites
The past couple of months mass infections were not uncommon and now security experts believe they stumbled upon another one. Websense found that 30,000 unique websites are currently compromised to redirect their visitors to sites that promote shady antivirus software.

A total of 200,000 webpages, part of the 30,000 sites, have been compromised, apparently the campaign being designed to target mostly ones hosted by the WordPress content management system.

After multiple redirects, victims are taken to a website that performs a fake scan, pointing out a large number of infections and threats that affect the system. The scan is designed to appear as if it takes place in a Windows Explorer window, but in reality it’s nothing more than a webpage that’s cleverly set up to dupe users.

When the scan is complete, the user is urged to install an antivirus tool that would allegedly remove the pieces of malware. However, the antivirus installer is nothing more than a Trojan that once installed can give its master complete control over the infected machine.

Read more
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
It's likely the fact is that the .ru domain is the most used for redirections, and the majority for malicious purposes.

From some of the pie charts, .ru remains to have got a huge percentage when it's all about malicious websites.
 

Prorootect

Level 69
Thread author
Verified
Nov 5, 2011
5,855
jamescv7 said:
It's likely the fact is that the .ru domain is the most used for redirections, and the majority for malicious purposes.

From some of the pie charts, .ru remains to have got a huge percentage when it's all about malicious websites.

Yeah, this is the sad truth, what you say about these .ru domains spreading the malware ..


Look only at these links, please:

* Who Is Responsible For Malware On U.S.-based Servers : by SecureHomeNetwork.blogspot.com: http://securehomenetwork.blogspot.com/2010/03/who-is-responsible-for-malware-on-us.html - this read puts things right! Thank you very much James McQuaid ..



QUOTE:
'Jeffrey Carr at IntelFusion has an interesting article "Imagine if Russia or China announced a formal policy of using non-state actors in cyber deterrence"

He notes that, "Many other nations in the world community see the U.S. in a more negative way already because 20 of the world’s top 50 worst ISPs for serving malware operate in the United States. This creates the illusion that the US is responsible when in fact foreign actors use US servers to mask attribution and, as a side benefit to them, feed anti-US sentiment. This strategy seems to be working according to the McAfee report “In the Crossfire” (.pdf), which surveyed “600 IT and security executives from critical infrastructure enterprises across seven sectors in 14 countries”. According to the report, the U.S. is seen as the “most worrisome potential aggressor”." '

'As you can see, Russian and Ukrainian criminals are overwhelmingly responsible for the distribution of malware at The Planet':

Malware at The Planet, 2010 infection: [image lgGRO.gif]

Damage Index by Actor Nationality: [image bqFTy.gif]


Yes, a picture is worth 1000 words.

* EstDomains: A Sordid History and a Storied CEO : by Brian Krebs : http://voices.washingtonpost.com/securityfix/2008/09/estdomains_a_sordid_history_an.html

* Who's Behind the Koobface Botnet? - An OSINT Analysis : by Dancho Danchev on ddanchev.blogspot.com : http://ddanchev.blogspot.com/2012/01/whos-behind-koobface-botnet-osint.html

Anton, Koobface botnet master: [image 5qxmt.jpg]

Yeah, Anton too: [image oiHC9.jpg]


* Russian Business Network (RBN) description on emergingthreats.net : http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork - thank you James McQuaid ..

* Honeywall Samples Hosts: on emergingthreats.net : http://doc.emergingthreats.net/pub/Main/HoneywallSamples/hosts
 
