TTH Labs: Not all Rogue anti-Virus software is created equal

The following report from The Tech Herald Labs encompasses research performed on September 23, 2009. What we discovered is that some Rogue anti-Virus scams are easy to spot. At the same time, other suspect anti-Virus programs, while not completely malicious, are scams all the same. We’ve broken down some of the basics, with a goal of offering some insight into the topic.

Rogue anti-Virus (Rogue AV), or Rogueware as it is sometimes called, is all the rage for criminals these days. It is used to spread Malware, and if the fake software is registered, then the user (victim) is subjected to monetary theft, or in a worst-case example, ID Theft.

This is because the criminals will keep the money paid to register the fake software, as well as harvest all information collected during the registration process and later sell it. Adding insult to injury is the fact that in most cases the criminals are paid per installation of the Rogue anti-Virus via various affiliate programs.

However, other software packages marketing themselves as anti-Virus, while not completely harmful, offer very little protection, and will only work once you register them. The scam here is to offer a false sense of security while taking your money. Also, there is no guarantee that the information provided during registration is stored securely. Not to mention, there is no guarantee that said information isn’t going to be sold to other third parties.

The method used to install the Rogue AV is different for each case. Sometimes, the browser will disappear, only to be replaced with a pop-up warning that your system is infected. Other times, a webpage will display vivid warnings, and what looks like an active Virus scan, mirroring the default theme used on Windows XP. Moreover, in some cases, there is no warning; the Rogue AV will simply appear on your computer.

Below are some examples of what Rogue anti-Virus looks like.

Once your system is infected, you’ll notice almost immediately. Random warnings will pop up from the taskbar, and your desktop and browser settings may be altered. You may even find yourself without access to the Task Manager, or without the ability to install legitimate security related software.

Removing Rogue AV isn’t easy. However, several tools can help clean your system. The most obvious of these tools are actual, honest to goodness, anti-Malware security suites. McAfee, Symantec, Kaspersky, Panda, BitDefender, Avast, F-Secure, Sophos, and Trend Micro, are just some of the larger and known security vendors. However, there will be times that those vendors will not catch or remove Rogue AV. When that happens, things can get tricky.

The first thing you will need to know is that some of the Rogue AV applications block access to legit security related sites and tools. So it is handy to have the EXE files already downloaded to a USB drive, or to have them installed on your system alongside the other security suites.
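One common way Rogue AV blocks security sites is by rewriting the hosts file so vendor domains resolve to loopback or to an attacker-controlled address. The following check is an added example, not code from the original article; the vendor list reuses the names mentioned in this article, the hosts-file content is constructed for the demonstration, and the hosts-file technique itself is assumed here rather than reported by the article.

```python
"""Flag hosts-file entries that hijack security-vendor domains.

Added example (not from the original article). Assumes the Rogue AV blocks
security sites by rewriting the hosts file. SAMPLE_HOSTS is constructed.
"""
import ipaddress

# Vendor and tool domains named in the article; any hosts entry for them is suspicious.
SECURITY_DOMAINS = {
    "mcafee.com", "symantec.com", "kaspersky.com", "pandasecurity.com",
    "bitdefender.com", "avast.com", "f-secure.com", "sophos.com",
    "trendmicro.com", "malwarebytes.org", "superantispyware.com",
    "safer-networking.org", "virustotal.com",
}

# Constructed sample: default localhost line, three hijacked vendor hosts, one harmless intranet entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org malwarebytes.org
127.0.0.1       www.kaspersky.com
10.45.12.9      www.virustotal.com   # redirected to a foreign host, not merely blocked
192.168.1.50    intranet.example.local
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, dropping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def _base_domain(host):
    """Last two labels of a hostname; adequate for the vendor list above."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_hijacks(text):
    """Return [(hostname, ip, kind)] for security domains present in the hosts file.

    kind is 'blocked' when the target is loopback/unspecified (site simply fails),
    'redirected' when it points somewhere else (possible fake download server).
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost" or _base_domain(name) not in SECURITY_DOMAINS:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address; skip rather than guess
        kind = "blocked" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        findings.append((name, ip, kind))
    return findings


if __name__ == "__main__":
    for name, ip, kind in find_hijacks(SAMPLE_HOSTS):
        print(f"{kind:10} {name} -> {ip}")
```

On a real machine, read `C:\Windows\System32\drivers\etc\hosts` (or `/etc/hosts`) into `find_hijacks`; a "redirected" finding matters more than a "blocked" one, because a download from that address may be the Rogue AV’s own payload.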
 
Some recommendations for added security software include Malwarebytes Anti-Malware, SUPERAntiSpyware, HijackThis, or Spybot Search & Destroy. Each of those four applications rarely has issues running at the same time as the popular security suites, and can remove Rogue AV installations completely more often than not.

SUPERAntiSpyware also has an online scanner, as do some of the other vendors like Kaspersky, Trend Micro, and BitDefender. So if you can access an online scanner, it might help with cleanup. Now, no matter what option you pick or software, cleaning up after a Rogue AV infection is time consuming.

[Note: If you find that you cannot launch the installation on a security application, try to rename it to something obscure, sometimes this helps. Moreover, when attempting to remove Rogue AV, always remove it in safe mode.]

Rogue AV is popular with criminals, as mentioned, because of the money that can be made. Some criminals are tied to affiliate programs that will pay them for each Rogue AV installation. Moreover, they can be paid for other Malware installed on the system, which the Rogue AV makes possible. The double dip in the payment pool isn’t the only way to make money slinging malicious anti-Virus software. There is also the money made when the Rogue AV is registered, and the money that could be made by selling the personal information submitted in the registration process.

The criminals running Rogue AV related sites go out of their way to make the site appear helpful, while tossing a bit of fear into the mix. They include logos and other symbols of status, such as fake BBB (Better Business Bureau) images, awards from various publications such as PC Magazine, and countless customer testimonials.

The fear you get extends from the helpful warning that your computer is infected. Scripts on the site will use geo-location to report your IP address and city, and run “scans” on the system that show an ever growing number of risks and infections. They are counting on this mix of helpful information and fear to entice one or two people out of every ten to download and install the application.

Depending on what else the Rogue AV installs on the system, if just one-percent of the people who see the page fall for the scam, it could amount to tens of thousands of dollars a month.

Up to this point we have covered the basics of the straight malicious Rogue AV software. However, as we discovered while doing research in The Tech Herald’s lab, there is more to these scams than simple Malware distribution and extortion. Some fake anti-Virus software is annoying and a complete rip-off if purchased, but not all that malicious. For these applications, we’ll use the generic name Scamware.

We found one example of a Scamware site while researching its malicious cousin Rogue anti-Virus. It started with a visit to antivirus-live.com, which stood out to us as fake the second we saw it. Like a cat, curiosity got the best of us, so we poked around on the site for a bit.

One of the things we noticed is that the site has gone out of its way to appear legit. There are pages that offer comparisons to AVG and Avast, each with a link to purchase if the person viewing the page desires. There are the standard testimonials and award logos as well.

In addition to the comparison to AVG and Avast, plus all of the other hype, we noticed that the site has a valid McAfee Secure image in the upper right side of the page. According to McAfee, “McAfee Secure web sites are certified as providing the highest level of protection for their shoppers.”

Testing the McAfee Secure notice, we discovered that it wasn’t for the site we were currently on (antivirus-live.com), it was for a completely different site. The site that McAfee Secure covers is anti-virus-professional.com, which is an exact mirror of the other site, down to the AVG and Avast comparison.
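A trust seal only vouches for the host named in its verification link, so the check is to compare that host against the page you are actually on. The code below is an added example and not part of the original article: it assumes the seal is an anchor wrapping an image and that the certified host is carried in a `ref` query parameter of the verification URL (the parameter name and verifier hostnames are assumptions, not taken from McAfee documentation), and the HTML is constructed to reproduce the mismatch described above.

```python
"""Check whether a third-party trust seal certifies the page it appears on.

Added example (not from the original article). Assumptions: the seal is an
<a> around an <img>; the verification URL names the certified host in a 'ref'
query parameter; SEAL_HOSTS lists the verifier hostnames. SAMPLE_HTML is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

SEAL_HOSTS = {"www.mcafeesecure.com", "www.scanalert.com"}  # assumed verifier hosts

SAMPLE_PAGE_URL = "http://antivirus-live.com/"
SAMPLE_HTML = """
<html><body>
<a href="http://www.mcafeesecure.com/RatingVerify?ref=anti-virus-professional.com">
  <img src="https://images.scanalert.com/meter/anti-virus-professional.com/13.gif" alt="McAfee Secure">
</a>
<a href="/buy"><img src="/img/bbb.png" alt="BBB"></a>
</body></html>
"""


class SealLinkExtractor(HTMLParser):
    """Collect hrefs of anchors that point at a known seal verifier."""

    def __init__(self):
        super().__init__()
        self.seal_links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href")
        if href and urlparse(href).netloc.lower() in SEAL_HOSTS:
            self.seal_links.append(href)


def _registrable(host):
    """Collapse www.example.com / example.com to example.com for comparison."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def certified_domain(seal_href, param="ref"):
    """Return the domain the seal claims to certify, or None if the link names none."""
    values = parse_qs(urlparse(seal_href).query).get(param)
    return _registrable(values[0]) if values else None


def check_seals(page_url, html):
    """Return [(seal_href, certified_domain, matches_page)] for every seal link found."""
    page_domain = _registrable(urlparse(page_url).netloc)
    parser = SealLinkExtractor()
    parser.feed(html)
    return [(href, certified_domain(href), certified_domain(href) == page_domain)
            for href in parser.seal_links]


if __name__ == "__main__":
    for href, cert, ok in check_seals(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("OK      " if ok else "MISMATCH", cert, "<-", href)
```

A seal whose link names no host at all, or one that is a bare image with no verification link, deserves the same suspicion as a mismatch: the image proves nothing on its own.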

If ever we needed proof that something was fishy, this was it. However, we wanted more, so we downloaded the install file for Anti-Virus Professional 2009. Once downloaded, we scanned it with Norton Internet Security 2010, which is currently in the lab for testing.

Norton said the install file was clean, so we uploaded it to VirusTotal and ran a ThreatExpert test. In both cases, the file was tagged as malicious. It is a good indicator that Anti-Virus Pro 2009 might be an unwanted program when 14 vendors on VirusTotal had a signature to detect and remove the installation file. On ThreatExpert, Sophos has listed the unpacked EXE file as a Trojan.
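When one product says clean and a dozen others disagree, the useful step is to read the detection names, not just count them: "not-a-virus", PUA and Adware labels point at an unwanted program, while Trojan-style labels point at outright malware. The triage below is an added example, not from the original article. The report follows the shape of VirusTotal’s public API v3 response (`data.attributes.last_analysis_results`, one entry per engine with `category` and `result`), but the engine names, labels and installer bytes are constructed for the demonstration and are not the real 2009 results.

```python
"""Triage a multi-engine scan report for an installer.

Added example (not from the original article). Report shape follows the
VirusTotal API v3 'last_analysis_results' layout; SAMPLE_REPORT and
SAMPLE_INSTALLER are constructed, not real scan data.
"""
import hashlib
import json
import re

# Detection-name fragments that vendors use for unwanted-but-not-malware verdicts.
PUA_PATTERN = re.compile(r"(not-a-virus|PUA|PUP|Adware|Riskware|Unwanted)", re.I)

# Constructed stand-in for the downloaded installer (MZ header plus filler).
SAMPLE_INSTALLER = b"MZ\x90\x00" + b"\x00" * 60 + b"constructed-installer-body"

# Constructed report: 6 of 9 engines flag the file, mixing PUA-style and trojan-style labels.
SAMPLE_REPORT = json.dumps({
    "data": {"attributes": {"last_analysis_results": {
        "EngineA": {"category": "undetected", "result": None},
        "EngineB": {"category": "malicious", "result": "Trojan.Generic.1234"},
        "EngineC": {"category": "malicious", "result": "not-a-virus:Downloader.Win32.FakeAV"},
        "EngineD": {"category": "malicious", "result": "PUA.Rogue.AntiVirusPro"},
        "EngineE": {"category": "undetected", "result": None},
        "EngineF": {"category": "suspicious", "result": "Heur.Suspicious"},
        "EngineG": {"category": "malicious", "result": "Adware/FakeAlert"},
        "EngineH": {"category": "type-unsupported", "result": None},
        "EngineI": {"category": "malicious", "result": "Mal/FakeAV-AB"},
    }}}
})


def file_sha256(data):
    """Hash used to look the sample up without re-uploading it."""
    return hashlib.sha256(data).hexdigest()


def summarize(report_json, flag_threshold=3):
    """Split detections into PUA-style and malware-style labels and derive a verdict.

    flag_threshold is the number of agreeing engines below which a result is
    treated as inconclusive (single-engine hits are often false positives).
    """
    results = json.loads(report_json)["data"]["attributes"]["last_analysis_results"]
    pua, malware = [], []
    for engine, r in results.items():
        if r.get("category") not in ("malicious", "suspicious"):
            continue
        label = r.get("result") or ""
        (pua if PUA_PATTERN.search(label) else malware).append((engine, label))
    total = len(pua) + len(malware)
    if malware and total >= flag_threshold:
        verdict = "likely malicious"
    elif total >= flag_threshold:
        verdict = "unwanted program"
    elif total:
        verdict = "inconclusive"
    else:
        verdict = "no detections"
    return {"scanned": len(results), "detections": total,
            "pua": pua, "malware": malware, "verdict": verdict}


if __name__ == "__main__":
    print("sha256:", file_sha256(SAMPLE_INSTALLER))
    s = summarize(SAMPLE_REPORT)
    print(f"{s['detections']}/{s['scanned']} engines -> {s['verdict']}")
    for engine, label in s["pua"] + s["malware"]:
        print(f"  {engine}: {label}")
```

Submitting the SHA-256 rather than the file avoids handing a scam vendor’s installer to yet another party, and the PUA/malware split mirrors the distinction this article draws between Scamware and its malicious cousin.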

So far, things do not look good for this site or the software being offered. Still, despite the warnings from VirusTotal and ThreatExpert, we installed it anyway. Once installed, we needed to update the software, and start a scan.

As you can see in the images above, it detected 67 threats. Yet, before those threats (mostly cookies) can be removed, you will need to register the software. In this case, because the Scamware is celebrating its seventh anniversary, the cost is only $27. After we uninstalled Anti-Virus Pro 2009, we ran Malwarebytes Anti-Malware to see what was left behind. It discovered a few files and folders and removed them.

So who is the company or person behind anti-virus-professional.com and antivirus-live.com?

Starting with anti-virus-professional.com [research details], we discovered that the A-record IP address falls within 74.205.0.0/19, a block allocated to Rackspace’s network. The DNS is pointing to NS11 and NS12.domaincontrol.com, and the personal information for the domain is registered to domainsbyproxy.com. For those who are not familiar, this is a GoDaddy privacy service: it prevents public WHOIS searches from returning the real ownership information for a domain. In addition, the domaincontrol.com DNS is also a GoDaddy feature.

Checking into the IP address block, we discovered adware-professional.com, which looks the same as anti-virus-professional.com, but pitches Adware Professional 2009. Moreover, we discovered malwareprofessional.com, anti-malware-2010.com, and several work from home scams within this IP block.

The A-record IP address on antivirus-live.com falls within 204.232.128.0/17, which again points to Rackspace [research details]. Likewise, the registration information is hidden thanks to domainsbyproxy.com, and the site is using GoDaddy’s domaincontrol.com (NS09 and NS10).

Digging deeper into the IP address block, we found a few car dealers, and nothing else. Most of the sites were “under construction” or showing the default server test page.

While we observed and collected a good deal of extra information, at this point we were nowhere near locating the owners of the two domains, though from the look and feel of some of the other sites, it is clear that whoever owns anti-virus-professional.com and antivirus-live.com has quite a few other domains under their belt.
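The pivot described above (netblock, name servers, privacy registrant) is mechanical enough to script. The code below is an added example and not part of the original research: the two Rackspace netblocks and the domaincontrol.com name servers are the ones reported in this article, but the resolved IP addresses, the extra domains’ records and the registrant strings are constructed sample data, not real lookups. It clusters domains that share both a known netblock and a name-server set, which is the strong link; a privacy registrant and GoDaddy DNS alone are too common to tie domains together.

```python
"""Cluster domains by shared hosting and registration infrastructure.

Added example (not from the original article). KNOWN_BLOCKS and the
domaincontrol.com name servers come from the article; IP addresses, extra
domains and registrant strings in SAMPLE_RECORDS are constructed.
"""
import ipaddress
from collections import defaultdict

# Netblocks named in the article, with the operator they are allocated to.
KNOWN_BLOCKS = {
    ipaddress.ip_network("74.205.0.0/19"): "Rackspace",
    ipaddress.ip_network("204.232.128.0/17"): "Rackspace",
}

# Constructed records: (domain, A-record IP, name servers, registrant organisation).
SAMPLE_RECORDS = [
    ("anti-virus-professional.com", "74.205.17.20",
     ("ns11.domaincontrol.com", "ns12.domaincontrol.com"), "Domains by Proxy, Inc."),
    ("adware-professional.com", "74.205.17.21",
     ("ns11.domaincontrol.com", "ns12.domaincontrol.com"), "Domains by Proxy, Inc."),
    ("antivirus-live.com", "204.232.200.5",
     ("ns09.domaincontrol.com", "ns10.domaincontrol.com"), "Domains by Proxy, Inc."),
    ("example-cardealer.com", "204.232.201.9",
     ("ns1.example-dns.net", "ns2.example-dns.net"), "Example Motors LLC"),
    ("unrelated.example", "198.51.100.7",
     ("ns1.unrelated.example",), "Unrelated Corp"),
]


def block_for(ip):
    """Return (network, operator) for the first known block containing ip, else (None, None)."""
    addr = ipaddress.ip_address(ip)
    for net, operator in KNOWN_BLOCKS.items():
        if addr in net:
            return net, operator
    return None, None


def is_privacy_registrant(org):
    """Heuristic for WHOIS privacy services standing in for the real registrant."""
    org = org.lower()
    return any(word in org for word in ("proxy", "privacy", "whoisguard"))


def cluster(records):
    """Group domains by (netblock, sorted name-server set); tag privacy-registered ones."""
    groups = defaultdict(list)
    for domain, ip, ns, org in records:
        net, operator = block_for(ip)
        key = (str(net) if net else "other", tuple(sorted(n.lower() for n in ns)))
        groups[key].append((domain, operator, is_privacy_registrant(org)))
    return dict(groups)


def pivot(records, seed_domain):
    """Return the other domains sharing the seed's netblock and name servers."""
    for members in cluster(records).values():
        names = [m[0] for m in members]
        if seed_domain in names:
            return [n for n in names if n != seed_domain]
    return []


if __name__ == "__main__":
    for key, members in cluster(SAMPLE_RECORDS).items():
        print(key)
        for domain, operator, private in members:
            print(f"  {domain:30} {operator or '-':10} {'privacy-registered' if private else ''}")
```

Run against real data, replace `SAMPLE_RECORDS` with the output of your DNS and WHOIS lookups; the clustering itself needs nothing beyond the standard library.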

Looking back, we noticed that the installation file for the Scamware was signed by Marketflip Technologies LLC. Since both the Scamware sites used the TM designation next to the phrase, “1-Click Fix Technology”, we searched the United States Patent and Trademark Office. While we didn’t find a Trademark for “1-Click Fix Technology”, we did discover seven other Trademarks held by Marketflip Technologies LLC. Marketflip has a listed address of 1500 Harbor Boulevard Weehawken, NJ, 07086, but virtually no presence online.

We did discover discussions online over the company’s trustworthiness. We also found some complaints on their software including Registry Fix, which is one of their listed trademarks, and NoAdware, another listed trademark. At this point we asked Sean-Paul, a researcher at Panda Labs, about Marketflip and the Scamware program. After looking at it, he explained that it wasn’t malicious, but it is charging you to remove cookies.

In short, the software is a scam, and a great waste of money, considering that when tested, it discovered exactly the same things various free offerings will do. Another thing that comes off as odd is what’s noticed when you attempt to register Anti-Virus Pro 2009.

The registration process is handled by clickbank.net, and the transactions are secured by SSL certificates registered through VeriSign, to Click Sales. A quick search turned up dozens of complaints on the service, each related to non-delivery of goods or overcharges. There were some cases where not only were goods not delivered, but charges kept recurring.

Click Bank, however, could really only be partially blamed for the fraud. They are a processing agent and affiliate marketing network, so the sites that use them are the ones ripping people off. However, it looks as if Click Bank only monitors registered affiliates and sellers when they feel like it. Since little is done to kick the scams off their network, some of the blame related to fraud should be shouldered by them.

The sites that use Click Bank all have a common tie. Each of them is related to Scamware, get-rich-quick schemes, or selling some sort of turnkey business. Oddly enough, while working on this article, an email came in to our security address offering the ability to “possibly make $3500+ per month” taking surveys. The link to access “the most important website you will ever stumble upon” is a clickbank.net affiliate link.

So fake security software can be malicious or it can be an outright scam. In some cases, it’s both. The best protection is a layered defense of full featured security software from any one of the major vendors, such as McAfee, Symantec, Kaspersky, Panda, BitDefender, Avast, F-Secure, Sophos, and Trend Micro. On top of that, a second layer of protection can come from Malwarebytes Anti-Malware, SUPERAntiSpyware, HijackThis, or Spybot Search & Destroy.

Lastly, the third layer of protection is to ensure that all of the programs on your computer are updated to the latest versions. This includes the operating system software, and especially the security software, because criminals will use vulnerabilities in out of date software to deliver any number of malicious payloads, often without you even noticing until it’s too late.
