Thursday, August 27, 2009

How To Spot a Phony (anti-malware vendor)

What's this world coming to?

There are so many sites popping up every day peddling what appears to be anti-malware (AM) software for your PC that it's hard to keep them straight. The sad fact is that the vast majority of them are malware themselves. How do you know which ones are safe, and which ones are just going to infect your computer with nastiness?

I found one such site today which, after a lot of investigation, I concluded is a "scare-ware" site. Scare-ware is useless software that lies to you about monumental threats (which most often aren't real) and tries to scare you into paying to remove them. It's a fascinating business model, and it generates real money: tens or hundreds of thousands of dollars, possibly even millions.

That being said, these people want to lure you in and get you to hand over money, so I'm going to walk you through some steps to determine whether a site you've stumbled across, or been directed to, is real... or phony.

I'm working with a real scare-ware site called "AntiSpyware.com". You can follow along, or substitute a site you want to investigate yourself...

First off, you'll want to find out who owns the domain. AntiSpyware.com looks very official, so let's see who is behind it. Network Solutions (www.networksolutions.com) has a landing page where you can type in a domain and it will retrieve the "whois" record.

Straight off, notice the redirection to who.godaddy.com: this first lookup only tells you which registrar (GoDaddy) holds the domain, so you have to go to the registrar's own whois service for the "real" answer.

Pasting that into a browser, it becomes even clearer that this site is dodgy. Most legitimate sites readily identify the owning company, contacts and so on. Look up any legitimate company, or your own employer, and you'll see what I mean.


Now, let's look at the GoDaddy.com record for AntiSpyware.com. Do any alarms go off in your head?
You'll notice someone went to great lengths to mask the ownership of the domain. In fact, DomainsByProxy.com has an entire business model built around this type of privacy: you register domains through them, and their details rather than yours appear in the public Whois record. That's brilliant... brilliantly evil, that is.

A quick scan of the DomainsByProxy landing page shows that the service has a legitimate purpose, keeping people's personal information out of the public Whois registry, which is being abused here to mask and hide obvious criminal activity.

So far we know that the site doesn't appear to be owned by any "honest" company. As far as I know, when I check out TrendMicro, Kaspersky, or even Symantec, their Whois records are all public; go look for yourself or follow the links.


So far we've been able to determine the site is shady simply by investigating its Whois record. This should by no means be your only step in judging the legitimacy of a site or its content: private registration by itself proves nothing (plenty of personal sites use it), and what stands out here is a privacy proxy fronting a site that claims to be a security vendor. But it's a great start.
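The lookup chain described above (registry record, referral to the registrar's whois server, then the registrar record with the proxy service in it) can be automated. The following is an added example, not code from the original post: it speaks plain WHOIS (RFC 3912, TCP port 43) to the real .com/.net registry server, whois.verisign-grs.com, and assumes the "Key: value" field names that registry and most registrars use ("Registrar WHOIS Server", "Registrant Organization", and so on). Field names vary by TLD, so the parser is deliberately lenient. The sample records and the PROXY_MARKERS list are constructed for illustration, not copied from any real lookup.

```python
"""Follow a domain's WHOIS referral chain and flag privacy-proxy registrations.

Added example (not from the original post). Assumes RFC 3912 WHOIS and the
"Key: value" field names used by the .com registry and most registrars.
"""
import json
import re
import socket
import sys
from typing import Dict, List, Optional

REGISTRY_WHOIS = "whois.verisign-grs.com"   # real thin registry server for .com/.net

# Illustrative strings seen in proxy-registered records; not a complete list.
PROXY_MARKERS = (
    "domains by proxy", "registration private", "whoisguard", "privacy",
    "proxy", "redacted", "withheld", "contact privacy",
)

# Constructed sample records (not real lookups) so the parsing can run offline.
# The registry answer only names the registrar and its whois server...
SAMPLE_REGISTRY = """\
   Domain Name: EXAMPLE-SCAREWARE.COM
   Registrar WHOIS Server: whois.example-registrar.test
   Registrar URL: http://www.example-registrar.test
   Registrar: Example Registrar, LLC
"""
# ...and the registrar answer is where a privacy proxy shows up.
SAMPLE_REGISTRAR_PROXIED = """\
Domain Name: EXAMPLE-SCAREWARE.COM
Registrar: Example Registrar, LLC
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Email: example-scareware.com@domainsbyproxy.test
Admin Organization: Domains By Proxy, LLC
Tech Organization: Domains By Proxy, LLC
"""
SAMPLE_REGISTRAR_PUBLIC = """\
Domain Name: EXAMPLE-VENDOR.COM
Registrar: Example Registrar, LLC
Registrant Name: Domain Administrator
Registrant Organization: Example Security Vendor, Inc.
Registrant Email: hostmaster@example-vendor.test
"""


def whois_query(server: str, query: str, timeout: float = 10.0) -> str:
    """Send one WHOIS query (RFC 3912) and return the raw response text."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii", "ignore") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def parse_fields(text: str) -> Dict[str, str]:
    """Collect 'Key: value' lines into a dict; keys lowercased, first value wins."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z0-9 /_-]*?):\s*(\S.*?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), m.group(2))
    return fields


def referral_server(text: str) -> Optional[str]:
    """Return the registrar WHOIS server a registry record refers to, if any."""
    fields = parse_fields(text)
    for key in ("registrar whois server", "whois server", "refer"):
        if key in fields:
            return fields[key].lower()
    return None


def privacy_proxy_hits(text: str) -> List[str]:
    """Return registrant/admin/tech field values that look like a privacy proxy."""
    hits = []
    for key, value in parse_fields(text).items():
        if key.startswith(("registrant", "admin", "tech")):
            if any(marker in value.lower() for marker in PROXY_MARKERS):
                hits.append(f"{key}: {value}")
    return hits


def investigate(domain: str) -> dict:
    """Live lookup: registry first, then follow the referral to the registrar."""
    registry_text = whois_query(REGISTRY_WHOIS, f"domain {domain}")
    registrar_server = referral_server(registry_text)
    record = whois_query(registrar_server, domain) if registrar_server else registry_text
    return {
        "domain": domain,
        "registrar_whois": registrar_server,
        "registrar": parse_fields(record).get("registrar"),
        "proxy_hits": privacy_proxy_hits(record),
    }


if __name__ == "__main__":
    # Offline demo of the checks on the constructed records, then a live lookup if asked.
    print("referral:", referral_server(SAMPLE_REGISTRY))
    print("proxied record hits:", privacy_proxy_hits(SAMPLE_REGISTRAR_PROXIED))
    print("public record hits:", privacy_proxy_hits(SAMPLE_REGISTRAR_PUBLIC))
    if len(sys.argv) > 1:
        print(json.dumps(investigate(sys.argv[1]), indent=2))
```

Run it with a domain as the first argument for a live lookup (`python whois_chain.py example.com`). A non-empty `proxy_hits` list is the signal discussed above, and it is only a signal: combine it with the other checks before drawing a conclusion.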

Armed with this information, let's look at site linking: how well-linked is this site, and where do the links to it come from? Who links to a site is often a good indicator of what the site contains.

I've been using WhoLinksToMe.com for a while to gauge site legitimacy, because it gives a useful report even to anonymous users. Check out the results for AntiSpyware.com...

What immediately attracted my attention is that the site has a fairly low PageRank for a "legitimate business"... I mean, this blog you're reading on some days has a higher PR than that! A PR of 4 suggests the site isn't well linked from other established sites. Don't over-read this on its own, since plenty of legitimate sites have a low PR; treat it as one weak signal among several.

Look at the keywords too... the number one search term is "all in one keylogger key"... how interesting. You'll also find, after some digging, that the key search terms for this site are ones like "antispyware, free, windows spyware remover...". Bells should be going off right about now. Now look at the BackLinks: that's where the links to this site are posted.

I recommend going to Google and simply typing "link:InsertYourDomain.tld"... here are some examples for AntiSpyware.com:
  • DNForum.com, where someone claims that AntiSpyware.com was sold for 550,000 EUR (link)
  • StatBrain.com, which gives you some idea of how much traffic is generated here, and why someone might pay 550,000 EUR for the domain (link)
  • A link to an interesting "review" of the site/product (link)
By now you're getting the picture... Next on the list is to run the site through McAfee SiteAdvisor which, as you will see, does NOT like AntiSpyware.com :) By the way, I think this is the one and only time I've ever, or will ever, plug a McAfee tool...

When all else has been checked and you're still not sure, look at the site itself. Does it look "too good to be true"? If so, it probably is! Look at the link structure too: does it try to suck you in? Do all the links point to "BUY THIS NOW"?

If you're still thinking the site has a legitimate (free) product, then download it, somewhere disposable such as a VM you can throw away and without running it, and bounce it off a service like VirusTotal.com, which checks the file (or just its hash) against dozens of AV engines --> setup.exe analysis
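The VirusTotal step can be scripted so that you hash the installer locally and look the hash up before deciding whether to upload anything. The following is an added example, not code from the original post. It assumes the current VirusTotal v3 REST API (GET https://www.virustotal.com/api/v3/files/<hash> with an "x-apikey" header), which postdates the post, and reads the key from a VT_API_KEY environment variable. SAMPLE_REPORT is a constructed response trimmed to the fields used here, so the summary logic can be exercised offline.

```python
"""Hash a downloaded installer and look it up on VirusTotal by hash.

Added example (not from the original post). Assumes the VirusTotal v3 API
and an API key in the VT_API_KEY environment variable.
"""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Dict, Optional

ALGOS = ("md5", "sha1", "sha256")

# Constructed VT-style report (not a real response), trimmed to the fields used below.
SAMPLE_REPORT = {
    "data": {
        "attributes": {
            "names": ["setup.exe", "AntiSpywareSetup.exe"],
            "last_analysis_stats": {
                "malicious": 38, "suspicious": 2, "undetected": 28,
                "harmless": 0, "timeout": 1, "type-unsupported": 3,
            },
            "popular_threat_classification": {
                "suggested_threat_label": "trojan.fakeav/rogue",
            },
        }
    }
}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """MD5/SHA-1/SHA-256 of an in-memory blob (small samples, tests)."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS}


def hash_file(path: str) -> Dict[str, str]:
    """Same digests for a file on disk, streamed so large installers fit in memory."""
    digests = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def vt_lookup(file_hash: str, api_key: str) -> Optional[dict]:
    """Fetch the VT report for a hash; None means VT has never seen this file."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{file_hash}",
        headers={"x-apikey": api_key, "accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def summarize(report: dict) -> dict:
    """Reduce a VT file report to what you need for a go/no-go decision."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    scanned = flagged + stats.get("undetected", 0) + stats.get("harmless", 0)
    label = attrs.get("popular_threat_classification", {}).get("suggested_threat_label")
    # One or two hits can be false positives; dozens almost never are.
    verdict = "malicious" if flagged >= 5 else ("suspicious" if flagged else "clean-so-far")
    return {
        "flagged": flagged,
        "scanned": scanned,
        "ratio": f"{flagged}/{scanned}",
        "label": label,
        "names": attrs.get("names", [])[:5],
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Usage: python vt_check.py setup.exe   (hash it, never run it)
    if len(sys.argv) < 2:
        sys.exit("usage: vt_check.py <downloaded file>")
    digests = hash_file(sys.argv[1])
    print(json.dumps(digests, indent=2))
    key = os.environ.get("VT_API_KEY")
    if not key:
        sys.exit("set VT_API_KEY to query VirusTotal; the hashes above can be pasted into the site")
    report = vt_lookup(digests["sha256"], key)
    if report is None:
        print("VT has never seen this file: 'unknown' is not 'clean'; consider uploading it")
    else:
        print(json.dumps(summarize(report), indent=2))
```

Two caveats the script encodes: a hash that VirusTotal has never seen is not evidence the file is clean (fresh scare-ware builds are repacked often), and a single engine's detection is weak evidence on its own, so the verdict is based on how many engines agree.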

This one, boys and girls... is obviously evil! I hope you've learned something and can apply it the next time you see a sketchy site trying to sell you a fix for a malware problem you may not have.

Be safe!


5 comments:

Alec Waters said...

Hi Raf,

There's a great list of fakes here:

http://ddanchev.blogspot.com/2009/07/diverse-portfolio-of-fake-security_27.html

alec

Erik said...

Dude. Yes, it's true that AntiSpyware is a total sham and you are doing a good service pointing it out, but two of the reasons you give should be taken with a grain of salt. Can I offer my perspective without upsetting you like last time?

Great, here you go:

1) A PageRank of 4 is not all that bad, actually, and tons of legit sites have low PageRank. I don't think you meant to suggest to people that PageRank was an indication of site legitimacy. BTW your PageRank is 4, congrats! Why don't you share some of that with me? Thanks ;)
2) The whois data is obfuscated using a pretty common thing nowadays called private registration. All the domain name companies offer it. It proves nothing, but you are right, a real company should not use private registration; this is generally reserved for personal web sites whose owners don't want to give out their home address.

The rest is good stuff. VirusTotal is an amazing site, and anyone worried about something they downloaded should pump it through VirusTotal to give it a quick check. Thanks for the tip on WhoLinksToMe as well; going to have to check that out.

Raf said...

@Alec - thanks for the link! I'm sure folks will find that useful...

@Erik - great points. I do think that PR is important, especially when you consider back-links and link-outs on a site... but then... that site looks so... "inviting" and Web 2.1'ish!

PS... I'll link you but it'll cost ya :)

ekse said...

Quick correction: the Google search keyword is link: instead of links:. And thanks for the WhoLinksToMe.com link; I didn't know this website and it might be handy.

Erik said...

@Raf, btw, I should have checked Blogger's default behavior on outbound links. Their links are totally worthless from a search engine rank perspective, as they use the dreaded "nofollow" attribute. Whine. ;) I would recommend you read up on the negative effect nofollow has on encouraging people to comment: http://isaacyassar.blogspot.com/2009/02/how-to-remove-blogger-nofollow.html has tips on how to fix it, although there is some debate about whether Blogger forces it in no matter what you do, so YMMV.
