
Troj/FakeAV-CLJ

Hi there,

here's more information:

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakeavclq.html

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakeavclj.html

Just in case, I have already blocked 91.217.162.99, which should be repoiury.com, even though the site was already taken down by the authorities, I guess.

Are there any honeypot operators in here who could tell the source of this malware? We get swamped with it and I would like to have the sites blocked from where it originates.

Thanks for any insight given. I appreciate it.

Edit

Sophos blocked files with the following names/keywords:

%random%.htm

bugguardpc.htm
coverlightswitch.htm
annefrankbio.htm
blocklightreach.htm

GandhiAntivirus.htm

  • KingSecuritySoft.htm

    King-Security-Soft.htm

    Remove-Anti-Malware.htm

    Antiineuervirusgo.htm

    AntiiAntivirusGoe.htm

    CommandAntiVirus.htm

    Protection-Free.htm

  • Thanks for the info. We get as many as 30 detections (with auto-deletion) per day. It seems as if they've taken over the FakeAV business. Any other people in here who see FakeAV-CLJ in their environment?

  • Today's htm files:

    anti-m-alvare.htm

    anti-alvare.htm

    AntiVirusToolsPlus.htm

    Support-Easy.htm

    Anti-M-Office.htm

    Antivirus-Microsoft-Cooperation.htm

    SelfDefenseOpen.htm

    Protection-Free.htm

    Antimalvare.htm

    AntiMOffice.htm

  • Here's a new hint:

    11:07:41 -> detection of anti-m-alware.htm (FakeAV-CLJ)

    11:08:21 -> detection of AntiSpyWareSetup.exe (FakeAV-IS)

  • Just found another payload .EXE linked to FakeAV-CLJ: freesystemscan.exe, detected as Sus/Corrupt, and at the same time there is also a FakeAV-IO detection. Unfortunately SEC 3.1 doesn't always show path and filenames, so I don't know if FakeAV-IO is the same file as Sus/Corrupt. I would love to collect samples, but I don't have the time to create and manage a new policy, push it down to 1000s of clients, and then remote in, disable Sophos On-Access and FTP it. I'm glad 9.5 has sample collection as a feature, even though this is only for unknown HIPS files. Or does Sophos 9.5 also send samples of _known_ malware to the labs in order to improve detection? In this case it would be helpful.
