I don't know whether these rogue anti-spyware/spyware pushers are getting desperate or simply think no one will notice, but super rogue Razespyware, which earned a place on the top 10 rogue anti-spyware of 2005, has a new, very dirty and very deceptive trick to frighten users into paying for the software. I read where someone called these apps ransomware, which is quite appropriate given their behavior. SunbeltBLOG has posted screenshots and an explanation of this trick, along with some information about who might be behind it. Researcher Adam Thomas wrote:
For the past week, our Spyware Research team has been observing Raze Spyware being silently installed without user consent through various exploits. Raze Spyware is already a long-time member of Eric Howes' Rogue Anti-Spyware products list. Dubious installation methods are a common practice for these Rogue Anti-Spyware applications. To make matters worse, we have also found a fake keylogger being installed alongside Raze Spyware! The program then alerts the user that they are infected with the "keylogger".
The fake keylogger is named keylogger32.exe. But it doesn't stop there. The infected machine was noted to transmit data to the pills-catalog.net domain, where a bot-net controller was revealed. Note the screenshots of the warning about the fake keylogger and of the bot-net controller in action.
Who might be behind this egregious trick? Sunbelt posted the domain names and whois information. Razespyware.net (link to whois) is registered to an outfit called Painter Co.
Domain Name: RAZESPYWARE.NET
255 West 36 Street New York, NY 10018-7555
The domain pills-catalog.net (link to whois) shows:
Domain Name: PILLS-CATALOG.NET
Colonnel By Hall A510
I have no idea if this registration info is accurate or not. If anyone has knowledge of those addresses, I'd be interested.
So where are these websites hosted? Razespyware.net is hosted at IP address 184.108.40.206, according to whois.sc, and is located in Parsippany, New Jersey, according to dssstuff.com. It apparently belongs to Net Access Corporation. Pills-catalog.net is shown by whois.sc to be at IP address 220.127.116.11 and belongs to InterCage, Inc. in Concord, California. InterCage was mentioned as hosting the domains of other super rogue anti-spyware apps, too. Both domain names were registered through Estdomains. Estdomains.com is registered to InterCage as well, and the website at IP 18.104.22.168 appears to be hosted by InterCage.
My advice to anyone who is infected with Razespyware, after getting your machine cleaned up, is to file reports with the Federal Trade Commission using their Consumer Complaint form here, and with the Center for Democracy & Technology (CDT) here. Companies perpetrating these egregious spyware tricks need to be stopped.