These rogue anti-spyware programs seem to multiply like rabbits. Just 2 days ago I wrote about Spy-Shield, an anti-spware app that installs adware from BestOffersNetwork Then yesterday SunbeltBLOG featured another new rogue anti-spyware app named BraveSentry. The Sunbelt researchers found a domain running exploits and force installing not just one rogue anti-spyware app but two. Maybe pushers thought two rogues would be more convincing to frighten the user into buying one of them? The domain running the exploits is a known CoolWebSearch domain, Game4all(dot)biz (link to whois) which is hosted in Russia. SunbeltBlOG has screenshots of the hijacked desktops with BraveSentry and AlfaCleaner. The BraveSentry website is hosted at InterCage, formerly Atrivo, which I blogged about previously, and its neighbor on the same IP (69.50.166.195) is anosurfer.com, another site for SpySheriff. (Links are to whois info, not to the sites.)
And… speaking of SpySheriff, which got number 2 place on the top 10 rogue anti-spyware of 2005, another SpySheriff clone emerged today - PestWiper, which also "happens" to be hosted at InterCage.
Wouldn’t you know it, there’s already a complaint on an anti-spyware forum about being hijacked by BraveSentry. I wouldn’t be surprised to see similar complaints about PestWiper soon. I believe the Antispyware Conspiracy that Mark Russinovich (of Sony DRM rootkit fame) wrote about here is very real.
On a side note, I received an email today from a vendor whose anti-spyware program is listed on the Rogue/Suspect Anti-Spyware page. He was, of course, complaining about his product being listed, but one of the statements in is email really got my attention:
In our opinion, the Adware is one of the best ways to advertise antispyware product because users who got Adware would need a way to clean and protect their computers.
If I understand that correctly, he is saying that it’s not only ok, but good, to use adware to advertise antispyware products. Fascinating, isn’t it? And that’s not one of the problems noted with his app, either. Not yet, at least…
If anyone lands here from a search engine and has been hijacked by any of the above mentioned rogues, you can get help with removal at one of the anti-spyware sites listed on this page.
