Slashdot Mirror


Rogue Anti-Malware Pushes Fake PCMag Review

Varzil found an interesting story about some "Rogue Anti-Malware" (which seems to me should just be called 'Malware') which modifies your HOSTS file to trick you into reading a fake anti-virus review which is of course for more malware. Modifying HOSTS is an old trick, but this is interesting because it's actually trying to get you to read fake content: normally this sort of trick is used to prevent you from fixing your computer, but this one is trying to get you to break it even more. I guess friends don't let friends modify their HOSTS files.
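
An added example, not code from the story or from any of the comments: the check a responder would run against the HOSTS file the summary describes. It parses the file, flags security-vendor and review-site names that the file sinkholes to loopback (the old trick) or points at some other address (the redirect trick described here, which the thread notes is also used against vendor download sites), and reports any other entry that maps a name to a public address. The vendor watch-list and the sample HOSTS contents are constructed for the example; the 217.20.175.74 address is the one a commenter gives below for the server hosting the fake review.

```python
"""Audit a hosts file for rogue-AV style tampering.

Added example: not code from the story or from any commenter. The watch-list
and SAMPLE_HOSTS below are constructed for illustration.
"""
import ipaddress
import platform

# Constructed watch-list: names a rogue-AV campaign typically tampers with.
# Extend it with your own vendors' update and download hosts.
WATCHED_SUFFIXES = (
    "pcmag.com", "avg.com", "symantec.com", "norton.com",
    "mcafee.com", "kaspersky.com", "microsoft.com", "windowsupdate.com",
)

def parse_hosts(text):
    """Yield (lineno, ip_address object, [hostnames]) for each active entry.

    Comments and blank lines are skipped; a first field that is not an IP
    address is treated as a malformed line and ignored.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        yield lineno, addr, [h.lower().rstrip(".") for h in fields[1:]]

def is_watched(hostname):
    """True for a watched domain or any of its subdomains (not for look-alikes)."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)

def verdict_for(addr, hostname):
    """Classify one name->address mapping; None means nothing suspicious."""
    sinkholed = addr.is_loopback or addr.is_unspecified   # 127.x, ::1, 0.0.0.0
    if is_watched(hostname):
        # Loopback = the classic "stop the victim reaching the vendor" trick;
        # anything else = the victim is being served attacker content instead.
        return "blocked" if sinkholed else "redirected"
    if not (sinkholed or addr.is_private or addr.is_link_local):
        # Legitimate local entries point at LAN or loopback addresses;
        # a public address in the hosts file deserves a look.
        return "public-target"
    return None

def audit_hosts(text):
    """Return a list of findings, in file order, for a hosts file's contents."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        for name in names:
            verdict = verdict_for(addr, name)
            if verdict:
                findings.append({"line": lineno, "ip": str(addr),
                                 "host": name, "verdict": verdict})
    return findings

def hosts_path():
    """Default hosts file location on Windows and on Unix-like systems."""
    if platform.system() == "Windows":
        return r"C:\Windows\System32\drivers\etc\hosts"
    return "/etc/hosts"

# Constructed sample. 217.20.175.74 is the address given in the thread for
# the server hosting the fake review; the vendor names are illustrative.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.corp.local
217.20.175.74   www.pcmag.com pcmag.com
217.20.175.74   www.avg.com free.avg.com
127.0.0.1       www.symantec.com     # old trick: sinkhole the vendor
8.8.8.8         updates.example.net
"""

if __name__ == "__main__":
    import sys
    # No argument: audit the constructed sample. "--system": audit the real
    # hosts file. Any other argument is taken as a path to a hosts file.
    if len(sys.argv) == 1:
        text = SAMPLE_HOSTS
    else:
        path = hosts_path() if sys.argv[1] == "--system" else sys.argv[1]
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    for f in audit_hosts(text):
        print(f"line {f['line']:>3}: {f['host']:<28} -> {f['ip']:<16} {f['verdict']}")
```

Run it from a clean boot medium (or at least from an account the malware is not running under) so the file you read is the one the resolver actually uses, and remember that a hosts entry is only one of several ways the resolver can be hijacked; an unchanged hosts file does not clear the machine.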

6 of 90 comments

  1. Five Stars! by hendrix2k · Score: 5, Funny
    "which seems to me should just be called 'Malware'"

    I dunno, this review I just read says Antivirus2010 is great!

  2. hijacking AV sites too by nine-times · Score: 4, Funny

    I've noticed this too, particularly surrounding Antivirus 2009. Not only do they hijack review sites to post positive reviews about Antivirus 2009, but they reroute traffic to legitimate antivirus software. So if you go to the website for AVG or Norton or something, it will point you towards downloading Antivirus 2009.

    It's a nasty little bugger.

    1. Re:hijacking AV sites too by nine-times · Score: 3, Informative
      I haven't really found any single solution to be good enough. Once you're infected with one of these things, it seems like the best idea is to either (a) wipe the drive and start over; or (b) download and install every malware/spyware/virus removal program that you can get your hands on, run them serially, and remove anything that any of them find. Ideally you run each from a live CD or something that doesn't allow the virus a chance to load before you can run the remover.

      And then to be really careful, run each of them again.

    2. Re:hijacking AV sites too by Spazztastic · Score: 3, Insightful

      To follow up on parent, if you work in an IT department where you can image computers, it's far more effective to just back up their files and reimage the computer. I've spent hours cleaning them only to (as a last resort) reimage the computer.

      --
      Posts not to be taken literally. Almost everything is sarcasm.
  3. Why aren't these people in jail? by tjstork · Score: 3, Funny

    I mean, come on.... this is just pure fraud.

    --
    This is my sig.
  4. Checking out the IP address and domain by Animats · Score: 4, Insightful

    Let's see what we can find out.

    We have an IP address for the server hosting the phony pages: "[217.20.175.74]". This is in DNS as "sweeper.globmail.org".

    eNom, a favored registrar of bottom-feeders, is the registrar.

    There's an address in Kiev, but it's bogus.

    WhiteDomainsOrg
    Reiterska 13
    Kiev Kiev
    01001
    UA
    Phone:+380.5490567

    That's a bar in Kiev, Dveri (Door). It's about two blocks from the old US Consulate.

    The upstream provider is "ge0.colo0.kv.wnet.ua". So this is a colocated machine at WNet in Ukraine.

    The US FBI has a local office in Kiev.

    This is something that could be cracked by motivated law enforcement.
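
An added example, not the commenter's own tooling, that automates the pivot walked through above: address to PTR name, PTR name to registrable domain, domain to the registrar and registrant contact in whois, plus the same last-two-labels collapse that turns the upstream hop "ge0.colo0.kv.wnet.ua" into the provider "wnet.ua". The live lookups need network access and a system whois client; the parsing runs offline on a record constructed from the figures quoted in the comment (the field labels are assumed, and it is not captured whois output).

```python
"""Pivot from a suspect server address to its name, registrar and upstream.

Added example, not the commenter's own tooling. The live lookups need network
access and a system `whois` client; the parsing is what is exercised offline,
on a record constructed from the figures quoted in the comment.
"""
import re
import socket
import subprocess

def reverse_dns(ip):
    """PTR lookup for an address; None if there is no record or no network."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:          # socket.herror / gaierror are OSError subclasses
        return None

def whois_text(target):
    """Raw output of the system whois client; empty if it is absent or hangs."""
    try:
        proc = subprocess.run(["whois", target], capture_output=True,
                              text=True, timeout=30)
        return proc.stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""

def parse_whois(text):
    """Collect 'Key: value' lines into a dict (lowercase keys, first value wins).

    Whois output is free-form and registrar-specific, so this is a best-effort
    extractor, not a full parser.
    """
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][\w /.-]*?):\s*(\S.*?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), m.group(2))
    return fields

def registrable_domain(hostname):
    """Collapse a hostname to its last two labels (sweeper.globmail.org ->
    globmail.org, ge0.colo0.kv.wnet.ua -> wnet.ua).

    Assumption: two-label registrable domains. Under registries such as
    co.uk this is wrong; use a public-suffix list there.
    """
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname

def summarize(fields):
    """Pull the registrar and registrant contact out of parsed whois fields."""
    want = ("registrar", "registrant organization", "registrant street",
            "registrant city", "registrant country", "registrant phone")
    return {k: fields[k] for k in want if k in fields}

def triage(ip):
    """Live pivot: IP -> PTR name -> whois of its domain. Needs network."""
    ptr = reverse_dns(ip)
    domain = registrable_domain(ptr) if ptr else None
    fields = parse_whois(whois_text(domain)) if domain else {}
    return {"ip": ip, "ptr": ptr, "domain": domain, "whois": summarize(fields)}

# Constructed record laid out from the details quoted in the comment; it is
# not captured whois output and the field labels are assumed.
SAMPLE_WHOIS = """\
Domain Name: globmail.org
Registrar: eNom
Registrant Organization: WhiteDomainsOrg
Registrant Street: Reiterska 13
Registrant City: Kiev
Registrant Postal Code: 01001
Registrant Country: UA
Registrant Phone: +380.5490567
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(triage(sys.argv[1]))        # e.g. python pivot.py 217.20.175.74
    else:
        print(summarize(parse_whois(SAMPLE_WHOIS)))
        print(registrable_domain("ge0.colo0.kv.wnet.ua"))
```

The whois-derived fields are only as good as what the registrant typed, which is exactly the point the comment makes about the bogus Kiev address: treat them as leads to corroborate against the PTR record and the upstream provider, not as facts.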