Fake A/V Scamware

I’ve been tracking the rash of fake A/V scamware since last fall, and while most of these are probably out of commission, the list below provides a glimpse into the creative (or lack thereof) domain names that are popping up daily. I’ve not had a chance to cross-reference this list with Dancho Danchev’s, but may try if the campaign keeps building steam. I’ve typically been submitting 3-10 copies of the malicious executables a day to VirusTotal with disappointing results (3/38 vendors catching them typically). So not only are the domains shifting just enough to inhibit prevention, the payload is as well.

If you’re unfamiliar with the scam, good on you. Typically, you’d be surfing the web and get a pop-up stating that your machine is infected. The browser would then display a page that looks eerily similar to Windows “My Computer” being scanned for infections and infections being detected. The tip-off here is that all of this occurs within the browser…so being a little observant would go a long way to keeping your machine clean. If you follow the social engineering attempt, you’ll download an executable which, when run, will install the fake A/V software. It will then make your life a living hell telling you your machine is infected and it must be cleaned…which will require you to register the software. Paying into the scam will not get your machine clean, and since you’re providing credit card information to do so, it’s potentially going to cost you a lot more than the $40 or $50 they want initially.

If you see any activity like this while surfing the web, Alt-F4 (close active window shortcut in Windows) is your best friend.

The last numbers I saw were from Panda Security via The Register and estimated it to be a $15 million/month campaign, and that was in August 2008. From the traffic I see, the malicious domains serving the infection have not slowed down since then.
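Because the names shift faster than an exact-match blocklist can follow, a defender can instead score how much of a hostname is assembled from generic "security scanner" words. The following is an added example, not part of the original post; the vocabulary, the thresholds and the sample hostnames are assumptions constructed for illustration.

```python
import re

# Assumed vocabulary of generic words that fake-A/V lure names are assembled from.
VOCAB = {"anti", "virus", "antivirus", "spyware", "antispyware", "scan", "scanner",
         "pro", "live", "online", "pc", "computer", "security", "secure", "secured",
         "premium", "fast", "best", "full", "quick", "rapid", "advanced",
         "protection", "defense", "internet", "download"}
# At least one of these must be present for a name to count as a lure.
CORE = {"virus", "antivirus", "spyware", "antispyware", "scan", "scanner"}

def coverage(label):
    """Return (fraction of letters explained by VOCAB words, words used)."""
    s = re.sub(r"[^a-z]", "", label.lower())          # ignore hyphens and digits
    if not s:
        return 0.0, []
    best = [(0, [])]                                  # best[i]: (uncovered, words) for s[:i]
    for i in range(1, len(s) + 1):
        cand = (best[i - 1][0] + 1, best[i - 1][1])   # leave s[i-1] unexplained
        for w in VOCAB:
            if s.endswith(w, 0, i) and best[i - len(w)][0] < cand[0]:
                cand = (best[i - len(w)][0], best[i - len(w)][1] + [w])
        best.append(cand)
    uncovered, words = best[-1]
    return 1 - uncovered / len(s), words

def is_lure(hostname, min_coverage=0.8):
    """Flag hostnames whose registered label is built almost entirely from VOCAB."""
    labels = hostname.lower().rstrip(".").split(".")
    # Assumption: the label left of the TLD is the registered name (no public-suffix lookup).
    label = labels[-2] if len(labels) >= 2 else labels[0]
    score, words = coverage(label)
    return score >= min_coverage and len(words) >= 2 and bool(CORE & set(words))

# Constructed hostnames, as they might appear in a DNS or proxy log.
SAMPLE = ["quick-pc-virus-scanner.example", "dl.fastantispywarescan2009.example",
          "www.online-banking.example", "security.example"]

def flagged(hosts):
    """Return the hostnames that match the lure heuristic, in input order."""
    return [h for h in hosts if is_lure(h)]

if __name__ == "__main__":
    for h in flagged(SAMPLE):
        print("suspicious:", h)
```

Treat a hit as a reason to review or sinkhole the name rather than as proof of malice, since legitimate vendors also register names built from these words.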

