Google fooled by the “Fake Anti-Virus Virus”

You probably know by now about the fake Anti-Virus that is planted everywhere to fool people into buying it; go figure, maybe it will self-update some day and start stealing bank accounts…
I can’t believe we have come to the point where it is so widespread and has so many different domains and versions, and nobody stops them!!!

The internet needs some kind of global FBI to keep control over these criminals!!!
These guys operate from Russia and they are the “180 Solutions” team (I prove it below), which shows everyone that a criminal business on the internet is profitable and has been growing over the last 5 years, at least if it’s running from a country safe for cyber criminals (Russia!!!)

This is a wide viral network, and they check for the existence of any of their products. I saved the list of Internet Explorer blocked/trusted entries they look for here: http://theinsider.deep-ice.com/evilnetwork.txt

So they infect us through cracks and software installations (fake setups, SFX, exe binding), P2P (torrent, eMule) and, of course, OS and browser exploits through warez websites.
Still, something is missing… it’s working too well this time! Well, get this!!

Please join my experiment. Let’s assume someone just opens Google and wants to download the mp3 of the Sopranos TV series titled “you got yourself a gun”, so he would search for “download mp3 sopranos got yourself a gun”. You can test it yourself:

http://www.google.com/search?hl=iw&client=firefox-a&rls=org.mozilla%3Ahe%3Aofficial&hs=X1V&q=download+mp3+sopranos+got+yourself+a+gun&btnG=%D7%97%D7%99%D7%A4%D7%95%D7%A9&meta=

Last week result number three was:

Sopranos Theme Song
You woke up this morning Got yourself a gun, Complete Guide to Entertaining – Sopranos Stile! Entertaining with The Sopranos May 25, 2008 Download Sopranos …
www.geocities.com/owhfmqhoqxu/sopranos-theme-song.html – 13k

Now result number six is:

mas woemns rights woems woemsn bottle opener woen woen am woen of …
… up this morning got yourself a woke up this morning got yourself a gun woke … sopranos woke up this morning mp3 woke up this morning mp3 sopranos woke …
http://hauton.net/2/2289/ – 35k

One can clearly see that last week’s result is very, very convincing, and the new one also resembles the way a warez/mp3 website would appear in Google. It leads directly to a page that automatically offers a download of this fraud virus.

1) Why isn’t this blocked by Google, who “maps all the evil pages in the world”?!
2) The Google search engine is helping the bad guys publish their virus in the top 10 results!
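
The two result snippets quoted above can be compared mechanically. This is an added example, not part of the original post: it scores each snippet by the share of word trigrams that occur more than once. The trigram measure and the 0.3 threshold are assumptions chosen for illustration. The keyword-stuffed snippet is flagged, while the "convincing" one from last week scores zero, so a filter like this only catches the cruder doorway pages.

```python
import re
from collections import Counter

# The two result snippets quoted in the post ("..." marks Google's truncation).
RESULTS = [
    {"host": "www.geocities.com",
     "snippet": "You woke up this morning Got yourself a gun, Complete Guide "
                "to Entertaining - Sopranos Stile! Entertaining with The "
                "Sopranos May 25, 2008 Download Sopranos ..."},
    {"host": "hauton.net",
     "snippet": "... up this morning got yourself a woke up this morning got "
                "yourself a gun woke ... sopranos woke up this morning mp3 "
                "woke up this morning mp3 sopranos woke ..."},
]

STUFFING_THRESHOLD = 0.3  # assumed cut-off for illustration, not a tuned value


def word_ngrams(snippet, n=3):
    """Word n-grams of a snippet; n-grams never span a '...' truncation."""
    grams = []
    for fragment in re.split(r"\.\.\.|\u2026", snippet):
        words = re.findall(r"[a-z0-9']+", fragment.lower())
        grams.extend(tuple(words[i:i + n]) for i in range(len(words) - n + 1))
    return grams


def repeated_ngram_ratio(snippet, n=3):
    """Share of word n-grams that occur more than once (0.0 = no repetition)."""
    grams = word_ngrams(snippet, n)
    if not grams:
        return 0.0
    counts = Counter(grams)
    return sum(c for c in counts.values() if c > 1) / len(grams)


def flag_stuffed(results, threshold=STUFFING_THRESHOLD):
    """Hosts whose snippet repeats itself more than the threshold allows."""
    return [r["host"] for r in results
            if repeated_ngram_ratio(r["snippet"]) > threshold]


if __name__ == "__main__":
    for r in RESULTS:
        print(f'{r["host"]:20} {repeated_ngram_ratio(r["snippet"]):.3f}')
    print("flagged:", flag_stuffed(RESULTS))
```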

This issue goes way beyond searching for downloads; I even got it when searching for people:

http://vivocurtindo.com.br/galeriaa/css/_images/toyota-tazz-wiring/my_searched_keyword1-my_searched_keyword2-home.html

This viral network is so large I truly believe only government power can stop it.
Some of the endless domains they use to spread this virus:

By the way, it’s extremely intelligent to create a “virus not considered a virus” and spread it as fraud software which no law enforcement cares about, and then, once it’s planted in millions of computers, just update it to steal what you want and then even change it back… a combination of a breach in the law and in the way viruses are treated by the AV industry.

  • Name

    Where did you prove it was 180 Solutions?

  • http://rafelivgi.blogspot.com/ Rafel Ivgi

    All their domains are here
    http://theinsider.deep-ice.com/evilnetwork.txt

    The trojan looks for all their domains in a computer (you can compare it to the domains in an article I published 4 years ago, http://seclists.org/fulldisclosure/2004/Jun/0050.html)…

    For example we have in common:
    i-lookup.com
    180solutions.com

    They have so many, only they know the complete list :)
    Now we do too… but no one will stop them anyway…

  • Name

    Uhhh… so, you are then saying they are also working with
    Microsoft – live.com
    Earthlink – earthlink.net
    Omniture – 2o7.net

    as those are all in the list.

    The list is just a list of competitors, search engines, porn sites, etc., which includes advertising/adware networks (180Solutions, Omniture, Zedo, etc.)

  • http://blog.trendmicro.sg Anti Virus

    [...]About 3 percent of the people who see the fake warnings fall for it, forking over $50 for an annual license or $80 for a lifetime license, according to official estimates.

    Last September, a hacker was able to infiltrate rogue antivirus maker Baka Software and discovered that in one period an affiliate made more than $80,000 in about a week.[...]