Learning how to remove Anti-virus-1 teaches us some new tricks


#1 Grinler (Lawrence Abrams), Admin

Posted 18 February 2009 - 07:28 PM

Note: Removal guide can be found here.

There is big money to be made for the developers and purveyors of rogue security products. Due to this we see some inventive social engineering attacks on the part of these types of software in order to trick you into purchasing their software. While analyzing a new rogue anti-spyware program called Anti-virus-1, we saw a new method that these programs are using to trick infected users into purchasing their program.

When we installed Anti-virus-1 in order to write our removal guide, we noticed that it added a series of entries into the Windows hosts file. These entries are:

O1 - Hosts: 217.20.175.74 www.review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 a1.review.zdnet.com
O1 - Hosts: 217.20.175.74 www.d1.reviews.cnet.com
O1 - Hosts: 217.20.175.74 www.reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 www.reviews.download.com
O1 - Hosts: 217.20.175.74 reviews.download.com
O1 - Hosts: 217.20.175.74 www.reviews.pcadvisor.c.uk
O1 - Hosts: 217.20.175.74 reviews.pcadvisor.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.pcmag.com
O1 - Hosts: 217.20.175.74 reviews.pcmag.com
O1 - Hosts: 217.20.175.74 www.reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.reevoo.com
O1 - Hosts: 217.20.175.74 reviews.reevoo.com
O1 - Hosts: 217.20.175.74 www.reviews.riverstreams.co.uk
O1 - Hosts: 217.20.175.74 reviews.riverstreams.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.techradar.com
O1 - Hosts: 217.20.175.74 reviews.techradar.com

By adding these entries into your HOSTS file, it will make it so that if you go to any of the web sites listed above, instead of going to the legitimate site, you will instead be redirected to a site under the control of the developers of Anti-virus-1 and not realize you are doing so. It is not uncommon for malware to add entries to your HOSTS file, but what is new is the content being shown to you when you visit these sites.

We have to remember that the purpose of any rogue software is to trick you into thinking it is legitimate and then to have you purchase it. One of the best ways to convince someone that something is not only legitimate, but a quality product, is for a well-known and respected site to give it a good review. This is exactly what Anti-virus-1 is doing. They are modifying the HOSTS file, and then showing these fake review pages from CNET, PC Magazine, Tech Radar, Reevoo, ZDNet, etc. in order to trick the infected user into thinking these sites are writing reviews about how excellent the Anti-virus-1 program is. An example is the fake review supposedly written by Neil Rubenking for the PC Magazine site as shown below. In reality, though, these reviews were written by the developers of Anti-virus-1 instead and they are hosted on their servers.

[Image: Review of Anti-virus-1 on fake PCMag.com site]

The number of social engineering techniques that Anti-virus-1 uses is the most I have seen so far in a rogue. In this rogue alone, they use fake security alerts, screen savers showing a blue screen crash caused by spyware and then a fake reboot, Internet Explorer hijacks, and now fake review sites. It really comes as no surprise why so many people are tricked into purchasing these types of software. Hopefully articles like this will inform people on what tricks these programs use so they do not fall prey to this scam as well. We have put together some screenshots of some of the other fake reviews. To see them simply click on the links below.

If you have become infected with Anti-virus-1 please do not fall for their tricks. Instead, use the removal guide that I linked to below in order to remove and uninstall it for free.
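A defender-side check for the pattern described in this post, added here as an example and not code from the original post or from BleepingComputer: it parses raw hosts-file lines or HijackThis "O1 - Hosts:" lines, groups hostnames by the address they are pointed at, and flags any non-local address that several unrelated domains have been mapped to. The sample input is constructed from the entries quoted above plus a few benign lines; the `registered_domain` helper is a deliberately crude stand-in for a real public-suffix lookup.

```python
import re
from collections import defaultdict

# Constructed sample: benign hosts-file lines plus HijackThis O1 lines in the
# format quoted in the post above (a hypothetical mix, not a captured log).
SAMPLE = """\
127.0.0.1 localhost
::1 localhost
0.0.0.0 ads.example-blocklist.invalid   # blocklist entries are expected
O1 - Hosts: 217.20.175.74 www.reviews.pcmag.com
O1 - Hosts: 217.20.175.74 reviews.pcmag.com
O1 - Hosts: 217.20.175.74 a1.review.zdnet.com
O1 - Hosts: 217.20.175.74 reviews.download.com
"""

LOCAL = {"127.0.0.1", "0.0.0.0", "::1"}   # loopback/null targets are normal
O1_PREFIX = "O1 - Hosts:"

def parse_hosts(text):
    """Yield (ip, hostname) pairs from raw hosts lines or HijackThis O1 lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if line.startswith(O1_PREFIX):
            line = line[len(O1_PREFIX):].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, *names = parts
        for name in names:
            yield ip, name.lower()

def registered_domain(host):
    """Crude public-suffix guess: last two labels, or three for co.uk-style names."""
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "com", "org", "ac"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def find_hijacks(text, min_domains=2):
    """Return {ip: sorted hostnames} for non-local IPs that hostnames from at
    least `min_domains` unrelated domains resolve to (the redirect pattern)."""
    by_ip = defaultdict(set)
    for ip, name in parse_hosts(text):
        if ip not in LOCAL:
            by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items()
            if len({registered_domain(n) for n in names}) >= min_domains}

if __name__ == "__main__":
    for ip, names in find_hijacks(SAMPLE).items():
        print(f"{ip} is the target for {len(names)} hosts across unrelated domains: {names}")
```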
#2 m0le, Malware Response Instructor

Posted 19 February 2009 - 04:48 PM

You have to say that that is extremely clever. I'm surprised this kind of fake website skin hasn't been used before really.

The internet is not the most copyright-controlled medium.

What happens when you click a link on the fake page though? Does that give it away?


#3 Grinler (Lawrence Abrams), Admin, Topic Starter

Posted 20 February 2009 - 10:33 AM

It just goes to the legitimate site.

#4 Lloyd T, Member

Posted 20 February 2009 - 05:09 PM

Doesn't the program description give it away? It says that it is Symantec's flagship program.

#5 m0le, Malware Response Instructor

Posted 20 February 2009 - 05:15 PM

Lloyd,

You are assuming that people that are reading reviews know about the product but mainly the reason they are reading the review is because they don't.
