

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL


edit:
February 16th, @11:31AM

 Beware these "fake" antispyware programs

Be very careful when using Google for Antispyware programs. There has been an increasing plague of fake and rogue antispyware apps trying to cash in on folks searching for legitimate programs, with these "fakes" using deceptive ads to get them to their websites. Ben Edelman has just released a very comprehensive article.

Critiquing C-NetMedia's Anti-Spyware Offerings and Advertising Practices
»www.benedelman.org/news/021408-1.html


Related articles also here:
Anti-Spyware Company Accused Of Deception
»www.informationweek.com/news/sho···06600029

Ben Edelman targets C-NetMedia
»blogs.zdnet.com/threatchaos/?p=537

For this reason I always make sure to supply the correct homepage URL with any recommendation of an Anti-Malware application. It's too easy to be "duped" by Google ads that try to deceive the unwary user.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2008
Proud Member of ASAP (Alliance of Security Analysis Professionals)


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC

See also..
Rogue Antispyware Spotting

»www.f-secure.com/weblog/archives···380.html

>>

Video - Rogue Spotting Posted by Sean @ 10:47 GMT |

Better Living thru Search Engines

In July of 2006 we did some searching for potentially unwanted applications; recycled or repackaged applications that were of dubious value. Affiliate marketing is used to promote sales and unfortunately such systems often provide economic incentives to cheat.

Those earlier search results contain some links to known rogue antispyware sites, but in general it's mostly harmless optimization software. (The real value of which is unknown to us.) Interestingly, since 2006 there are now many French, Spanish, Italian, and German localizations in the results. Everything is localized except the Privacy Policy text we searched for.

Now to the present — being less interested in PUAs and more interested in known bad Rogues, we tried a few different searches last week.

Starting with a new Rogue (VirusHeat, circa Feb. 8th) we used this text from the affiliate page:

Being associated with one of the most known innovative software solutions developer
whose mission is to protect the privacy and security of Windows computer users.

The Google search results produced a number of known bad guys. Many of the search links are blocked by StopBadware.org.

Click the image below for an example of the recycling (animated GIF). Attack of the Clones:
»www.f-secure.com/weblog/archives···hots.gif

This Rogue list included applications that we've seen elsewhere. Where?

On a list of applications hosted by the Russian Business Network.

RBN is an infamous underground ISP that provides bulletproof hosting. The site www.antispyzone.com isn't among the results and the URL doesn't currently resolve (server not found). However, using the site's last known IP address from a list of RBN associated IP Addresses, we located the page.

It uses the very same text on its affiliate page. They're all bad Rogues…

You don't want to buy what they're selling.

--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/


DownTheShore
Obama '08
Premium
join:2003-12-02
Edison, NJ
clubs:

reply to CalamityJane
I use McAfee's free Site Advisor as my first level filter of any Google results. I find it to be pretty good for giving a heads-up regarding dodgy sites.
--
Life is simply one damned thing after another.


MarkAW
Call me lil bratt
Premium
join:2001-08-27
Canada
·Bell Sympatico

I use TrendSecure's free TrendProtect as my first level filter of any Google results.
--
Advertising is legalized lying. - H.G. Wells
Pleasure in the job puts perfection in the work. - Aristotle


delenn13
De gustibus nil disputandum
Premium,MVM
join:2006-03-02
Ridgeway, ON
clubs:
reply to CalamityJane
Thanks for the good read and warnings. I use Link Scanner.


CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

reply to CalamityJane
Filters are good. You 3 are obviously "above average" on the security scene.

Unfortunately, for the average user, most are not aware of them nor using them, and sometimes the site scanners are slow to pick up on these deceptive type programs trying to copycat legitimate programs. I worry most about the increasing numbers of rogues and copycat programs that are misdirecting unsuspecting users to a site that is only there to provide a free "scan" that will of course turn up a number of suspects (some fake and false alerts too), but the user must pay to remove the malware. These guys are really getting unsuspecting folks who are told to download Ad-Aware, Spybot, Defender, any recognized program and left to "google" for the link. We're seeing increasing numbers of people who have bought a program thinking it was the recommended one, only to find that a) they have to pay for it (the true free legitimate programs do not make you pay to remove the malware found) and b) it doesn't work, or worse, only finds false detections which could make matters worse.

That particular case Ben outlined is one company trying to cash in on folks getting misdirected via google ads.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2008
Proud Member of ASAP (Alliance of Security Analysis Professionals)


MagMan
Life is simpler when you tell the truth.
Premium
join:2003-10-01
Westlake, OH
reply to CalamityJane
I use common sense which seems to be forgotten by a lot of users.


mrchris
Stop deleting my posts
Premium
join:2002-10-01
North Babylon, NY
As do I. I only use those officially listed on the daily Security forum sticky and keep away from stuff like that.

Death to RBN.


aaron8301
I can't get myself to go away.

join:2005-01-03
Clarkston, WA
·CableOne

reply to CalamityJane
The irony of the OP is that if you are reading this site you should already know to check with this site first for recommendations on software such as this before you use anything.

But regarding the OP, as I always say, "they wouldn't tell you that unless someone had done it."
--
There comes a point in your life when you get tired of fixing everything and wiping everyone's ass. But it’s not giving up. It’s realizing that you don’t need certain people and the bullshit and drama they bring to your life.


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC

reply to DownTheShore
said by DownTheShore:

I use McAfee's free Site Advisor as my first level filter of any Google results. I find it to be pretty good for giving a heads-up regarding dodgy sites.
Site reputation and the Russian Business Network

The RBN allegedly owns and/or operates ASNs in the netblock 81.95.144.0/20. SpamHaus has a detailed report on the RBN, and they recommend blocking this entire netblock in their drop list. Krebs also provided a mapping of the RBN network with some address data that corroborates SpamHaus. Here’s a Domain Tools whois report on one of the ASNs inside of it.

Let’s look at the distribution of categorized URLs and domains in the 8e6 Database from servers hosted in that netblock:

Malcode — 84.08%
BotNets — 5.22%
Porn — 4.62%
ChildPorn — 4.01%
Spyware — 1.34%
Phishing — 0.73%
I didn’t omit anything — that’s the whole list. Yikes! There is literally nothing on the network that has any redeeming value. I’m willing to bet that any IT Admin could legitimately make the case to the business folks that access to this whole netblock should be blocked. (We put all 4096 IPs from the block in our Bad Reputation Domains category.)

Now let’s see what McAfee’s SiteAdvisor has to say about the RBN.

I pulled an active porn site from our list of sites on the RBN. SiteAdvisor gives you the green light, and even gives the thumbs up on an executable hosted on that site. I don’t know about you, but I don’t care if that exe doesn’t hit one of McAfee’s signatures … it’s hosted by the bad guys! I don’t want any of my users to be able to download it.

To illustrate a more insidious problem, I looked up a dead IP in the netblock. As expected, SiteAdvisor shows a grey question mark icon and reports that it has not reviewed this site. While that’s certainly true, it’s not particularly helpful. Personally, I would be inclined not to trust whatever showed up on that IP in the future, because, once again, it’s owned by the bad guys.

I don’t mean to pick on SiteAdvisor; I like the concept behind that service. But my point here is that assessing site reputation is much more than relying on locating infected files and mapping links. It requires a cross-discipline approach, optimally involving data from more than one security vendor or research organization. Look for that from your vendors. Ask them who they’re partnered with and don’t accept the argument that one security vendor’s core competencies are enough to secure your entire infrastructure.
»8e6labs.com/2007/10/17/site-repu···network/

Note:
Russian Business Network: Down, But Not Out
»blog.washingtonpost.com/security···own.html
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/
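
The netblock-based reputation check that the quoted article argues for, as an added example that is not part of the original post or the 8e6 article. The drop-list text is a constructed sample in the plain "CIDR ; reference" layout, the reference is a placeholder, and `netblock_verdict` and its offline `resolved` map are hypothetical names.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample drop list. The netblock is the one named in the post;
# the reference after ';' is a placeholder, not a real listing id.
SAMPLE_DROP_LIST = """\
; constructed sample drop list
81.95.144.0/20 ; PLACEHOLDER-REF
"""


def parse_drop_list(text):
    """Return the networks in a drop list, skipping comments and blank lines."""
    networks = []
    for line in text.splitlines():
        entry = line.split(";", 1)[0].strip()  # drop trailing "; reference"
        if entry:
            networks.append(ipaddress.ip_network(entry, strict=True))
    return networks


def netblock_verdict(url, networks, resolved=None):
    """Judge a URL by where it is hosted, not by what was scanned there.

    `resolved` is a hypothetical hostname -> IP map standing in for DNS so
    the example runs offline.
    """
    host = urlsplit(url).hostname
    if host is None:
        return "invalid"
    try:
        addr = ipaddress.ip_address(host)  # URL uses a literal IP
    except ValueError:
        ip_text = (resolved or {}).get(host)
        if ip_text is None:
            return "unresolved"
        addr = ipaddress.ip_address(ip_text)
    # A never-reviewed address inside a listed block is still blocked.
    if any(addr in net for net in networks):
        return "block"
    return "no-listing"
```

A "no-listing" result only means the address is outside the listed blocks; it says nothing about the content hosted there.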


Siko
Premium
join:2006-11-27
Mechanicsburg, PA
clubs:
reply to CalamityJane
If you're reading this forum, then why would you need to google antispyware programs?

therube

join:2004-11-11
Randallstown, MD
reply to CalamityJane
This site too, The Spyware Warrior List of Rogue/Suspect Anti-Spyware Products & Web Sites.

Wake2

join:2005-04-30

reply to CalamityJane
Thanks Calamity Jane for an interesting read,
and thanks to NameGame too for the other links.
It is interesting too, isn't it, the differing results
you get when you use programs like TrendProtect,
Site Advisor, and LinkScanner.

Regards,

Wake

redwolfe_98

join:2001-06-11
·RoadRunner Cable

reply to CalamityJane
here is another related article:

"Benedelman exposes CNetmedia shady practices"

»msmvps.com/blogs/hostsnews/archi···465.aspx


DownTheShore
Obama '08
Premium
join:2003-12-02
Edison, NJ
clubs:

reply to Name Game
Just to point out that I didn't say that Site Advisor was the only thing I relied on - I do use my brain, too. One of the rules my brain applies is that all porn sites will most likely do something nasty to my computer, so I simply stay away from them.

I'm sure that none of these filters are perfect, especially since they just evolve by usage and reports. But they act as a good reminder to pay attention and not to automatically click on a site just because Google brings it up.
--
Life is simply one damned thing after another.


MarkAW
Call me lil bratt
Premium
join:2001-08-27
Canada
·Bell Sympatico


edit:
February 17th, @01:13PM

said by DownTheShore:

Just to point out that I didn't say that Site Advisor was the only thing I relied on - I do use my brain, too. One of the rules my brain applies is that all porn sites will most likely do something nasty to my computer, so I simply stay away from them.

I'm sure that none of these filters are perfect, especially since they just evolve by usage and reports. But they act as a good reminder to pay attention and not to automatically click on a site just because Google brings it up.
Well said, I totally agree with you. Being a long time member here has shown me some of the ins and outs of what to look for when it comes to bad-ware, and the only reason I posted that I use (Trendprotect) was to help those who are new who use Google or whatever search engine to look for help, that there are programs out there that are safe to use that will help you to avoid clicking on those links that take you to these fake antispyware programs, well that and using your head of course.
--
Advertising is legalized lying. - H.G. Wells
Pleasure in the job puts perfection in the work. - Aristotle


CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

reply to Siko
said by Siko:

If you're reading this forum, then why would you need to google antispyware programs?
Good question. Perhaps you need to think in terms of the people we have reading here
(it's not just us, guys)

We get many visitors here who come in off of Google looking for security solutions. We also have many lurkers. And the DSLR site itself has members who come here for other reasons (speed tests, etc.) that can be quite unaware of such tactics as the one being used in the article Ben posted.

Another point to this topic is that those of us who DO participate frequently in these security topics are already in the know. And we often end up helping others just as we saw in these two older topics (also involving the copycat Spywarebot).

»something funny yet sad.

So, they also see the Google ads on this very site too!
»Rogue AntiSpyware Ads on DSLReports

And thirdly, these guys from C-netmedia have been operating in this manner for over a year and nobody has yet to come up with a very comprehensive list, so it's nice that Ben put it all together for us. It's our job also to watch out for others and make sure no one gets scammed by these types of schemes. This isn't the only one nor the first nor the last we will see. I think it's a good reminder that when you do recommend a remover or product to someone to use a link to an official download.

So you see, I'm almost always thinking of the folks who come here to learn about security and find these topics and hopefully, gain some insight from them
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2008
Proud Member of ASAP (Alliance of Security Analysis Professionals)


Cudni
La Merma - Los De Aca
Premium,MVM
join:2003-12-20
Someshire
·BTOpenworld

reply to Siko
said by Siko:

If you're reading this forum, then why would you need to google antispyware programs?
Just to reiterate what CJ said, and where the OP misunderstood the SCU FAQ and googled for a rogue antispyware:
»Re: My experience in attempting to remove vundo

Cudni
--
"Mercifully, he hit him with the soft end of the pistol."
Help yourself so God can help you.
Microsoft MVP, 2006-2007


onebadmofo
Repost These Nuts In Your Mouth.
Premium
join:2002-03-30
Reading, PA

reply to MagMan
said by MagMan:

I use common sense which seems to be forgotten by a lot of users.
Which version are you using?


MagMan
Life is simpler when you tell the truth.
Premium
join:2003-10-01
Westlake, OH
·AT&T Midwest
·AT&T Midwest


edit:
February 17th, @05:44PM

said by onebadmofo:

said by MagMan:

I use common sense which seems to be forgotten by a lot of users.
Which version are you using?
Not the one you are.
--
"The truth is incontrovertible, malice may attack it, ignorance may deride it, but in the end; there it is."