NEWS FROM THE LAB - Monday, November 17, 2008

VirusResponse Lab 2009 Posted by Sean @ 16:24 GMT

Last Friday, we came across a rogue application, VirusResponse Lab 2009, that used a fake 404 page as part of its social engineering attack.

Many rogue affiliate sites use scripts to generate animated "online scans" and then attempt to convince the visitor to download the rogue installer file via a pop-up dialog.

404dnswebsite .com took a different approach. Rather than producing a fake scan and prompting for a download, it instead simply hosted a fake 404 error message:

[Screenshot: FraudTool.Win32.Agent.eh, 404dnswebsite.com]

If the victim fell for the trick, they would have downloaded what we detect as FraudTool.Win32.Agent.eh.

As you can see from the screenshot above, the fraud page is not at all dynamic. Even though we opened the page with Firefox on a Linux-based system, the page displays the text "Internet Explorer".

The 404dnswebsite account is now suspended.
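The mismatch noted above, an "error page" that names Internet Explorer to a Firefox client, can be used as a detection signal on proxy or crawler data. The following Python is an added example, not code from the original post: the function names, User-Agent strings and sample HTML are constructed for illustration, and the link to an executable is an assumption about how such a page delivers its installer.

```python
import re
from html.parser import HTMLParser

# Browser names a page might print, with the User-Agent token that identifies each.
# Order matters: Chrome User-Agents also contain "Safari/".
UA_TOKENS = [("Firefox", "Firefox/"), ("Opera", "Opera"), ("Chrome", "Chrome/"),
             ("Safari", "Safari/"), ("Internet Explorer", "MSIE ")]
ERROR_HINTS = re.compile(r"\b404\b|not found|cannot display", re.I)
EXEC_LINK = re.compile(r"\.(exe|msi|scr)(\?|$)", re.I)

# Constructed sample inputs (not captured from the site described in the post).
FIREFOX_LINUX_UA = "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
IE_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
SAMPLE_PAGE = ("<html><body><h1>404 Not Found</h1>"
               "<p>Internet Explorer cannot display the webpage.</p>"
               '<a href="/placeholder/installer.exe">Click here</a></body></html>')

class _PageScan(HTMLParser):
    """Collects visible text and link targets from an HTML body."""
    def __init__(self):
        super().__init__()
        self.text, self.links = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

    def handle_data(self, data):
        self.text.append(data)

def browser_from_ua(user_agent):
    """Return the browser name the client reported, or None if unrecognised."""
    return next((name for name, tok in UA_TOKENS if tok in user_agent), None)

def fake_error_page_signals(user_agent, body):
    """Return the signals that make a served 'error page' suspicious."""
    scan = _PageScan()
    scan.feed(body)
    text = " ".join(scan.text).lower()
    signals = []
    if ERROR_HINTS.search(text):
        signals.append("error-text")
    actual = browser_from_ua(user_agent)
    named = [name for name, _ in UA_TOKENS if name.lower() in text]
    if named and actual and actual not in named:
        signals.append("browser-mismatch")  # static page names the wrong browser
    if any(EXEC_LINK.search(href) for href in scan.links):
        signals.append("executable-link")
    return signals
```

A genuine browser-generated error page never arrives as server-supplied HTML, so the browser-mismatch signal is most useful when combined with the other two rather than on its own.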