There is big money to be made by the developers and purveyors of rogue security products. Because of this, we see increasingly inventive social engineering attacks from these types of programs, all designed to trick you into purchasing their software. While analyzing a new rogue anti-spyware program called Anti-virus-1, we came across a new method that these programs are using to trick infected users into buying their product.
When we installed Anti-virus-1 in order to write our removal guide, we noticed that it added a series of entries into the Windows hosts file. These entries are:
O1 - Hosts: 220.127.116.11 www.review.2009softwarereviews.com
O1 - Hosts: 18.104.22.168 review.2009softwarereviews.com
O1 - Hosts: 22.214.171.124 a1.review.zdnet.com
O1 - Hosts: 126.96.36.199 www.d1.reviews.cnet.com
O1 - Hosts: 188.8.131.52 www.reviews.toptenreviews.com
O1 - Hosts: 184.108.40.206 reviews.toptenreviews.com
O1 - Hosts: 220.127.116.11 www.reviews.download.com
O1 - Hosts: 18.104.22.168 reviews.download.com
O1 - Hosts: 22.214.171.124 www.reviews.pcadvisor.c.uk
O1 - Hosts: 126.96.36.199 reviews.pcadvisor.co.uk
O1 - Hosts: 188.8.131.52 www.reviews.pcmag.com
O1 - Hosts: 184.108.40.206 reviews.pcmag.com
O1 - Hosts: 220.127.116.11 www.reviews.pcpro.co.uk
O1 - Hosts: 18.104.22.168 reviews.pcpro.co.uk
O1 - Hosts: 22.214.171.124 www.reviews.reevoo.com
O1 - Hosts: 126.96.36.199 reviews.reevoo.com
O1 - Hosts: 188.8.131.52 www.reviews.riverstreams.co.uk
O1 - Hosts: 184.108.40.206 reviews.riverstreams.co.uk
O1 - Hosts: 220.127.116.11 www.reviews.techradar.com
O1 - Hosts: 18.104.22.168 reviews.techradar.com
Because Windows consults the HOSTS file before asking DNS, these entries mean that when you visit any of the web sites listed above, you are not taken to the legitimate site but silently redirected to a server under the control of the developers of Anti-virus-1, with no visible sign that this has happened. It is not uncommon for malware to add entries to your HOSTS file, but what is new is the content shown to you when you visit these sites.
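A defender can spot this kind of hijack by scanning the HOSTS file for well-known domains that resolve to anything other than a local address. The following is an added example written for this article, not code from the post or from any removal tool; it parses both raw hosts lines and HijackThis-style "O1 - Hosts:" report lines, and the sample input and the 203.0.113.10 address are constructed for illustration.

```python
"""Flag HOSTS-file entries that redirect well-known review sites to a non-local address."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample input (not a real infected hosts file): Microsoft's default
# comment and loopback lines, one HijackThis-style "O1 - Hosts:" line, two rogue-style
# entries pointing review sites at a documentation-range address, and one legitimate
# local override that should not be flagged.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
O1 - Hosts: 203.0.113.10 www.reviews.pcmag.com
203.0.113.10    reviews.pcmag.com          # added by the rogue
203.0.113.10    reviews.download.com
10.0.0.5        intranet.example           # legitimate local override
"""

# Parent domains of the review sites the post reports being hijacked.
WATCHED_DOMAINS = ("pcmag.com", "cnet.com", "zdnet.com", "download.com",
                   "toptenreviews.com", "techradar.com", "reevoo.com")

O1_PREFIX = re.compile(r"^O1 - Hosts:\s*")

def parse_hosts(text):
    """Yield (ip_address, hostname) for every mapping; accepts raw hosts lines and
    HijackThis O1 report lines, and ignores comments and blank lines."""
    for raw in text.splitlines():
        line = O1_PREFIX.sub("", raw.split("#", 1)[0].strip())
        parts = line.split()
        if not parts:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an "address hostname" line
        for name in parts[1:]:
            yield ip, name.lower()

def hijacked_entries(text, watched=WATCHED_DOMAINS):
    """Return {ip: [hostnames]} for watched domains mapped to a non-loopback address.
    Grouping by IP exposes the single redirect target the rogue's entries share."""
    hits = defaultdict(list)
    for ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        if any(name == d or name.endswith("." + d) for d in watched):
            hits[str(ip)].append(name)
    return dict(hits)

if __name__ == "__main__":
    for target, names in hijacked_entries(SAMPLE_HOSTS).items():
        print(f"{target} <- {', '.join(names)}")
```

On a real machine the same check can be run over C:\Windows\System32\drivers\etc\hosts; any hit is worth investigating, because a clean HOSTS file maps nothing but localhost.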
We have to remember that the purpose of any rogue software is to trick you into thinking it is legitimate and then to get you to purchase it. One of the best ways to convince someone that a product is not only legitimate but of high quality is for a well-known and respected site to give it a good review. This is exactly what Anti-virus-1 is doing. It modifies the HOSTS file and then serves fake review pages purporting to be from CNET, PC Magazine, TechRadar, Reevoo, ZDNet, etc., in order to trick the infected user into thinking these sites have reviewed the Anti-virus-1 program and found it excellent. An example is the fake review supposedly written by Neil Rubenking for the PC Magazine site, shown below. In reality these reviews were written by the developers of Anti-virus-1 and are hosted on their own servers.
The number of social engineering techniques that Anti-virus-1 uses is the most I have seen so far in a rogue. In this one program alone they use fake security alerts, a screen saver showing a blue screen crash supposedly caused by spyware followed by a fake reboot, Internet Explorer hijacks, and now fake review sites. It is no surprise that so many people are tricked into purchasing this type of software. Hopefully articles like this will inform people about the tricks these programs use so they do not fall prey to this scam as well. We have put together screen shots of some of the other fake reviews; to see them, simply click on the links below.
If you have become infected with Anti-virus-1 please do not fall for their tricks. Instead, use the removal guide that I linked to below in order to remove and uninstall it for free.