Re: Rogue site?

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:i9qqk602v0g@xxxxxxxxxxxxxxxxxxxx
From: "FromTheRafters" <erratic@xxxxxxxxxxxxxxxxx>

| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
| news:i9qlb002rtm@xxxxxxxxxxxxxxxxxxxx
From: "HarryHydro" <harryhydro@xxxxxxxxxxx>

| I had a popup with the scanning and finding viruses thing. Then a
| popup to download a file, packupdate107_2029.exe from
| www1.riseonengine1.in . I figured it was fake but I ended that task
| anyway, without clicking anything. I think I got lucky on this one.
| However, this website doesn't appear to be in DNS, also has no hits
| in google. The name of this file is all over..
| Harry

Yes Harry, it was a Rogue anti malware scam site. Often these sites
exist for only a day or so and are provided through a general
redirection site that is spammed or otherwise "presented" to you.

An example of a spammed redirection site; better-web-365.com

| The last four or five I saw were all initially from the cz.cc domain
| (free domain names).

Redirection sites or the rogue host sites ?

I don't know really, I stopped investigating. I assume it is the
hosting site.

http://hostphotofree.com/?bookmark=21822

Another redirection site; netresults-online.com

Some other similar ones.

http://hostphotofree.com/?bookmark=21823

http://hostphotofree.com/?bookmark=21824

Obfuscated script snippet from that last one:

function rv74bPtYUcMDqQQSI90MPvJ0E9kJwbYbkZ(rv74bPtYUcMDqQQSI90MPvJ0E9kJwbYbkZ){/*dfffddfd*/var rv74bPtYUcMDqQQSI90MPvJ0E9kJwbYbkZ=6952;return "rv74bPtYUcMDqQQSI90MPvJ0E9kJwbYbkZ";};
var rv74bPtYUcMDqQQSI90MPvJ0E9kJwbYbkZ="rv74bPtYUcMDqQQSI90MPvJ0E9kJwbYbkZ";


var v89d795qo81UsWyHr9X8isuTOJa6pKCnw="e
rav\"{=krdsarvlmwslaf:\"uqt\",ef:\"cmfr\",eslafoceqrwaf:\"akr\",eslkxbacteslaf:\"mil\",:\"pgchm,eslafthgwhv\"\"pkjypl\",1-:\"afhyo
vid<\":ssalctnec\"\\=nallaram_gnid>\"\\nilc
vid<\"\\=ssalartnecidnaltfel_gn=di \"\\rtnec\"\\nallael_gnid<>\"\\tfalc
vid\"\\=sslartnecnidnal_tfel_g<>\"\\1alc
vidl\"\\=ssoci_tfe\"\\1_nvid/\\<> vid<>\\=ssalctnec\"dna...


...I think two layers of obfuscation, but I'm not sure - there is an
HTML file and an extensionless file with HTML content in addition to the
script.

<title>S&#101;curity Analysis</title>


.
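Two things in the snippet above are worth a defender's attention when triaging a captured rogue-AV landing page: the `<title>` hides a plain word behind a numeric character reference (S&#101;curity), and the big string literal is built from reversed fragments ("vid<" is "<div" backwards, "ssalc" is "class", "tfel_gnidnal" is "landing_left"). Both defeat naive keyword matching until the text is normalised. The script below is an added example written for this thread, not code posted by anyone in it and not taken from the sample; it decodes HTML character references, pulls string literals out of a JS fragment, reverses them and reports markup markers that appear in the reversed text. The marker list and the `SAMPLE_PAGE` literal are constructed for the example (only the title line is quoted from the thread), and the reversed-markup check is an assumption about this sample's encoding, not a general decoder for whatever the second obfuscation layer is.

```python
"""Static triage helpers for obfuscated landing-page script snippets.

Added example, not code from the thread. It demonstrates two normalisations a
defender applies before keyword matching on a captured page:
  1. decoding HTML character references in text such as the <title>, and
  2. reversing JavaScript string literals to expose reversed markup fragments
     (the thread's blob contains "vid<" and "ssalc", i.e. "<div" and "class"
     written backwards).
The SAMPLE_PAGE input is constructed for this example; only the title line is
taken from the thread.
"""
import html
import re

# Markup fragments whose presence in a *reversed* literal indicates that the
# literal holds reversed HTML. The list is chosen for this example.
MARKUP_MARKERS = ("<div", "</div>", "<script", "</script>", "<iframe", "class=", "style=")

# Double- or single-quoted JS string literal, honouring backslash escapes so an
# escaped quote inside the literal does not end the match.
_STRING_LITERAL = re.compile(r'"((?:\\.|[^"\\])*)"|\'((?:\\.|[^\'\\])*)\'')


def decode_entities(text: str) -> str:
    """Resolve numeric and named HTML character references (S&#101;curity -> Security)."""
    return html.unescape(text)


def extract_string_literals(js: str) -> list:
    """Return the contents of every quoted string literal in a JS fragment,
    with backslash escapes resolved so an escaped quote becomes a plain quote."""
    out = []
    for m in _STRING_LITERAL.finditer(js):
        body = m.group(1) if m.group(1) is not None else m.group(2)
        out.append(re.sub(r'\\(.)', r'\1', body))
    return out


def reversed_markup_hits(literal: str) -> list:
    """Reverse one literal and report which markup markers appear in the result."""
    rev = literal[::-1]
    return [mk for mk in MARKUP_MARKERS if mk in rev]


def triage(page_text: str) -> dict:
    """Run both normalisations over a captured page and summarise the findings."""
    decoded = decode_entities(page_text)
    title = re.search(r'<title>(.*?)</title>', decoded, re.I | re.S)
    findings = {
        "title": title.group(1).strip() if title else None,
        "reversed_literals": [],
    }
    for lit in extract_string_literals(page_text):
        hits = reversed_markup_hits(lit)
        if hits:
            findings["reversed_literals"].append(
                {"literal": lit, "markers": hits, "decoded": lit[::-1]}
            )
    return findings


# Constructed sample: the title line as quoted in the thread, plus a string
# literal built for this example that carries reversed markup the way the
# thread's blob does (decodes to <div class="landing_left"></div>).
SAMPLE_PAGE = (
    '<title>S&#101;curity Analysis</title>\n'
    '<script>var s=">vid/<>\\"tfel_gnidnal\\"=ssalc vid<";</script>\n'
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PAGE).items():
        print(key, "=>", value)
```

Run it on a saved copy of the page rather than on the live site; the point is that the title reads "Security Analysis" and the literal reads as ordinary `<div>` markup only after normalisation, so any keyword- or signature-based check on such pages has to decode first and match second.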