Introducing: Roguevertising
A new term in the rogue industry – written by Bart Parys
Today I will be talking about a new trend that is spreading quickly across the internet.
In this document I will try to explain what it is all about and provide additional information like screenshots and measures that can be taken to tackle these threats.
It all started when I found a new rogue domain:
hxxp://antispyware.com

Antispyware2010 website
The following domains are associated with Antispyware.com:
hxxp://antispyware2009.com
hxxp://Errorsmart.com
hxxp://Registryclear.com
hxxp://Remover.org
They all offer the same ‘product’: a scan of your computer for malware. You can even request Live Technical Support.
(No, not really, it will just refer you to the download page)
When you download their product, you can find the following setup file in your chosen download folder:

setupxv.exe
Depending on the website you landed on, you can also download another file called setup.exe.
The file setupxv.exe currently has a 53.66% detection ratio on VirusTotal. The most common classification includes the name Fakealert:
VirusTotal Result
You may also download a file with the same name (setupxv.exe) but with a slightly changed binary. You can find an example of this on VirusTotal:
VirusTotal Result
For more information about this rogue program and the others described below, see the end of this document, where you can find some screenshots of my findings.
Then, after performing some Google searches on fake testimonials and information taken from their website, I landed on the following rogue domain:
hxxp://againstadware.com

AgainstAdware website
Unfortunately, you cannot download their product anymore, as the setup file has been removed.
The following domains are associated with Againstadware.com:
hxxp://Fileboxx.com
hxxp://Incredible-mail-download.com
hxxp://Secureoneantivirus.com
hxxp://Wincleanerpro.com
Now, why am I introducing the term roguevertising?
You might have heard about malvertising. Malvertising (short for Malicious Advertising) is a term used for malicious advertisements that, when clicked, can deliver a drive-by download or suggest installing a certain program to clean and scan your computer.
These days I have found a lot of websites using malvertising for rogue security software. That is how the term roguevertising was born.
A few examples of these websites:
hxxp://www.hopelinenc.org/forum/anti-spyware
hxxp://www.thedietsolutionprogram.ws/weblog/anti-spyware
hxxp://www.thedietsolutionprogram.ws/rating/anti-spyware
hxxp://www.perfectoptimizer5.com/?hop=aseafood
hxxp://www.bestspywareprogram.net

Along with legitimate antispyware applications, you can find “Antispyware” in the list, with … an advertisement leading to the download link of the rogue. (Done through an advertising mirror.)
Additionally, I stumbled upon the following rogue domain:
hxxp://spywareremover.com

SpywareRemover website
When you download their product, you can find the following setup file in your chosen download folder:
Setupxv.exe
That’s right. Setupxv all over again, but with a different icon and again changed binaries.
The file setupxv.exe currently has a 39.02% detection ratio on VirusTotal. The most common classification includes the name AdSpy:
VirusTotal Result
Do you surf the internet? Does your PC run slow? Do you get bombarded with annoying pop-up ads?
Then you are most likely to land on the following page:

AdwareAlert website
Yet again, setupxv is presented to you with a nice new icon:

The current VirusTotal detection rate is 48.78%. The file was again changed to avoid detection by antivirus software. (It also introduces another GUI, as noted at the end of this document.)
VirusTotal Result
The setupxv rogueware campaign is on a roll. Below are some domains associated with AdwareAlert.com:
Next rogueware domain on our list is:
hxxp://www.antispywarebotpro.com

AntiSpywareBot website
As always, your download is free, as is the malicious payload:

Setupxv.exe
The current VirusTotal detection rate is 48.78%.
VirusTotal Result
Related domains in this case are:
hxxp://mail.remover.org
hxxp://www.privacycontrolpro.com
hxxp://errorsweeperpro.com
hxxp://Regcleanlite.com
hxxp://www.browsetag.com/spyware/virus/threats
hxxp://support.browsetag.com/certified/antispyware
hxxp://www.spywarenuker-gary.com/blog/anti-spyware
hxxp://www.spywarenuker-gary.com/blog/adware-alert
As you might have noticed, roguevertising is appearing on these last pages. Spywarenuker Gary needs to find another name, as his directory is filled with malicious advertisements and bloatware:

Part of a roguevertising directory
I have also gathered the following URLs, which are also related to the setupxv rogueware campaign:
One of the rogues downloaded above is, again, setupxv:

Setupxv.exe
This new version of setupxv only has a 4.88% detection ratio on VirusTotal:
VirusTotal Result
… and delivers you the program RegClean

RegClean Setup Wizard
The next rogue, which you might remember, is Spyware Cease:
hxxp://www.spywarecease.com

SpywareCease website
SpywareCease comes in the following setup file:

It currently has a 12.20% detection ratio on VirusTotal:
VirusTotal Result
Associated domains and roguevertising links for Spywarecease.com:
We are moving on to the last roguevertising campaign, brought to you by 007 Anti-Spyware.
I stumbled upon this one while investigating the SpywareCease roguevertising campaign.
hxxp://www.007antispyware.com
Unfortunately (or luckily) this site was down at the time of writing, but I found a roguevertising domain for this one:
hxxp://007antyspyware.blogspot.com

007 Anti-Spyware website (blog)
The blog provides an ad-provided mirror for the setup file 007antipsyware.exe
007antipsyware.exe
The file currently has a very low detection ratio on VirusTotal. Only 4.88% of the scanners detect it, namely as Adware.SpywareCease. Rings a bell somewhere…
VirusTotal Result
But the fun is not over yet. When visiting this roguevertiser’s Twitter page, you can install the Googod toolbar. Now we can add spyware to the list, since the Googod toolbar is copyrighted under Conduit Ltd., which is renowned for its spyware activities. This toolbar is available for Internet Explorer, Mozilla Firefox and Safari.
hxxp://www.googod.ourtoolbar.com

Googod toolbar website
2.44% on VirusTotal
VirusTotal Result
Conclusion
Although malvertising is not a new concept, roguevertising is.
I hope that throughout this document it became a bit clearer what it is all about and how a single rogueware campaign is, and will be, able to infect a lot of users.
No, the rogueware will neither clean nor speed up your computer.
Pushing rogueware downloads through advertisements on weblogs, bloatware websites or even on Google will be a phenomenon we have to deal with. In this case the setupxv rogueware campaign was able to spread itself through different domains, which can attract users to actually download and install the software.
But there might be hope. In my opinion, websites like Antispyware.com can be prevented from ever seeing the light of day: register domains that could be used for roguevertising. In that case, the setupxv creators would not have been able to register this domain, and users would get a message stating, for example, that the website is under construction or that it is registered for the sole purpose of stopping websites like this.
Another option would be for the domain to link to an antivirus vendor, as described below.
After all, the Antispyware.com website sounds legit, and when you visit the site, you will not notice anything suspicious. For example, Antivirus.com is registered to TrendMicro.
When you look up Antispyware.com, however, you get a 32% dangerous rating on URLVoid:
URLVoid Result
Tools like Web Of Trust (WOT) can prevent you from landing on sites like Antispyware.com.
Other ways to prevent this can be either hosts-file-based or user-based.
Examples are MVPS Hosts and Sandboxie. Common sense, however, will always be the most important factor. Just remember the following rule: if it looks like a rogue, it probably is!
This does not, of course, imply that every suspicious-looking program is malicious; rather, perform some checks with your favorite search engine or use URLVoid and VirusTotal as a reference.
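The hosts-file approach mentioned above, as an added example (not the author's code): it turns defanged hxxp:// indicators, in the form this post lists them, into hosts-file entries. The sink address 0.0.0.0 and the function names are assumptions; the sample is a small subset copied from the post.

```python
from urllib.parse import urlsplit

# Small sample of the defanged indicators listed in this post
# (mixed case, one duplicate, two entries that point at pages rather than sites).
SAMPLE = """\
hxxp://antispyware.com
hxxp://Errorsmart.com
hxxp://adwarealert.com
hxxp://www.antispywarebotpro.com
hxxp://www.spywarenuker-gary.com/blog/anti-spyware
hxxp://www.spywarenuker-gary.com/blog/adware-alert
hxxp://007antyspyware.blogspot.com
hxxp://Antispyware.com
"""

SINK = "0.0.0.0"  # assumption: null-route address; 127.0.0.1 is also commonly used


def host_of(indicator):
    """Return (lower-cased hostname, has_path) for one defanged URL."""
    url = indicator.strip().replace("hxxp", "http", 1).replace("[.]", ".")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a URL indicator: {indicator!r}")
    has_path = parts.path not in ("", "/") or bool(parts.query)
    return parts.hostname, has_path


def build_hosts_block(text):
    """Return (hosts-file lines, hosts needing review).

    A hosts file matches whole hostnames only. Hosts that appear only with a
    path (a single page on what may be a third-party site) are not blocked
    automatically; they are returned separately for a manual decision.
    """
    path_only = {}
    for line in text.splitlines():
        if line.strip():
            host, has_path = host_of(line)
            # Stays True only while every sighting of this host carried a path.
            path_only[host] = path_only.get(host, True) and has_path
    block = [f"{SINK} {h}" for h in sorted(path_only) if not path_only[h]]
    review = sorted(h for h in path_only if path_only[h])
    return block, review
```

A hosts file also does not cover other names on the same domain: an entry for antispyware.com leaves www.antispyware.com reachable unless it is listed as well.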
Further rogueware screenshots are provided below. Thank you for reading.
007 Antispyware

Setup screen
Shortcut icon

Interface
Adware Alert

Setup screen
Shortcut icon

Interface
Antispyware 2008

Setup screen

Shortcut icon

Interface