NEWS FROM THE LAB - Wednesday, October 1, 2008

John Doe is a Criminal Mastermind
Posted by Sean @ 18:54 GMT

WinDefender 2008 was the subject of yesterday's post. It's a rogue security application, and part of an ever-increasing consumer scam.

A search for "Really Legal Stuff" ties WinDefender 2008 to Antivirus XP 2008, another persistent and very nasty rogue.

[Screenshot: Rogue WinDefender 2008 and Antivirus XP]

Here's another *really* related rogue, Spyware Guard 2008.

[Screenshot: Rogue SpywareGuard 2008 - Really Legal Stuff]

Spyware Guard 2008's legal page makes references to Pandora Software.

There are other rogue websites that refer to Pandora Software, and claim it to be located in Dortmund, Germany with a support contact of Oleg Dvorezky. Right… sure.

Whois records list the registrant of Pandora as Trans Eurogroup S A with a physical address of Victoria, SC. Where the heck is SC? It's the Republic of Seychelles, an archipelago nation that's located in the Indian Ocean.

On sites that refer to Pandora Software, you'll also find many cross-references to Innovagest2000. The innovagest2000.com website lists their contact address as Madrid, Spain.

Innovagest2000 claims to provide "simply the best entertainment online". And just what kind of entertainment do they provide?

Entertainment such as SystemDefender, yet another rogue. More scareware.

[Screenshot: Rogue SystemDefender Scan]

Oh no, 324 threats! Is it the animation that's supposed to be fun… ?

It isn't that much fun if you click on the Free Scan Now button.

Do that and you'll get a file that we detect as Trojan-Downloader.Win32.Adload.ma.

[Screenshot: Rogue SystemDefender - Trojan-Downloader.Win32.Adload.MA]

Trojan-downloaders are kind of a killjoy when it comes to entertainment.

SysCleaner's website is also one of Innovagest2000's efforts from the looks of it.

[Screenshot: Rogue SysCleaner Scan]

Huh. SysCleaner also detects 324 things to fix, just like SystemDefender does. Guess that's part of the entertainment.

Using a selection of text from SysCleaner's privacy policy page, we located another batch of rogues.

AntiMalware 2009

[Screenshot: Rogue AntiMalware 2009]

Total Eliminator

[Screenshot: Rogue TotalEliminator - Privacy Policy]

FileShredder 2008

[Screenshot: Rogue FileShredder 2008]

Andromeda AntiVirus

[Screenshot: Rogue Andromeda AntiVirus]

Real Antivirus

[Screenshot: Rogue Real Antivirus]

PC Antispy

[Screenshot: Rogue PC Antispy]
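The pivot used above, and earlier with "Really Legal Stuff", is to take a distinctive sentence from one rogue's legal or privacy page and search for it to find the siblings. The same idea can be run systematically over a set of pages you have already fetched: find the word n-grams that recur across hosts (those are the strings worth pasting into a search engine next) and group hosts whose boilerplate overlaps. The Python below is an added example written for this post, not code from F-Secure or from the sites discussed; the hostnames and page texts are constructed stand-ins, and the shingle length of 5 words and the 0.3 Jaccard threshold are assumptions, not measured values.

```python
"""Group look-alike rogue-security sites by the boilerplate they share.

Added example for the pivot technique described in the post. Every host
and page text here is constructed for illustration (.example TLD).
"""
import re
from itertools import combinations

# Constructed "legal page" texts. Three hosts share one boilerplate
# (hypothetical "Pandora" family), two share another (hypothetical
# "Innovagest" family), and one unrelated page is included as a control.
PAGES = {
    "windefender2008.example": (
        "By downloading this software you agree that it is really legal stuff. "
        "Pandora Software, Dortmund, Germany, is the sole distributor and accepts "
        "no liability for any damage. WinDefender 2008 keeps your PC clean."
    ),
    "antivirusxp2008.example": (
        "By downloading this software you agree that it is really legal stuff. "
        "Pandora Software, Dortmund, Germany, is the sole distributor and accepts "
        "no liability for any damage. Antivirus XP 2008 removes every threat."
    ),
    "spywareguard2008.example": (
        "By downloading this software you agree that it is really legal stuff. "
        "Pandora Software, Dortmund, Germany, is the sole distributor and accepts "
        "no liability for any damage. Spyware Guard 2008 blocks spyware today."
    ),
    "systemdefender.example": (
        "We provide simply the best entertainment online. Charges will appear on "
        "your statement as New Concept Business SL, Barcelona, Spain. "
        "SystemDefender found threats on your computer."
    ),
    "syscleaner.example": (
        "We provide simply the best entertainment online. Charges will appear on "
        "your statement as New Concept Business SL, Barcelona, Spain. "
        "SysCleaner found errors on your computer."
    ),
    "bank.example": (
        "This privacy notice explains how we collect, use and protect personal "
        "information when you use our online banking services in Finland."
    ),
}


def normalize(text: str) -> str:
    """Lowercase, drop punctuation, collapse whitespace, so that trivial
    edits (case, commas, line breaks) do not break a match."""
    return " ".join(re.findall(r"[a-z0-9]+", text.lower()))


def shingles(text: str, n: int = 5) -> set:
    """Set of word n-grams ("shingles") for one page."""
    words = normalize(text).split()
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}


def pivot(pages: dict, phrase: str) -> list:
    """The manual step from the post: which hosts carry this exact phrase?"""
    needle = normalize(phrase)
    return sorted(h for h, t in pages.items() if needle in normalize(t))


def shared_phrases(pages: dict, n: int = 5, min_hosts: int = 2) -> dict:
    """n-grams seen on at least min_hosts hosts, mapped to those hosts.
    These are the candidate strings for the next search-engine pivot."""
    seen = {}
    for host, text in pages.items():
        for s in shingles(text, n):
            seen.setdefault(s, set()).add(host)
    return {s: frozenset(hs) for s, hs in seen.items() if len(hs) >= min_hosts}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


def cluster(pages: dict, n: int = 5, threshold: float = 0.3) -> list:
    """Group hosts whose shingle sets overlap by at least `threshold`
    (Jaccard) using union-find. Returns a sorted list of sorted host lists."""
    sets = {h: shingles(t, n) for h, t in pages.items()}
    parent = {h: h for h in pages}

    def find(h):
        while parent[h] != h:
            parent[h] = parent[parent[h]]  # path halving
            h = parent[h]
        return h

    for a, b in combinations(pages, 2):
        if jaccard(sets[a], sets[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for h in pages:
        groups.setdefault(find(h), []).append(h)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    print("hosts carrying 'Really Legal Stuff':", pivot(PAGES, "Really Legal Stuff"))
    for group in cluster(PAGES):
        print("family:", group)
```

Two practical caveats. Strip navigation, footers and ad text before shingling, or every site on the same hosting template will end up in one family; and treat the clusters as leads, not proof: the post's own chain (shared text, then whois, then billing-descriptor names) is what turns a text match into an attribution.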

Another selection of text from these sites yields many search results that are definitely not safe for work, i.e. pornography. Really obscene stuff. Morally upright citizens of the world, these guys — not.

The company that provides this so-called entertainment is urbangestdesarrollos.com. The Urbangestdesarrollos site, which also claims a contact address of Madrid, Spain, is a carbon copy of Innovagest2000. Both Urban and Innova state that credit card statements may show New Concept Business SL.

New Concept Business S.L. claims to be from Barcelona, Spain. Hmm, Spain again. Whois records list the location as Barcelona but the contact person is located in Amsterdam, ES and has a phone number starting with +1.800.

ES as in Spain? Amsterdam, Spain? With a US toll-free phone number? Right, that's probably accurate, you think?

These creeps are really anonymous.

Which brings us to this bit of news: Microsoft and Washington state are suing scareware purveyors.

And just who is the target of their lawsuit? Texas-based Branch Software and its owner James Reed McCreary. RegistryCleanerXP is the name of his scareware application. The Whois information for registrycleanerxp.com, which is still online by the way, actually seems to have legitimate contact details.

Why isn't McCreary more anonymous? It's probably because he isn't among the worst of the scareware purveyors out there. Yeah, he's guilty of deceptive and misleading advertising, and we're happy to see something being attempted, but there's lots worse out there.

The lawsuit against McCreary could very likely devolve into a First Amendment speech case attempting to define deceptive practices, and then eventually he'll walk. Just like spam king Jeremy Jaynes, who had his spam conviction overturned a few weeks ago. Jaynes was incredibly guilty, and yet the Virginia law just wasn't good enough. Too broad.

We can always hope that Washington has better laws, and a judge that understands all of the technical details, but we aren't holding our breath while waiting for the results.

What about the worst of the purveyors? The ones behind stuff such as Antivirus 2009, Malwarecore, WinDefender, WinSpywareProtect and XPDefender?

Brian Krebs has the key details, as he very often does, in this Security Fix post:

"In a separate action, Microsoft filed five "John Doe" lawsuits to learn the identities of individuals responsible for marketing other scareware products."

Oh, John Doe lawsuits. That will take care of the problem, no? Once we learn the identities of the individuals, we'll just have to track them down in Dortmund/Madrid/Barcelona/Victoria/Amsterdam in Germany/Spain/Seychelles… and that's just the supposed locations for the John Does involved with the WinDefender chain of apps.

The Antivirus 2009 gang… is located in an entirely different set of European countries.

We applaud the effort, but we think it's going to take a lot more than the Attorney General of Washington to fix this problem. The Internet has no borders. Perhaps the effort would be better spent to create an international agency with the enforcement power to shut down rogue sites, many of which are hosted in the US?

Here are some final screenshots for you. Do you see the tiny red asterisk above the "y" in the word "Utility"?

[Screenshot: Rogue WinDefender 2008 - Online Scanning Utility]

That's a disclaimer.

[Screenshot: Rogue WinDefender 2008 - Disclaimer]

Is the text too small for you to read?

It says: "Typical system scan that shows how the real WinDefender product will be scanning your computer. Advertising purposes only."

John Doe truly has no shame.