Rogue security software spoofs ZDNet Reviews

Rogue security software spoofs ZDNet Reviews

Summary: Impersonation is a form of flattery by itself, however, not when it comes to the very latest round of rogue security software this time impersonating ZDNet, CNET's and PC Magazine's reviews section, making it look like legitimate and highly respected technology sites have actually reviewed and recommend the rogue security software.

SHARE:
TOPICS: Security
5

Impersonation is a form of flattery by itself, however, not when it comes to the very latest round of rogue security software this time impersonating ZDNet, CNET's and PC Magazine's reviews section, making it look like legitimate and highly respected technology sites have actually reviewed and recommend the rogue security software.

According to Lawrence Abrams from Bleeping Computer the latest rogue security software Anti-virus-1 redirects infected users attempting to visit the sites to a legitimately looking reviews of the scareware. By using this novel approach the rogue software vendor's aim is to add more legitimacy to Anti-virus-1's existence in general. However, if they truly wanted to achieve better social engineering result, they could have at least used a more recent version of the impersonated sites.

Here's how it's done anyway:

Upon installation the software modifies the HOSTS file and redirects affected users attempting to visit the review sites to a centralized location used for the hosting and promotion of even more rogue security software:

O1 - Hosts: 217.20.175.74 www.review.2009softwarereviews.com O1 - Hosts: 217.20.175.74 review.2009softwarereviews.com O1 - Hosts: 217.20.175.74 a1.review.zdnet.com O1 - Hosts: 217.20.175.74 www.d1.reviews.cnet.com O1 - Hosts: 217.20.175.74 www.reviews.toptenreviews.com O1 - Hosts: 217.20.175.74 reviews.toptenreviews.com O1 - Hosts: 217.20.175.74 www.reviews.download.com O1 - Hosts: 217.20.175.74 reviews.download.com O1 - Hosts: 217.20.175.74 www.reviews.pcadvisor.c.uk O1 - Hosts: 217.20.175.74 reviews.pcadvisor.co.uk O1 - Hosts: 217.20.175.74 www.reviews.pcmag.com O1 - Hosts: 217.20.175.74 reviews.pcmag.com O1 - Hosts: 217.20.175.74 www.reviews.pcpro.co.uk O1 - Hosts: 217.20.175.74 reviews.pcpro.co.uk O1 - Hosts: 217.20.175.74 www.reviews.reevoo.com O1 - Hosts: 217.20.175.74 reviews.reevoo.com O1 - Hosts: 217.20.175.74 www.reviews.riverstreams.co.uk O1 - Hosts: 217.20.175.74 reviews.riverstreams.co.uk O1 - Hosts: 217.20.175.74 www.reviews.techradar.com

And whereas modifying the HOSTS file is a bit of a noisy approach to hijack traffic, given the fact that end user managed to get -- ironically -- infected with a non-existent security software on their way to protect themselves from security threats, there's a high chance that this HOSTS modification will remain undetected.

This "visual social engineering" approach is perhaps one of the key success factors for the rise of rogue security software. From the real-time scanning applets showing how badly affected a visitor is, to the bogus software rewards and awards the application has already won by using , vendors of rogue security software know the value of "what you see is what you get", or at least we want you think so.

From a psychological perspective, the rise of rogue security software demonstrantes the end user's impulsive decision making based on the oldest known motivation factor - fear which in 2009 is transformed into fear of losing data. And while in the past cybercriminals used to brandjack legitimate security software, today's revenue-sharing affiliate based model for spreading rogue security software is in fact building new brands that despite their short product cycle are already affecting hundreds of thousands of users.

Topic: Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

5 comments
Log in or register to join the discussion
  • Message has been deleted.

    David Grober
  • RE: Rogue security software spoofs ZDNet Reviews

    Someone needs to track down this company and punish them for what they are doing.
    docqualizer
  • RE: Rogue security software spoofs ZDNet Reviews

    So, Dancho Danchev, it sounds like you are saying that to get rid of the "infestation" all you have to do is edit the HOSTS contents and a computer is clean.
    I am aware that this is not something recommended for a novice.
    Will Anti-virus-1 get into the registry or somehow into the kernel?
    How do we get rid of it?
    Any reply would be appreciated.
    zanderqin
  • RE: Rogue security software spoofs ZDNet Reviews

    There are several free apps out there that will help you get rid of this. I work for a state institution and we are working on getting an Enterprise package for spyware. But I am sure we will still need to use 1 or more of our free apps to get rid of alot of these and other new ones coming around.
    Most can be found on ZDNet's Download.com.
    1. Spybot Search & Destroy (Advanced Mode for serious issues) You can not only kill entire processes, but the modules of NON killable processes. And a way to get rid of Active X and Browser Helper Objects.
    2. AdAware. Pretty straight forward apps.
    3. Super Anti Spyware. (I know the name is silly, but it does a good job)
    4. Malware Bytes. This one will get the really tough ones. But for some reason misses some of the more common ones.

    Using just 1 of these will not be suitable for most. We usually don't get the call until after a PC has been screwed up for a week and the user says it is unbareable. And since our service is free, they could care less.
    dbisse
  • RE: Rogue security software spoofs ZDNet Reviews

    Great!!! thanks for sharing this information to us!
    <a href="http://www.yuregininsesi.com">seslisohbet</a> <a href="http://www.yuregininsesi.com">seslichat</a>
    birumut