English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Odd FakeAv Marketing

Kurt Baumgartner
Kaspersky Lab Expert
Posted April 06, 16:20  GMT
Tags: Rogue Security Solutions, Campaigns
0.5
 

The .co.cc domains, littered with malicious sub domains hosting exploit pages and malicious java applets for the past several months, are now hosting FakeAv pages and "BestAntivirus2011.exe”.

While the FakeAv rotation through .co.cc is not a shocker to security researchers at this point, one interesting domain popped out from the tens of thousands of .co.cc sub domain fakeav hits over the past day..."antispyware-macbook(dot)co(dot)cc". This marketing quirk is odd, even for these guys. Does this domain suggest that another Apple based malware is in the works? Possibly. For now, I doubt it, because the Windows platform continues to be the dominant player, and this malware distributor seems to be very persistent at targeting the Windows platform. But it is very odd that this group is marketing “Fast Windows Antivirus 2011” from “macbook” domains.

Whatever group is using these domains, they have been very successful at conning large advertising networks into hosting their banner ads that redirect to these .co.cc sites. What they develop next is anyone’s guess. Here is a non-exhaustive list of the terms used in sub domains currently peddling the "Bestantivirus2011.exe" from these free and incredibly cheap .co.cc hosting domains over the past day or so. When users visit pages at these sites, they are presented with the usual "Your computer is infected!" scareware and "Windows Security has found on your system and will perform fast scan of system files" scam:
antispyware-companies
antispyware-shqip
antispyware-sw
antispyware-review
antispyware-trends
antispyware-sdk
antispyware-sweep
antispyware-programmer
antispyware-information
antispyware-sdat
antispyware-palsu
antispyware-ansav
antispyware-rogue
antispyware-advanced
antispyware-antivir
antispyware-trend
antispyware-sentry
antispyware-sales
antispyware-troyano
antispyware-seller
antispyware-ranking
antispyware-gpl
antispyware-priority
antispyware-com
antispyware-market
antispyware-telefon
antispyware-keys

The pages are currently detected as “Hoax.HTML.Fakeantivirus.y”, but the variants have been changing frequently over the past few months. It does not seem that these pages are related to "Lizamoon" (although they could be some cross-over), as there are rumors that the affiliate program is already shut down. The FakeAv referenced here is actively distributed at the moment. Researchers may notice the dropped component passed the Harry Potter reference "BOMBARDAMAXIMUM" as a cmd line argument.


Comments

If you would like to comment on this article you must first
login


Bookmark and Share
Share

Analysis

Blog