Friday, April 10, 2009

W32.downadup.e and rogue AV

I was looking for info about Downadup.E (the updated Conficker.C release) and I used one of the simplest keywords that would probably be used for a Google search:


The result of this simple query was the following:


Google showed some interesting URLs in the top-ranking results and in the ad space:


The red points (shown in the pictures) indicate the warning level generated by the WOT add-on for Firefox, which warns about suspicious content or malicious web sites. In this case a Downadup.E remover web site is marked as potentially dangerous. So, to assess the rating offered by WOT, it is better to investigate more deeply. Let's start by analyzing the suspicious URL (hosted at hZZp://www.precisesecurity.com) reported in the pictures above. From Netcraft's point of view we obtain these details:


While from the perspective of robtex.com, for "autonomous system addicted people":



The IP address obtained from robtex is found in some blacklist providers such as http://www.malwaredomains.com/, where it is marked as a host for scam and malware-spreading web sites. In particular, in this case the web site spreads a rogue antivirus. It is very important to note that the second site suggested by Google (in the second picture of this post) is not such a good web site. The following screenshot shows the WOT forum thread where this rogue antivirus spreading web site is reported:
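The reputation check walked through above (take the suspicious URL, find its host and IP, look both up in blocklists such as malwaredomains.com) can be scripted for quicker triage. The following is an added example, not code from the original post: the blocklist lines, the IP feed and the DNS answers are constructed stand-ins so it runs offline, and the defanged hZZp:// notation is handled the way the post writes it.

```python
import re

# Constructed hosts-style blocklist in malwaredomains.com's one-domain-per-line
# format; apart from the domain quoted in the post, the entries are made up.
SAMPLE_BLOCKLIST = """
# domain            type     reference
precisesecurity.com rogueav  example-listing
bad-example.test    malware  example-listing
"""
# Constructed stand-ins for an IP reputation feed and for DNS answers, so the
# example runs offline; real triage would query a feed and resolve the name.
SAMPLE_IP_BLOCKLIST = {"198.51.100.7"}
SAMPLE_DNS = {"www.precisesecurity.com": "198.51.100.7", "www.example.org": "203.0.113.5"}

def refang_host(url: str) -> str:
    """Hostname from a URL that may be defanged (hxxp://, hZZp://, example[.]com)."""
    url = url.strip().replace("[.]", ".").replace("(.)", ".")
    url = re.sub(r"^h(?:tt|xx|zz)ps?://", "", url, flags=re.I)
    host = url.split("/", 1)[0].split("@")[-1].split(":", 1)[0]
    return host.lower().rstrip(".")

def parse_blocklist(text: str) -> dict:
    """Map listed domain -> category, skipping comments and blank lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        entries[parts[0].lower()] = parts[1] if len(parts) > 1 else "listed"
    return entries

def match_domain(host: str, entries: dict):
    """Walk from the host up through its parent domains; subdomains inherit a listing."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in entries:
            return candidate, entries[candidate]
    return None, None

def triage(url: str, entries: dict, ip_blocklist: set, dns: dict) -> dict:
    """Combine the domain-list and IP-list checks into one verdict for a URL."""
    host = refang_host(url)
    listed, category = match_domain(host, entries)
    ip = dns.get(host)
    ip_listed = ip is not None and ip in ip_blocklist
    return {"host": host, "ip": ip, "domain_listing": listed, "category": category,
            "ip_listed": ip_listed, "suspicious": listed is not None or ip_listed}
```

Calling `triage("hZZp://www.precisesecurity.com/", parse_blocklist(SAMPLE_BLOCKLIST), SAMPLE_IP_BLOCKLIST, SAMPLE_DNS)` flags the host on both the domain list and the IP list, while a host that is only a subdomain of a listed domain is still caught by the parent-domain walk.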


WOT Addon

Regards
