Today, Microsoft’s Security Intelligence report is out and it’s no surprise that it’s littered with FakeAV/rogue security product threats: four out of the top five threats in the US, no less. Let me show you, with a keen eye and our threat intelligence databases, that the same group is responsible for a diverse set of criminal activity online, all at the same time.
I’m a little pedantic about the Queen’s English from time to time, and like most people I also make mistakes, however this little spelling error caught my eye earlier and a quick Google search proves it’s gone unnoticed by the owners for quite a while too.
I was doing a little research into some DSL IPs being abused at the moment and spotted this spelling error, “Acess”, in the broken English phrase taken from the terms of service of a FakeAV website:
“If acess services is unavailable during the subscription period, the member has the right for a refund of subscription fee.”
Google-dorking it in quotes so we get the exact phrase [link] reveals 141 sites that Google knows of. Misspelling “access” is hardly a crime, but copying the whole phrase is a little odd, isn’t it?
Take a look at the T&C page of advanced-virus-remover2009 .com (visiting this site is bad for your health):

And also the customer service page of the extreme porn site (incest-related domain redacted for obvious reasons):

These are sites that announce new content frequently, yet their 18 U.S.C. 2257 record-keeping statements say the content is ineligible because it was created prior to July 3, 1995. Oh, and they don’t ask for your date of birth when you sign up either. And so on (the signs are always there!).
…and one of the promotional affiliate networks for a network of porn sites:

…and the world renowned “Data Backuper” software from databackuper .com:

These are old sites, so let’s be realistic here: it’s just a template. The bad guys are just lazy (or efficient, depending on your point of view) when it comes to their websites. So, as proof if more were needed, advanced-virus-remover-2010 .com, registered a day or two ago, is exactly the same too.

(Old techniques die hard, eh?)
The same group(s) are undoubtedly connected with the recent tsunami spam spreading more Fake Alert malware, given the overlap between the domains below and the hosts-file infection data in this detailed VIL entry: http://vil.nai.com/vil/content/v_162829.htm
Lastly, let’s take a look at their most recent flurry of FakeAV/codec/crypto/porn domains:
(Again, don’t visit, just read.)
Quite a diverse set, eh? The pornographic content is managed somewhat separately, and I really don’t want to make extra work for our legal team with this one!
I doubt that’s all we’ll see this week, and passive DNS monitoring also shows that many of these are unused so far.
There is more to follow on this one I’m sure.
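As an added example (my own code, not part of the original post), here is a small Python script that does by machine what the post does by eye: it refangs the space-before-TLD notation, collapses the hyphen, counter and year variants into one template key so the registrations can be clustered, and intersects the result with a hosts-file style blocklist. The domains are a subset of those listed in the post; the hosts-file content is constructed, not the real VIL data.

```python
import re
from collections import defaultdict

# A constructed subset of the post's list, defanged as written (space before TLD).
DEFANGED = """
advanced-virus-remover-2009 .com
advanced-virus-remover2009 .com
advanced-virusremover-2009 .com
advancedvirusremover-2009 .com
advanced-virus-remover-2010 .com
1-vs-codec-pro .com
2-vs-codec-pro .com
vscodec-pro .net
1-open-davinci .com
open-davinci .net
downloadavr3 .com
downloadavr4 .com
best-scan-pc .org
best-scanpc .net
"""

def refang(line):
    """Turn 'example .com' back into 'example.com' (lower-cased, stripped)."""
    return re.sub(r"\s+\.", ".", line.strip().lower())

def template_key(domain):
    """Collapse the variants the post describes into one key: drop the TLD,
    a leading 'N-' counter, all hyphens, and a trailing year/serial number."""
    label = domain.rsplit(".", 1)[0]
    label = re.sub(r"^\d+-", "", label)   # 1-vs-codec-pro -> vs-codec-pro
    label = label.replace("-", "")        # advanced-virus-remover -> advancedvirusremover
    return re.sub(r"\d+$", "", label)     # ...2009, downloadavr3 -> trailing digits dropped

def cluster(defanged_text):
    """Group refanged domains by template key -> {key: [domain, ...]}."""
    groups = defaultdict(list)
    for line in defanged_text.splitlines():
        if line.strip():
            d = refang(line)
            groups[template_key(d)].append(d)
    return dict(groups)

def overlap(defanged_text, hosts_file):
    """Domains from the list that also appear in a hosts-file blocklist
    ('127.0.0.1 bad.example # comment' lines; a stand-in for the VIL data)."""
    ours = {d for ds in cluster(defanged_text).values() for d in ds}
    hosts = set()
    for line in hosts_file.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            hosts.update(h.lower() for h in parts[1:])
    return ours & hosts
```

Run `cluster(DEFANGED)` to see the fourteen registrations fall into five templates; feed a real hosts-file export to `overlap` to get the intersection the post refers to.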
