
January 5th, 2006

New rogue is SpyAxe clone

Posted by Suzi Turner @ 10:01 pm

Categories: Spyware/adware warnings


I just learned about a new supposed anti-spyware program, an identical twin to SpyAxe. SpyAxe got number one on the 2005 top ten rogue anti-spyware list. This new app is called SpywareStrike and I wouldn’t be surprised to hear that it is downloaded with spyware just like its twin SpyAxe. The SpywareStrike website is identical to the SpyAxe site except for the name. The domain registration information looks familiar, too.

Domain Name: SPYWARESTRIKE.COM

Registrant:
    Keramitsu  LLC
    David Alan Taylor       
    321th Melburn Street
    Seattle
    Washington,98107
    US
    Tel. +207.9545521

Like the SpyAxe.com registration information, this looks bogus. The domain is also registered through Estdomains, which I recently found out is an ICANN-accredited registrar. (Shame on ICANN.) The website shares the IP address with SpyAxe.com and is hosted by Netcathosting in the Ukraine. Netcathosting got SANS most hated IP of the year.

A new fake security site is starting to show up on anti-spyware help forums, securitycaution.com (link goes to whois information, not the site). You can see a screenshot of the website here.  When I went to the page, it popped up a fake Internet Explorer warning saying I’m infected with spyware with a link to an "official Anti-Spyware website". The page says "Your private info is collected by W32.Sinnaka.A@mm", just like the other bogus security sites we’ve seen. The web page is advertising several anti-spyware programs, all on the Rogue/Suspect Anti-Spyware list. 

In all the WMF exploit excitement, I didn’t get a chance to blog a great write-up by Mark Russinovich (he’s the Sysinternals programmer that broke the Sony DRM rootkit story). Mark wrote about the Antispyware Conspiracy. Highly recommended reading. Excerpt:

The most innocuous of malware-like antimalware behaviors is to advertise with web site banners and popups that mislead average users into thinking that they have a malware problem. Most of the advertisements look like Windows error dialogs complete with Yes and No buttons, and although the word "advertisement" sometimes appears on the dialog background, the notice is usually small, faded and far from the area where users focus their attention. Even more unlike Windows dialogs, however, is the fact that clicking anywhere on the image, even the part that looks like a No button, results in the browser following the underlying link to the target page.

Mark provides screenshots and detailed descriptions of the deceptive practices.

In other news, Brian Krebs at SecurityFix wrote about the two rogue anti-spyware companies sued by the FTC last year. MAXTHEATER, INC. and Trustsoft settled with the FTC. The FTC release can be found here.

Unfortunately, I don’t think the FTC can take any action against the people behind SpyAxe and similar rogues that are hosted in places like the Ukraine and have domains registered through rogue registrars like Estdomains.
