Windows 8.1 apps, validated in the store, say you have viruses!

You have heard of Windows 8 and Windows 8.1 “immersive UI” apps, otherwise known as Metro apps.

You’ve probably heard of drive-by downloads and almost certainly heard of fake virus warning pages.

Why not combine the two! It seems that at least one app in the Microsoft App store is doing just this. What a combination, I’m so happy that adverts are such a security risk.

Absolutely astonishing. If there was ever a good demonstration of why blocking adverts is a good idea, this is it.

Most of the time the advert displays a fake “your computer is infected” virus warning. Sometimes it instead claims that you need an update to Adobe Flash Player.
There is no way to fix this other than for the ad network to remove the offending advert, for Microsoft to remove the app, or for the app developer to remove the adverts or change advertising network. A user who wants to keep using the game basically can’t, unless they sit there, work out the DNS names used to fetch the adverts, and null them out using the hosts file.

The domains involved are:

lp.makedownload.link [45.55.245.61] with the URL http://lp.makedownload.link/BrowserDetector/uk.php?fid=NWRiZDhmZTU0ZjQxZGRhNzE0MzY4MDQ5NjM1Nzk5MC4yMTE=&rid=YzhhZGYxMDU3ZjE5MzZkZjE0MzY4MDQ5NjM1Nzk=&eid=MTQyLjI3MTQzNjgwNDk2MzU3OTVmM2E1ZjRjZjAxOGFmYmU=&nid=MTQzNjgwNDk2MzU3OQ==&ca=NDQzMjRhN2E3NWY5Y2YyMA==&cr=NzI4eDkw&cry=R0I=

alarm99-x586-operating-systemlog64-alert00789.critical-error2635.com [212.59.241.160] with the URL http://alarm99-x586-operating-systemlog64-alert00789.critical-error2635.com/UK5793/?error=MH34UK
There are also many similar associated domains.


[Screenshot: critical-error system message scam, MH34UK]
The page says “WARNING! Your PC may not be protected! If you see this message more than once, you need to call PC Support at <number> immediately During this free call, you will receive assistance on how o remove malicious malware from your PC.” The message contains the telephone number (0800) 808 5793 (aka 08008085793 or +448008085793).

http://www.xmediaserve.com [78.140.181.188] with the URL http://www.xmediaserve.com/apu.php?n=&zoneid=11126&cb=12093533&popunder=1&direct=1?t=20000

http://www.error32system.com [208.91.198.76] with the URL http://www.error32system.com/ie.htm
[Screenshot: error32system scam]
The page says “Microsoft Real Time Web Monitor has detected Liam.x on the system Due To Unsafe Browsing. Its strongly adviced to contact Windows Online Support to have the virus removed as it can cause a system failure. Please Call Microsoft Windows Support Helpline For Assistance.” The message contains the phone number 0-800-078-6078 (otherwise known as 08000786078 or +448000786078).

I trolled these people quite hard and had to hold back laughing several times.

They used the lmi1.com domain. The LogMeIn client name was “E-Mobilize Limited”.
The company name he gave, just before I vaguely started talking about payment, was “www.virtificsolutions.com”, and he gave me the telephone number 08081433711 (aka +448080143371 or 0808 143 3711) and the “very important” extension number of 1017.
The error32system.com domain gives away registration details:

Registrant Name: sachin khatri
Registrant Organization: thedaaru
Registrant Street: 366/2 shastri nagar meerut
Registrant City: meerut
Registrant State/Province: Uttar Pradesh
Registrant Postal Code: 250004
Registrant Country: IN
Registrant Phone: +91.8130236594
Registrant Email: sachin.khatri7@gmail.com

And the above registrant appears to also be associated with:
bakipackiindia.com [208.91.199.89] – probably just one of their customers, though
bkacs.com [208.91.199.89] – also likely to be just a web design customer of theirs
pcrepairsstore.com [208.91.199.89] – a PC repair store in London, UK! Very strange.
esoftservice.com [208.91.199.89] – another UK business, but the site is mainly a holding page.
and virtificsolutions.com [208.91.199.89]! This one is registered under a different name and address, but with the same phone number and email address. The website itself lists a London address, 28 Gloucester Street, WC1N 3AX, while showing a map of Florida. It also lists another phone number, 0-8000-314-003 (more sensibly formatted as 08000314003 or +448000314003).

Registrant Name: ONKARESHWAR PANDEY
Registrant Street: new ashok nagar
Registrant Street: delhi
Registrant City: delhi
Registrant State/Province: Delhi
Registrant Postal Code: 110096
Registrant Country: India
Registrant Phone: +91.8130236594
Registrant Email: sachin.khatri7@gmail.com

support-windows-microsoft-uk.com [166.62.28.6] with the URL http://support-windows-microsoft-uk.com/windows-kernal-error-system32/index.html
[Screenshot: support windows microsoft uk scam, windows kernal error system32]
The message reads “Possible Computer Error Detected Due to Suspicious Activity Found On Your Computer. Contact A Certified Live Technician Now:” and lists the phone number +44 (0800) 808 5109 (aka 08008085109 or +448008085109). Note the spelling error “kernal” in the URL.
The phone call is answered as easytechy, a company I’ve now come across twice while researching these scams!

Associated domains that use the same DNS infrastructure, but were not seen as directly part of the scam run today, are:

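As an added defender-side example (not from the original post), here is a small Python script that flags DNS queries for the scam-ad hostnames and the numbered critical-errorNNNN.com / pcerrorNNNN.{com,xyz} name patterns seen above, and renders the hosts-file null entries the post mentions. The DNS log line format and the sample log lines are constructed for this example.

```python
import re

# Exact scam-ad hostnames named in the post (IPs observed there omitted; names suffice here).
KNOWN_HOSTS = {
    "lp.makedownload.link",
    "alarm99-x586-operating-systemlog64-alert00789.critical-error2635.com",
    "www.xmediaserve.com",
    "www.error32system.com",
    "support-windows-microsoft-uk.com",
}

# Name patterns the post observes: numbered throwaway domains. The number varies per
# domain, so match it generically; (^|\.) anchors on a label boundary so that a name
# such as notcritical-error1.com does not match.
PATTERNS = [
    re.compile(r"(^|\.)critical-error\d+\.com$"),
    re.compile(r"(^|\.)pcerror\d+\.(com|xyz)$"),
]

def is_scam_host(host: str) -> bool:
    host = host.lower().rstrip(".")          # normalise case and a trailing FQDN dot
    return host in KNOWN_HOSTS or any(p.search(host) for p in PATTERNS)

def flag_dns_log(lines):
    """Return (client, queried name) for each matching query. Constructed log format:
    '<timestamp> <client-ip> query <qname> <qtype>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[2] != "query":
            continue                          # skip malformed or non-query lines
        client, qname = parts[1], parts[3]
        if is_scam_host(qname):
            hits.append((client, qname.lower().rstrip(".")))
    return hits

def hosts_file_entries(names):
    """Render hosts-file lines sinking each unique name to 0.0.0.0 (the null-out the post
    describes). Hosts entries match exact names only, so list each observed host."""
    return "\n".join(f"0.0.0.0 {n}" for n in sorted(set(names)))

SAMPLE_LOG = [  # constructed sample log lines
    "2015-07-13T20:01:02Z 192.168.1.23 query lp.makedownload.link. A",
    "2015-07-13T20:01:03Z 192.168.1.23 query www.bing.com. A",
    "2015-07-13T20:01:04Z 192.168.1.23 query alarm99-x586-operating-systemlog64-alert00789.critical-error2635.com. A",
    "2015-07-13T20:01:05Z 192.168.1.45 query pcerror2409.xyz. A",
    "2015-07-13T20:01:06Z 192.168.1.45 query notcritical-error1.com A",
]

if __name__ == "__main__":
    hits = flag_dns_log(SAMPLE_LOG)
    for client, name in hits:
        print(f"{client} -> {name}")
    print(hosts_file_entries(name for _, name in hits))
```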
