FakeAV is never really far when you want to find it. Browsing a couple of dubious links was enough to trigger a ‘you are infected’ page. This one is pretending to be from Microsoft Security Essentials:
The file that gets downloaded weighs a heavy (as far as malware goes) 4.58 Mb and comes from: 03.85da0f71.com
The VirusTotal report here shows an abysmal detection rate (5/43). The installer is only served if you are referred to the site by a specific domain, and the backend server logs your IP address so that you can only request the file 5 times, after which the resource is magically no longer there.
If you would like to analyze this file, you can download a copy here. (The password is infected0726).
When you install the program, you will see something called Security Solution 2011 claiming there are several hundred threats on your PC:
To remove them, you must purchase the software… and it’s not cheap:
And to convince you to buy now, your system will display occasional pop-ups such as this one:
Let’s check who is behind this. There are several domains involved in pushing ‘Security Solution 2011’:
antivirusantispyware2011.com
antivirusantispyware2011lab.com
antivirusantispyware2011ltd.com
antivirusantispyware2011now.com
antivirussystem2011pro.com
IP: 195.226.218.166
Location: Latvia
securecertifiedpaymentservice.com
securitysolution2011pc.com
IP: 85.17.109.17
Location: Netherlands
Backup server: 188.66.6.73 Estonia
securitysolution2011org.com
IP: 85.17.141.46
Location: Netherlands
Backup server: 188.66.6.72 Estonia
Also hosted on 85.17.109.17 is shopsmartsoft.com, the payment processor and ‘support’ site:
Here is a link to a transaction involving the sale of the fake AV:
shopsmartsoft.com/buy/?affiliate_id=1&machine_id=1&product_domain=securecertifiedpaymentservice.com&sproduct_id=p4
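The domains and the purchase URL above can be turned into a simple check over web proxy logs. The following is an added example, not code from the original post; the log format (`<client_ip> <url>`), the sample lines, and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Domains listed in this post (download host, product sites, payment site).
FAKEAV_DOMAINS = {
    "03.85da0f71.com", "antivirusantispyware2011.com",
    "antivirusantispyware2011lab.com", "antivirusantispyware2011ltd.com",
    "antivirusantispyware2011now.com", "antivirussystem2011pro.com",
    "securecertifiedpaymentservice.com", "securitysolution2011pc.com",
    "securitysolution2011org.com", "shopsmartsoft.com",
}

def match_domain(host):
    """Return the listed domain that host equals or is a subdomain of."""
    host = host.lower().rstrip(".")
    for domain in FAKEAV_DOMAINS:
        # Require a label boundary so look-alike prefixes do not match.
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def inspect_url(url):
    """Describe a URL that hits a listed domain, or return None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    hit = match_domain(parts.hostname or "")
    if hit is None:
        return None
    query = parse_qs(parts.query)
    return {
        "domain": hit,
        # The sale URL in the post lives under /buy/ and carries these fields.
        "is_purchase": parts.path.startswith("/buy"),
        "affiliate_id": query.get("affiliate_id", [None])[0],
        "product_domain": query.get("product_domain", [None])[0],
    }

def scan(log_lines):
    """Scan constructed '<client_ip> <url>' lines and return the findings."""
    findings = []
    for line in log_lines:
        client, _, url = line.strip().partition(" ")
        info = inspect_url(url)
        if info:
            findings.append({"client": client, **info})
    return findings

SAMPLE_LOG = [  # constructed sample traffic, not real logs
    "10.0.0.5 http://www.securitysolution2011pc.com/index.html",
    "10.0.0.7 http://example.org/",
    "10.0.0.5 shopsmartsoft.com/buy/?affiliate_id=1&machine_id=1"
    "&product_domain=securecertifiedpaymentservice.com&sproduct_id=p4",
    "10.0.0.9 http://notsecuritysolution2011pc.com/",
]
```

A client that shows both a product-site visit and a `/buy/` request, like 10.0.0.5 in the sample, is worth following up first since the user may have reached the payment page.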
The support page boasts it has 24/7 assistance:
And yet its email address does not work:
So much for an award-winning billing company…
Jerome Segura