Last week, I was taking a look at some traffic when an interesting domain name jumped out at me. (Well, it didn't literally jump out at me, of course. I'd probably describe its behavior more along the lines of "a needle trying to hide behind a bunch of hay"…)
The domain was advancedprotector.com, and since I reflexively don't trust protection-themed domain names (after years of chasing "Fake Antivirus" malware), I went to take a look:
And, if you scroll down a bit, you can see the impressive list of awards it's won. (Of course.)
Wow! Over 100 5-star awards!!!!
Man, I didn't even know there were 100 organizations in the world that gave out awards to software! These guys must be awesome indeed! Except…
– This domain was registered just a month ago. (How did they win all of those awards in just a month???)
– The registrar was bizcn.com — a Chinese registrar. (Interesting, since they don't have a Chinese page anywhere on their site.)
– The registration data is, of course, anonymous. (Surprise, surprise — and through a Chinese anonymization service, as a bonus!)
– It's more of a "page" than a "site" — I could only find one other page on this domain. (More on that later…)
– The nice-looking "Microsoft Partner" link at the top leads to a page on a Microsoft site, describing a software company in India. Unfortunately, "Advanced System Protector" is not one of the products this company lists.
– Most tellingly, the site stubbornly refused to let me try its download, no matter how much I coaxed.
What else? How about one of the "award" links, which led to the following gem:
That's right, it's "free", but it will cost you $29.95 to buy it, since there's no free download link anywhere, only the link to the shopping cart, where it sure ain't free. (Maybe that's because the "Advertisement" they're showing with it isn't likely to be bringing them much extra income…)
Also, I mentioned that I did find one other page on the site; here it is. Look closely at the link displayed at the bottom of the page as I hovered the mouse:
That's right, the "Referer" site isn't even correct: instead of advancedprotector.com it's for a different site: www.easyprotectionpro.com…
So far, these are all clues that any suitably paranoid person could discover with a minute or two of "background checking". What does WebPulse know?
Well, for starters, we know that www.easyprotectionpro.com is rated as Malware. (We can also go back and check the logs, and find out that, guess what, www.easyprotectionpro.com was on the same IP address (173.212.250.3) back in June, when it was doubtless showing off the "100 5-star awards" it had won…)
More damning is to look at the traffic logs to see what kind of company advancedprotector.com keeps. Pulling 24 hours of traffic from a day last week, and looking at the sites advancedprotector.com was sending visitors to, showed that 93% of the time it was attempting to send visitors (victims, really) to sites that we have rated as Malware.
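The two log checks described above (the share of a site's outbound referrals that land on Malware-rated destinations, and the pivot on a shared IP address), written up as an added example that is not part of the original post and uses constructed proxy-log lines rather than real WebPulse data; the log format, the rating labels and the hostnames other than those named in the post are assumptions.

```python
"""Added example: referral-to-Malware share and shared-IP pivot over
constructed proxy-log lines (not real WebPulse data)."""
from collections import Counter, defaultdict

# Fields: timestamp, referer host ('-' = none), destination host, destination IP, rating.
# Every line is constructed for this example; only the two hostnames from the post
# and the IP 173.212.250.3 are taken from it.
SAMPLE_LOG = """\
2010-06-03T09:12:44 - www.easyprotectionpro.com 173.212.250.3 Malware
2010-07-14T10:00:01 - advancedprotector.com 173.212.250.3 Unrated
2010-07-14T10:00:05 advancedprotector.com dl-one.example 198.51.100.7 Malware
2010-07-14T10:01:12 advancedprotector.com dl-two.example 198.51.100.8 Malware
2010-07-14T10:02:30 advancedprotector.com cart.example 203.0.113.9 Unrated
2010-07-14T10:03:02 advancedprotector.com dl-one.example 198.51.100.7 Malware
2010-07-14T10:04:11 www.example.com news.example 203.0.113.20 Unrated
"""


def parse_log(text):
    """Return one dict per non-empty log line; a '-' referer becomes None."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, referer, dest, ip, rating = line.split()
        records.append({"ts": ts, "referer": None if referer == "-" else referer,
                        "dest": dest, "ip": ip, "rating": rating})
    return records


def referral_malware_share(records, site):
    """Fraction of requests referred by `site` whose destination is rated Malware."""
    counts = Counter(r["rating"] for r in records if r["referer"] == site)
    total = sum(counts.values())
    return counts["Malware"] / total if total else 0.0


def hosts_sharing_ip(records, host):
    """Other destination hosts seen on any IP address that `host` was seen on."""
    by_ip = defaultdict(set)
    for r in records:
        by_ip[r["ip"]].add(r["dest"])
    return {h for hosts in by_ip.values() if host in hosts for h in hosts if h != host}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{referral_malware_share(recs, 'advancedprotector.com'):.0%}")  # 75%
    print(sorted(hosts_sharing_ip(recs, "advancedprotector.com")))
```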
Need more proof? WebPulse has even more advanced tricks up its sleeve that let me expand the search to some sibling sites elsewhere in the Bad Guy network, where this little gem was hiding, on a page titled "Viruses were found on your computer!":
(Hey, Bad Guys! You misspelled "might"!)
Finally, I should also warn the Mac users out there that this "extended version" of the network included a site targeting the Safari browser.
So, yeah, this is evil.
–C.L.
@bc_malware_guy