The Latest in IT Security

Advanced System Protection? Not!

29 Jul 2013

Last week, I was taking a look at some traffic when an interesting domain name jumped out at me. (Well, it didn't literally jump out at me, of course. I'd probably describe its behavior more along the lines of "a needle trying to hide behind a bunch of hay"…)

The domain was advancedprotector.com, and since I reflexively don't trust protection-themed domain names (after years of chasing "Fake Antivirus" malware), I went to take a look:

screenshot of shady antivirus site

And, if you scroll down a bit, you can see the impressive list of awards it's won. (Of course.)

part 2 of screenshot of shady site

Wow! Over 100 5-star awards!!!!

Man, I didn't even know there were 100 organizations in the world that gave out awards to software! These guys must be awesome indeed! Except…

– This domain was registered just a month ago. (How did they win all of those awards in just a month???)

– The registrar was bizcn.com — a Chinese registrar. (Interesting, since they don't have a Chinese page anywhere on their site.)

– The registration data is, of course, anonymous. (Surprise, surprise — and through a Chinese anonymization service, as a bonus!)

– It's more of a "page" than a "site" — I could only find one other page on this domain. (More on that later…)

– The nice-looking "Microsoft Partner" link at the top leads to a page on a Microsoft site, describing a software company in India. Unfortunately, "Advanced System Protector" is not one of the products this company lists.

– Most tellingly, the site stubbornly refused to let me try its download, no matter how much I coaxed.

What else? How about one of the "award" links, which led to the following gem:

screenshot of non-free

That's right, it's "free", but it will cost you $29.95 to buy it, since there's no free download link anywhere, only the link to the shopping cart, where it sure ain't free. (Maybe that's because the "Advertisement" they're showing with it isn't likely to be bringing them much extra income…)

Also, I mentioned that I did find one other page on the site; here it is. Look closely at the link displayed at the bottom of the page as I hovered the mouse:

screenshot showing misleading referring site

That's right, the "Referer" site isn't even correct: instead of advancedprotector.com it's for a different site: www.easyprotectionpro.com

 

So far, these are all clues that any suitably paranoid person could discover with a minute or two of "background checking". What does WebPulse know?

Well, for starters, we know that www.easyprotectionpro.com is rated as Malware. (We can also go back and check the logs, and find out that, guess what, www.easyprotectionpro.com was on the same IP address (173.212.250.3) back in June, when it was doubtless showing off the "100 5-star awards" it had won…)

More damning is to look at the traffic logs to see what kind of company advancedprotector.com keeps. Pulling 24 hours of traffic from a day last week, and looking at the sites advancedprotector.com was sending visitors to, showed that 93% of the time it was attempting to send visitors (victims) to sites that we have rated as Malware.
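The referral check described above, sketched as an added example (not the author's or WebPulse's code): it groups outbound requests by referring host and reports the share that land on Malware-rated destinations. The log layout, hostnames, ratings and thresholds are all constructed assumptions.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed proxy-log sample: "<referer URL> <destination host> <rating>".
# Field layout, hostnames and ratings are assumptions made for this example.
SAMPLE_LOG = """\
http://fake-av.example/ cart.bad1.example Malware
http://fake-av.example/index.html cart.bad1.example Malware
http://fake-av.example/ scan.bad2.example Malware
http://fake-av.example/ cdn.static.example Benign
http://news.example/story cdn.static.example Benign
http://news.example/story ads.example Benign
http://news.example/ scan.bad2.example Malware
- cdn.static.example Benign
malformed line
"""

def referrer_profile(log_text):
    """Return {referring host: Counter of destination ratings}."""
    profile = defaultdict(Counter)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed records
        referer, dest, rating = parts
        ref_host = (urlsplit(referer).hostname or "").lower()
        if not ref_host or ref_host == dest.lower():
            continue                      # no referrer, or same-site navigation
        profile[ref_host][rating] += 1
    return profile

def suspicious_referrers(log_text, threshold=0.5, min_hits=3):
    """Referrers whose share of Malware-rated destinations exceeds threshold."""
    flagged = {}
    for host, ratings in referrer_profile(log_text).items():
        total = sum(ratings.values())
        if total < min_hits:
            continue                      # too little traffic to judge
        share = ratings["Malware"] / total
        if share > threshold:
            flagged[host] = round(share, 2)
    return flagged

if __name__ == "__main__":
    print(suspicious_referrers(SAMPLE_LOG))
```

The `min_hits` floor keeps a single stray click from flagging a legitimate referrer; tune it and `threshold` to the volume of the log window being examined.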

 

Need more proof? WebPulse has even more advanced tricks up its sleeve, that let me expand the search to some sibling sites elsewhere in the Bad Guy network, where this little gem was hiding, on a page titled "Viruses were found on your computer!":

standard Fake-AV graphic found on a sibling site

(Hey, Bad Guys! You misspelled "might"!)

 

Finally, I should also warn the Mac users out there that this "extended version" of the network included a site targeting the Safari browser.

So, yeah, this is evil.

–C.L.

@bc_malware_guy
