Sun, Jan 29, 2012 7:59 pm

Redirection to Rogue rr.nu Site

While searching for a power adapter, I found a link for the part number of the power adapter for which I was searching that redirected me to www2.smartouholder.rr.nu. That site displayed a fake virus scan (see image), which purported to be finding malware on the system from which I was searching, but was really just a ruse to lure unsuspecting users into buying rogue antivirus software, i.e., scareware. If I tried to navigate away from the site, I would receive an "Are you sure you want to navigate away from this page?" message.

[Image: scareware "Are you sure you want to navigate away from this page?" dialog]

No matter which option I selected from "OK" or "Cancel", I was left at the scareware webpage. After finally getting back to a prior Google search page, I checked the site's reputation at Norton™ Safe Web. It did not list the site www2.smartouholder.rr.nu, stating it had not been tested yet, but it did list rr.nu.

Norton Safe Web reported the following for the rr.nu site:

rr.nu

Summary
Computer Threats: 1
Identity Threats: 0
Annoyance factors: 0
Total threats on this site: 1
Community Reviews: 5

Norton Safe Web listed "Drive-By Downloads" as the threat from the site.

After I was able to navigate away from the site, I added an entry to the /Windows/system32/drivers/etc/hosts file to ensure that the system would not be able to contact the site again. I put the following two lines at the bottom of that file:

# Inserted on 2012-01-29. Site is attempting to download rogue antivirus software
127.0.0.1 www2.smartouholder.rr.nu

When a Windows system attempts to find an IP address for a website name, such as www.example.com, it will first check the hosts file to see if an IP address is listed there for the fully qualified domain name. If not, then it will perform a Domain Name System (DNS) query to obtain the IP address associated with the name. By associating the name with 127.0.0.1, which is the loopback address for the local system, you can ensure that a system on which the entry has been put in the hosts file will see the name as pointing to its own address and thus will never be able to reach the actual site.

Note: if you edit the hosts file with the Windows Notepad editor, be sure you save the file as hosts, not hosts.txt. The file may also be marked as read-only, so in order to save it you will need to remove the read-only attribute temporarily and put it back on after you have saved the file. You can do so by right-clicking on the hosts file, choosing Properties and unchecking the read-only attribute. Or you can use the following two commands from the command line to take the attribute off the file and put it back on after you've edited the file.

attrib -r C:\Windows\System32\drivers\etc\hosts
attrib +r C:\Windows\System32\drivers\etc\hosts

You will need to run the commands from an administrator account to do so. You will also need to run Notepad from an administrator account to edit the file. If you are logged in as another user, you can use the "runas" command from the command line to run Notepad or the attrib command from the administrator account.

E.g., you can use runas /user:administrator cmd to open another command prompt under the administrator account to run the attrib commands or runas /user:administrator notepad to run Notepad from the administrator account. Alternatively, for the attrib command you could use runas /user:administrator "attrib -r C:\Windows\System32\drivers\etc\hosts". If you are using a domain administrator account you would use runas /user:domainname\administrator.
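As an added example (not part of the original post), the hosts-file edit described above as a PowerShell script run from an elevated prompt: it clears and restores the read-only attribute the post mentions, skips the entry if the name is already mapped, flushes the resolver cache, and checks that the name now resolves to the loopback address. The hostname and comment text come from the post; the script itself is assumed, not something the post provides.

```powershell
# Added example (not from the original post): block a hostname by mapping it
# to 127.0.0.1 in the Windows hosts file, handling the read-only attribute
# that the post describes. Must be run from an elevated PowerShell session.
param(
    # Hostname to block; the default is the site named in the post.
    [string]$HostName = 'www2.smartouholder.rr.nu',
    [string]$Reason   = 'Site is attempting to download rogue antivirus software'
)

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsFile = Get-Item -LiteralPath $hostsPath

# Skip if a non-comment line already maps this name (hosts allows several
# names per line, so split on whitespace rather than matching the raw line).
$alreadyMapped = Get-Content -LiteralPath $hostsPath | Where-Object {
    $fields = ($_ -replace '#.*$', '').Trim() -split '\s+'
    $fields.Count -gt 1 -and ($fields[1..($fields.Count - 1)] -contains $HostName)
}
if ($alreadyMapped) {
    Write-Host "$HostName is already present in $hostsPath"
    return
}

# Same effect as "attrib -r"; restored in the finally block even if the write fails.
$wasReadOnly = $hostsFile.IsReadOnly
try {
    if ($wasReadOnly) { $hostsFile.IsReadOnly = $false }
    $stamp = Get-Date -Format 'yyyy-MM-dd'
    # Leading newline guards against a hosts file that does not end with one.
    Add-Content -LiteralPath $hostsPath -Value "`r`n# Inserted on $stamp. $Reason", "127.0.0.1 $HostName"
}
finally {
    if ($wasReadOnly) { $hostsFile.IsReadOnly = $true }   # equivalent of "attrib +r"
}

# Drop any cached answer so the new mapping takes effect immediately,
# then confirm that the resolver (which consults hosts first) returns loopback.
ipconfig /flushdns | Out-Null
$addresses = [System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.IPAddressToString }
if ($addresses -contains '127.0.0.1') {
    Write-Host "$HostName now resolves to 127.0.0.1"
} else {
    Write-Warning "$HostName resolved to $($addresses -join ', '); check the hosts entry"
}
```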

[/security/malware] permanent link

Tue, Dec 27, 2011 6:14 pm

Spybot - You are missing administrator rights

After installing Spybot Search & Destroy 1.6.2 through allmyapps, I started Spybot and attempted to perform an immunization, but saw the following error, even though I was logged into an account in the administrator group when I started Spybot.

Error

You are missing administrator rights to perform this action.
If you need to do this, please run this application elevated as an administrtor.

When I started Spybot by right-clicking on its shortcut and choosing "Run as administrator", the immunization performed successfully.

[/security/spyware/spybot] permanent link

Tue, Nov 15, 2011 10:40 pm

AV Security 2012v121.exe Rogue Antivirus Program

I removed rogue antivirus software associated with AV Security 2012v121.exe from a user's system. The AV Security 2012 "security" software was declaring other programs on the system as infected and preventing other programs from running.

[More Info]

[/security/malware] permanent link

Sun, Nov 13, 2011 10:45 am

PC Tools Alternate Operating System Scanner (AOSS) version 2.0.5

PC Tools' free Alternate Operating System Scanner allows you to boot a Microsoft Windows system with an alternate operating system on a CD. You can then scan the system for viruses from the CD, though I've found the utility of its anti-virus scanner to be very limited.

When I tried the virus scanning feature on a Dell Dimension 4550 PC that had Windows XP Home installed on the hard drive, the scanner didn't seem to be very effective, completing the scan in only 8 seconds and checking only 738 files out of the hundreds of thousands of files that existed on the Windows partition of the hard drive I scanned.

Total malware files:0
Total files:738
Scan time:8 seconds

The CD comes with a file manager that will allow you to access directories and files on your Microsoft Windows partitions on the hard drive. It also has "Disk Detonator", which will allow you to destroy partitions on the hard drive, if you wish.

You can get a shell prompt by choosing "System Shell" from the main menu, which will give you an ash shell provided via BusyBox, but the AOSS CD is lacking in standard Linux command line utilities. There is neither scp nor ftp for transferring files over the network to another system. There is neither links nor lynx, which one might use to access a web server to download or upload files. Wget and curl are also missing, as are the standard network utilities such as ifconfig and netstat.

When I checked the contents of /proc/version, I saw that AOSS uses Ubuntu GNU/Linux for the operating system.

Linux version 2.6.39.4 (www-data@steve-aoss-ubuntu) (gcc version 4.4.1 (Ubuntu 4.4.1-4ubuntu9) ) #1 SMP PREEMPT Mon Oct 31 11:26:05 EST 2011


[/security/antivirus/pctools] permanent link

Sat, Nov 12, 2011 1:49 pm

Avira AntiVir Rescue System 3.7.16

The antivirus vendor Avira offers a free rescue CD which allows you to boot a system that runs Microsoft Windows from a Linux rescue CD that contains Avira's antivirus software. The Avira AntiVir Rescue System can be used in cases where a system is so badly infected it won't boot into Microsoft Windows properly or when the system runs abysmally slowly due to malware present on the system.

The Avira AntiVir Rescue System v3.7.16 uses ISOLINUX to boot from the CD. It appears to be based on Debian GNU/Linux, judging by the contents of /proc/version.

root@RescueSystem:/# cat /proc/version
Linux version 2.6.35.1 (cgossenberger@lx-i386-gc236) (gcc version 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)) #1 SMP Thu Aug 12 13:33:53 CEST 2010

At the AntiVir Rescue System download page, you can download an ISO file from which you can burn a CD, if you already have CD burning software that can write ISO files to CDs, or you can download an exe file from the Avira download page and use it to create a bootable rescue CD containing the Avira antivirus software.

When I scanned a system with an Avira AntiVir Rescue System CD today, which I had previously scanned with 5 other rescue CDs and 3 antivirus/antispyware programs within Microsoft Windows, the Avira antivirus software still found 2 remaining infected files.

Avira / Linux Version 1.9.152.0

Statistics:
Directories...........: 15710
Archives..............: 3143
Files...............: 312237
Infected...........: 2
Renamed...........: 2
Warnings............: 3
Suspicious..........: 0
Infection.............: 2

Avira puts a .vir extension on infected files it renames. So if an infected file was named badfile.avi, when it is renamed it will be badfile.avi.vir.

When the scan completed, I saved the results of the scan in rescue-system_scan.log, which I was able to transfer to another system with scp.

You can get a shell prompt by hitting Ctrl-Alt-F2 or selecting "Miscellaneous" from the GUI interface and then selecting "Command line". You can return to the GUI interface by hitting Alt-F7.

I hit Ctrl-Alt-F2 to get a shell prompt and used scp to transfer the log file to another system.

[/security/antivirus/avira] permanent link

Fri, Nov 11, 2011 10:35 pm

AVG GNU/Linux Rescue CD

The AVG Rescue GNU/Linux (ARL) CD can be used to boot a Microsoft Windows system outside of Windows and scan it for malware. The software is free from AVG, a company that produces antivirus software for Microsoft Windows systems.

[More Info]

[/security/antivirus/avg/rescue-cd] permanent link

Wed, Sep 21, 2011 10:40 pm

F-Secure 3.11 Rescue CD Scan of Compaq SR1900NX Windows XP PC

If I need to scan someone's Microsoft Windows system for malware, I usually make a backup of the system outside of Windows, e.g., by booting the system with a Norton Ghost 2003 boot CD and backing up the system to an external USB drive. I then usually perform an initial scan of the system using a rescue CD, such as the F-Secure Rescue CD 3.11. Using a rescue CD can be especially helpful if a system won't boot into Windows or runs abysmally slowly because of a malware infection.

In this instance I used the F-Secure Rescue CD 3.11 on a Compaq Presario SR1900NX system running Windows XP to perform an initial malware scan of the system.

[More Info]

[/security/antivirus/f-secure] permanent link

Sun, May 08, 2011 10:38 pm

VIP Services Status

You can check the VIP services status on a Juniper NetScreen firewall, such as the NetScreen-5XP, through the web management interface by selecting Network > Interface > Edit > VIP/VIP Services. To the right of the "Server IP" column you will see a column labelled "Status" that displays an "OK" or "Down" status for each service. The status is obtained by pinging the server IP address, so it reflects only whether the server answers ICMP echo requests, not whether the service itself is listening.

[/security/firewalls/netscreen] permanent link

Wed, Mar 30, 2011 11:59 pm

System Defender Infection

A user reported that annoying messages kept popping up on his system every few minutes from System Defender stating his system was infected. When I checked his system, I found the rogue anti-spyware/anti-virus software named System Defender on the system. I was able to remove it with Malwarebytes' Anti-Malware, which has a free version of the software that can be used to remove spyware and viruses. The commercial version will run continually, while the free version can be used to manually scan a system.

[More Info]

[/security/malware] permanent link

Sun, Oct 03, 2010 10:37 pm

Scan of Windows XP System on 2010-10-03 with Verizon Internet Security Suite

I ran a scan of a Windows XP Service Pack 2 system with an up-to-date version of Verizon Internet Security Suite on 2010-10-03. The software, which states it is "Powered by McAfee", reported the following:

During the full scan, McAfee detected one item that requires your attention. View the scan details to fix this issue now.

Results
Items Scanned: 324912
Items Detected: 88
Items Fixed: 87
Items Remaining: 1

Potentially Unwanted Programs Adware-Url.gen

Files Affected
C:\Program Files\Free Offers from Freeze.com\afactory.url
C:\Program Files\Free Offers from Freeze.com\bingocafe.url
C:\Program Files\Free Offers from Freeze.com\gamepipe.url
C:\Program Files\Free Offers from Freeze.com\gifart.url
C:\Program Files\Free Offers from Freeze.com\graflatscreen.url
C:\Program Files\Free Offers from Freeze.com\pcpowerscan.url
C:\Program Files\Free Offers from Freeze.com\spcasino_sep.url

I chose to have Verizon Internet Security Suite quarantine the files. When I checked on what else it had found, I found it reporting it had quarantined an instance of Spy-Agent.bw!zip, which it found in a file, bill.zip, that it found at C:\Documents and Settings\Jeanne\My Documents\Email\Embedded\bill.zip, i.e., it appeared to have quarantined an attachment to an email message. There was no indication that the file had actually led to any infection of the system, just that a zip file containing the malware had been detected. The webpage for that malware contained a link to a McAfee webpage Spy-Agent.bw, which indicated McAfee first discovered that malware on August 20, 2007.

The scan also found a lot of cookies, which the antivirus program deleted, but I consider those fairly innocuous.

[/security/scans] permanent link
