TTH Labs: Not all Rogue anti-Virus software is created equal
by Steve Ragan - Sep 24 2009, 21:00
The following report from The Tech Herald Labs encompasses research performed on September 23, 2009. What we discovered is that some Rogue anti-Virus scams are easy to spot. At the same time, other suspect anti-Virus programs, while not completely malicious, are scams all the same. We’ve broken down some of the basics, with a goal of offering some insight into the topic.
Rogue anti-Virus (Rogue AV), or Rogueware as it is sometimes called, is all the rage for criminals these days. It is used to spread Malware, and if the fake software is registered, then the user (victim) is subjected to monetary theft, or in a worst-case example, ID Theft.
This is because the criminals will keep the money paid to register the fake software, as well as harvest all information collected during the registration process and later sell it. Adding insult to injury is the fact that in most cases the criminals are paid per installation of the Rogue anti-Virus via various affiliate programs.
However, other software packages marketing themselves as anti-Virus, while not completely harmful, offer very little protection, and will only work once you register them. The scam here is to offer a false sense of security while taking your money. Also, there is no guarantee that the information provided during registration is stored securely. Not to mention, there is no guarantee that said information isn’t going to be sold to other third parties.
The method used to install the Rogue AV is different for each case. Sometimes, the browser will disappear, only to be replaced with a pop-up warning that your system is infected. Other times, a webpage will display vivid warnings, and what looks like an active Virus scan, mirroring the default theme used on Windows XP. Moreover, in some cases, there is no warning; the Rogue AV will simply appear on your computer.
Below are some examples of what Rogue anti-Virus looks like.
Once your system is infected, you’ll notice almost immediately. There will be random warnings that pop-up from the taskbar, your desktop might be altered, and your browser settings as well. You may even find yourself without access to the Task Manager, or without the ability to install legitimate security related software.
Removing Rogue AV isn’t easy. However, several tools can help clean your system. The most obvious of these tools are actual, honest to goodness, anti-Malware security suites. McAfee, Symantec, Kaspersky, Panda, BitDefender, Avast, F-Secure, Sophos, and Trend Micro, are just some of the larger and known security vendors. However, there will be times that those vendors will not catch or remove Rogue AV. When that happens, things can get tricky.
The first thing you will need to know is that some Rogue AV applications block access to legitimate security-related sites and tools. So it is handy to have the EXE files already downloaded to a USB drive, or to have them installed on your system alongside the other security suites.
Some recommendations for added security software include Malwarebytes Anti-Malware, SUPERAntiSpyware, HijackThis, or Spybot Search & Destroy. Each of those applications rarely has issues running at the same time as the popular security suites, and can remove Rogue AV installations completely more often than not.
SUPERAntiSpyware also has an online scanner, as do some of the other vendors like Kaspersky, Trend Micro, and BitDefender. So if you can access an online scanner, it might help with cleanup. Now, no matter what option you pick or software, cleaning up after a Rogue AV infection is time consuming.
[Note: If you find that you cannot launch the installer of a security application, try renaming it to something obscure; sometimes this helps. Moreover, when attempting to remove Rogue AV, always remove it in safe mode.]
Rogue AV is popular with criminals, as mentioned, because of the money that can be made. Some criminals are tied to affiliate programs that will pay them for each Rogue AV installation. Moreover, they can be paid for other Malware installed on the system, which the Rogue AV makes possible. The double dip in the payment pool isn’t the only way to make money slinging malicious anti-Virus software. There is also the money made when the Rogue AV is registered, and the money that could be made by selling the personal information submitted in the registration process.
The criminals running Rogue AV related sites go out of their way to make the site appear helpful, while tossing a bit of fear into the mix. They include logos and other symbols of status, such as fake BBB (Better Business Bureau) images, awards from various publications such as PC Magazine, and countless customer testimonials.
The fear comes from the "helpful" warning that your computer is infected. Scripts on the site will use geo-location to report your IP address and city, and run "scans" on the system that show an ever-growing number of risks and infections. They are counting on this mix of helpful information and fear to entice one or two people out of every ten to download and install the application.
Depending on what else the Rogue AV installs on the system, if just one percent of the people who see the page fall for the scam, it could amount to tens of thousands of dollars a month.
Up to this point we have covered the basics of the straight malicious Rogue AV software. However, as we discovered while doing research in The Tech Herald’s lab, there is more to these scams than simple Malware distribution and extortion. Some fake anti-Virus software is annoying and a complete rip-off if purchased, but not all that malicious. For these applications, we’ll use the generic name Scamware.
We found one example of a Scamware site while researching its malicious cousin Rogue anti-Virus. It started with a visit to antivirus-live.com, which stood out to us as fake the second we saw it. Like a cat, curiosity got the best of us, so we poked around on the site for a bit.
One of the things we noticed is that the site has gone out of its way to appear legit. There are pages that offer comparisons to AVG and Avast, each with a link to purchase if the person viewing the page desires. There are the standard testimonials and award logos as well.
In addition to the comparison to AVG and Avast, plus all of the other hype, we noticed that the site has a valid McAfee Secure image in the upper right side of the page. According to McAfee, “McAfee Secure web sites are certified as providing the highest level of protection for their shoppers.”
Testing the McAfee Secure notice, we discovered that it wasn’t for the site we were currently on (antivirus-live.com), it was for a completely different site. The site that McAfee Secure covers is anti-virus-professional.com, which is an exact mirror of the other site, down to the AVG and Avast comparison.
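One way to automate the seal check described above, as an added example that is not part of the article: parse the page, find links that point at a seal verifier, and compare the hostname the seal vouches for against the hostname the page is actually served from. The verifier hostname `seal-verifier.example` and the `host` query parameter are assumed formats for illustration, not any real seal provider's URL scheme.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample page for antivirus-live.com. The seal link's `host`
# query parameter is an assumed format, not any real seal provider's scheme.
SAMPLE_PAGE = """<html><body>
<a href="https://seal-verifier.example/verify?host=anti-virus-professional.com">
  <img src="/img/secure-seal.png" alt="Site Secure"></a>
<a href="/compare-avg.html">Compare to AVG</a>
</body></html>"""

SEAL_HOSTS = {"seal-verifier.example"}  # assumed verifier hostname(s)


def normalize_host(host):
    """Lower-case a hostname and drop a leading 'www.'."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


class SealLinkCollector(HTMLParser):
    """Collect hrefs of anchors that point at a known seal verifier."""

    def __init__(self):
        super().__init__()
        self.seal_links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") or ""
        if tag == "a" and normalize_host(urlparse(href).hostname) in SEAL_HOSTS:
            self.seal_links.append(href)


def find_seal_mismatches(page_html, page_host):
    """Return (seal_link, certified_host) pairs where the hostname the seal
    vouches for differs from the hostname the page is actually served from."""
    collector = SealLinkCollector()
    collector.feed(page_html)
    mismatches = []
    for link in collector.seal_links:
        certified = parse_qs(urlparse(link).query).get("host", [""])[0]
        if normalize_host(certified) != normalize_host(page_host):
            mismatches.append((link, certified))
    return mismatches


if __name__ == "__main__":
    for link, host in find_seal_mismatches(SAMPLE_PAGE, "www.antivirus-live.com"):
        print(f"seal vouches for {host}, not this site: {link}")
```

A seal that vouches for a different hostname is exactly the signal the article describes: the badge is real, but it was issued to a different site.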
If ever we needed proof that something was fishy, this was it. However, we wanted more, so we downloaded the install file for Anti-Virus Professional 2009. Once downloaded, we scanned it with Norton Internet Security 2010, which is currently in the lab for testing.
Norton said the install file was clean, so we uploaded it to VirusTotal and ran a ThreatExpert test. In both cases, the file was tagged as malicious. It is a good indicator that Anti-Virus Pro 2009 might be an unwanted program when 14 vendors on VirusTotal had a signature to detect and remove the installation file. On ThreatExpert, Sophos lists the unpacked EXE file as a Trojan.
So far, things do not look good for this site or the software being offered. Still, despite the warnings from VirusTotal and ThreatExpert, we installed it anyway. Once installed, we needed to update the software, and start a scan.
As you can see in the images above, it detected 67 threats. Yet, before those threats (mostly cookies) can be removed, you will need to register the software. In this case, because the Scamware is celebrating its seventh anniversary, the cost is only $27. After we uninstalled Anti-Virus Pro 2009, we ran Malwarebytes Anti-Malware to see what was left behind. It discovered a few files and folders and removed them.
So who is the company or person behind anti-virus-professional.com and antivirus-live.com?
Starting with anti-virus-professional.com [research details], we discovered that the A-Record IP address (184.108.40.206/19) belongs to a server on Rackspace's network. The DNS is pointing to NS11 and NS12.domaincontrol.com, and the personal information for the domain is registered to domainsbyproxy.com. For those who are not familiar, this is a GoDaddy privacy service: it prevents public searches for ownership information on a domain. In addition, the domaincontrol.com DNS is also a GoDaddy feature.
Checking into the IP address block, we discovered adware-professional.com, which looks the same as anti-virus-professional.com, but pitches Adware Professional 2009. Moreover, we discovered malwareprofessional.com, anti-malware-2010.com, and several work from home scams within this IP block.
The A-Record IP address on antivirus-live.com (220.127.116.11/17) again points to Rackspace [research details]. Likewise, the registration information is hidden thanks to domainsbyproxy.com, and the site is using GoDaddy’s domaincontrol.com (NS09 and NS10).
Digging deeper into the IP address block, we found a few car dealers, and nothing else. Most of the sites were "under construction" or showing the default server test page.
While we observed and collected a good deal of extra information, at this point we were nowhere near locating the owners of the two domains. Still, from the look and feel of some of the other sites, it is clear that whoever owns anti-virus-professional.com and antivirus-live.com has quite a few other domains under their belt.
Looking back, we noticed that the installation file for the Scamware was signed by Marketflip Technologies LLC. Since both the Scamware sites used the TM designation next to the phrase, “1-Click Fix Technology”, we searched the United States Patent and Trademark Office. While we didn’t find a Trademark for “1-Click Fix Technology”, we did discover seven other Trademarks held by Marketflip Technologies LLC. Marketflip has a listed address of 1500 Harbor Boulevard Weehawken, NJ, 07086, but virtually no presence online.
We did discover discussions online about the company's trustworthiness. We also found some complaints about their software, including Registry Fix, which is one of their listed trademarks, and NoAdware, another listed trademark. At this point we asked Sean-Paul, a researcher at Panda Labs, about Marketflip and the Scamware program. After looking at it, he explained that it wasn't malicious, but it is charging you to remove cookies.
In short, the software is a scam, and a great waste of money, considering that when tested, it discovered exactly the same things various free offerings will find. Another thing that comes off as odd is what you notice when you attempt to register Anti-Virus Pro 2009.
The registration process is handled by clickbank.net, and the transactions are secured by SSL certificates registered through VeriSign, to Click Sales. A quick search turned up dozens of complaints about the service, each related to non-delivery of goods or overcharges. There were some cases where not only were goods not delivered, but charges kept recurring.
Click Bank, however, could really only be partially blamed for the fraud. They are a processing agent and affiliate marketing network, so the sites that use them are the ones ripping people off. However, it looks as if Click Bank only monitors registered affiliates and sellers when they feel like it. Since little is done to kick the scams off their network, some of the blame related to fraud should be shouldered by them.
The sites that use Click Bank all have a common tie. Each of them is related to Scamware, get-rich-quick schemes, or selling some sort of turnkey business. Oddly enough, while working on this article, an email came in to our security address offering the ability to "possibly make $3500+ per month" taking surveys. The link to access "the most important website you will ever stumble upon" is a clickbank.net affiliate link.
So fake security software can be malicious or it can be an outright scam. In some cases, it’s both. The best protection is a layered defense of full featured security software from any one of the major vendors, such as McAfee, Symantec, Kaspersky, Panda, BitDefender, Avast, F-Secure, Sophos, and Trend Micro. On top of that, a second layer of protection can come from Malwarebytes Anti-Malware, SUPERAntiSpyware, HijackThis, or Spybot Search & Destroy.
Lastly, the third layer of protection is to ensure that all of the programs on your computer are updated to the latest versions. This includes the operating system software, and especially the security software, because criminals will use vulnerabilities in out-of-date software to deliver any number of malicious payloads, often without you even noticing until it's too late.