Slashdot Mirror


Rogue Anti-Malware Pushes Fake PCMag Review

Varzil found an interesting story about some "Rogue Anti-Malware" (which seems to me should just be called 'Malware') which modifies your HOSTS file to trick you into reading a fake anti-virus review which is of course for more malware. Modifying HOSTS is an old trick, but this is interesting because it's actually trying to get you to read fake content: normally this sort of trick is used to prevent you from fixing your computer, but this one is trying to get you to break it even more. I guess friends don't let friends modify their HOSTS files.

21 of 90 comments

  1. Social Engineering by mc1138 · · Score: 2, Insightful

    Spoofing of content is nothing new. Even using the hosts file like this to redirect you to fake content, while an innovative use of the hosts file, is just a new trick for an old gag. The only real way to clamp down on something like this is through better education of the user base. So long as people still buy into these sorts of attacks, hackers and other people of ill repute will still commit them.

  2. Five Stars! by hendrix2k · · Score: 5, Funny

    "which seems to me should just be called 'Malware'"

    I dunno, this review I just read says Antivirus2010 is great!

    1. Re:Five Stars! by krenshala · · Score: 2, Funny

      /facepalm

      --

      krenshala

  3. hijacking AV sites too by nine-times · · Score: 4, Funny

    I've noticed this too, particularly surrounding Antivirus 2009. Not only do they hijack review sites to post positive reviews about Antivirus 2009, but they reroute traffic to legitimate antivirus software. So if you go to the website for AVG or Norton or something, it will point you towards downloading Antivirus 2009.

    It's a nasty little bugger.

    1. Re:hijacking AV sites too by mc1138 · · Score: 2, Insightful

      I like that products such as spybot search and destroy, and malware bytes are ten times more effective at taking care of that than any antivirus product out there...

    2. Re:hijacking AV sites too by nine-times · · Score: 3, Informative

      I haven't really found any single solution to be good enough. Once you're infected with one of these things, it seems like the best idea is to either (a) wipe the drive and start over; or (b) download and install every malware/spyware/virus removal program that you can get your hands on, run them serially, and remove anything that any of them find. Ideally you run each from a live CD or something that doesn't allow the virus a chance to load before you can run the remover.

      And then to be really careful, run each of them again.

    3. Re:hijacking AV sites too by fpophoto · · Score: 2, Insightful

      I like that products such as spybot search and destroy, and malware bytes are ten times more effective at taking care of that than any antivirus product out there...

      That's because the nature of PC security has changed. Old school: Viruses to destroy computers. New school: Co-opt systems in order to sell a product or pimp out for botnet needs.

      It's kind of refreshing if you ask me. Not to say current malware is a giant headache, but at least the days of you getting your HD wiped are pretty much behind us. There's just no money in it.

    4. Re:hijacking AV sites too by Spazztastic · · Score: 3, Insightful

      To follow up on parent, if you work in an IT department where you can image computers, it's far more effective to just back up their files and reimage the computer. I've spent hours cleaning them only to (as a last resort) reimage the computer.

      --
      Posts not to be taken literally. Almost everything is sarcasm.

    5. Re:hijacking AV sites too by Vectronic · · Score: 2, Interesting

      Sad, but true... although somewhat understandable considering that an Anti-Virus's primary function is to battle viruses, not ad-ware/malware.

      Could just as easily say "I like that products such as Kaspersky Anti-Virus are ten times more effective at taking care of that than any anti-malware product out there"

      However, the "suites" (i.e. Firewall + AntiVirus + Ad/spyware, etc.) are generally getting better at it.

      Also, their (the nasty people) gimmick is still rather effective, because the average user doesn't know the difference between malware/adware/virus/trojan/port:80/hijacker/psu... their little advertisements can say "You have malware, get this anti-virus software to fix it, it will extend the life of your PSU"... and then go "oh, ok"...

    6. Re:hijacking AV sites too by Dragonslicer · · Score: 2, Funny

      download and install every malware/spyware/virus removal program that you can get your hands on

      I read about a great one in a PCMag review.

    7. Re:hijacking AV sites too by andytrevino · · Score: 2, Informative

      I work at a university dorm as a network technician (UWM, in case you're wondering!), and fix ten to twenty computers a week infected with malware, often exactly this strain of rogue AV software.

      The utility called ComboFix almost always cleans these infections up with no hassle. If that fails, or if examination of the logfile indicates that it didn't quite get everything, MalwareBytes Anti-Malware should take care of the rest, and if anything gets past BOTH of those you can take note of the infected file names that couldn't be removed and delete them from Knoppix or a BART LiveCD.

      I only reinstall Windows as a last resort, or if ComboFix detects an unremovable rootkit (this can be found in the logfile.)

  4. Why aren't these people in jail? by tjstork · · Score: 3, Funny

    I mean, come on.... this is just pure fraud.

    --
    This is my sig.

    1. Re:Why aren't these people in jail? by jetsci · · Score: 2, Informative

      I imagine most of these folks operate outside of US jurisdiction (yes, there is a world beyond your borders). Take some international law classes and you will understand. Imagine extraditing these guys from China? Good luck!

      --
      Bored at work? Play Game!

    2. Re:Why aren't these people in jail? by Spazztastic · · Score: 2, Insightful

      I'm pretty sure most other countries now have laws against malicious hacking, and also jails. Or are YOU implying that the U.S. is the only country technologically advanced enough to bust people for such activities?

      I think you're making a flamebait post.

      Parent said that it's hard to extradite people and not all of them will pursue it because they have more pressing matters at hand such as food shortages, natural disasters, and civil war.

      --
      Posts not to be taken literally. Almost everything is sarcasm.

  5. An Interesting Way to Go For Intermediate Users by damn_registrars · · Score: 2, Funny

    It appears that this is more of an attack on intermediate users than the usual attack that goes for newbies. After all, if a PC is infected, a newbie would not likely look to PC Magazine for antivirus information; they'd more likely bring it in to Best Buy and pay the Geek Squad an exorbitant amount of money to fix it (or they would put in the restore CD and try to start over from scratch).

    An advanced user (if they were running windows for some reason) likely wouldn't look there, either, as they would have likely just run the update program for the software that they already installed for taking care of such things.

    This of course follows well the old adage

    A little knowledge is a dangerous thing

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.

    1. Re:An Interesting Way to Go For Intermediate Users by presentchaos · · Score: 2, Funny

      This is somewhat off topic, but I was just having a conversation with someone who is about to buy a Mac. I was against it and an argument started. I said there were too few people supporting the Mac. He responded, "When was the last time you heard of a virus on a Mac?" And I said "See, even people who write viruses don't support Macs."

  6. Fake Advertising for False Products by Bushido+Hacks · · Score: 2, Interesting

    Call it something similar to the story of the Emperor who has no clothes, but have you ever wondered when watching a commercial with a bogus product they say "We've been featured on CNN, Fox News, and Oprah"? Because they are ADVERTISING in the commercial breaks that are on CNN, Fox News, and Oprah.

    Why are we supposed to believe that just because they bought advertising time in the commercial breaks of networks and TV shows that they were actually endorsed or had an interview featuring their product?

    When was the last time you saw Oprah endorse the MagickJack or Vince Offer (the Sham-Wow guy) talk to Larry King in person? It is because it never happened.

    Many networks broker their commercials through an advertising firm. Which explains why a lot of shady businesses (e.g. the WorkAtHome46dotcom folks and the Obama Coin scammers) are on Television.

    Had the 419 scammers been more successful, they would have had TV commercials or established a shell business posing as a bad bank.

    The best advice would be not to buy it.

    --
    The Rapture is NOT an exit strategy.

  7. Checking out the IP address and domain by Animats · · Score: 4, Insightful

    Let's see what we can find out.

    We have an IP address for the server hosting the phony pages: "[217.20.175.74]". This is in DNS as "sweeper.globmail.org".

    eNom, a favored registrar of bottom-feeders, is the registrar.

    There's an address in Kiev, but it's bogus.

    WhiteDomainsOrg
    Reiterska 13
    Kiev Kiev
    01001
    UA
    Phone:+380.5490567

    That's a bar in Kiev, Dveri (Door). It's about two blocks from the old US Consulate.

    The upstream provider is "ge0.colo0.kv.wnet.ua". So this is a colocated machine at WNet in Ukraine.

    The US FBI has a local office in Kiev.

    This is something that could be cracked by motivated law enforcement.

    1. Re:Checking out the IP address and domain by myowntrueself · · Score: 2, Insightful

      This is something that could be cracked by motivated law enforcement.

      "motivated law enforcement"?

      Is that one of them thar "oxymaroons"?

      --
      In the free world the media isn't government run; the government is media run.

  8. Tea Timer by SpectreBlofeld · · Score: 2, Informative

    For Windows, I recommend using Tea Timer, an extension to Spybot S&D. It sits in memory and monitors system files, including the HOSTS file, and alerts the user when another program is attempting to alter it, or add processes to startup, etc.

    http://www.safer-networking.org/en/faq/33.html

  9. How Is This Possible? by Bob9113 · · Score: 2, Informative

    which modifies your HOSTS file

    How could that possibly happen? My hosts file (presumably like the hosts file on any rationally configured system) is owned by root and mod 644. Is this script doing privilege escalation? Or is it actually common for some computers to leave hosts modifiable by an unprivileged user?

    Obviously I'm being a bit facetious, but let's give a little credit where credit is due - this rogue program is not the worst of the malware in the formula. The worst malware is the program (whether that program be an OS, an installer, or simply a set of memes running on the wetware of our society) that leaves hosts editable by unprivileged users, or which leads to privileged users running untrusted software.

    This rogue program is like salmonella - it is taking advantage of poor practices like not cooking meat thoroughly. Blaming this software is like blaming salmonella. Damn you salmonella! It does not grant sufficient credit to the program (or OS, or meme, or OS installer) which is actually to blame.
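The two defensive checks raised in this thread (SpectreBlofeld's Tea Timer, which alerts when the HOSTS file changes, and Bob9113's point about the file being root-owned mode 644) can be expressed as a small audit, shown here as an added example that is not from any poster or from Tea Timer itself. The hosts contents are constructed; the hostnames use the reserved .test TLD and the address is the one Animats quotes above.

```python
import ipaddress
import stat
from typing import Dict, Set, Tuple

Mapping = Tuple[str, str]  # (hostname, normalised address)

def parse_hosts(text: str) -> Set[Mapping]:
    """All (hostname, address) pairs in a hosts file; comments and blank lines ignored."""
    mappings: Set[Mapping] = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()            # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))  # normalises IPv6 spelling too
        except ValueError:
            continue                                     # first field is not an address
        for name in fields[1:]:
            mappings.add((name.lower(), addr))
    return mappings

def redirected_names(text: str) -> Dict[str, str]:
    """Names pointed at a routable address. Clean client files map names to loopback,
    0.0.0.0 (sinkholes) or LAN space; a name sent to a public IP is the redirect pattern."""
    hits: Dict[str, str] = {}
    for name, addr in parse_hosts(text):
        ip = ipaddress.ip_address(addr)
        if not (ip.is_loopback or ip.is_unspecified or ip.is_private or ip.is_link_local):
            hits[name] = addr
    return hits

def hosts_changes(baseline: str, current: str) -> Tuple[Set[Mapping], Set[Mapping]]:
    """(added, removed) mappings versus a trusted snapshot: the comparison a resident
    monitor such as Tea Timer makes when it alerts on a HOSTS edit."""
    before, after = parse_hosts(baseline), parse_hosts(current)
    return after - before, before - after

def group_or_world_writable(mode: int) -> bool:
    """True if group or others may write the file; hosts should be root-owned 0644."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

# Constructed sample data: the address is the one Animats quotes in the thread, the
# hostnames are invented (.test TLD).
BASELINE = """# clean hosts file (constructed)
127.0.0.1   localhost
::1         localhost
0.0.0.0     ads.tracker.test   # sinkhole entry, benign
"""
TAMPERED = BASELINE + "217.20.175.74  reviews.magazine.test  download.avvendor.test\n"
```

On a live system you would read the real file (C:\Windows\System32\drivers\etc\hosts or /etc/hosts) and its `os.stat().st_mode` in place of the constructed strings; the snapshot for `hosts_changes` must be stored somewhere the unprivileged user cannot alter.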