Rogue Anti-Malware Pushes Fake PCMag Review

Varzil found an interesting story about some "Rogue Anti-Malware" (which seems to me should just be called 'Malware') which modifies your HOSTS file to trick you into reading a fake anti-virus review which is of course for more malware. Modifying HOSTS is an old trick, but this is interesting because it's actually trying to get you to read fake content: normally this sort of trick is used to prevent you from fixing your computer, but this one is trying to get you to break it even more. I guess friends don't let friends modify their HOSTS files.

Five Stars!

[hendrix2k]

"which seems to me should just be called 'Malware'"

I dunno, this review I just read says Antivirus2010 is great!

hijacking AV sites too

[nine-times]

I've noticed this too, particularly surrounding Antivirus 2009. Not only do they hijack review sites to post positive reviews about Antivirus 2009, but they reroute traffic to legitimate antivirus software. So if you go to the website for AVG or Norton or something, it will point you towards downloading Antivirus 2009.

It's a nasty little bugger.

Checking out the IP address and domain

[Animats]

Let's see what we can find out.

We have an IP address for the server hosting the phony pages: "[217.20.175.74]". This is in DNS as "sweeper.globmail.org",

eNom, a favored registrar of bottom-feeders, is the registrar.

There's an address in Kiev, but it's bogus.

WhiteDomainsOrg
Reiterska 13
Kiev Kiev
01001
UA
Phone:+380.5490567

That's a bar in Kiev, Dveri (Door). It's about two blocks from the old US Consulate.

The upstream provider is "ge0.colo0.kv.wnet.ua". So this is a colocated machine at WNet in Ukraine.

The US FBI has a local office in Kiev.

This is something that could be cracked by motivated law enforcement.