Slashdot Mirror


Rogue Anti-Malware Pushes Fake PCMag Review

Varzil found an interesting story about some "Rogue Anti-Malware" (which seems to me should just be called 'Malware') which modifies your HOSTS file to trick you into reading a fake anti-virus review which is of course for more malware. Modifying HOSTS is an old trick, but this is interesting because it's actually trying to get you to read fake content: normally this sort of trick is used to prevent you from fixing your computer, but this one is trying to get you to break it even more. I guess friends don't let friends modify their HOSTS files.
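The distinction drawn in the summary above, as an added example that is not part of the Slashdot story or the original report: a HOSTS entry pointing a name at loopback only blocks it, while one pointing at a routable address sends the browser to a different server. The sample file, the hostnames and the 203.0.113.10 address are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample HOSTS content; 203.0.113.10 is a documentation-range
# address standing in for a server that hosts look-alike pages.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.av-vendor.example   # name is blocked
0.0.0.0         ads.tracker.example
203.0.113.10    www.review-site.example review-site.example
10.0.0.5        intranet.corp.example
not-an-ip       broken.example
"""

# Explicit internal ranges: ipaddress.is_private also covers documentation
# ranges, which would hide the constructed redirect above.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7", "fe80::/10")]

def classify_hosts(text):
    """Return (line_no, hostname, address, verdict) for every mapping."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()   # drop comments, split fields
        if len(entry) < 2:
            continue
        try:
            addr = ipaddress.ip_address(entry[0])
        except ValueError:
            findings.append((line_no, " ".join(entry[1:]), entry[0], "malformed"))
            continue
        for name in entry[1:]:
            name = name.lower().rstrip(".")
            if addr.is_loopback or addr.is_unspecified:
                verdict = "default" if name == "localhost" else "block"
            elif any(addr in net for net in INTERNAL_NETS):
                verdict = "internal"
            else:
                verdict = "redirect"   # name resolves to someone else's server
            findings.append((line_no, name, str(addr), verdict))
    return findings

def redirects(text):
    """Only the entries that send a hostname to a routable address."""
    return [f for f in classify_hosts(text) if f[3] == "redirect"]
```

On a real machine, pass the contents of the HOSTS file to `redirects()` and review every returned hostname by hand, since a default file maps nothing to a routable address.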

1 of 90 comments

  1. Checking out the IP address and domain by Animats · Score: 4, Insightful

    Let's see what we can find out.

    We have an IP address for the server hosting the phony pages: "[217.20.175.74]". This is in DNS as "sweeper.globmail.org",

    eNom, a favored registrar of bottom-feeders, is the registrar.

    There's an address in Kiev, but it's bogus.

    WhiteDomainsOrg
    Reiterska 13
    Kiev Kiev
    01001
    UA
    Phone:+380.5490567

    That's a bar in Kiev, Dveri (Door). It's about two blocks from the old US Consulate.

    The upstream provider is "ge0.colo0.kv.wnet.ua". So this is a colocated machine at WNet in Ukraine.

    The US FBI has a local office in Kiev.

    This is something that could be cracked by motivated law enforcement.