Exposing a fake antivirus

Today somebody asked me to write a good testimonial about his software, Spyware Sterilizer. Well, things do not work this way: I can write a good testimonial only after rigorous tests and only if the software deserves it; otherwise I would be acting in bad faith toward my readers, which is definitely not acceptable and is the opposite of what this site stands for. But I will use this article to say "sorry" to the "author" of this software for the honest review that follows. You will understand later why the word "author" is within quotation marks.

The software, Spyware Sterilizer by UnbeatableSoft, subtitled "Your perfect Spyware & Adware Cleaner", can be downloaded as a trial from http:// spywaresterilizer.com, where it is already advertised as version 4.2. Considering all the features the program claims to have, it has a ridiculously small size of 3.37 MB, yet almost the same feature list as a well-known antivirus:

  • Proactive protection monitoring your computer in real time
  • Home Page Hijack Protection
  • Scan Running Processes
  • Scan the Windows Registry
  • Scan Internet Cookies
  • Log scan results
  • Scheduled scans
  • Live-update
  • Scanning with different options: smart scan, full system scan, directory scan or single file scan
  • Quarantine to hold threats
  • Multilanguage support

Simply amazing to have all these features packed into only 3.37 MB, and as cheap as another "miracle software", Malwarebytes' Anti-Malware: only $24.95. Can it be possible? Why pay $40-60 for antiviruses that eat up hundreds of MB of disk and RAM when this little program can perform the same tasks?

The reality is that I don't believe in "miraculous" programs, so I first installed it in a sandbox to see what the program does. The truth is I suspected the software was what is called a "fake antivirus".

The installer is built with Inno Setup version 5.3.8 and the main executable is written in Visual Basic 5/6, well known for producing slow-executing applications. This is suspicious at first glance, because any respectable antivirus is written in languages like C++ or Delphi, or even contains modules written in assembly, which assure the fast code execution absolutely necessary for an antivirus. On its own the choice of language proves nothing, but it is an odd one for a product claiming real-time protection.

The program installed fine and quickly, and a simple interface is presented to the user:

ss_main.jpg

Doing a "Smart Scan", the following results appeared:

ss_complete_scan.jpg

As you can see, an "un-named" trojan, actually named "autorun.exe" in the %system% directory, was found. I copied it to the desktop for easier upload to virustotal.com for further analysis, and I also copied to the desktop a few sample trojans I keep on my computer for testing purposes. Next came a "Directory Scan" with the desktop as target, to get an idea of the scanning speed.

I had the unpleasant surprise of seeing that none of the trojans was detected and, another astonishing fact, the "un-named" trojan autorun.exe was no longer detected either. Then I made a little experiment: I renamed a simple text file containing three words to "autorun.exe" and copied it back to the %system% directory, together with the real "autorun.exe", this time renamed to "utorun.exe", i.e. with one letter removed from the original name.

I was amazed to see the software detect the text file as a trojan and delete it, while the "original" renamed trojan remained in the %system% directory untouched and undetected. This little experiment says it all about this fake antivirus: no virus signature comparison, no analysis of file contents, just a fake detection keyed on a file name, and only if that file exists in the %system% directory. I strongly suspect that the "un-named" trojan was dropped in the %system% directory by the fake antivirus itself to justify its actions and a possible purchase. It's possible that the "un-named" trojan is packed and embedded in the executable and dropped into the %system% folder at execution time.
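To make the rename experiment reproducible, here is an added example (my own code, not part of the original post or of the product) that contrasts the two scanning strategies the experiment tells apart: a name-based "scanner" that mimics what the fake product appears to do, and a minimal content-based scanner that hashes each file and compares it against a known-bad set. The sample bytes, the hard-coded flagged name "autorun.exe" and the temporary directory standing in for %system% are all constructed assumptions for the demonstration.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for the "un-named trojan": an arbitrary fixed byte
# string, since the point is that a real scanner keys on content, not name.
SAMPLE_BYTES = b"MZ\x90\x00" + b"constructed stand-in sample, not real malware " * 3
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_BYTES).hexdigest()

# "Signature database" of the content-based scanner: the sample's SHA-256.
KNOWN_BAD_HASHES = {SAMPLE_SHA256}

# File name the fake product appears to hard-code (inferred from the
# experiment in the post; an assumption, not a reverse-engineered fact).
FLAGGED_NAMES = {"autorun.exe"}


def name_based_scan(directory: Path) -> set[str]:
    """Mimics the fake product: flags a file purely by its name."""
    return {p.name for p in directory.iterdir() if p.name.lower() in FLAGGED_NAMES}


def hash_based_scan(directory: Path) -> set[str]:
    """Minimal real detection: hash file contents, compare to the known-bad set."""
    hits: set[str] = set()
    for p in directory.iterdir():
        if p.is_file():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            if digest in KNOWN_BAD_HASHES:
                hits.add(p.name)
    return hits


def run_rename_experiment() -> dict[str, set[str]]:
    """Reproduces the post's experiment in a temporary directory standing in
    for %system%: a three-word text file named autorun.exe next to the real
    sample renamed to utorun.exe. Returns what each scanner flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "autorun.exe").write_bytes(b"three words here")   # harmless text
        (d / "utorun.exe").write_bytes(SAMPLE_BYTES)            # renamed sample
        return {
            "name_based": name_based_scan(d),
            "hash_based": hash_based_scan(d),
        }


if __name__ == "__main__":
    for scanner, hits in run_rename_experiment().items():
        print(f"{scanner}: {sorted(hits) or 'nothing detected'}")
```

The name-based scanner flags the harmless text file and misses the renamed sample, exactly the behaviour observed above; the hash-based scanner does the opposite. A hash match is the weakest form of real detection (any byte change defeats it), but even that beats matching on a file name. The same SHA-256 is what you would submit to virustotal.com to see what other engines think of the file.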

Another big surprise came when I was looking through the API call log of the program (which, remember, was sandboxed) and saw a reference to a site, http://rebrandsoftware.com/, which offers customized software for commercial use by its subscribers. In practice, the site offers the same core software for reselling (rebranding), letting the subscriber customize the interface to meet his business needs. Various software can be found on that site: a Coloring Book, WebTV, a Computer Monitor/Keylogger, a File Renamer and, watch this, an Anti Spyware with a description and feature list identical to our analyzed software. A license described as "Private Label + Master Resell Rights / Fully Customizable" costs $419.99, pretty steep if you ask me; all details can be found at http://rebrandsoftware.com/showsoftware.asp?soft_id=21. All kinds of services are included to turn reselling the same software with a customized graphical interface into a working business, even an art department for customizing the software's graphics as requested by the subscriber to match the site or the logo of the "newly" created software. A real lie factory if you ask me, because as far as I tested, the fake antivirus is good for nothing: it masquerades a scan and some fake detections, and even the live update is fake.

There is a more serious side to these kinds of programs: they are a source of threats for your computer, with their hidden connections and hidden processes. For example, even though the creator of this fake anti-spyware assures its subscribers that:

Although your branded software will be connecting to our servers for updates, it will not be obvious to your users.

the software can be seen connecting to 64.78.27.90 on port 80, which a simple reverse lookup reveals as http://rebrandsoftware.com. I don't say this particular software is dangerous, because I did not detect any direct threats, but it can be dangerous: who can guarantee that this fake antivirus, once installed, will not after some time download and execute various self-executing advertisement banners or pop-ups, or even some silent spyware? This is achieved very easily with a timer embedded in the code, and because the persistent spam does not appear immediately after installing the fake antivirus, the end user will not make the connection between the software and the spam received. Even if that is not the case with this software, the mere fact that it cannot detect any real trojan is enough to throw it in the garbage. What starts with a lie will continue with a lie, and my recommendation is to be aware of what you are installing: search for and read user reviews, because being well informed about what you install on your computer is compulsory.

Keep safe!

Edit: The main website http:// spywaresterilizer.com is now offline, and the vendor is maybe out of business.
