Got Your XPShield up and Running?

Don’t. Following earlier posts on three different portfolios of fake security software, and on Zlob malware variants posing as video codecs, the rogue security application XP Shield is the latest addition to the never-ending list. The following domains are participating in the campaign:


Detection rates for the two samples at the time of writing:

Scanners result: 1/32 (3.13%)
File size: 517632 bytes
MD5: 99c7271ac88edc56e1d89c9f738f889c
SHA1: 3347564017d289ffd116f70faa712e05883358f4

Scanners result: 4/32 (12.5%)
File size: 65024 bytes
MD5: ef9024963b1d08653dcc8d8b0d992998
SHA1: 436bf47403e0840d423765cf35cf9dea76d289a5

How does an end user reach these domains in the first place? From the attacker’s perspective, the user is redirected to them from a legitimate site that has already been compromised, either through SQL injection or by having a malicious iFrame embedded in its pages. That is the same practice seen in the majority of the massive iFrame, SEO poisoning and SQL injection campaigns of the last couple of months.
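The injected iFrames in these campaigns are typically hidden (zero or one pixel in size, or styled `display:none`) and point off-site to the redirector domain. The following is an added example, not code from the original post, of a small checker a site owner could run over their own pages to spot that pattern. The sample HTML and the `.invalid` hostnames are constructed for illustration; the function names are my own.

```python
"""Flag hidden, off-site iframes in a page: the injection pattern described above.

Added example, not part of the original post. SAMPLE_HTML and the *.invalid
hostnames are constructed for illustration; they are not real campaign domains.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: two legitimate visible embeds, one same-site hidden
# frame, and two injected hidden frames pointing at attacker-controlled hosts.
SAMPLE_HTML = """
<html><head><title>Company news</title></head><body>
<p>Welcome to our site.</p>
<iframe src="https://www.example.com/widgets/weather" width="300" height="200"></iframe>
<iframe src="https://video.example.net/embed/123" width="640" height="360"></iframe>
<iframe src="/tracking/pixel" width="0" height="0"></iframe>
<!-- injected after the site was compromised -->
<iframe src="http://rogue-landing.invalid/in.cgi?3" width="0" height="0" style="display: none"></iframe>
<iframe src="//second-hop.invalid/ld.php" width="1" height="1" frameborder="0"></iframe>
</body></html>
"""


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lower-cases tag and attribute names
            self.iframes.append({k: (v or "") for k, v in attrs})


def _pixels(value):
    """'0', '1px', ' 640 ' -> int; anything non-numeric -> None."""
    digits = value.strip().lower()
    if digits.endswith("px"):
        digits = digits[:-2]
    return int(digits) if digits.isdigit() else None


def hiding_reasons(attrs):
    """Return the attribute-level reasons an iframe would be invisible to the user."""
    reasons = []
    for dim in ("width", "height"):
        px = _pixels(attrs.get(dim, ""))
        if px is not None and px <= 1:  # 0x0 and 1x1 frames are the common injection sizes
            reasons.append(f"{dim}={px}")
    style = attrs.get("style", "").replace(" ", "").lower()
    for marker in ("display:none", "visibility:hidden"):
        if marker in style:
            reasons.append(marker)
    return reasons


def find_injected_iframes(html, site_host):
    """Return iframes that are both off-site and hidden, in document order.

    Relative src values (no hostname) are treated as same-site and skipped;
    visible off-site embeds (videos, widgets) are normal and also skipped.
    """
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname  # None for relative URLs; handles "//host/path" too
        if host is None or host.lower() == site_host.lower():
            continue
        reasons = hiding_reasons(attrs)
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_injected_iframes(SAMPLE_HTML, "www.example.com"):
        print(f"{f['host']:<24} {', '.join(f['reasons']):<30} {f['src']}")
```

Run against the constructed page with `www.example.com` as the site’s own host, the checker reports only the two injected frames and ignores the legitimate video embed (off-site but visible) and the same-site tracking pixel (hidden but not off-site). An off-site host that is not on an allow list of known embed providers is the signal worth alerting on; any hit is a reason to look for the SQL injection or file modification that put it there.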

Author: Dancho Danchev
