The distributors of rogueware bundle Antivirus 2010, replacing last year’s scam AntiVirus 2009, brazenly are re-using another HOSTS file modification, adding another twist to their scheme. ThreatFire currently is preventing an installer in fairly high prevalence in the community.
As documented previously, these distributors feel free to add copyrighted logos and cerifications to their web site that they have not earned. Now, they are taking it a step further, fraudulently creating reviews by well known writers and reviewers like Neil Rubenking, Robert Vamosi, Ron White and others. Not only are the phony pages making claims that Antivirus 2010 is a five star product, but that is includes an engine from Sophos, is distributed by Symantec, and many other major security vendors are involved. The claims vary from site to site.
The HOSTS file, on default Windows systems, is consulted for dns lookups prior to querying a dns sserver for name-ip address resolution. It’s like looking through your phone’s contact list before calling goog411 to find a friend’s phone number.
So the distributors of AV2010 have taken to modifying this file, to redirect users to bold claims about their product. Here is a list of current redirections from one of their installers being distributed this morning:
217.20.175.74 www.review.2009softwarereviews.com
217.20.175.74 review.2009softwarereviews.com
217.20.175.74 a1.review.zdnet.com
217.20.175.74 www.d1.reviews.cnet.com
217.20.175.74 www.reviews.toptenreviews.com
217.20.175.74 reviews.toptenreviews.com
217.20.175.74 www.reviews.download.com
217.20.175.74 reviews.download.com
217.20.175.74 www.reviews.pcadvisor.c.uk
217.20.175.74 reviews.pcadvisor.co.uk
217.20.175.74 www.reviews.pcmag.com
217.20.175.74 reviews.pcmag.com
217.20.175.74 www.reviews.pcpro.co.uk
217.20.175.74 reviews.pcpro.co.uk
217.20.175.74 www.reviews.reevoo.com
217.20.175.74 reviews.reevoo.com
217.20.175.74 www.reviews.riverstreams.co.uk
217.20.175.74 reviews.riverstreams.co.uk
217.20.175.74 www.reviews.techradar.com
217.20.175.74 reviews.techradar.com
As you can see, the list of urls that they want redirected includes a fairly exhaustive list of some of the most well-known reviewers in the industry. Do not fall for these phony pages.
To confirm that the reviews you are checking out at these sites are not redirected fraud, you can take a peek at your HOSTS file by opening c:\windows\system32\drivers\etc\HOSTS with notepad. Normally, its only contents look like the following, without the list of review sites…
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a ‘#’ symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
