Is this a legimate website (antivirus-360.com) ?

[kmr1684]

hi hello everyone,

when i searched in google for 360 total security i got this address hxxp://antivirus-360.com/ as a first search result, which i never seen before, because i remember when i visited the 360 website before it never look like this, but know i think they changed the address or this is a ripe of the original website. As well as contact info page total blank with only one email id : media@mycornerbar.com

website address: hxxp://antivirus-360.com/

original address for 360 is: hxxp://www.360safe.com/

ps: do not trust your good fiend (i.e. google)

 

[PVA_BR]

From VirusTotal scan: AutoShun is the only service to mark it as suspicious site. I'm forwarding it to further analysis.
Until we don't know about it's safe or not, it's better staying away of this website

 

[marg]

The site has been identified as RISKY ! 360safe.com is the main site & not this one! You might have a redirect malware on your browser. www.360safe.com is the site you want.

 

[Dima007]

hi hello everyone,

when i searched in google for 360 total security i got this address hxxp://antivirus-360.com/ as a first search result, which i never seen before, because i remember when i visited the 360 website before it never look like this, but know i think they changed the address or this is a ripe of the original website. As well as contact info page total blank with only one email id : media@mycornerbar.com

website address: hxxp://antivirus-360.com/

original address for 360 is: hxxp://www.360safe.com/

ps: do not trust your good fiend (i.e. google)

 

[PVA_BR]

To me, it does not seems legit either.
I was analysing the code of this website on my own.
I see a label named Bitdefender Internet Security that leads to a unrelated site. So, Don't trust this site.

 

[marg]

To me, it does not seems legit either.
I was analysing the code of this website on my own.
I see a label named Bitdefender Internet Security that leads to a unrelated site. So, Don't trust this site.

I just Googled it & on my PC and it did not come up with that strange site at all. This leads me to suspect he has something nasty on there.

 

[PVA_BR]

This leads me to suspect he has something nasty on there.

Fellow @kmr1684 I would suggest you to completely scan your computer for viruses. And also verify your startpage (all browsers) and your browser's plugins (all browsers too). Look for anything that you does not know or haven't explicitly installed. Have you installed uTorrent recently?

 

[PVA_BR]

@kmr1684 consider even the idea of scanning your computer with malwarebytes anti-malware.
Their official website: http://www.malwarebytes.org/

Download and install it.
Thank You

 

[Cowpipe]

Antivirus 360 is a fake security program, been around for a while actually. The domain the fake software was once hosted on now it appears, is being used to host a phishing scam. Entering any email address will simply redirect you to the BitDefender product page, the URL indicates that your email address is not actually passed on to BitDefender but captured by the page, probably to be sold on a spam list.

There are no active exploits on the page that I can find, so your computer is probably safe (not infected from this webpage anyway), if you entered your email, I would strongly advise you to change the password if it is at all obvious, short, only consisting of letters or numbers, or any combination of those risk factors.

 

[Cowpipe]

Looking in the Privacy Policy section of the site, I notice an email address "media@mycornerbar.com", a simple Google search reveals the site is linked to a fake dating website:

Link contains LIVE malware, please do not visit!!!

hXXp:www.meet-my-heart.com

The page contains multiple images which go through "linkjumps.com", a URL masking service (hides the website you're being redirected to, used to help conceal the real location of malicious servers from automated malware scanners).

We finally arrive at another site:

Link contains LIVE malware, please do not visit!!!

hxxp://xon[][][][][zz.downloa[][][][][d.downl[][][][]oadcircle.eu/?sov=62551901&hid=hpjlt[][][][[]tjrnrnrjrh&kw=5526&no[][][][][][flu=noflu&id=XNS[][][][][][][X.94256%3A%3APEERFLY

Remove the brackets to get a valid URL. Added to stop naive copy and pasters.

Immediately I get an alert box with a warning that my software is out of date. Notice the word "Javascript", no legitimate website will use this kind of alert to warn you of a software update.



Clicking either the cross or the OK button takes us back to the main site, where a click on any of the buttons will download a file called DriverUpdate.exe



In the spirit of this chance discovery, I shall analyse this malicious file for you live in my first malware analysis video on YouTube

For anyone interested, as soon as I figure out how to post to the virus exchange, I'll make the file available for download here on MalwareTips.

Learn more about this malware here: http://malwaretips.com/blogs/update-windows-7-drivers-popup-virus/

 

[Cowpipe]

For any malware-hunters, this quick Google query will bring you an additional 282 malicious websites, unfortunately I don't have time to go through them all myself right now:

These are LIVE malware sites which may include drive by downloads and exploit kits. Please exercise extreme caution and in pasting the below URL into Google, DO NOT click on any of the results!

inurl:download.downloadcircle.eu

 

[Cowpipe]

Further analysis leads me to visiting "linkjumps.com" directly, it turns out this service redirects me to one of any number of offers or promotions currently running.

One of the offers doesn't serve up any malware or viruses, but instead an advert which include my location and IP address. The page asks me to fill out a series of survey answers such as "what is your gender?", "how old are you?" and "do you use social media often?", regardless of your answers you're then told that you are eligible to receive a free android tablet (granted an old scam, but one that still fools far too many people).



Following the link I'm taken to company called NowLucky, interestingly the website has a security certificate, issued by none other than Comodo.



Proof that just because a website has a security certificate, that doesn't make it genuine Just in case you're wondering exactly how this scam works, take a look at the terms and conditions:



Back on the analysis front and after trying some more URLs, I noticed that every URL I was being redirected to ended with the following text: %3APEERFLY

For anyone not fluent in hexadecimal, 3A is code for a slash (/). I recognised the name peerfly from the dating site, in actual fact it was a peerfly url that led me to the malicious software!

Live Malware, DO NOT VISIT!!

hXXp://peerfly.com/x/0/5526/92897/sidemeet/

A search for peerfly brings up their main website, turns out they're an 'affiliate agency', check out the WOT reviews:



So it turns out that Peerfly are the company behind at least one and probably many more of the most recent internet scams. It's rare nowadays to see physical companies behind these scams, takes me back to the days of WinFixer and Innovative Marketing, who were arguably the mother of fake security software (Driver Cleaner, SpySherriff, Error Safe anyone?). Back in those days it was thought that hiding behind a company would relieve the staff of any personal liability for damage done, thankfully as the mother of WinFixer (Kristy Ross) found out recently, it seriously doesn't , see http://www.business.ftc.gov/blog/2014/02/court-appeals-upholds-win-consumers-winfixer-case if you're interested for a catch up on the case.

Anyway I hope you found my first official 'multi-part' investigation at least mildly interesting, I certainly enjoyed it If you liked that, then with a bit of luck you'll love my Malware videos, coming soon to YouTube (shameless advertising Cowpipe, shameless)

I'm sizing up @Malware1 title of "Malware Hunter" . . .

 

[Cats-4_Owners-2]

This was quite head spinning!
When first I saw the 'hxxp', those double XXs brought to the imagination visions of pirates, poisons, and a popular Mexican Beer with corresponding XXs. Even when something's all bad, at least we can imagine a beer at the end of the rainbow!
Thanks for all the info too which was quite a fascinating cautionary narrative, and similar (on a very real level) to heeding the warning from Disneyland's Pirates of The Carribean, "Ye'd best consider turning back before it be too late!"

 

[Cowpipe]

This was quite head spinning!
When first I saw the 'hxxp', those double XXs brought to the imagination visions of pirates, poisons, and a popular Mexican Beer with corresponding XXs. Even when something's all bad, at least we can imagine a beer at the end of the rainbow!
Thanks for all the info too which was quite a fascinating cautionary narrative, and similar (on a very real level) to heeding the warning from Disneyland's "Pirates of The Carribean" We best consider turning back before it be too late!

Haha You always have such an original take on things Cats-, it's the perfect combination of amusing and refreshing. Honestly I think you should just hire out a room, sit in the corner and talk for hours. Charge people twenty bucks a time to come in and listen to you for ten minutes, and within no time at all you'll find yourself being prescribed as a cure for everything from depression to plain boredom

 

[kmr1684]

hi, Cowpipe, thanks for your research and time you had spend to find out each and every thing, first i am not infected because i am using sandboxie whenever i surf, second i never given any email id, thanks for all those live malware so that i can check my seriousness of my anti-v and uncle-v&m.

and for the rest of the other people taken time to check and responded thanks for it sincerely.

 

[kmr1684]

Looking in the Privacy Policy section of the site, I notice an email address "media@mycornerbar.com", a simple Google search reveals the site is linked to a fake dating website:

Link contains LIVE malware, please do not visit!!!

hXXp:www.meet-my-heart.com

The page contains multiple images which go through "linkjumps.com", a URL masking service (hides the website you're being redirected to, used to help conceal the real location of malicious servers from automated malware scanners).

We finally arrive at another site:

Link contains LIVE malware, please do not visit!!!

hxxp://xon[][][][][zz.downloa[][][][][d.downl[][][][]oadcircle.eu/?sov=62551901&hid=hpjlt[][][][[]tjrnrnrjrh&kw=5526&no[][][][][][flu=noflu&id=XNS[][][][][][][X.94256%3A%3APEERFLY

Remove the brackets to get a valid URL. Added to stop naive copy and pasters.

Immediately I get an alert box with a warning that my software is out of date. Notice the word "Javascript", no legitimate website will use this kind of alert to warn you of a software update.



Clicking either the cross or the OK button takes us back to the main site, where a click on any of the buttons will download a file called DriverUpdate.exe



In the spirit of this chance discovery, I shall analyse this malicious file for you live in my first malware analysis video on YouTube

For anyone interested, as soon as I figure out how to post to the virus exchange, I'll make the file available for download here on MalwareTips.

Learn more about this malware here: http://malwaretips.com/blogs/update-windows-7-drivers-popup-virus/

For any malware-hunters, this quick Google query will bring you an additional 282 malicious websites, unfortunately I don't have time to go through them all myself right now:

These are LIVE malware sites which may include drive by downloads and exploit kits. Please exercise extreme caution and in pasting the below URL into Google, DO NOT click on any of the results!

inurl:download.downloadcircle.eu

all these redirecting leads to blank page saying not found in this server, this may happens due to i am using noscript to block all the script in the webpage when its loading, so noscript provides me one extra layer of protection.

ps: when i load the address it display this address hxxp://sslredirservice.com/?sov=65329701&id=noid&hid=eqkeoggkgugue&tov=&v=&noexpand=1&alert=1&audio=1&pop=1.
and funny thing is address bar having this address:hxxp://download.downloadcircle.eu/sslredir.html
and utimately redirects to another address: hxxp://sslredirservice.com/?sov=65329701&id=noid&hid=bjjldbfhdrdrb&tov=&v=&noexpand=1&alert=1&audio=1&pop=1

please see the below foto

 

[Cowpipe]

all these redirecting leads to blank page saying not found in this server, this may happens due to i am using noscript to block all the script in the webpage when its loading, so noscript provides me one extra layer of protection.

ps: when i load the address it display this address hxxp://sslredirservice.com/?sov=65329701&id=noid&hid=eqkeoggkgugue&tov=&v=&noexpand=1&alert=1&audio=1&pop=1.
and funny thing is address bar having this address:hxxp://download.downloadcircle.eu/sslredir.html
and utimately redirects to another address: hxxp://sslredirservice.com/?sov=65329701&id=noid&hid=bjjldbfhdrdrb&tov=&v=&noexpand=1&alert=1&audio=1&pop=1

please see the below foto

sslredirservice.com is a browser hijacker, it looks like you might have been infected by a virus The malicious links above actually have nothing to do with sslredirservice.

Just to be safe and for my own peace of mind, would you mind downloading Hijackthis from here: http://sourceforge.net/projects/hjt/files/latest/download
Click the option to produce a log and at the end a text file will appear, if you could post back and copy and paste the contents into your post so I can check that you aren't infected

I would also advise that you download and run MalwareBytes Anti-Malware from here https://www.malwarebytes.org/mwb-download/

Run and clean any infections, and let me know how that goes. Will post some more details soon, a little busy atm

 

[kmr1684]

ok first i will say thanks for your concern about i got infected, second i using my sandboxed webbrowser to surf these websites, after closing the browser sandboxie will delete all the files automatically, because i set it like that so my real system never get infected everything will be in sandbox only after browsing session ended everything will be deleted automatically. so i think i explained correctly how i save myself when i browsing the web. first sandboxed webrowser, second noscript (don't load all the webpage only selected), delete all the traces of browsing imminently and securely as fast as i can, or else i will use shadowdefender to virutalise my whole system, after reboot no changes to system. so please do not worry about the infected i will always get infected now and then when i try something stupid enough to test some applications. so every time i will keep my system clean and safely.

 

[Cats-4_Owners-2]

Haha You always have such an original take on things Cats-, it's the perfect combination of amusing and refreshing. Honestly I think you should just hire out a room, sit in the corner and talk for hours. Charge people twenty bucks a time to come in and listen to you for ten minutes, and within no time at all you'll find yourself being prescribed as a cure for everything from depression to plain boredom

Thank you, Cowpipe. I'd *Laughed* heartily at the image conjured from your own unique & curative humor! ...still *giggling*.

sslredirservice.com is a browser hijacker, it looks like you might have been infected by a virus The malicious links above actually have nothing to do with sslredirservice.

Just to be safe and for my own peace of mind, would you mind downloading Hijackthis from here: http://sourceforge.net/projects/hjt/files/latest/download
Click the option to produce a log and at the end a text file will appear, if you could post back and copy and paste the contents into your post so I can check that you aren't infected

I would also advise that you download and run MalwareBytes Anti-Malware from here https://www.malwarebytes.org/mwb-download/

Run and clean any infections, and let me know how that goes. Will post some more details soon, a little busy atm

Here, in addition to being both supportive and helpful, your concern had already harvested a reply from kmr1684 more quickly than I was able to finish typing this! Your instructions, and willingness to follow up, deem you worthy of wearing an MT logo centered upon your cape & thoughtfully embroidered upon the front of your tights for all to behold each time you enter MalwareTips' Hall of Justice, high upon Mount Olympus.

In all sincerity, Well Done!

 

[kmr1684]

Thank you, Cowpipe. I'd *Laughed* heartily at the image conjured from your own unique & curative humor! ...still *giggling*.



Here, in addition to being both supportive and helpful, your concern had already harvested a reply from kmr1684 more quickly than I was able to finish typing this! Your instructions, and willingness to follow up, deem you worthy of wearing an MT logo centered upon your cape & thoughtfully embroidered upon the front of your tights for all to behold each time you enter MalwareTips' Hall of Justice, high upon Mount Olympus.

In all sincerity, Well Done!

Your instructions, and willingness to follow up, deem you worthy of wearing an MT logo

thanks this is the words i really looking upon to express about cowpipe work, but your are really said my thoughts in really good and best possible way. once again thanks for that. i really liked it.