Steven Burns, a fellow researcher, posted this on his blog the other day:

“On the hunt as usual, I came across yet another rogue, again using xorg.pl etc via blackhat SEO, but using .tk domains (surprise surprise). What I did find rather humorous however, was a javascript file that was loaded.

The javascript contained a lovely little snippet, and a note for the folks over at Eset (though evidently, the bad guys got their Star Wars and Star Trek mixed up, as it was the Borg that said Resistance is futile – not anyone from Star Wars)“;

/*hello nod32 guys; the force is strong with u, young Padawans, but u won’t defeat us; any resistance is futile;*/

The file in question appears to be:

hxxp://www2.megosave2.tk/107ad6ae3feaa24b00263864f0be76edbcf43009611.js

(Do not copy into your browser!)

The guys at Sunbelt also blogged about this with a view graphics to show you some of the messages to ESET.

So what do you do if you are ESET? Well to be truthful, nothing other than blocking the URL’s in any software that ESET have for computer users. There is not a lot you can do because the minute the URL’s get taken down, new URL’s will appear. Besides, traking down .tk tld’s is not proving easy.

Have you had any rogues installed on your system via whatever means? Get free help here. Our forum topic on this lists all domains with the javascript which you find here.

Stay in touch – Twitter, Facebook.

“This update caused BitDefender to flag Windows system files and BitDefender files as the Trojan.Fakealert.5 infection. Depending on a users action settings for when a virus is found, this has led to numerous Windows system files being added to the BitDefender quarantine. When this happens, these computers are not be able to boot into Windows.”

A mammoth 67 page forum topic at the BitDefender forums shows some of the frustrations of the problem. Not long after, Bit Defender released the following:

“Today (morning PST) we had an update for 64-bit systems (available on our servers between 8 AM and 11 30 AM PST) that caused multiple Windows and BitDefender files to be quarantined. We are creating a patch that will restore all quarantined files. The patch will be available shortly. We apologize for this error and we will work to prevent this from occurring again in the future.

BitDefender trojan alert update issue: BitDefender has released an alternative solution for users that are able to boot their systems. The details are available here http://www.bitdefender.com/site/KnowledgeBase/consumer/#638 . The solution for users that are not able to boot their system will be available shortly. Thanks for your understanding.

We would like to provide you with a current update regarding the Trojan.FakeAlert.5 issue:

Today BitDefender products running on Windows 64-bit systems experienced problems caused by a faulty update. Multiple BitDefender and Windows files have been incorrectly detected as Trojan.FakeAlert.5 and have been moved to quarantine. Based on the information we have, only .exe, .dll and other binary files have been quarantined (no pictures or documents). Consequently, on some systems BitDefender did not run anymore, applications did not work and/or Windows did not start on those systems.”

You can read that press release in full here – Trojan.FakeAlert.5 Update issue.

If you have been affected by this and require advice on how to resolve it, we offer free support on a range of problems. Visit our support forums and navigate to the correct subforum.

Have an opinion on this story? Share it here.

• Yahoo site flaw uncovered
• Rogue antivirus: a growing problem
• Malware writers feeding on Twilight mania
• Police make “trojan” virus arrests
• MS discovers flaw in Google plug-in for IE
• Dumb code could stop computer viruses in their tracksDumb code could stop computer viruses in their tracks

There are more articles located within the NewsBot Centre. Plus there is also an chance to have your blog feed included. Details about it can be found here.

• Softpedia’s exclusive interview with Malwarebytes: Malwarebytes Accuses, IObit Plays Dead
• Rogue Anti-Spyware Targets Sesame Street’s Big Bird
• New Koobface Component Imitates Facebook User
• Firefox flaws make up 44% of all browser bugs?
• Windows 7 Team: How we really designed the look and feel of Windows 7
• Pushdo/Cutwail Spambot – A Little Known BIG Problem
• New Declaration by IObit about MBAM’s database;Iobit apologizes
• Keylogger Software Company Not Liable for Eavesdropping by Ex-spouse — Hayes v. SpectorSoft

There are more articles located within the NewsBot Centre. Plus there is also an chance to have your blog feed included. Details about it can be found here.

All articles in the NewsBot Centre are imported from blog and site feeds from the world of security and technology. This weeks articles are:

• Fugitive gives the game away with Facebook updates
• Twitter launches tool for nailing spammers (Follow @Securitycadets)
• MJ’s New Song Leaked Triggers Spam Attacks
• Trojan Turns Smash & Grab Into Grab & Smash
• With botnets everywhere, DDoS attacks get cheaper – $30 only
• Bad anti-malware affiliates caught by MVP S!ri Urz

There are more articles located within the NewsBot Centre. There is an oppertunity to put your blog feed forward and have a chance to be added to our NewsBot service. Details about it can be found here.

• Dell to acquire Perot for $3.9bn
• Google Confirms That Keyword Metatags Don’t Matter
• Razer downloads distributing malware
• Fake anti-virus attack on Twitter
• Microsoft: Google Chrome Frame makes IE less secure

There are more articles located within the NewsBot Centre. There is an oppertunity to put your blog feed forward and have a chance to be added to our NewsBot service. Details about it can be found here.

• ISPs asked to cut off malware-infected PCs
• ‘Ice explorer’ ready for launch
• Microsoft’s Bing.com goes visual
• ClamWin Free AV released a build with Ask Toolbar
• Zbot evades most anti-virus programs
• Fake AV – why I want your FTP credentials

There are more articles located within the NewsBot Centre. There is an oppertunity to put your blog feed forward and have a chance to be added to our NewsBot service. Details about it can be found here.

• T-Mobile and Orange in UK merger
• Flight site hacker ‘identified’
• Future Firefox to Nag Users on Insecure Plug-ins
• Jobs returns to Apple limelight
• Windows 7 Security Bug Emerges at Worst Time for Microsoft
• FakeAV for 9/11
• Sears forced to destroy spyware-gathered information

There are more articles located within the NewsBot Centre. There is an oppertunity to put your blog feed forward and have a chance to be added to our NewsBot service. Details about it can be found here.

• eBay ‘reaches deal to sell Skype’
• The Conficker worm makes a comeback
• Reboot for UK’s ‘oldest’ computer
• Rogue AV Goes Green
• Fake Flash For Firefox
• WordPress blogs falling prey to worm

There are more articles located within the NewsBot Centre. There is an oppertunity to put your blog feed forward and have a chance to be added to our NewsBot service. Details about it can be found here.

Also, on a side point away from our weekly round-up, our application (formally codename ProjectX) SCars, is in full swing and several components are finished. There is no predicted release date, but we will hopefully provide a run down of what we’re actually programming soon. We are after a few graphic designers to help us with graphics on the application. Please contact me, AndyAtHull, via my forum account for details. Let us crack on.

All articles in the NewsBot Centre are imported from blog and site feeds from the world of security and technology. This weeks top articles are:

• Nokia announces netbook offering
• Malware Writers: Will That Be OS X, or W?
• Internet cut-off threat for illegal downloaders
• Hackers prefer to use Firefox and Opera
• Black man becomes white in Microsoft advert gaffe
• Google: Malware Statistics Update
• Apple confirms malware protection in Snow Leopard
• New ‘rogueware’ variants spotted: SaveKeep, SaveSoldier and TrustNinja
• FBI fears free laptops could be malware scam
• Back with a vengence: Fresh MS06-028 malicious PowerPoint documents

There are more articles located within the NewsBot Centre. There is an oppertunity to put your blog feed forward and have a chance to be added to our NewsBot service. Details about it can be found here.

• Digital Spy fights second malware attack
• UAE Blackberry update was spyware
• How to Check if Installer is bundled with Ask toolbar or Ask/IAC?
• Twitter, Facebook urged to improve security
• Comodo continues to ignore Malware warnings
• Fake Avira website using Comodo certificate
• Rogue anti-spyware on Twitter
• Malware SPAM: UPSNR_881762102.zip and ecard.zip

There are more articles located within the NewsBot Centre. You can also add your feed to our NewsBot should you wish, details about it can be found here.

• Bing is live!
• Microsoft unveils new controller
• Malware SPAM: 123greetings.com card – bizzi11.zip
• Malware SPAM: Outlook Setup Notification – micr__outlook_update_6556.zip inside Outlook Setup Notification.zip
• Twitter hit with rogue anti-virus scam (Follow @Securitycadets)
• Windows 7 release date announced
• FTC Sues, Shuts Down N. Calif. Web Hosting Firm
• Google Chrome Out for Mac and Linux – Just Don’t Download It

There are more articles located within the NewsBot Centre. You can also add your feed to our NewsBot should you wish, details about it can be found here.

• Ask brings back butler Jeeves
• Stopbadware delists CyberDefender as badware (Read our take on this)
• BBC iPlayer goes high definition
• PCWith.org software bundles their program with Rogue software PC MightyMax 2009
• Zango in transition to Blinkx
• Net security, Windows 7 and Conficker under scrutiny
• Microsoft, HSBC, Sony, Coca-Cola(…) New Zealand hacked
• Yahoo pulls the plug on GeoCities
• ShuURL: A Safe URL Redirection using Web of Trust
• Malware SPAM: WorldPay CARD transaction Confirmation – WorldPay_NR9712.zip
• Windows 7 Release Candidate

There are more articles located within the NewsBot Centre. You can also add your feed to our NewsBot should you wish, details about it can be found here.

… Well, they all imitate legit removal tools for malware. And probably created to gain financial advantages from the traffic the original tools get.

This time they have released another version called ComboFixTool which imitates the legit tool ComboFix.

Make no bone about it. SmitFraudFixTool, VundoFixTool and now ComboFixTool are the fake applications here. Not SmitFraudFix, VundoFix or ComboFix.

What is funny at the time of me writing this is that the offending domain has not been updated. Nor has it’s download. Example below:

(Click to Enlarge)

Another twist on this story are the comments we’ve been getting from the last product this gang released. A victim has claimed to even get a refund on the amount of money they had spent before realising it’s practices from our articles. They’re also receiving help in our support forums.

A discussion has started about ComboFixTool over at BleepingComputer.com. And it’s safe to say that exploiting ComboFix is a dangerous prospect. You should never use the legit tool without supervision due to the nature of it. So when this fake application comes along, the impression it has could well affect this area of ComboFix and possibly push users into confusion.

We have procedures to help you with this kind of problem. Our forums have experts in place to assist you and will provide step-by-step help freely in removing it:

• Malware Removal Assistance with an Expert

Update (29/03/2009 – 17:41 PM – BST) – Offending URL’s are combofixtool.org and combofixtool.com. Both sites still not updated with graphics and download.

Update (31/03/2009 – 20:40 PM – BST ) – Both offending URL’s are now down – Result

Selective Linkbacks;

• Dell Forums – ComboFixTool – What’s that all about?
• Forum Linkback- ComboFixTool – What’s that all about?

All articles in the NewsBot Centre are imported from blog and site feed from the world of security and technology:

• WinPatrol 2009 (V16.0.2009) is here! (or Introducing WinPatrol 2009)
• Massive Profits Fueling Rogue Antivirus Market
• Twitter growth explodes in a year (Follow us on Twitter @Securitycadets)
• Passwords of Comcast Customers Exposed
• StopBadware and Consumer Reports launch BadwareBusters.org
• Symantec decides to disable Ask.com Search (Aka Safe Search) by default
• Quite a long thoughts by Symantec customer regarding Ask.com in Norton installers
• Google’s pictures of UK go live
• Microsoft launches latest browser
• Researcher cracks Mac in 10 seconds at PWN2OWN, wins $5k
• FTC urged to investigate security of Google services
• Antivirus2009 Holds Victim’s Documents for Ransom
• IE8 issues if immunization by Spybot-S&D is enabled
• Rogue Antivirus Distribution Network Dismantled
• Ad-Aware SE Updates Discontinued

We hope you have a great remaining Sunday wherever you are. There are more articles from the last eight days or so. Just visit the NewsBot Centre for more.

You can add your feed to our NewsBot should you wish, details about it can be found here.