Friday, December 25, 2009

Anti-Virus Live 2010. Talking with the enemy

Generally one has the false belief that malicious code is trivial that any technical problems solved by just formatting the system or acquire any of the known anti-malware market offers today.

However, on the one hand, the reality is that behind the development of malware hides a very large business in which every day must be added more "associates". Moreover, what happens when we plan to buy this antivirus is just the opposite.

This is the case of the Anti-Virus Live 2010 or what is the same, Anti-Virus Elite 2010 malware scareware type (or rogue), which makes it quite evident that the processes and mechanisms by which deceives order to steal your money are well oiled and well thought out.

At first instance, as is usual in this type of threat, the strategy is supported by a website that is used to "bait" to lure potential victims, saying all sorts of justifications to "prove" some credibility on the false antivirus, which complements a typical disinformation campaign.

So far, nothing interesting. Except for the possibility of requesting assistance via chat. Interesting. Then check if this condiment is legitimate ... Yes it's.

Consequently, communication was established through this option with the surprise that immediately got response from the other side. You can then take the short conversation via chat.

We basically said Dennis, the merchant, which among other things the course antivirus is compatible with all versions of Windows, its value is USD 27, which only supports English and no enterprise version and no problems eliminating conficker.

Let us briefly discuss these points. Obviously, the scareware must be compatible with all versions of Windows as it's this time the audience that the threat is directed. Why? Simply because more than 80% of people use Windows as the main operating system in home environments where the potential for finding a particular victim increases. This way is much more likely "to close business."

For the same reason there isn't version for GNU/Linux, even, not even version oriented businesses; because usually, the companies have a higher level of security where probably the scareware not find results.

Why English and not Russian? Because English is the third most popular language. Its cost, USD 27, represents a competitive value that's commensurate with the average cost of legitimate antivirus programs. And regarding conficker, whether by koobface wondering, the answer would have been the same.

A very interesting fact that helps to understand its true magnitude of the illegal business of malware, is the error committed by the "affiliate" Dennis when requesting the URL to buy a false solution. It gives us the url and time of comment that is not in question the supposed solution, offering the proviso the corresponding url.

However, we were trying to close "business" by Anti-Virus Live 2010 and not Anti-Virus Elite 2010, making it clear that this is the same threat under different names. Even the same "partner" manages and markets various alternatives under similar mode. In this case, also offering the fraudulent sale of Registry Fix, another associated with NoAdware and scareware ErrorClean.

From a technical point of view, the domain of this threat is in the IP address, hosted by the ISP Rackspace, located in the city of Hoboken in the United States under AS27357.

According to the history of this AS, the activities generated by malicious code are important

From the website you download an executable named setup.exe (MD5: C50DC619E13345DEC2444B0DE371DFD4) which corresponds to scareware installer with a low rate of detection.

As we see, the cybercriminals don't get tired of spreading increasingly aggressive threats that accompany the infection process through marketing campaigns, even very similar to those used by many antivirus companies.

Related information
A recent tour of scareware XIX
Green IT utilizado para la propagación de scarewar...
Scareware. Repositorio de malware In-the-Wild
Scareware. Estrategia de engaño propuesta por Personal Antivirus
Campaña de propagación del scareware MalwareRemovalBot

Jorge Mieres
Malware Intelligence Blog

No comments: