Posts tagged as: Rogue

Rogues, privacy or security risks from Innovagest2000

by certifiedbug on September 30, 2008

in Rogue

The Sunbelt Blog reports a new rogue program, eAntivirusPro.

eAntivirusPro is a new clone of the Antivirus XP 2008 rogue security product.
AntiMalware 2009 is yet another clone of the Antivirus XP 2008 rogue security product.
ekerberos is another rogue security product from Innovagest 2000.

I checked out Innovagest2000.com; don’t try this at home.

On the site they advertise:
alfacleaner.com
anti-virus-pro.com
spydeface.com
system-defender.com

Clicking on the picture for System Defender brought up this warning:

324 threats and viruses found on a clean machine, yeah right…
This is the kind of ’scareware’ Microsoft and Washington State’s AG have filed suit against.
Microsoft and Washington State’s lawsuits reveal ’scareware’ defendants

Explorer asks:

No surprise:


Fright Fight: Washington Attorney General leading battle against scareware with Microsoft
SEATTLE – Attorney General Rob McKenna stood at the frontlines with Microsoft Corp. in the war against spyware in 2006. Now armed with tougher legislation, the state’s top law enforcement officer, with the world’s largest software company, is charging forward with new lawsuits targeting scareware purveyors.

“The Attorney General’s Office along with Microsoft has yanked the fear factor dial out of the hands of businesses that use scareware as a marketing tool and have spun it toward them,” McKenna said.

“We won’t tolerate the use of alarmist warnings or deceptive ‘free scans’ to trick consumers into buying software to fix a problem that doesn’t even exist,” McKenna continued. “We’ve repeatedly proven that Internet companies that prey on consumers’ anxieties are within our reach.”

The Attorney General’s Office along with Microsoft announced the filing of new cases under Washington’s recently improved Computer Spyware Act during a joint press conference today in Seattle.

“Microsoft is honored to assist Washington Attorney General McKenna in helping to protect consumers from online threats,” said Richard Boscovich, Senior Attorney for Microsoft’s Internet Safety Enforcement Team. “Cybercrime continues to evolve, but with public/private collaboration such as this, we can work to champion tougher laws, greater public awareness and, ultimately, stronger protections for online consumers.”

In 2005, Washington became one of the first states to adopt a law explicitly prohibiting spyware activities and imposing serious penalties on violators. The statute doesn’t stop at outlawing programs that collect personal information, but uses a broader definition of “spyware” and punishes those who mislead users into believing software is necessary for security. The law was updated last session to create additional liability for third-parties that permit the transmission of spyware and to address new types of deceptive behaviors, such as misrepresenting the need for computer repairs.

As of today, the Attorney General’s Office has filed seven suits under the statute.

The Attorney General’s Office filed its latest case today in King County Superior Court against the marketers of a program called Registry Cleaner XP. The civil suit brings five causes of action against James Reed McCreary IV, of The Woodlands, Texas, and two businesses: Branch Software, of The Woodlands, Texas, doing business as Registry Cleaner XP, and Alpha Red, Inc., of Houston, Texas. McCreary is the sole director of Branch Software and CEO of Alpha Red.

McKenna said Microsoft referred the case to the Attorney General’s Consumer Protection High-Tech Unit and has been helpful in assisting the office with enforcement issues.

According to the state’s complaint, the defendants sent incessant pop-ups resembling system warnings to consumers’ personal computers. The messages read “CRITICAL ERROR MESSAGE! – REGISTRY DAMAGED AND CORRUPTED,” and instructed users to visit a Web site to download Registry Cleaner XP.

Computers capable of receiving Windows Messenger Service pop-ups, also known as Net Send messages, were vulnerable to the attacks. Windows Messenger Service, not to be confused with the instant-messaging program Windows Live Messenger, is primarily designed for use on a network and allows administrators to send notices to users.

“Consumers who visited the Web site were offered a free scan to check their computer – but the program found ‘critical’ errors every time,” said Senior Counsel Paula Selis, who leads the Attorney General’s Consumer Protection High-Tech Unit. “Users were then told to pay $39.95 to repair these dubious problems.”

The filings today bring the number of civil spyware actions brought by Microsoft since the Computer Spyware Act was first enacted in 2005 to 17. In 2006, Microsoft and the Attorney General each brought lawsuits against the same group of defendants under the Washington Computer Spyware Act, obtaining permanent injunctions and settlements. Additionally, Microsoft has routinely worked with the FTC and other state and federal law enforcement agencies in the battle against spyware.

Spyware has arguably become the biggest online threat to consumers and businesses since the advent of the Internet. Microsoft has said that 50 percent of its customer-support calls related to computer crashes can be blamed on spyware.

Complaint

Registry Cleaner XP demo

- 30 –

Media Contacts:
Janelle Guthrie, APR, Communications Director, Office of the Attorney General, 360-586-0725 or janelleg@atg.wa.gov
Dan Sytman, Media Relations, Office of the Attorney General, 360-586-7842 or dans@atg.wa.gov

Editor’s Note: The Attorney General’s Office has also brought enforcement actions against companies that market products named Registry Cleaner, Registry Cleaner Pro, Registry Cleaner 32 and related names. Those cases are unrelated and involve different defendants.

Press release

Update
Microsoft also filed five “John Doe” lawsuits: nameless defendants until discovery reveals the identities of the individuals responsible for marketing the scareware, aka ‘rogues’.
The actual products are well known in the security community and forums that help victims of malware infections.

Antivirus 2009
Malwarecore
WinDefender
WinSpywareProtect
XPDefender

The lawsuits were filed under Washington’s Computer Spyware Act.
Microsoft also amended two complaints filed earlier to unmask those running SMP Soft LLC, a Delaware corporation that markets a scareware product called Scan & Repair Utilities.

A few names should ring a bell.

Antivirus 2009
This site is currently under construction!
ICANN Registrar: 1 & 1 INTERNET AG
registrant-firstname: Oneandone
registrant-lastname: Private Registration

Malwarecore
ICANN Registrar: ESTDOMAINS, INC.
Registration Service Provided By: ESTDOMAINS INC
Status: SUSPENDED
Note: This Domain Name is Suspended.
In this status the domain name is InActive and will not function.

XPDefender
ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Registration Service Provided By: VIVIDS MEDIA GMBH
Status: SUSPENDED
Note: This Domain Name is Suspended.
In this status the domain name is InActive and will not function.

WinDefender
ICANN Registrar: TUCOWS INC.
Registrant: Whois Anonymizer

WinSpywareProtect

ICANN Registrar: GODADDY.COM, INC.
Registrant: Domains by Proxy, Inc.


Click heels three times

by certifiedbug on September 15, 2008

in Security

Apparently it has proved difficult for registrars to prevent malware domains from being registered, and to swiftly clean up those with a history of abuse.

At least not without headlines and community outrage, which has recently resulted in thousands of bad sites being closed down.

As I said before, “Does it take articles in the Washington Post before anything gets done?” If it does, then something is remiss in Kansas.

Of course I am glad that stuff is now being cleaned up, less infected computers for starters.


Maybe it’s magic

by certifiedbug on September 10, 2008

in Rogue

There are a lot of rogue (fake) security programs afflicting the Internet.

When a rogue is new, the first victims are often few (that will change swiftly enough), and security companies look for samples so they can add the rogue to their software’s detections.

Often at this early stage one will see places touting a program to remove the new rogue, even as the infecting domain is still revving up. Sometimes warez sites; well, you shouldn’t be going there anyway. ;)


SmartAntivirus2009 Rogue Security Program

by certifiedbug on September 6, 2008

in Rogue

Another rogue spreading fast. If your computer has been infected, please seek assistance with removal at one of the security forums (short list in the right-side column).

Domains on the same IP:

1. Antispyware2008b.com
2. Antivir-2008.com
3. Antivirus2008proxp.com
4. Directnameservice2008.com
5. Mediatubeforme1.com
6. Onsafepro2008.com
7. Smart-antivirus-2009-buy.com
8. Smart-antivirus-2009.com
9. Smart-antivirus-2009buy.com
10. Smart-antivirus2009-buy.com
11. Smart-antivirus2009.com
12. Smart-antivirus2009buy.com
13. Smartantivirus-2009-buy.com
14. Smartantivirus-2009.com
15. Smartantivirus-2009buy.com
16. Smartantivirus2009-buy.com
17. Smartantivirus2009.com
18. Smartantivirus2009buy.com
19. Traff-drive.com
20. Viruswebprotect2008.com

SmartAntivirus2009
Registration Service Provided By: ESTDOMAINS INC
Domain Name: SMARTANTIVIRUS2009.COM
Dates: Created 22-aug-2008 Updated 29-aug-2008 Expires 22-aug-2009
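As an added example (not the blog’s own tooling), here is a small Python triage script for the kind of whois excerpts and look-alike domain list shown above. The whois records inside it are constructed sample text in the same flattened key: value layout; only the SMARTANTIVIRUS2009.COM record copies the registrar and dates from this post, and the two .test records are invented. It flags domains that are only days old as of the post date, suspended domains and proxy/privacy registrants, and collapses the hyphen and “buy” spellings into one family so the twelve Smart Antivirus 2009 variants show up as a single campaign.

```python
"""Triage a rogue-AV domain cluster from flattened whois excerpts.

Added example, not the blog's own tooling.  WHOIS_TEXT is constructed
sample text in the key: value layout the post reproduces; only the
SMARTANTIVIRUS2009.COM record copies registrar and dates from the post,
the two .test records are invented.
"""
import re
from collections import Counter, defaultdict
from datetime import date, datetime

POST_DATE = date(2008, 9, 6)  # the post's own date, used as "now"

WHOIS_TEXT = """\
Domain Name: SMARTANTIVIRUS2009.COM
Registration Service Provided By: ESTDOMAINS INC
Dates: Created 22-aug-2008 Updated 29-aug-2008 Expires 22-aug-2009

Domain Name: ROGUE-SCAN-2009.TEST
ICANN Registrar: REGISTRAR-A (constructed)
Registrant: Whois Anonymizer
Status: SUSPENDED
Note: This Domain Name is Suspended.
Dates: Created 01-sep-2008 Updated 05-sep-2008 Expires 01-sep-2009

Domain Name: OLD-RETAILER.TEST
ICANN Registrar: REGISTRAR-B (constructed)
Registrant: Example Retail Ltd
Dates: Created 14-feb-2003 Updated 01-jan-2008 Expires 14-feb-2010
"""

# Part of the post's list of domains sharing one IP.
DOMAINS = [
    "Antispyware2008b.com", "Antivir-2008.com", "Antivirus2008proxp.com",
    "Smart-antivirus-2009-buy.com", "Smart-antivirus-2009.com",
    "Smart-antivirus-2009buy.com", "Smart-antivirus2009-buy.com",
    "Smart-antivirus2009.com", "Smart-antivirus2009buy.com",
    "Smartantivirus-2009-buy.com", "Smartantivirus-2009.com",
    "Smartantivirus-2009buy.com", "Smartantivirus2009-buy.com",
    "Smartantivirus2009.com", "Smartantivirus2009buy.com",
    "Viruswebprotect2008.com",
]

DATES_RE = re.compile(r"Created (\S+) Updated (\S+) Expires (\S+)")
# Registrant strings that mean "a proxy service, not the real holder".
PRIVACY_RE = re.compile(r"proxy|private|anonymi|whois", re.IGNORECASE)


def parse_whois(text):
    """Split the flattened excerpts into one dict per record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:  # lines without a key: value layout are ignored
                rec[key.strip().lower()] = value.strip()
        m = DATES_RE.search(rec.get("dates", ""))
        # strptime's %b matches 'aug' case-insensitively
        rec["created"] = (datetime.strptime(m.group(1), "%d-%b-%Y").date()
                          if m else None)
        rec["registrar"] = rec.get("icann registrar") or rec.get(
            "registration service provided by", "unknown")
        records.append(rec)
    return records


def triage(records, as_of=POST_DATE, max_age_days=30):
    """Per-domain flags a forum helper would want before advising a victim."""
    flags = {}
    for rec in records:
        hits = []
        if rec["created"] and (as_of - rec["created"]).days < max_age_days:
            hits.append("young")
        if rec.get("status", "").upper() == "SUSPENDED":
            hits.append("suspended")
        if PRIVACY_RE.search(rec.get("registrant", "")):
            hits.append("privacy-registrant")
        flags[rec["domain name"].lower()] = hits
    return flags


def family_key(domain):
    """Collapse hyphen and '-buy' spellings: Smart-antivirus-2009-buy.com
    and Smartantivirus2009.com both become 'smartantivirus2009'."""
    label = domain.lower().split(".")[0].replace("-", "")
    return re.sub(r"buy$", "", label)


def lookalike_families(domains, min_size=3):
    """Groups of at least min_size domains that differ only in spelling."""
    fam = defaultdict(list)
    for d in domains:
        fam[family_key(d)].append(d.lower())
    return {k: sorted(v) for k, v in fam.items() if len(v) >= min_size}


def registrar_counts(records):
    return Counter(r["registrar"] for r in records)


if __name__ == "__main__":
    recs = parse_whois(WHOIS_TEXT)
    for dom, hits in triage(recs).items():
        print(f"{dom:32} {', '.join(hits) or '-'}")
    for key, members in lookalike_families(DOMAINS).items():
        print(f"family {key}: {len(members)} domains")
    print(registrar_counts(recs))
```

The age check is the one that matters most in practice: a security product whose sales domain was registered two weeks before it started spreading is not something a legitimate vendor does, and that fact is visible from whois alone, before any sample has been analysed.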

Certifiedbug:
Spamhaus Report, Cybercrime’s U.S. Hosts

Edit
Harry Waldon has a nice article, Malware Close Encounters - Close Pop-ups using Task Manager to safely exit, which could help users exit a pop-up installer before too much damage is inflicted.


Rogue, MS AntiVirus via ifrance.com

by certifiedbug on September 5, 2008

in Rogue

I was taking a look at nine4teen.com with Fiddler running.

Brief lowdown of the trail:
nine4teen.com
Host: ferlin.ifrance.com
Host: js-perso.ifrance.com
Host: web.ifrance.com
Host: ad.ieurop.net
Host: sfttraff.com
Edit:
Domain Name: SFTTRAFF.COM
Registrar: ESTDOMAINS, INC.
Dates: Created 01-sep-2008 Updated 01-sep-2008 Expires 01-sep-2009

srv1.e-statistic.com
www.Nineteen.com
Host: c39.statcounter.com
Host: scanner.msscanneronline.com

Then BAM…



Sandi blogged about her frustration with ifrance.com July 03, 2008.
Alert: recurring malvertizements at ifrance.com (and isuisse.com)

Do you ever get the feeling that people are not listening?

Yep, I do.
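One way to turn a Fiddler trail like the one above into an actual referral chain, as an added example rather than anything from the original post: the session log below is constructed (status, host, path, Referer host, Location), with the hosts taken from the trail but the paths, and the assumption that the ad.ieurop.net and sfttraff.com hops were HTTP 302 redirects, invented. The point of the parent-tracking logic is that the browser carries the original Referer across a redirect chain, so keying on Referer alone would show nine4teen.com linking straight to the fake scanner and hide the traffic broker in the middle, which is exactly the hop you want to complain to the ad network about.

```python
"""Rebuild the referral chain from a landing page to a rogue 'online scanner'.

Added example, not tooling from the original post.  LOG is a constructed
session list (status, host, path, Referer host, Location): the hosts follow
the Fiddler trail in the post, the paths and the two 302 hops are assumed.
"""
import re

LOG = """\
200 nine4teen.com / - -
200 ferlin.ifrance.com /perso.js nine4teen.com -
200 js-perso.ifrance.com /ads.js nine4teen.com -
302 ad.ieurop.net /adclick nine4teen.com http://sfttraff.com/in.cgi?4
302 sfttraff.com /in.cgi?4 nine4teen.com http://scanner.msscanneronline.com/2009/?id=7
200 scanner.msscanneronline.com /2009/?id=7 nine4teen.com -
200 c39.statcounter.com /counter.js nine4teen.com -
"""

# Host names rogue "scanner" pages tend to use; tune to the campaign at hand.
ROGUE_HOST_RE = re.compile(r"scan|antivir|defender|spyware", re.IGNORECASE)
REDIRECTS = {301, 302, 303, 307}


def parse_log(text):
    reqs = []
    for line in text.strip().splitlines():
        status, host, path, referer, location = line.split(maxsplit=4)
        reqs.append({
            "status": int(status), "host": host, "path": path,
            "referer": None if referer == "-" else referer,
            "location": None if location == "-" else location,
        })
    return reqs


def build_parents(reqs):
    """host -> (parent host, how).  A redirect that targeted this exact URL
    wins over Referer: the browser keeps the original Referer across a
    redirect chain, so Referer alone shows the landing page linking straight
    to the scanner and hides the traffic-broker hops in between.  URLs are
    keyed as plain http here; a Location using https would not match."""
    pending = {}   # Location URL -> host that issued the redirect
    parents = {}
    for r in reqs:
        url = f"http://{r['host']}{r['path']}"
        if url in pending:
            parent, how = pending.pop(url), "302"
        elif r["referer"] and r["referer"] != r["host"]:
            parent, how = r["referer"], "referer"
        else:
            parent, how = None, None
        parents.setdefault(r["host"], (parent, how))
        if r["status"] in REDIRECTS and r["location"]:
            pending[r["location"]] = r["host"]
    return parents


def chain_to(host, parents):
    """Walk parents back to the root; returns a root-first list."""
    chain, seen = [], set()
    while host and host not in seen:
        seen.add(host)
        chain.append(host)
        host = parents.get(host, (None, None))[0]
    return chain[::-1]


def handoff_host(chain, parents):
    """The host that first redirected instead of merely embedding content,
    i.e. where the ad slot was sold on to the rogue-AV affiliate."""
    for h in chain:
        parent, how = parents.get(h, (None, None))
        if how == "302":
            return parent
    return None


def analyse(log_text):
    parents = build_parents(parse_log(log_text))
    report = {}
    for host in parents:
        if ROGUE_HOST_RE.search(host):
            chain = chain_to(host, parents)
            report[host] = {"chain": chain,
                            "handoff": handoff_host(chain, parents)}
    return report


if __name__ == "__main__":
    for host, info in analyse(LOG).items():
        print(" -> ".join(info["chain"]))
        print(f"ad slot handed off by: {info['handoff']}")
```

On the constructed log this yields nine4teen.com -> ad.ieurop.net -> sfttraff.com -> scanner.msscanneronline.com, with ad.ieurop.net as the hop that handed the visitor off. Abuse reports land better when they name that hop rather than the page the victim typed in.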


Cyber Crime USA

by certifiedbug on August 28, 2008

in Security

hostexploit.com

It has become increasingly apparent the malware, spam, phishing and other BadWare distributors are now engaged in automated domain generation, 100’s to 1,000’s per week, which is proving a serious difficulty for major domain / IP ‘blocklist’ and ‘blacklist’ providers to simply keep up. Added to this we now have: iFrame attacks via web portals, several major international web hosts with 1,000’s of their innocent and money-paying clients having hacked and infectious (to web surfers) web sites, DDoS (distributed denial of service), polymorphic malware that many anti-virus / spyware / malware solutions are unable to detect, and millions of PC users being directed to rogue and fake web sites. Finally we have the rise of the Botnets, anonymously managed fast and double-flux (ever changing IP addresses) control of 1,000’s of infected zombie PCs.

We now believe the general situation on the Internet calls for an alternative and added open source approach to deal with this head on, i.e. the web hosts and Internet carriers. Every one of the IP’s, web sites or domains are hosted or carried by someone, we feel it is time to break the taboo and name, list and expose the ones that host the malware that infects us all. This approach is not to replace existing methods, but we hope it will add to the security community’s and PC user’s array of possible tools to reduce the threat.

Brian Krebs, washingtonpost.com
Report Slams U.S. Host as Major Source of Badware

“Update: Directi disclaims all allegations in the knujon / hostexploit reports as baseless and factually incorrect“

Our official response to inaccurate reports which falsely implicate the Directi Group

There have been some articles and reports recently published by Garth Bruen at Knujon and by Jart Armin and James Mcquad at Hostexploit, that somehow link Directi with groups that support organized internet crime. The motives behind these reports are still unknown, but as an organization that prides itself in setting industry benchmarks in ethics and best practices, we are extremely shocked by these allegations. While I applaud the efforts of volunteers such as Knujon and Hostexploit who spend their personal time to try and combat spam, I am personally quite saddened when the very individuals who we trust to combat fraud engage in publicity moves without consideration for the reputation of legitimate businesses.

Neither Knujon nor Hostexploit extended a basic courtesy of even contacting us to verify any of the facts in their report before publishing the same. Directi is not even remotely related to the organizations or activities listed in those reports. The arguments presented in these reports are either downright baseless, or based on complete fabrication of facts.

Complete article at the Directi Corporate Blog

Directi has provided an official online response on their blog in an attempt to deny us, the press, bloggers, and other groups the freedom to report or blog on independent findings on the Internet. The Directi blog article contradicts their own statements elsewhere and distorts the facts of the matter. Below we provide our responses and further clarification including third party verification.

Directi – an update and response from HostExploit.com

The Register.
Anonymous domain registration nixed amid fraud complaints.
Directi strikes back

ESTDOMAINS, INC. owns an anonymous domain registration service of its own, PROTECTDETAILS.COM:
ICANN Registrar: ESTDOMAINS, INC.
Registration Service Provided By: ESTDOMAINS INC
Domain Name: PROTECTDETAILS.COM
IP Location: United States - California - Concord - Intercage Inc

From McAfee Avert Labs: The darksides domains

Before anyone from a registry or registrar starts the classic “Smith & Wesson” rant think about this, “Smith and Wesson” don’t sell maps or cars, drive you to the forest, apply your camouflage, help with your ICANN accreditation or load your gun for you ;)

A good read.

Updates:
Certifiedbug:
Directi

September 7, 2008

In light of recent developments, Jart Armin of HostExploit.com, Bhavin Turakhia, CEO of Directi, and Garth Bruen of Knujon have had an open dialogue and mutually agreed to release this joint statement clearing up any previous misconceptions and reaffirming their common goal to combat abuse on the Internet. Here are a few of the points they would like to jointly make -

HostExploit


Rogue Security Programs, scare tactics

by certifiedbug on August 25, 2008

in Security

Microsoft® Malware Protection Center produced this article yesterday.
Manufacturing Fear

We’ve seen some particularly nasty malware recently that has prompted me to think about how people react to scare tactics and fear appeals. The kind of malicious software I’m thinking of in particular here is generally referred to as ‘rogue security software’, and it displays false and misleading messages regarding malware infections in order to convince affected users to perform a particular recommended action, which would normally involve ‘cleaning’ their machine in a particular way.

Read on:
http://blogs.technet.com/mmpc/archive/2008/08/25/manufacturing-fear.aspx


What is WOT

by certifiedbug on August 24, 2008

in Security

Well, it isn’t the Brit slang for ‘what’; WOT stands for ‘Web Of Trust’.

WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT provides you an extra layer of security by warning you before you interact with a risky website. It’s easy and it’s free.

I added WOT to my browsers, Firefox and IE. The rogue program ‘XPAntivirus2008’ gave this alert.

Why is Site Advisor still rating XPAntivirus2008 as a ‘Green Site’?


Really I give up on them.

Edit
Video and podcast: WOT colorblind accessible version.


Jesper M. Johansson’s eight-page article at The Register is a good read.

Previous Certifiedbug:
GlobalSign revokes rogue program’s digital certificate

Adobe Flash ads launch Clipboard hijack attack by Rogues
