Internet Anthropologist Think Tank: Fake security sites

    Sunday, February 22, 2009

    Fake security sites

    Fake security software:
    We did not do a count, but if you are using or have used one of these security programs, you are in trouble.

    We have posted this list as a Public Service Announcement.

    All info was collected from 
    While we know the bad guys are making new
    bogus sites all the time this gives you a view of the 

    Registrant : Damir Sbil; Email:

    Registrant: Ahmo Stolica; Email:

    Registrant: Dion Choiniere; Email:

    Registrant: Maksim Hirivskiy Email:

    DNS servers to keep an eye on, courtesy of UralComp-as Ural Industrial Company LTD (AS48511) :
    Domain owner:
    Name: Aennova M Decisionware
    Organization: NA
    Address: Rua Maestro Cardim 1101   cj. 112
    City: São Paulo
    Province/state: NA
    Country: BR
    Postal Code: 01323
    Phone: +5.5113245388
    Fax: +5.5113245388

    Domain owner:
    Vadim Selin
    +74952783432 fax: +74952783432
    ul. Vorobieva 98-34
    Moskva Moskovskay oblast 127129

    Domain owner:
    Name: Nikolai V Chernikov
    Address: yl. Kravchenko 4 korp. 2 kv.17
    City: Moskva
    Province/state: NA
    Country: RU
    Postal Code: 119334

    It's interesting to point out that so far, none of the hundreds of typosquatted domains takes advantage of a legitimate online payment processor. Instead, they not only handle their own payment processing, but also offer to process payments for other participants in the affiliate network. With respect to these bogus domains, the following payment processors are working for them:

    secure.softwaresecuredbilling .com, registered to Viktor Temchenko
    secure.goeasybill .com, registered to Chen Qing
    secure-plus-payments .com, registered to John Sparck

    Try the very latest rogue security domains courtesy of three domainers (Fedor Ibragimov, Anton and Ivan Durov) whose portfolios can always keep you updated about the latest releases of such popular software as The Best Antivirus Cleaner 2008.

    As far as proactive threat intelligence is concerned, try the following "upcoming fake security software domains":

    spywaredefender2009 .com
    spywaredestroyer2009 .com
    spywareeliminator2009 .com
    spywareprotector2009 .com

    Last week, the noadware .net software was persistently advertised in such a way, mostly by generating WordPress accounts promising to remove competing software:

    Naturally, it didn't take long before blackhat SEO farms were created for the purpose, like these very latest ones :

    The day when fake security software sites start attracting traffic by promising to remove other fake security software is the day when we have clear evidence that an ecosystem has emerged.

    Registrants of note for cross-checking purposes:
    Sagent Group
    Billy A. Schmitt
    Shestakov Yuriy
    Andrej Kazanski

    Antivirus-Alert .com ( where pepato .org a domain that was used in the and IFRAME injections, which back in March was also hosted at Hostfresh (

    Fake Antivirus Inc. is not going away as long as the affiliate-based model remains active. If the real vendors were greedy enough not to share the revenues with others, they would have been the ones popping up on the radar; instead, it's the greed of the affiliate network's participants that's increasing their visibility online.

    The domain in question is hosting the binary at bestantivirus2009 .com/setup_1096_MTYwM3wzNXww_.exe and has an IFRAME pointing to huytegygle .com/index.php

    Here's another with an IFRAME pointing to a different location - /~ave/etc/count.php?o=16.

    Although these domains are part of the "International Virus Research Lab" fake domains portfolio, it remains to be seen whether others will start multitasking as well.

    antispywareproupdates .com - Jeanne M Bartels

    paymentsystemonline .com - Jerom M Collins

    liveantimalwareproscan .com - Giang B Ahrens

    securedsystemupdates .com - Anatoliy Lushko
    promotion-offer .com - Roland Peters

    During March, a new type of scareware with elements of ransomware started circulating in the wild. It will be interesting to monitor whether it will become the de facto standard for optimizing revenues out of rogue security software.


