Feb 18 2009, 07:28 PM, Post #1
Bleep Bleep! Group: Admin, Posts: 32,141, Joined: 24-January 04, From: USA, Member No.: 3
Note: Removal guide can be found here.

There is big money to be made for the developers and purveyors of rogue security products. Due to this we see some inventive social engineering attacks on the part of these types of software in order to trick you into purchasing their software. While analyzing a new rogue anti-spyware program called Anti-virus-1, we saw a new method that these programs are using to trick infected users into purchasing their program. When we installed Anti-virus-1 in order to write our removal guide, we noticed that it added a series of entries into the Windows hosts file. These entries are:

O1 - Hosts: 217.20.175.74 www.review.2009softwarereviews.com

By adding these entries into your HOSTS file, it will make it so that if you go to any of the web sites listed above, instead of going to the legitimate site, you will instead be redirected to a site under the control of the developers of Anti-virus-1 and not realize you are doing so.

It is not uncommon for malware to add entries to your HOSTS file, but what is new is the content being shown to you when you visit these sites. We have to remember that the purpose of any rogue software is to trick you into thinking it is legitimate and then to have you purchase it. One of the best ways to convince someone that something is not only legitimate, but a quality product, is for a well known and respected site to give it a good review. This is exactly what Anti-virus-1 is doing. They are modifying the HOSTS file, and then showing these fake review pages from CNET, PC Magazine, Tech Radar, Reevo, ZDNet, etc in order to trick the infected user into thinking these sites are writing reviews about how excellent the Anti-virus-1 program is.

An example is the fake review supposedly written by Neil Rubenking for the PC Magazine site as shown below. In reality, though, these reviews were written by the developers of Anti-virus-1 instead and they are hosted on their servers.

The amount of social engineering techniques that Anti-virus-1 uses is the most I have seen so far in a rogue. In this rogue alone, they use fake security alerts, screen savers showing a blue screen crash caused by a spyware and then a fake reboot, Internet Explorer hijacks, and now fake review sites. It really comes as no surprise why so many people are tricked into purchasing these types of software. Hopefully articles like this will inform people on what tricks these programs use so they do not fall prey to this scam as well.

We have put together some screen shots of some of the other fake reviews. To see them simply click on the links below. If you have become infected with Anti-virus-1 please do not fall for their tricks. Instead, use the removal guide that I linked to below in order to remove and uninstall it for free.

Guide: How to remove Anti-virus-1 (Removal Guide)
Image Link: Fake CNET Review.
Image Link: Fake Download.com Review
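
The HOSTS file check implied by the first post, as an added example that is not part of the original thread: it reads either raw hosts-file lines or HijackThis-style `O1 - Hosts:` log lines and lists every hostname mapped to an address other than loopback or 0.0.0.0. The function names are hypothetical and the sample input is constructed, apart from the one `O1` line quoted in the post.

```python
import ipaddress
import re

# Constructed sample: the single HijackThis line quoted in the post plus
# made-up hosts-file lines (placeholder names, RFC 5737 test address).
SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # sinkhole entry from a blocklist
O1 - Hosts: 217.20.175.74 www.review.2009softwarereviews.com
203.0.113.10    reviews.example.com www.reviews.example.com
not-an-ip       broken.example.org
"""

# HijackThis prefixes each hosts entry it reports with "O1 - Hosts:".
O1_PREFIX = re.compile(r"^O1\s*-\s*Hosts:\s*", re.IGNORECASE)


def parse_entries(text):
    """Yield (ip, hostname) pairs from hosts-file lines or HijackThis O1 lines."""
    for raw in text.splitlines():
        line = O1_PREFIX.sub("", raw.strip())
        line = line.split("#", 1)[0].strip()    # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed line, not a mapping
        for name in fields[1:]:                  # one address may carry aliases
            yield ip, name.lower()


def suspicious_redirects(text):
    """Return (ip, hostname) mappings that point a name at a real address.

    Loopback and unspecified (0.0.0.0 / ::) targets are the usual benign
    uses (localhost, ad blocking). Anything else overrides DNS for that
    hostname and deserves a manual look.
    """
    return [(str(ip), name) for ip, name in parse_entries(text)
            if not (ip.is_loopback or ip.is_unspecified)]


if __name__ == "__main__":
    for ip, name in suspicious_redirects(SAMPLE):
        print(f"REVIEW: {name} -> {ip}")
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; a flagged entry is not proof of infection, since administrators also pin internal names this way.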
Feb 19 2009, 04:48 PM, Post #2
I know the drill! Group: HJT Team, Posts: 7,967, Joined: 24-July 08, From: London, Member No.: 224,929
You have to say that that is extremely clever. I'm surprised this kind of fake website skin hasn't been used before really.
The internet is not the most copyright-controlled medium. What happens when you click a link on the fake page though? Does that give it away?
--------------------
m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)
m0le can be found at Bleeping Computer, Geeks To Go, and SpywareHammer
If I have helped you fix your PC then please donate to the anti-malware cause. Thanks
Feb 20 2009, 10:33 AM, Post #3
Bleep Bleep! Group: Admin, Posts: 32,141, Joined: 24-January 04, From: USA, Member No.: 3
It just goes to the legitimate site.
Feb 20 2009, 05:09 PM, Post #4
Distinguished Member, Group: Members, Posts: 851, Joined: 6-August 08, From: Canada, Member No.: 228,067
Doesn't the program description give it away? It says that it is Symantec's flagship program.
--------------------
Avira AntiVir Personal | COMODO Firewall | Malwarebytes' Anti-Malware | SpywareBlaster | WOT
"There is a saying: yesterday is history, tomorrow is a mystery, but today is a gift. That is why it is called present."
Feb 20 2009, 05:15 PM, Post #5
I know the drill! Group: HJT Team, Posts: 7,967, Joined: 24-July 08, From: London, Member No.: 224,929
Lloyd,
You are assuming that people that are reading reviews know about the product but mainly the reason they are reading the review is because they don't.