The keyword “antispyware” has around 2,000,000 monthly searches in Google, and it’s obvious why: nowadays the security-related websites are full of news about new computer trojans, new dangerous creations that have in fact a single objective: not to delete the Windows installation, not to take over the mouse and keyboard, but to spy silently and unnoticed on the victim’s computers or networks, posing a huge risk to all non-public data.
If we search Google for the keyword “antispyware”, the results depend slightly on search preferences such as location and language, but the first page of results always contains a link to http://www.antispyware.com . This is somewhat expected, since the domain name and the website title, AntiSpyware for Windows, seem strongly dedicated to an antispyware program. Common sense says that the website associated with this domain name is surely the most legitimate one in the world, the default one for a real anti-spyware program, and the website’s look is very convincing too:
The surprises start when we look up this website’s reputation, which is very poor, as you can see in the mywot.com scorecard:
Of course, the mywot.com system is far from an accurate rating system, but it triggers an alarm, especially because two reputed anti-malware sources, Malware Domain List and hpHosts, left comments stating that Antispyware 2011 is rogue security software, a fake anti-spyware program.
All these facts pushed me to investigate further, so first I downloaded the supposed anti-spyware program, named simply “Antispyware 2011”, and submitted it to a multi-engine online antivirus service, http://virusscan.jotti.org/en , with this result:
More than half of the antivirus engines list Antispyware 2011 as a malicious application. Pushing the tests further, I placed three well-known computer trojans (a Poison Ivy server, a Bifrost server and a Bifrost builder) in their unencrypted form in the system32 directory, simulating a computer infection. I should mention that these trojans are detected by absolutely all legitimate antivirus programs.
After installing Antispyware 2011 in a sandboxed environment and scanning the computer with it, the results show that it fails to detect any of these trojans; in the system32 directory it finds only a file of no importance. This is the proof that it is indeed a fake anti-spyware:
Analysis in Sandboxie with the Buster Sandbox Analyzer (BSA) add-on reveals dubious behaviour; for example, the Antispyware 2011 rogue program drops files and hides them from the user in these locations:
C:\WINDOWS\Installer\{448053BC-6F42-4223-8BF9-AD8E5300CB41}\Icon.exe
C:\WINDOWS\Installer\994b3c.msi
From the Buster Sandbox Analyzer report:
[ Network services ]
* Looks for an Internet connection.
* Connects to “spywaredb3.2squared.com” on port 80.
* Connects to “75.125.61.162” on port 80.
* Opens next URLs:
http://spywaredb3.2squared.com/update/info
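The report excerpt above is exactly the kind of artifact an analyst turns into indicators for blocking and detection. The following script is an added example, not part of the original post or of the BSA tool: it parses a BSA-style report into network and file-system indicators, flags executables dropped under the Windows Installer GUID cache directories (the hiding spot seen above), and emits hosts-file sinkhole entries for the contacted domains. The sample report is constructed from the lines quoted on this page; the “[ File system ]” section and its “Creates file” lines are assumed formatting, not copied from a real BSA report.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample modelled on the Buster Sandbox Analyzer excerpt in the post.
# The "[ File system ]" section is assumed formatting (not taken from a real report).
SAMPLE_REPORT = """\
[ Network services ]
* Looks for an Internet connection.
* Connects to "spywaredb3.2squared.com" on port 80.
* Connects to "75.125.61.162" on port 80.
* Opens next URLs:
http://spywaredb3.2squared.com/update/info
[ File system ]
* Creates file C:\\WINDOWS\\Installer\\{448053BC-6F42-4223-8BF9-AD8E5300CB41}\\Icon.exe
* Creates file C:\\WINDOWS\\Installer\\994b3c.msi
"""

# Accept both straight and curly quotes, since reports pasted into blogs often get the latter.
CONNECT_RE = re.compile(r'Connects to [“"]([^”"]+)[”"] on port (\d+)')
URL_RE = re.compile(r'https?://[^\s"”]+')
WIN_PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"”]+')
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')
# Windows Installer keeps cached packages (.msi/.msp) under C:\WINDOWS\Installer\{GUID}\;
# an .exe planted there is unusual because the folder is rarely inspected by users.
INSTALLER_GUID_DIR_RE = re.compile(r'\\Installer\\\{[0-9A-Fa-f-]{36}\}\\', re.IGNORECASE)


@dataclass
class Indicators:
    domains: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    ports: set = field(default_factory=set)
    urls: set = field(default_factory=set)
    dropped_files: set = field(default_factory=set)


def _add_host(ind, host):
    """Sort a contacted host into the IP or domain bucket."""
    if IPV4_RE.match(host):
        ind.ips.add(host)
    else:
        ind.domains.add(host.lower())


def parse_report(text):
    """Extract network and file-system indicators from a BSA-style report."""
    ind = Indicators()
    for line in text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            _add_host(ind, m.group(1))
            ind.ports.add(int(m.group(2)))
        for url in URL_RE.findall(line):
            ind.urls.add(url)
            host = urlparse(url).hostname
            if host:
                _add_host(ind, host)
        for path in WIN_PATH_RE.findall(line):
            ind.dropped_files.add(path)
    return ind


def suspicious_drops(ind):
    """Executables written under the Installer GUID cache directories."""
    return sorted(p for p in ind.dropped_files
                  if p.lower().endswith(".exe") and INSTALLER_GUID_DIR_RE.search(p))


def hosts_block_entries(ind):
    """hosts-file lines that sinkhole the contacted domains on a workstation."""
    return [f"0.0.0.0 {d}" for d in sorted(ind.domains)]


if __name__ == "__main__":
    ind = parse_report(SAMPLE_REPORT)
    print("domains:", sorted(ind.domains))
    print("ips:", sorted(ind.ips))
    print("urls:", sorted(ind.urls))
    print("suspicious drops:", suspicious_drops(ind))
    print("\n".join(hosts_block_entries(ind)))
```

The hosts-file entries only cover the domain; the raw IP contacted on port 80 should go to a firewall or proxy blocklist instead, and the dropped-file paths are candidates for a file-integrity or EDR rule that alerts on any .exe created under the Installer GUID directories.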
A license for the rogue program Antispyware 2011 costs $34.95 on its official website, http://www.antispyware.com . That is too expensive for malware; you can get infected if you want, even free of charge, just by opening unsolicited email attachments or by downloading warez from untrusted sources. No need to pay for malware; it is all around.
The owner of the www.antispyware.com domain uses Moniker’s privacy service, so their identity is unknown. What makes them destroy the reputation of this wonderful domain name by putting it in the service of evil, choosing the wrong way to do business, nobody knows.
Keep safe !