FakeAV promo site exposed
Scareware (aka “rogue software”, aka FakeAlert, aka FakeAV) has been a growing trend in recent months. This lucrative “business” generates multi-million dollar revenues today and shows no signs of slowing down.
Occasionally we get a glimpse of how these guys operate. Most recently, a Russian hacker got inside one of these affiliate networks, revealing some of the information they would rather keep secret. The results of this operation were well covered by our colleagues at SecureWorks.
Luckily, we do not always have to rely on this type of underground activity to get the information. Sometimes, the guys on the “dark side” are careless enough to leave the clues out in plain view.
At SophosLabs we track a few dozen websites created each day to promote and sell “scareware”. These domain names cover shopping and billing sites as well as the so-called “promos”. The most common kind of promo is a fake “porn tube 2.0” website, which offers free adult videos and demands that you upgrade a codec or the Flash Player software before you can watch them. Instead of a real codec you install something that tries to scare you into purchasing fake security software.
We came across one of these promo sites which has been abandoned since August this year and, because directory listing is enabled, lets anyone browse the entire site directory.
The first thing we spotted in the pile of adult content was a screenshot of some admin tool showing how the traffic for the website is filtered:
You can see that access from former Soviet republics and China gets blocked. The same goes for visitors with Russian, Belarusian or Ukrainian language settings in their browser. We saw similar behaviour in the software itself: it tries to work out whether the machine belongs to a Russian user and terminates itself if it concludes that it does.
And here is another image we did not expect to find on the site:
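The two filters visible in the screenshot (a country blocklist and a language blocklist) are simple to reconstruct. The following is an added example, not code from the original post or from the admin tool pictured: it parses the browser’s Accept-Language header with its q-weights and turns away a visitor whose resolved country is on the blocklist or whose browser prefers Russian, Belarusian or Ukrainian. The country lookup from the IP address is assumed to have been done already (the real tool presumably used a GeoIP database), the exact list of blocked countries is an assumption, and the sample visitors are constructed for illustration.

```python
"""Reconstruction of a geo/language traffic filter of the kind shown in the
promo-site admin screenshot.  Constructed example; not the original tool."""

# ISO 3166-1 alpha-2 codes for the former Soviet republics plus China.
# The exact list used by the original tool is not known; this one is assumed.
BLOCKED_COUNTRIES = frozenset({
    "RU", "BY", "UA", "KZ", "UZ", "TM", "KG", "TJ", "AZ", "AM", "GE",
    "MD", "LT", "LV", "EE", "CN",
})

# Primary language subtags (RFC 5646) that the filter rejects:
# Russian, Belarusian, Ukrainian.
BLOCKED_LANGUAGES = frozenset({"ru", "be", "uk"})


def parse_accept_language(header):
    """Parse an Accept-Language header into [(primary_language, q)].

    Handles optional ;q= weights, skips malformed entries and wildcards,
    and drops languages the client explicitly refuses (q=0).
    Returns the tags sorted by descending preference.
    """
    prefs = []
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        tag, _, params = part.partition(";")
        tag = tag.strip().lower()
        q = 1.0
        for param in params.split(";"):
            name, _, value = param.strip().partition("=")
            if name.strip() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0  # malformed weight: treat as not wanted
        if not tag or q <= 0:
            continue
        primary = tag.split("-")[0]
        if primary.isalpha():  # drops "*" and other junk
            prefs.append((primary, q))
    prefs.sort(key=lambda p: -p[1])
    return prefs


def is_blocked(country_code, accept_language):
    """Return (blocked, reason) for one visitor.

    country_code: ISO alpha-2 code already resolved from the IP (assumed).
    accept_language: raw Accept-Language header value, possibly empty.
    """
    if country_code and country_code.upper() in BLOCKED_COUNTRIES:
        return True, "country:" + country_code.upper()
    for lang, _q in parse_accept_language(accept_language or ""):
        if lang in BLOCKED_LANGUAGES:
            return True, "language:" + lang
    return False, ""


# Constructed sample visitors: (resolved country, Accept-Language header).
SAMPLE_VISITORS = [
    ("US", "en-US,en;q=0.9"),                 # served
    ("DE", "de-DE,de;q=0.8,en;q=0.5"),        # served
    ("RU", "en-US"),                          # blocked on country alone
    ("US", "ru-RU,ru;q=0.9,en;q=0.8"),        # blocked: Russian browser abroad
    ("US", "en;q=0.9,uk;q=0.1"),              # blocked: Ukrainian even at low q
    ("US", "en-US,ru;q=0"),                   # served: Russian explicitly refused
    ("CN", ""),                               # blocked on country, no header
]


def filter_traffic(visitors=SAMPLE_VISITORS):
    """Apply the filter to each visitor; returns (country, header, blocked, reason)."""
    return [(country, lang, *is_blocked(country, lang)) for country, lang in visitors]


if __name__ == "__main__":
    for country, lang, blocked, reason in filter_traffic():
        verdict = "BLOCK " + reason if blocked else "serve"
        print(f"{country:2} {lang!r:35} -> {verdict}")
```

The language check is the part that matters for an analyst: a visitor in the United States with a Russian browser is turned away just as a visitor in Russia is, which is why an analysis machine with a Russian locale will never see the payload from such a promo, and why the executable itself, as noted above, checks for the same thing before deciding whether to run.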
It appears to be a screenshot taken on a laptop PC. It features a browser pointed at RefreshStats.com, which is yet another “codec-partnerka” business — an affiliate network selling rogue software.
The page in the screenshot shows daily statistics for this individual’s account: the number of visits, the number of “conversions” (people who installed the software) and the money made on the traffic. An average of around $300 USD per day? Not too bad, considering that this is likely one of many affiliate networks this individual directs his traffic to. For example, you can see another “partner” site called Go-Go-Cash in the Bookmarks toolbar.
Why would they leave a screenshot like this on a promo site? I have no doubt that these guys would prefer to stay anonymous, even though there is little chance they will ever be punished for what they are doing. But even a single mistake like this can reveal quite a bit more than they would like. For example, the ICQ button on the taskbar clearly identifies who this person was communicating with, and it was easy to find his real name on ICQ People Find. Could he be in this business as well? We do not know, but the company he formerly ran was developing software that some considered to be spyware. But let’s keep digging through…
One of the archives on the site contained the source code of a PHP backend called “Gary Redirect System Admin v1.0”. This software is apparently a common component of FakeAV and PornTube site deployments and is used to track website visitors and measure which “niche” areas bring in more traffic.
The screen shows the last login attempt, presumably from the site’s owner. His IP address, which we have carefully masked, points to an ADSL network in St. Petersburg, Russia. No further comment.
We are often asked whether this activity is legal and whether it can be stopped through legislation. The affiliate promotion mechanism surely makes it hard to assign blame to anyone specifically. The “webmasters” who participate in FakeAV promotion do not see it as a criminal activity: they simply direct the traffic from their adult sites somewhere else. And the group that writes the software and runs the business may have an excuse too: some FakeAV software even contains rudimentary virus detection ability, which does not make it a real anti-virus program, but will surely make any sort of court battle more difficult. And finally, by not targeting a Russian audience, there is little chance of a lawsuit being opened in Russia on the basis of complaints from outside the country.
Posted on December 3rd, 2008 by Romana Ward, SophosLabs. Filed under: General, Malware