FakeAV is never really far when you want to find it. Browsing a couple of dubious links was enough to trigger a ‘you are infected’ page. This one is pretending to be from Microsoft Security Essentials:
The file that gets downloaded weighs a heavy (as far as malware goes) 4.58 Mb and comes from: 03.85da0f71.com
The VirusTotal report here shows an abysmal detection rate (5/43). The installer is only served if you are referred to the site by a specific domain, and the backend server logs your IP address so that you can only request the file 5 times, after which the resource is magically no longer there.
If you would like to analyze this file, you can download a copy here. (The password is infected0726).
When you install the program, you will see something called Security Solution 2011 claiming there are several hundred threats on your PC:
To remove them, you must purchase the software… and it’s not cheap:
And to convince you to buy now, your system will display occasional pop-ups such as this one:
Let’s check who is behind this. There are several domains involved in pushing ‘Security Solution 2011’:
Backup server: 22.214.171.124 Estonia
Backup server: 126.96.36.199 Estonia
Also hosted on 188.8.131.52 is shopsmartsoft.com, the payment processor and ‘support’ site:
Here is a link to a transaction involving the sale of the fake AV:
The support page boasts it has 24/7 assistance:
And yet its email address does not work:
So much for an award-winning billing company…