Friday, April 10, 2009

W32.downadup.e and rogue AV

I was looking for information about Downadup.E (the updated release of Conficker.C) and used one of the simplest keywords that anyone researching it would probably type into Google:

The result of this simple query was the following:

Google showed some interesting URLs, both in the top-ranked results and in the ad space:

The red dots shown in the screenshots are the warning level generated by the WOT (Web of Trust) add-on for Firefox, which flags suspicious content or malicious web sites. In this case a site offering a Downadup.E remover is marked as potentially dangerous. A crowd-sourced rating on its own is weak evidence, so to assess the verdict WOT gives it is better to dig a little deeper. Let's start by analysing the suspicious URL (hosted at hZZp://) reported in the screenshots above. From Netcraft's point of view we get these details:

While the view from the autonomous-system side, for the "autonomous system addicted people", looks like this:

The IP address obtained from robtex is found in several blacklist providers, such as , where it is marked as a place hosting scam and malware-spreading web sites. In this particular case the site pushes a rogue antivirus. It is also important to note that the second site suggested by Google (the second screenshot of this post) is not a good web site either. The following screenshot shows the WOT forum thread where this rogue-antivirus site is reported:
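The post's triage (take the defanged URL from the search result, find out which host and IP it points to, then see whether that IP sits in a listed network) is easy to script. The following is an added example, not code from the original post or from WOT, Netcraft or robtex: it refangs a URL written as hZZp:// or hxxp://, extracts the host, and matches both the domain and its IP against local blocklists. The domain names, the 203.0.113.0/24 range and the DNS answers are constructed test data so that it runs offline; in real use the resolver and the lists would come from DNS and from the blacklist feeds the post consulted.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample blocklists (not real feeds). They stand in for the
# blacklist providers that, in the post, report the hosting IP.
BLOCKED_DOMAINS = {
    "downadup-remover.example",
    "free-av-scan.example",
}
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3, constructed

# Constructed DNS answers so the script runs offline; a real triage would
# resolve the host with a real resolver (and note the AS it lands in).
FAKE_DNS = {
    "downadup-remover.example": "203.0.113.45",
    "www.downadup-remover.example": "203.0.113.45",
    "example.org": "192.0.2.10",
}


def refang(url: str) -> str:
    """Turn a defanged URL (hZZp://, hxxp://, [.]) back into a parseable one."""
    url = re.sub(r"^h(?:xx|zz)p(s?)://", r"http\1://", url.strip(),
                 flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".")


def host_of(url: str) -> str:
    """Extract the lowercase hostname from a (possibly defanged) URL."""
    parts = urlsplit(refang(url))
    if not parts.hostname:
        raise ValueError(f"no host in {url!r}")
    return parts.hostname.lower()


def domain_listed(host: str) -> bool:
    """True if the host or any parent domain is on the domain blocklist."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS
               for i in range(len(labels) - 1))


def ip_listed(ip: str) -> bool:
    """True if the address falls inside any blocked network range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETWORKS)


def triage(url: str, resolver=FAKE_DNS.get) -> dict:
    """Reputation check for one URL: host, resolved IP, verdict and reasons."""
    host = host_of(url)
    ip = resolver(host)
    reasons = []
    if domain_listed(host):
        reasons.append("domain on blocklist")
    if ip is not None and ip_listed(ip):
        reasons.append(f"ip {ip} in blocked network")
    return {
        "host": host,
        "ip": ip,
        "verdict": "suspicious" if reasons else "no hit",
        "reasons": reasons,
    }


if __name__ == "__main__":
    for u in ("hZZp://www.downadup-remover.example/remove.php",
              "hxxp://example[.]org/"):
        print(u, "->", triage(u))
```

A domain-only hit is weaker than an IP-range hit, since the same IP often hosts several throwaway domains for the same rogue-AV campaign; keeping the two checks separate in `reasons` makes it obvious which evidence you actually have.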

WOT Addon

