Friday, December 07, 2007

A Diverse Portfolio of Fake Security Software

The recently exposed RBN fake security software was literally just the tip of the iceberg in the ongoing practice of distributing spyware and malware under the cover of software positioned as anti-spyware and anti-malware. The domain farm of fake security software I'll assess in this post is worth discussing because of the size of its portfolio, the way the scammy ecosystem has been spread across different networks, and the directory structure it relies on, one whose predictability makes it fairly easy to efficiently obtain all of the fake applications. This particular case is also a good example of the efficiency-versus-quality trade-off typical of a Rock Phish kit: all the binaries dispersed across the different domains are in fact hosted on a single IP, and they are identical.

Who's hosting the malware and what directory structure per campaign do they use?

It seems that ( which is hosted at Limelight Networks, is used by all of the domains as the central download location. The directory structure is as follows:

Therefore, if you have the directory structure would be /

Sample domain portfolio, each domain serving digitally identical samples:

DNS servers further expanding the domain portfolio:

Main domain farm IPs:


Laziness on the part of the malicious parties in this campaign leads to a better detection rate: they did not hedge the risk of having their releases detected by diversifying not just the domain portfolio, but the binaries themselves. One hash-based signature, or one blocked IP, therefore covers every domain in the farm.
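The two observations above (a predictable per-campaign directory layout that makes bulk collection easy, and binaries that are identical across every domain and resolve to one hosting IP) can be checked mechanically. The following is an added example, not code from the original post: it builds the candidate download URL for each domain, hashes whatever is served, clusters domains by digest, and reports how many distinct binaries and hosting IPs the farm actually has. The path template, the domain names, the IP and the binary bytes are all constructed placeholders (the post's real directory structure is not reproduced), and the fetcher and resolver are injected so the analysis runs offline; a real run would swap in a network fetcher and DNS resolver.

```python
import hashlib
from collections import defaultdict
from urllib.parse import urlparse

# Hypothetical path template standing in for the predictable per-campaign
# directory layout described in the post (the real path is not reproduced here).
PATH_TEMPLATE = "/{campaign}/download/setup.exe"

# Constructed stand-in data: three farm domains, one shared binary, and one IP
# that every domain resolves to. None of this is real campaign data.
SHARED_BINARY = b"MZ" + b"\x90" * 62 + b"fake-antispyware-installer"
FARM = {
    "fake-av-1.example": SHARED_BINARY,
    "fake-av-2.example": SHARED_BINARY,
    "fake-av-3.example": SHARED_BINARY,
}
FARM_IP = "192.0.2.10"  # RFC 5737 documentation address, not a real host


def candidate_urls(domains, campaign, template=PATH_TEMPLATE):
    """Build the predictable download URL for every domain in the farm."""
    return {d: f"http://{d}{template.format(campaign=campaign)}" for d in domains}


def fake_fetch(url):
    """Offline fetcher: serves the constructed FARM instead of touching the network."""
    host = urlparse(url).hostname
    if host not in FARM:
        raise ConnectionError(f"no such host in constructed data: {host}")
    return FARM[host]


def fake_resolve(domain):
    """Offline resolver: every farm domain points at the single constructed IP."""
    return FARM_IP


def collect_digests(urls, fetch):
    """Fetch each URL with the injected fetcher and record its SHA-256 (None on failure)."""
    digests = {}
    for domain, url in urls.items():
        try:
            digests[domain] = hashlib.sha256(fetch(url)).hexdigest()
        except Exception:
            # A dead domain or a 404 must not abort the sweep; record and move on.
            digests[domain] = None
    return digests


def cluster_by_digest(digests):
    """Group domains by the hash of the binary they serve; identical binaries collapse to one cluster."""
    clusters = defaultdict(list)
    for domain, digest in digests.items():
        if digest is not None:
            clusters[digest].append(domain)
    return dict(clusters)


def analyze_farm(domains, campaign, fetch=fake_fetch, resolve=fake_resolve):
    """Reproduce the post's two checks: one hosting IP, one unique binary across all domains."""
    domains = list(domains)
    digests = collect_digests(candidate_urls(domains, campaign), fetch)
    clusters = cluster_by_digest(digests)
    ips = {d: resolve(d) for d in domains}
    largest = max(clusters.values(), key=len) if clusters else []
    return {
        "unique_binaries": len(clusters),
        "hosting_ips": sorted(set(ips.values())),
        "single_host": len(set(ips.values())) == 1,
        # Share of the farm that a single hash-based signature would cover.
        "signature_coverage": len(largest) / len(domains) if domains else 0.0,
        "clusters": clusters,
    }


if __name__ == "__main__":
    report = analyze_farm(sorted(FARM), campaign="campaign1")
    print(f"unique binaries: {report['unique_binaries']}, hosting IPs: {report['hosting_ips']}")
    print(f"one hash signature covers {report['signature_coverage']:.0%} of the domains")
```

With the constructed farm the report shows one binary, one IP and 100% signature coverage, which is exactly the situation the post describes; on a farm that did diversify its binaries, the cluster count would grow and the coverage figure would drop accordingly.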