One of our project teams has a beta that they'd like to advertise.
"How many photos do you have on your computer? Documents? E-mail messages, letters, and receipts of your online purchases? What happens to your files if — when — your hard drive fails?"
We currently have an active beta piloting program for F-Secure Online Backup 1.1 and would like you to try it out. However, act quickly — as we have only a limited number of beta licenses to give. For more information and to join this project, please click here.
Update: Due to an overwhelming interest, all of the beta licenses reserved for this project have been taken. Thank you to those interested in participating.
The site powerfulvirusremover2008 .com is reported to have been using dodgy practices in order to push their product, and really, what's new? Yet another rogue antispyware on the loose.
Funny thing is though, it even has specific websites for different countries, so that they can cater to specific audiences. Here are some of the sites that they host for different countries:
jp.powerfulvirusremover2008 .com
Other versions include de, dk, es, fr, it, nl, and no.
And what's the difference for each? Oh, just the way they say "If you aren't redirected automatically, please click here" and the language of the webpage that strongbilling .com (the third party site it uses to process payments) uses on its page when the user wants to purchase the program. It gives the user a certain comfort level and the illusion that he actually understands what he is buying.
OK, so let's say the user (by some stroke of luckless chance, or courtesy of a trojan downloader) ends up with the demo installer of Rogue:W32/VirusRemover2008.C on their hands and it runs…
Enter the End User License Agreement (EULA). Who really reads the EULA nowadays? All we do is click, click, click, then done! Then we wonder why our computers are sputtering malware every day. And if we complain, the product pushers will just say, "You've been warned." But where? "In paragraph 100 of the EULA."
But really, the EULA actually does contain some of the indecencies that they do to your system. They have some nerve putting it there:
Exhibit A:
What kind of products? You mean my valid AV?
Exhibit B:
Lack of viruses? Oh, right. You mean those malware your product told me existed in my system — but actually don't?
Whoa! People should really start reading some of this stuff. It's pretty scary what they put there.
OK, say that, through the universal law of click-click-click, you skipped the EULA and happily installed the rogue antispyware… since it's the usual senseless stuff really… it'll do this:
1. Scans your system:
2. Tells you you have an infection:
And of course it comes with a link to buy the stuff, yada-yada.
Don't bother checking the files listed, they don't exist in your system. And you know where they exist? In a text file that they dropped into the system. A very readable text file!
Wing Fei, from our Kuala Lumpur Lab, placed the order and ended up giving away a bunch of stickers at Hack In The Box Security Conference 2008 — Malaysia.
Last week, Wing Fei was in Helsinki for our pikkujoulu and we now have our own stack of stickers here in the Helsinki Lab. So now it is time to start giving some away to weblog readers.
Here are the handles of those that provided the selections used, and a few of the top poll choices.
Requests for postal addresses will be sent this week, watch for it. We will also pick several random names from the 100 or so others that made submissions. Cheers!
Some rogue antivirus applications are overtly malicious. XP Antivirus 2008 and XP Antivirus 2009 have numerous affiliates utilizing rootkits and plenty of other nasty techniques in order to get themselves installed (and purchased). They're a real pain in the… neck.
As an interesting aside – XP Antivirus 2008 and XP Antivirus 2009 are actually produced by two different gangs. Variants of one sometimes attempt to uninstall and disable the other.
Then there are some "rogues" that are just kind of sad… we're tempted to call them lame-ware rather than scareware.
Last week, someone calling himself "Mirando" submitted this to our moderated comment system:
What are the odds that such a comment, promoting a dubious application, will be approved by us? Not likely.
This is how the search-and-destroy .com site appears:
The site just uses a simple Flash graphic for basic animation; there are no fake "scans" that attempt to scare the visitor. It's all very quiet, relying perhaps on its name.
This application, search-and-destroy, should not of course be confused with Spybot Search & Destroy, a well known and respected antispyware application.
We downloaded and tested the Search-and-Destroy Antispyware application.
First it displayed a warning that there were zero risks.
Then we performed the scan and there were 159 "problems" discovered. None of the 159 could be fixed in the trial version.
Among the "malicious threats" that were discovered were invalid shortcuts.
True, the links were invalid, but that's hardly a threat.
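Two checks are worth making against any rogue's scan output, whether it's PowerfulVirusRemover2008's list of files that live only in a dropped text file or search-and-destroy's "malicious" shortcuts: do the reported paths exist at all, and is a "shortcut" detection just a link whose target has gone away? The Python below is an added example, not code from this post or from either product. The tab-separated report format, the threat names and paths are made up, and symlinks stand in for Windows .lnk files (resolving real .lnk targets needs a shortcut parser, which is left out so the script runs anywhere).

```python
"""Triage the paths a rogue "scanner" reports, so its claims can be checked
against the file system instead of taken at face value.

Added example (not from the blog post).  The report format below is made up:
one detection per line, "<threat name>\t<path>".  Real rogues write their
fake detection lists in whatever format they like; adapt parse_report().
"""
import os
import tempfile
from typing import Dict, List, Tuple

FABRICATED = "fabricated: path does not exist"
DANGLING = "dangling shortcut/link: target missing, not malware"
PRESENT = "exists: verify with a trusted scanner before acting"


def parse_report(text: str) -> List[Tuple[str, str]]:
    """Parse 'threat<TAB>path' lines; skip blanks and comments."""
    detections = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        threat, _, path = line.partition("\t")
        if path:
            detections.append((threat, path))
    return detections


def classify_path(path: str) -> str:
    """Decide whether a reported path is real, a broken link, or fabricated.

    os.path.lexists() is true for a symlink even when its target is gone;
    os.path.exists() follows the link.  Symlinks stand in for Windows .lnk
    shortcuts here (assumption: resolving .lnk targets needs a shortcut
    parser, omitted to keep this runnable on any platform).
    """
    if not os.path.lexists(path):
        return FABRICATED
    if os.path.islink(path) and not os.path.exists(path):
        return DANGLING
    return PRESENT


def triage(report: str) -> Dict[str, List[str]]:
    """Group reported 'threats' by what the file system says about them."""
    buckets: Dict[str, List[str]] = {FABRICATED: [], DANGLING: [], PRESENT: []}
    for threat, path in parse_report(report):
        buckets[classify_path(path)].append(f"{threat} -> {path}")
    return buckets


def demo() -> Dict[str, List[str]]:
    """Build a constructed fixture (one real file, one dangling link, two
    paths that never existed) and triage a fake report that names them."""
    root = tempfile.mkdtemp(prefix="rogue-triage-")
    real = os.path.join(root, "notepad.exe")
    with open(real, "wb") as fh:
        fh.write(b"MZ")  # constructed stand-in for a real binary
    link = os.path.join(root, "Old Game.lnk")
    os.symlink(os.path.join(root, "uninstalled.exe"), link)  # target never created
    ghost1 = os.path.join(root, "system32", "winsock2hook.dll")
    ghost2 = os.path.join(root, "Temp", "trojan.gen.tmp")

    report = "\n".join([
        "# constructed rogue scan output, not any real product's",
        f"Trojan.Downloader\t{ghost1}",
        f"Spyware.Keylogger\t{ghost2}",
        f"Malicious.Shortcut\t{link}",
        f"Suspicious.Binary\t{real}",
    ])
    return triage(report)


if __name__ == "__main__":
    for verdict, items in demo().items():
        print(f"{verdict}:")
        for item in items:
            print(f"  {item}")
```

Run it as-is and the two "infections" that never existed land in the fabricated bucket, the broken shortcut is flagged as a dangling link rather than malware, and the one real file is the only thing left worth handing to a trusted scanner.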
So we uninstalled the application, and it left behind a registry key:
Typical. The scan warned us about invalid shortcuts, and then leaves behind an invalid registry key.
Based on the IP address used when posting to our comments system, Mirando lives in New Delhi, India. We suspect that he's young and that these posts are early attempts at making money via an affiliate program.
We hope that he'll consider quitting while he's ahead, and doesn't move on to the hard-rogues.