Since the release of the first antivirus products many people have believed in a
where antivirus companies generate their own market by paying virus writers to develop and release viruses. I don’t subscribe to that theory and trust the major security vendors, but recent trends show that there’s a fuzzy line between second-tier antispyware vendors and the malware they clean.
The most innocuous of malware-like antimalware behaviors is to advertise with web site banners and popups that mislead average users into thinking that they have a malware problem. Most of the advertisements look like Windows error dialogs complete with Yes and No buttons, and although the word “advertisement” sometimes appears on the dialog background, the notice is usually small, faded and far from the area where users focus their attention. Even more unlike Windows dialogs, however, is the fact that clicking anywhere on the image, even the part that looks like a No button, results in the browser following the underlying link to the target page. Here’s an example I ran across recently on a popular web site:
A click on the image took me to a page at www.myspwarecleaner.com . The page looks like an Internet Explorer error message, again probably to mislead unsophisticated surfers into following its directions, and it guides visitors to download and install an antispyware utility called Spyware Cleaner:
Even on a freshly installed copy of Windows XP, Spyware Cleaner reports close to a dozen “extreme risk” and “high risk” infections that include innocuous items like cookies left by MSN.com and several built-in Windows COM components, including RDSHost.exe, the Remote Desktop Service control, and Shdocvw.dll, a Windows shell COM object, both of which Spyware Cleaner identifies as spyware. It also lists each COM component twice, reporting their presence in HKLM\Software\Classes as well as HKCR, which for those objects is a symbolic link to HKLM\Software\Classes.
Of course, to remove the “infections” a user has to pay to register the software. Who makes Spyware Cleaner? You won’t find out on the Myspywarecleaner web site, which consists of only a handful of pages like the download page, a FAQ page, and one for affiliates. A Whois lookup of the domain name shows that it belongs to Gary Preston of Secure Computer LLC. The only reference I found on the web to the owner or his company was a thread at CastleCops from June of 2004 that complains of one of their tools falsely identifying systems as being infected with the Sasser worm.
A few days later I ran into the same banner on another site, one for Windows systems administrators that would be embarrassed if revealed, and clicked again. This time I was taken to www.spywarestormer.com . I downloaded their spyware cleaner, ran it on a the same clean Windows XP install, and it reported 7 different "infections":
Once again, the infections were false positives. One group was the Registry keys associated with Windows Internet Configuration Wizard, which Spyware Stormer reported as the "Surfairy" spyware package, and the other related to COM objects involved with the per-user configuration of Explorer that the tool labelled as "WinAD" adware. The Whois report for spywarestorm.com lists it has beeing registred by Domains by Proxy, Inc. through GoDaddy.com, so whoever is behind Spyware Stormer apparently wants to remain anonymous.
The user interfaces of both these antispyware tools look the same, but with different skins and icons, which leads me to believe that Myspywarecleaner and Spyware Storm are licensing core "antispyware" technology from someone else. It looks like the unscrupulous antispyware vendors are part of a ring.
Unfortunately, sleazy antispyware vendors aren’t just stopping with misleading banners and false infection reports. Either they, or partners that have a vested interest in sales of their products, are actually infecting machines so that users are essentially blackmailed into purchasing.
The most trafficked threads on the Sysinternals forums are ones related to an infection dubbed “Spyaxe.” It gets its name because it continuously pops up tray balloons informing users that their systems are infected. Clicking on a balloon opens the Spyaxe web site . Spyaxe of course denies any connection with the underhanded advertising, but it’s hard to believe someone would promote Spyaxe this way without some financial incentive.
SpySheriff is another antispyware vendor promoted in the same way as Spyaxe . About a week ago someone sent me a link to a web page, that if visited using a version of Internet Explorer that hasn’t been patched with December’s security updates, slams the system with deluge of malware (several sites download the same malware package using the recently discovered WMF vulnerability ). After the infection is complete, which is so extensive it takes close to five minutes, a system is loaded with 8 viruses, 8 spyware packages and 7 adware products. Subsequent to the installation, Internet browsing is made virtually impossible by the constant popups and popovers and processes are constantly connecting to remote SMTP servers and web pages.
You can watch the initial infection process in (the movie is only about three minutes long because I’ve deleted sequences with no visible change).
Here’s a chronology of events:
0:00 The malware has started to download through a script visible in the script prompt dialog.
0:05 The first evidence of the infection appears as a grammatically-challenged tray icon and balloon announcing that Windows has detected that the computer is infected:
0:10 Internet Explorer crashes and exits, leaving visible the changed desktop background that also announces that the system is infected.
0:20 More evidence of infection shows up as items on the left side of the desktop.
0:30 I open Process Explorer, which is paused, perform a refresh and new processes show up in green. I navigate the mouse over the image names to reveal their image paths, most of which are under the \Windows directory. Later I refresh the display and the result is this:
Note that the malicious executables have some or all of the characteristics I described as common to malware in my Understanding and Fighting Malware TechEd presentation : they have no company name, description, are packed (shown as a purple highlight), and reside under the \Windows directory.
0:55 I highlight the fact that one of the malware processes, Paytime.exe, identifies itself as Explorer from Microsoft Corporation.
1:00 After unpausing Process Explorer purple highlighting appears on most of the malware processes.
1:10 I open the process properties for Paytime and click the Verify button to check it for a digital signature. Unlike most Microsoft images, it doesn’t have one:
1:20 The appearance and disappearance of new processes shows that the infection is still underway.
1:30 I open Autoruns and perform a scan with the Verify Signatures and Hide Signed Microsoft Entries options checked, which reveals a dozen different malware autostart items:
2:00 A click on the tray icon causes the installation of SpySheriff. It shows up as shortcut on the desktop and the CPU usage goes to 100% as it starts scanning the system in the background.
2:05 I double-click on the SpySheriff tray icon and its control panel opens.
2:10 SpySheriff begins to identify some of the many spyware and adware infections:
2:20 A Windows shutdown dialog box briefly appears and then disappears, followed by a crash and restart of Explorer.
2:30 Explorer processes its autostart entries during its re-launch, which direct it to execute one of the malware programs. A Windows security warning appears because the image has an Internet Zone alternate data stream attached to it that associates it with the Internet, an untrusted zone.
2:40 I click on the “Remove found threats” button and discover that I have to purchase the product:
Not surprisingly, the SpySheriff website reveals little about the company behind it. A Whois of the domain points to Popandopulos Ltd in Greece as the owner, but the associated email address is email@example.com, which is a Russia-based domain. List.ru appears to be an ISP from its Whois information, so it’s doubtful that the Spysheriff domain registration is accurate.
Is the connection between the infestation and SpySheriff one simply created by a SpySheriff fan or is this evidence of an antispyware conspiracy? It’s hard to believe the former, and if it’s the latter then companies like Secure Computer LLC, which registered the myspywarecleaner.com domain in 2004, and Popandopulus Ltd, which registered spysheriff.com in May 2005, have been in business long enough to show that their business model is working – and that’s far too long. I know that at least one state Attorney General’s office is investigating the Spyaxe case and I hope that this blog post spurs more action. Misleading and outright malicious advertising for antispyware casts a shadow on the entire industry.