Sagade
As far as I can tell, the Latvian hosting company was Sagade. Good riddance!
The Department of Justice and the FBI have cracked an international scareware ring believed to have scammed over $72m (£45m). Operation Trident Tribunal seized more than 40 computers and servers and arrested two people in Latvia. 22 computers were seized in the US along with 25 machines in France, Germany, Latvia, Lithuania, …
Having just spent a day removing such a virus from a laptop, I feel that I should be allowed half an hour with the non-volatile rubber reprogramming tool and the ringleaders in a soundproofed cell.
Hats off to them in some respects; it must have taken a lot of work to get the scareware looking and working as it does.
Your comment gives the impression that the paid version of MalwareBytes Anti-Malware scans faster than the free version, which isn't true. The free version and the paid version use the same scan engine; the paid version just adds a protection module that offers real-time protection.
MalwareBytes' scan engine is unmatched on detection and removal; the real-time protection module, however, lacks too much to be considered a viable protection suite.
All of which would have been collected via credit cards ... and therefore leaving a trail. Of course, if they'd been running a gambling site or streaming football programs then they would have been caught much earlier.
But assuming they have 50% overhead, then that still leaves $36m. How do you stash that sort of loot away? Where's the money? It's harder than you'd think to stash that sort of amount away and not leave traces, so either the total amount is wrong, or there's more going on than we're told?
At $72m, the credit card fees to Visa and MasterCard alone would have been well over $2m.
Anyone know what scareware these guys produced? A friend's PC got infected with "Windows Recovery" - which worked exactly the way described in the article. It was a nightmare to remove and I was quite impressed with how real it actually looked. It even went to the trouble of hiding all files on your computer to make it look as if you really had lost everything...
Fake versions from this ring include (via FBI press release):
Virus Shield
Antivirus or VirusRemover.
We've had 3 instances of these scareware attacks in the last 2 weeks alone (none of the above) on both XP and Win7 machines: fake GUI, hides all your folders, redirects web traffic through a proxy and stops executables (such as TDSS Killers) from running. Neither McAfee nor MalwareBytes seemed to fix the issue ('FakeAlert!grb' trojan and TDSS rootkit); we eventually determined it was quicker to reformat the affected machines.
Presumably, with the FBI et al. following the money trails/traces, more of these rings should be sought over the short term?
3 instances of this a week, on a bad week, 5+
This week we've had over 80 instances for us here and almost 400 over the four companies that all work together here. We did point this out to the Reg but it's been ignored. As of this afternoon they are still coming thick and fast.
We caught one of these in progress, grabbed the .exe, uploaded it to Jotti.org, and on Monday only Sophos could see it. Tuesday evening, out of 15, only Sophos, Avira, Bitdefender and F-Secure could see it. Not tried yesterday or today.
Bullguard didn't return our call (as a reseller we get gold support), then gave us a load of rubbish about how their software can stop it because it's excellent. Erm, I called you to say it HAS infected your machines.
Alwil (Avast) called us back and asked for samples, screenshots etc.
Updating JVM and Flash won't help either, so God only knows how it's coming in.
So well done boys but please keep on it.
Seriously, the internet is broken as far as I see it. When you can all but ruin your PC just by surfing the web, then something is very badly wrong. We've had these on work machines several times now; often they are infected from just looking for legitimate-looking stuff on Google Images. If you're lucky they are easy to remove with MalwareBytes, but the one I had on my machine was really nasty, installing rootkit stuff that was only fixable with Combofix, and it's still not 100% now. These people need to be shot. I am not joking.
Previous poster noted he RAN Combofix and it still doesn't work properly. This shit can be nasty: reinstall paths through obfuscated registry entries, rootkits, etc. I'm nearly to the point of just running the wipedisk program, then the rootkit remover, and finally installing a fresh copy of the OS.