
Missing Letter Links Fake AV With Extreme Porn

Tuesday, November 3, 2009 at 11:35am by Chris Barton

Today, Microsoft’s Security Intelligence Report is out, and it’s no surprise that it’s littered with fake AV/security product threats–four out of the top five threats in the United States, no less. Let me show you that with a keen eye and our threat intelligence databases, the same group are responsible for a diverse set of criminal activity online, all at the same time.

I’m a little pedantic about the Queen’s English from time to time, and like most people I also make mistakes. However, this little spelling error caught my eye and a quick Google proves it’s gone unnoticed by the owners for quite a while, too.

I was doing a little research into some DSL IPs being abused at the moment and spotted the misspelling acess in this broken English phrase taken from the terms of service of a fake AV website:

“If acess services is unavailable during the subscription period, the member has the right for a refund of subscription fee.”

Google-dorking it with quotes so we get the exact phrase [link] reveals 141 sites that Google knows of. Misspelling access is hardly a crime, but copying the whole phrase is a little odd, isn’t it?

Take a look at the terms and conditions page of advanced-virus-remover2009 .com. (Visiting this site is bad for your health.)
[Screenshot: terms and conditions page of the fake AV site]

And also the customer service page of this extreme porn site (incest-related domain redacted for obvious reasons):
[Screenshot: customer service page of the porn site]

These are sites that announce new content frequently, but their 18 U.S.C. 2257 record-keeping statements say the content is exempt because it was created prior to July 3, 1995. And they don’t ask for your date of birth when you sign up, either. (The signs are always there!)

…and one of the promotional affiliate networks for a network of porn sites:
[Screenshot: affiliate network page]

…and the world-renowned Data Backuper software from databackuper .com ;)
[Screenshot: Data Backuper site]

These are old sites, so let’s be realistic here: it’s just a template. The bad guys are lazy (or efficient, depending on your point of view) when it comes to their websites. As proof, if more were needed, advanced-virus-remover-2010 .com was registered a day or two ago and is exactly the same.
[Screenshot: advanced-virus-remover-2010 .com fake AV site]
(Old techniques die hard, eh? ;) )
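The pivot described above (a unique typo in a shared terms-of-service template linking otherwise unrelated-looking sites) as an added example; this is not McAfee's tooling. The page text is constructed for the demo, the `.example` hostnames are made up, and only two domains named in the post are reused.

```python
"""Pivot on a shared template phrase to link sites that look unrelated.

Added example (not McAfee's own tooling). The sample pages below are
constructed for the demo; two of the domains are named in the post."""
import re
from collections import defaultdict

def refang(domain: str) -> str:
    """Turn the post's defanged 'example .com' form back into a hostname."""
    return re.sub(r"\s+\.", ".", domain.strip()).lower()

def normalize(text: str) -> str:
    """Lower-case and strip punctuation/whitespace so small layout differences
    between copies of one template do not break exact-phrase matching."""
    return " ".join(re.sub(r"[^a-z0-9 ]+", " ", text.lower()).split())

def sites_with_phrase(pages: dict, phrase: str) -> list:
    """Domains whose page text contains the pivot phrase (the 'acess' typo)."""
    needle = normalize(phrase)
    return sorted(refang(d) for d, t in pages.items() if needle in normalize(t))

def shared_phrases(pages: dict, n: int = 8, min_sites: int = 2) -> dict:
    """Map every n-word phrase seen on at least min_sites distinct domains to
    those domains. Long phrases shared across unrelated-looking sites are
    template fingerprints worth pivoting on, even without a known typo."""
    seen = defaultdict(set)
    for domain, text in pages.items():
        words = normalize(text).split()
        for i in range(len(words) - n + 1):
            seen[" ".join(words[i:i + n])].add(refang(domain))
    return {p: sorted(d) for p, d in seen.items() if len(d) >= min_sites}

PIVOT = ("If acess services is unavailable during the subscription period, "
         "the member has the right for a refund of subscription fee.")

SAMPLE_PAGES = {  # constructed text; hostnames ending .example are made up
    "advanced-virus-remover2009 .com": "Terms of Service.\n" + PIVOT,
    "databackuper .com": "Customer service. " + PIVOT + " Contact us.",
    "affiliate-promo .example": "Affiliate FAQ - " + PIVOT,
    "legit-shop .example": ("If access to services is unavailable during the "
                            "subscription period, you may request a refund."),
}

if __name__ == "__main__":
    print("sites sharing the typo:", sites_with_phrase(SAMPLE_PAGES, "acess services"))
    for phrase, domains in sorted(shared_phrases(SAMPLE_PAGES).items())[:3]:
        print(f"{phrase!r} -> {domains}")
```

The correctly spelled page never clusters with the template copies, which is exactly why a misspelling makes a better fingerprint than the generic wording around it.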

The same group(s) are undoubtedly connected with the recent tsunami spam that’s spreading more fake-alert malware, given the overlap between the domains below and the hosts-file infection data in this detailed VIL entry: http://vil.nai.com/vil/content/v_162829.htm

Lastly, let’s take a look at their most recent flurry of fake-AV/codec/crypto/porn domains.
(Again, don’t visit; just read.)


Quite a diverse set, eh? The pornographic content is managed somewhat separately, and I really don’t want to make extra work for our legal team with this one!

I doubt that’s all we’ll see this week. Passive DNS monitoring also shows that many of these are unused so far.

There will be more on this one, I’m sure.


Comments (2)

  • AlphaCentauri December 17, 2009 4:27AM

    Does anyone at McAfee’s SiteAdvisor use your research to evaluate sites? I notice things like best-scan-pc.org are not rated red, even though multiple level-9 volunteer reviewers have been posting reviews for over a month.

  • mooring packs November 19, 2009 8:46PM

    This article will help me in order to maintain the security in my site and help me to stay away from the spammers.