Misleading Software Spoofs ZDNet

by Frank Jovine on 02/21/2009 in Fake Antivirus, Security

Impersonation may be a form of flattery in itself, but not when it comes to the very latest round of rogue security software, which this time impersonates the reviews sections of ZDNet, CNET and PC Magazine, making it look as if legitimate and highly respected technology sites have actually reviewed and recommended the rogue security software.

According to Lawrence Abrams from Bleeping Computer, the latest rogue security software, Anti-virus-1, redirects infected users attempting to visit the sites to legitimate-looking reviews of the scareware. With this novel approach, the rogue software vendor aims to add more legitimacy to Anti-virus-1’s existence in general. However, if they truly wanted to achieve a better social engineering result, they could have at least used a more recent version of the impersonated sites.

Here’s how it’s done anyway:

Upon installation, the software modifies the HOSTS file and redirects affected users attempting to visit the review sites to a centralized location used for the hosting and promotion of even more rogue security software:

O1 – Hosts: 217.20.175.74 www.review.2009softwarereviews.com
O1 – Hosts: 217.20.175.74 review.2009softwarereviews.com
O1 – Hosts: 217.20.175.74 a1.review.zdnet.com
O1 – Hosts: 217.20.175.74 www.d1.reviews.cnet.com
O1 – Hosts: 217.20.175.74 www.reviews.toptenreviews.com
O1 – Hosts: 217.20.175.74 reviews.toptenreviews.com
O1 – Hosts: 217.20.175.74 www.reviews.download.com
O1 – Hosts: 217.20.175.74 reviews.download.com
O1 – Hosts: 217.20.175.74 www.reviews.pcadvisor.c.uk
O1 – Hosts: 217.20.175.74 reviews.pcadvisor.co.uk
O1 – Hosts: 217.20.175.74 www.reviews.pcmag.com
O1 – Hosts: 217.20.175.74 reviews.pcmag.com
O1 – Hosts: 217.20.175.74 www.reviews.pcpro.co.uk
O1 – Hosts: 217.20.175.74 reviews.pcpro.co.uk
O1 – Hosts: 217.20.175.74 www.reviews.reevoo.com
O1 – Hosts: 217.20.175.74 reviews.reevoo.com
O1 – Hosts: 217.20.175.74 www.reviews.riverstreams.co.uk
O1 – Hosts: 217.20.175.74 reviews.riverstreams.co.uk
O1 – Hosts: 217.20.175.74 www.reviews.techradar.com

And whereas modifying the HOSTS file is a rather noisy way to hijack traffic, the end user has, ironically, already managed to get infected with non-existent security software on their way to protecting themselves from security threats, so there’s a high chance that this HOSTS modification will remain undetected.
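One way a defender could check for this kind of tampering, as an added example that is not part of the original post: the script parses HOSTS file content (or HijackThis "O1 - Hosts:" lines like those above) and reports public IP addresses that several hostnames have been pointed at. The sample input is constructed from a few of the entries listed above plus benign lines; the function names and the min_hosts threshold are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: benign entries plus a few of the entries listed above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.test      # local blocklist entry
192.168.1.10    nas.home.example      # LAN device
217.20.175.74   a1.review.zdnet.com
217.20.175.74   www.d1.reviews.cnet.com
217.20.175.74   www.reviews.pcmag.com reviews.pcmag.com
"""

# HijackThis prefixes each HOSTS entry in its log; strip it if present.
HJT_PREFIX = re.compile(r"^\s*O1\s*[-\u2013]\s*Hosts:\s*")

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and malformed lines."""
    for line in text.splitlines():
        line = HJT_PREFIX.sub("", line)
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        for name in fields[1:]:
            yield ip, name.lower()

def suspicious_redirects(text, min_hosts=2):
    """Return {ip: [hostnames]} for public IPs that several names point to."""
    by_ip = defaultdict(list)
    for ip, name in parse_hosts(text):
        # Loopback, 0.0.0.0 and private-range targets are normal in HOSTS
        # files (blocklists, LAN names); a public address is the odd case.
        if ip.is_global:
            by_ip[str(ip)].append(name)
    return {ip: names for ip, names in by_ip.items() if len(names) >= min_hosts}

if __name__ == "__main__":
    for ip, names in suspicious_redirects(SAMPLE_HOSTS).items():
        print(f"{ip} <- {len(names)} hostnames: {', '.join(names)}")
```

A hit is a prompt to review the file by hand, since some administrators do pin public addresses in HOSTS deliberately.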

Source: ZDNet


6 Responses to “Misleading Software Spoofs ZDNet”


  2. Colin

    Feb 21st, 2009

    Hi Frank,

    This is BAD news for everyone. To make it look legitimate through hijacking well respected sources makes this even worse. Now they have a new method of approach which could have lethal consequences for infected users.
    I have added these into my Hosts file ready to implement after going around and rating them :)

    May I have your permission to add this to my growing list of malicious sites /rogue software?

    • Frank J

      Feb 21st, 2009

      Colin,

      It could even fool the tech savvy.

      Hope all is well!

  3. Colin

    Feb 21st, 2009

    It sure could Frank,

    Reviews on each site come after the .com/ or .co.uk/
    I visited those listed and my AV went crazy a couple of times, so it would seem that some AVs are picking them up, until such times as they modify the coding again, so I will continue in my sandbox I think LOL

    Have a good weekend :)

    • Frank J

      Feb 21st, 2009

      I saw that too, and it really is getting annoying to see this happening as much as it does.

  4. Cloudeight

    Feb 23rd, 2009

    The Windows HOSTS file has always been a problem. You don’t need to spend time editing your HOSTS file. Create a new HOSTS file using Notepad – save the file – right-click it, select properties, and make it “READ ONLY”. Then no one or nothing can write to the HOSTS file. Problem solved.