Tom Mortimer
Fri, 29 Aug 2008 09:07:42 -0700
Colleagues, Following on from Simon's information, I thought that the article at http://newsletter.itpro.co.uk/c/1E3jXA3MZt1jPm5wN was an interesting illustration of the scale and nature of this problem.
Tom.
>>> "Desai, Ashish" <[EMAIL PROTECTED]> 08/28/08 3:00 PM >>>
Hi All,
To detect if your customers/employees are infected, check the HTTP user-agent string in your web logs and proxy logs for the following new tokens that this thing adds to a machine's existing user-agent string:
AntivirXP08
3P_UVRM
3P_UASE
3P_PCPC
3P_UPCPC
3P_UAMG
Example:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08)
One problem is that some AV engines clean the machine but do not remove these tokens, so you could have some false positives as to whether a machine is still infected. However, you can definitely infer that the machine was infected at some point.
Thanks
Ashish Desai
Internet Channel Security
Fidelity Investments
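The log check Ashish describes, as an added example that is not part of the original thread: a small Python scanner that reads web/proxy log lines in Apache "combined" format (an assumption; adapt the regex to your own log format), flags any request whose User-Agent carries one of the tokens listed above, and records first/last seen per client IP so an analyst can compare the last sighting against the date a machine was cleaned. The sample log lines are constructed for the example.

```python
import re
from datetime import datetime

# Tokens the fake AV appends to a machine's existing User-Agent string (from the post).
INFECTION_TOKENS = (
    "AntivirXP08",
    "3P_UVRM",
    "3P_UASE",
    "3P_PCPC",
    "3P_UPCPC",
    "3P_UAMG",
)

# Match each token as a whole word so e.g. "3P_PCPC" is not found inside another token.
TOKEN_RES = [(tok, re.compile(r"\b" + re.escape(tok) + r"\b")) for tok in INFECTION_TOKENS]

# Apache/NCSA "combined" format; the User-Agent is the final quoted field.
# Assumption: your web server or proxy writes this format.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)

# Constructed sample lines: two clients carrying tokens, one clean client, one unparsable line.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Aug/2008:14:02:11 -0400] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08)"
10.0.0.7 - - [28/Aug/2008:14:02:15 -0400] "GET /login HTTP/1.1" 200 812 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 3P_UVRM; 3P_UASE)"
10.0.0.9 - - [28/Aug/2008:14:03:01 -0400] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Firefox/3.0.1"
10.0.0.5 - - [28/Aug/2008:14:05:40 -0400] "GET /news HTTP/1.1" 200 4096 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08; 3P_UAMG)"
garbage line that does not parse
"""


def tokens_in_user_agent(ua):
    """Return the infection tokens present in a User-Agent string, in list order."""
    return tuple(tok for tok, rx in TOKEN_RES if rx.search(ua))


def parse_ts(ts):
    """Parse the combined-format timestamp, e.g. '28/Aug/2008:14:02:11 -0400'."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def scan_log(lines):
    """Scan log lines; return ({ip: {tokens, first_seen, last_seen}}, unparsed_count).

    Only clients with at least one token appear in the report. A hit means the
    machine was infected at some point; first/last seen let you check whether
    the token is still showing up after a cleanup (some AV leaves it behind).
    """
    hits = {}
    unparsed = 0
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            if line.strip():  # blank lines are not worth counting
                unparsed += 1
            continue
        found = tokens_in_user_agent(m.group("ua"))
        if not found:
            continue
        ts = parse_ts(m.group("ts"))
        entry = hits.setdefault(
            m.group("ip"), {"tokens": set(), "first_seen": ts, "last_seen": ts}
        )
        entry["tokens"].update(found)
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
    report = {
        ip: {"tokens": sorted(e["tokens"]),
             "first_seen": e["first_seen"],
             "last_seen": e["last_seen"]}
        for ip, e in hits.items()
    }
    return report, unparsed


def scan_sample():
    """Run the scanner over the constructed sample log."""
    return scan_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    report, unparsed = scan_sample()
    for ip, e in sorted(report.items()):
        print(f"{ip}: tokens={e['tokens']} first={e['first_seen']} last={e['last_seen']}")
    print(f"unparsed lines: {unparsed}")
```

Run it against a real access log by passing the file's lines to scan_log(); the per-IP last_seen is the field to compare with your remediation records, since a token that keeps appearing after cleanup is either a leftover from an AV that didn't restore the User-Agent or a machine that is still infected.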
----- Original Message-----
From: botnets- [EMAIL PROTECTED]
[mailto:botnets- [EMAIL PROTECTED] On Behalf Of Gadi Evron
Sent: Wednesday, August 27, 2008 7:54 PM
To: botnets@whitestar.linuxbox.org
Subject: [botnets] fake AV (malicious) sites
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
bestantivirus2009 com
iframe with exploits: huytegygle com/index.php <-- script
huytegygle com/bin/ file.exe
This information is from:
http://sunbeltblog.blogspot.com/2008/08/xp-antivirus-2008-now-with-sploits.html
Lots of Fake AV sites.
_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law
enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
The University of Dundee is a registered Scottish charity, No: SC015096