Bot-watching 2

10 Apr 2009

minute read

Authors

Alexander Gostev

We just described what happens on Kido controlled machines when the spambot Iksmas is installed and launched. However, Kido is also downloading a fake antivirus named SpywareProtect2009. Owners of infected computers can see the effects of the SpywareProtect2009 activity.

This is what happens: the fake antivirus starts to show messages every couple of minutes about purported infections as it supposedly ‘detects’ viruses, network attacks, browser issues and so forth:

This fake AV is so annoying that there is a significant probability that innocent users will click on the offer to pay for disinfection – and thus will be defrauded of almost 50 USD. What is worse, their credit card details might also be harvested – with all sorts of nightmarish results.

In addition to launching numerous messages about infections, SpywareProtect2009 attempts to install a Trjoan-Downloader.Wind32.Fraudload.ecl onto the system. This downloader is programmed to download new versions of SpywareProtect2009. Variant .ecl is downloading these versions from alsterstor.com.

We have notified the registrar of this domain zone and the site was closed down within 20 minutes.

Authors

Alexander Gostev

Bot-watching 2

Latest Posts

Latest Webinars

Reports

While monitoring the traffic of our own corporate Wi-Fi network, we noticed suspicious activity that originated from several iOS-based phones. We created offline backups of the devices, inspected them and discovered traces of compromise.

GoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher.

Kaspersky analysis of the CloudWizard APT framework used in a campaign in the region of the Russo-Ukrainian conflict.

For more than five years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research; and they provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports.

Bot-watching 2

GReAT Ideas. Balalaika Edition

GReAT Ideas. Green Tea Edition

GReAT Ideas. Powered by SAS: malware attribution and next-gen IoT honeypots

GReAT Ideas. Powered by SAS: threat actors advance on new fronts

GReAT Ideas. Powered by SAS: threat hunting and new techniques

Zcash, or the return of malicious miners

IT threat evolution in Q1 2016

Adwind: FAQ

Agent.btz: a Source of Inspiration?

Kaspersky Security Bulletin 2013. Forecasts

What does ChatGPT know about phishing?

Nokoyawa ransomware attacks with Windows zero-day

Overview of Google Play threats sold on the dark web

The Telegram phishing market

Business on the dark web: deals and regulatory mechanisms

Latest Posts

Satacom delivers browser extension that steals cryptocurrency

In search of the Triangulation: triangle_check utility

Operation Triangulation: iOS devices targeted with previously unknown malware

Meet the GoldenJackal APT group. Don’t expect any howls

Latest Webinars

Cyberthreats to modern automotive industry

Applying ATT&CK to analyze ransomware campaigns

Ransomware trends in 2023

Cryptocurrency Threat Landscape Trends in 2023

Reports

Operation Triangulation: iOS devices targeted with previously unknown malware

Meet the GoldenJackal APT group. Don’t expect any howls

CloudWizard APT: the bad magic story goes on

APT trends report Q1 2023

Subscribe to our weekly e-mails